
Linux Unhackable At TippingPoint Contest (eFluxMedia)

While it is certainly not proof that Linux is hacker-proof, as some have reported it, the news that Linux was the only survivor of a hacking contest is a nice indication of lots of hard work that has been done to secure the OS. "The contest was in Vancouver, Canada and it had three phases: during the first day, only network attacks were allowed, but none of the laptops could be broken into remotely. In the second day, rules stated that the hacker could give instructions to a staff member. During the third day, the rules of the contest allow the installation of popular 3rd party client applications on the notebooks."

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 15:45 UTC (Mon) by ArbitraryConstant (guest, #42725) [Link]

meh

Presumably, the flash vulnerability that took down Vista would also have worked on Ubuntu,
but the contest rules forbade re-using the same exploit.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 15:58 UTC (Mon) by drag (subscriber, #31333) [Link]

Maybe. 

Flash for Linux uses different sorts of things for media playback and such. (ie Alsa support)
so it could or could not work depending on what part of the flash plugin was hacked.

For all we know it could be something to execute a javascript command and run an exploit on IE,
like people have been able to trick Firefox into doing in the past.

but ya certainly likely that nothing inherent in Linux would save us from some proprietary
browser plugin eating our home directories or whatnot.

Flashblock installed by default seems like a cool idea at this point.


It's worth keeping in mind that in both cases, the Vista hack and the OS X hack, both were
taken down with very proprietary multi-media oriented applications that are very high profile
items for their respective companies:

Quicktime from Apple
Flash from Adobe. 


Might only PWN a user account, though

Posted Mar 31, 2008 20:44 UTC (Mon) by AnswerGuy (subscriber, #1256) [Link]


 Even if the Ubuntu Flash plugin was vulnerable to a nearly identical
 exploit; we don't know if there was another readily available privilege
 elevation exploit to go from PWN-ing the user to PWN-ing the whole
 box.


Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 21:42 UTC (Mon) by eru (subscriber, #2753) [Link]

> but ya certainly likely that nothing inherent in Linux would save us from some proprietary browser plugin eating our home directories or whatnot.

You know, I have long wondered if it would be practical to sandbox those plugins into a virtual machine. Of course they all try being sandboxes unto interpreted code themselves, but they often have flaws. Putting the plugin itself into a virtual machine instance (built for the purpose and torn down after the plugin exits) would erect another wall around it. I'm pretty sure this is doable, but whether the performance would suffer too much is another question.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 22:14 UTC (Mon) by nix (subscriber, #2304) [Link]

Yeah. It's called a JVM.

What you get then is security holes in the JVM.

(They're still turning up, after fifteen years... I suspect anything 
complex enough and with enough interfaces to the outside world to run a 
useful plugin on top of will be complex enough to have a never-ending 
supply of increasingly baroque security holes.)

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Apr 2, 2008 10:57 UTC (Wed) by dvdeug (subscriber, #10998) [Link]

No machine is unhackable once you're sitting at the controls and the hacker has a gun to your
head. The name of the game is never impossibility, it's making it sufficiently difficult that
they give up. If the VM adds an additional layer, that can be a good thing (if it's worth the
cost) without being perfectly free of bugs, so long as those bugs are fixed promptly.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 23:25 UTC (Mon) by ianburrell (subscriber, #47313) [Link]

A virtual machine isn't necessary.  SELinux can confine processes and only allow them to do
things that are specified by the policy.  People are working on policies for browsers but it
is hard because users want browsers to support downloads and uploads.  Plugins would need to
be run in a separate process to be more limited than the browser.  This could be done with
nspluginwrapper.  Some plugins, like Flash, will need access to the network.  Some might need
access to files but probably could be limited to a single directory.  In any case, they could
be prevented from accessing arbitrary user or system files.

X would still be vulnerable to attack since plugins talk to the X server.  There has been some
work on adding SELinux to X.

The Linux kernel can also be vulnerable to root escalation exploits.  Some can be done before
the SELinux hooks or with calls that aren't checked because they aren't normally a security
problem.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 23:36 UTC (Mon) by zlynx (subscriber, #2285) [Link]

Yeah, SELinux can do it, or a set of alternate user accounts and sudo. On a laptop system,
something like "sudo webuser firefox" can go a long way toward enhancing your browsing
security without getting into anything too complicated.

A virtual machine is overkill.  I also find it a bit funny.  After all, virtual memory and
process isolation was supposed to protect us from all the same problems virtual machines are
supposed to save us from now.  All our current security issues are caused in the name of
convenience, and now in virtualization VMware is already getting into security problems in the
name of convenience (all their cut&paste and remote control options?  potential security
holes).

Intra-application security models

Posted Apr 1, 2008 9:25 UTC (Tue) by skitching (subscriber, #36856) [Link]

Interestingly, Java's security model means that different pieces of code within the same
process can have different security policies. This is possible because instructions in JVM
bytecode do not just address random bits of memory; they are constrained to access only valid
objects. And a code verifier runs at load-time to ensure that they do so.

So a browser implemented in java can apply a different security policy to plugins than to the
IO code that interacts with remote webservers. 

Other languages can do this too; Microsoft's research OS "Singularity" applies a similar
approach, allowing user code to run with the same privileges as kernel code - but the code
must be written in a special "verifiable" language.

Having only per-process security and then using multiple cooperating processes is an
alternative, but has some major impacts on performance and developer convenience.

I don't know why people are so harsh about Java and similar languages. There really are some
nice features available when using a "constrained" language. Ok, it's possible for the VM to
have a security bug; anything can have a bug (splice, anyone?). But I personally don't
remember a major one for a long time in the Java VM.

Intra-application security models

Posted Apr 1, 2008 18:56 UTC (Tue) by nix (subscriber, #2304) [Link]

The verifier has had bugs with security implications, I know that. 
(Whether anyone ever *exploited* these bugs is a different question.)

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Apr 1, 2008 10:40 UTC (Tue) by epa (subscriber, #39769) [Link]

A Linux process already runs in a virtual machine: it sees a virtual address space, a
virtualized processor and no direct hardware access.  The problem is not lack of
virtualization, but too many permissions given to the process running in the virtual machine.
Browser plugins could be run in a sandbox giving them no access to the filesystem and only
limited network access.  I suppose setting up a VMWare instance, etc. is one convenient way to
get this, but it seems like unnecessary extra layering when SELinux, chroot and so on can
achieve the same effect in a more lightweight way.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Apr 17, 2008 10:38 UTC (Thu) by lgb (guest, #784) [Link]

Yeah, according to launchpad.net for example, one of the loudest desktop bugs in the Ubuntu
development distro is the flash problem (crashes the whole web browser). In a sandbox, the plugin
would not be able to crash the whole browser and of course you would be able to enhance the
security as well by applying various restrictions to it, e.g. like my current solution where
the flash plugin is run by nspluginwrapper even on a 32 bit machine; it does the "browser crash
protection" and also, since the plugin is running in another process, it does not slow down the whole
browser and even causes better utilization of multiple CPUs/cores of current desktops ...

Sandbox

Posted Apr 3, 2008 21:19 UTC (Thu) by spitzak (subscriber, #4593) [Link]

There were quite a few posts on Slashdot claiming that the Vista Internet Explorer did exactly
that for either the entire browser or for the flash plugin, but apparently it failed to stop
the attack. It sounds like Flash actually ran another executable outside the sandbox that
opened up a communication channel with the sandboxed part and obeyed instructions from it. Not
at all clear whether this outside executable was either set up to autorun as part of the flash
installation, or if somehow the "sandboxed" flash was still able to cause it to run.

If there is any truth to this it is a good indication that reliance on sandboxing to solve
things may be wrong.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 16:01 UTC (Mon) by MathFox (subscriber, #6104) [Link]

I am not sure what the exact rules for the hacking contest were, so I'll talk about what it
takes to make a flash or other http propagated hack work.
First one has to find a vulnerability, like a buffer overflow, in an application that handles
data from the internet and play with it to get some code running. At that moment you're only
running with user privileges, then you'll have to exploit a "privilege escalation" bug that
will allow you to obtain control of the machine.

Security issues in web browsers, image manipulation programs, video players, etc. are
relatively common, so it is imaginable that a hacker can gain control of a user account.
Privilege escalation bugs are rare and fixed with high priority. Taking over a machine where
you have a user account should be hard (in the UNIX philosophy). So it will also be hard
for a hacker to get from a random user account to full system privileges.

bad guys don't need root

Posted Mar 31, 2008 16:13 UTC (Mon) by JoeBuck (subscriber, #2330) [Link]

You don't necessarily need the second attack (privilege escalation to get root). For many purposes, it's good enough for the bad guy to just be an ordinary user. The compromised user account still suffices to send spam, participate in DDOS attacks, or serve as a machine for launching further attacks from, to cover the attacker's tracks. And for a single-user machine, the user's account can read and write all of the user's data, scan it, and send anything interesting over the network to the attacker.

It's true that, without root, it's hard to hide the extra processes, but if the machine doesn't have a skilled sysadmin looking after it, it doesn't matter.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 17:27 UTC (Mon) by mrshiny (subscriber, #4266) [Link]

Also remember that on Windows XP almost everybody runs as Administrator (i.e. root)

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 19:57 UTC (Mon) by cortana (subscriber, #24596) [Link]

On many systems, you don't need to look for a privilege elevation exploit. You can easily wait
around for the user to authenticate themselves with sudo, and then run whatever you want as
root.

If the user uses su rather than sudo, it's not that much harder; you can wait for them to
authenticate themselves with su, and then stuff characters into their terminal...

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 21:39 UTC (Mon) by drag (subscriber, #31333) [Link]

On my single user machine.. aka Laptop.. I am much more concerned about protecting private
data such as online passwords, financial stuff, and links to banks and that sort of thing. Any
sort of information leakage that can put me in a vulnerable position.

As far as I am concerned what I have in my home directory is much much more sensitive than
what I have in my.. say.. /etc/shadow file. My /etc/password file could be containing plain
text passwords and it wouldn't make any difference.  At that point I don't really care, the
game is already over.

So if they get through my browser and into my main account then I am screwed. There is no need
for a root exploit.. the damage is already done. They got access to the vast majority of my
sensitive information.

The only advantage I have then for protecting my root account is that user applications are
much easier to detect than your average linux kernel module root kit. Even then it's still
better to wipe and reinstall. That approach requires much less effort.


Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 16:02 UTC (Mon) by gtb (subscriber, #3978) [Link]

It is certainly welcome news that Linux is the only survivor in a contest to compromise the
security of operating systems. But I must vent my frustration with the language usage "Linux
unhackable" in the title of your story, and similar examples in its body. 

Call me old fashioned if you want. But some of us, including myself, still value Linux
precisely for the fact that it's eminently hackable. For the wealth of opportunities it
provides to (white hat) hackers who want to extend it, customize it, or otherwise mold it to
their needs. 

Considering that many in the Linux community continue to see hacking as honorable, may I
respectfully suggest that LWN editorial policy respect the Linux hacker community's usage in
the future? The discussion of the issue in the /New Hacker's Dictionary/ seems like a
reasonable starting point.

Best regards,

Thomas

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 16:39 UTC (Mon) by ajross (subscriber, #4563) [Link]

Languages change.  Words acquire new meanings.  I sympathize, but this isn't something we can
fix.  At best, we can preserve the old usage.  But you can't redefine a word that's been in
popular use for 20 years, no matter what meaning it used to have.  You can't hack linguistics,
basically. :)

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 16:42 UTC (Mon) by jake (editor, #205) [Link]

> Considering that many in the Linux community continue to see hacking as 
> honorable, may I respectfully suggest that LWN editorial policy respect 
> the Linux hacker community's usage in the future?

I think you will find that in stories we create, we consistently use hacker in the
traditional, positive sense of that term.  Unfortunately, we have lost that battle in
mainstream usage.  I guess my usage of "hacker-proof" was somewhat ill advised in the blurb,
though an alternative is not so easy to come up with either.

Do remember that the titles are from the website we are quoting.

jake

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 17:01 UTC (Mon) by gtb (subscriber, #3978) [Link]

> Do remember that the titles are from the website we are quoting.

That, indeed, is the part I have missed. I apologize for the misunderstanding.

-- T.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 18:11 UTC (Mon) by JoeBuck (subscriber, #2330) [Link]

I would suggest that LWN insert something like [sic] occasionally to flag a misleading headline, though.

Not in this case: as others have said, we've already lost the battle on the meaning of hack{er,ing}.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 20:41 UTC (Mon) by nix (subscriber, #2304) [Link]

I don't know. If someone uses 'hacker' wrong around me, I belabour them 
with an axe, and they soon stop.

;}

Hacking with an Axe

Posted Apr 1, 2008 16:26 UTC (Tue) by GreyWizard (subscriber, #1026) [Link]

So you hack them?  I don't think that's the usage gtb was hoping to promote.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Apr 1, 2008 3:17 UTC (Tue) by grouch (subscriber, #27289) [Link]

> Not in this case: as others have said, we've already lost the battle on the meaning of hack{er,ing}.

I don't buy that. Every time I've talked to someone who uses the moronic media's definition of "hacker", I educate them about the differences between "hacker" and "cracker", "vandal", "script kiddie" and Hollyweird.

'Scuse me for a while; I have to go "hack" an alien mothership to "download" a virus to it and save humanity from teenage phreakers in bad costumes running around acting as "Hackers".

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 16:39 UTC (Mon) by southey (subscriber, #9466) [Link]

Well, not sure about 'unhackable'. A few media reports like this one also include the finding of bugs (but obviously not easy to use):

"TippingPoint Manager Terri Forslof said several attendees tried to crack the Linux box, but nobody could pull it off. She noted that some had found bugs in the Linux operating system but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

Path of least resistance

Posted Apr 1, 2008 3:25 UTC (Tue) by pr1268 (subscriber, #24648) [Link]

Humans (including hackers, malicious or not) notoriously take the path of least resistance. That being said, I suppose given the time constraints of the contest, the hackers targeted the Mac and Vista laptops first, perhaps realizing their security could be broken in a shorter time frame.

I still can hardly believe that Mac's security didn't put up a bigger fight than that. "Pwned" in two minutes... Wow.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 16:48 UTC (Mon) by roblucid (subscriber, #48964) [Link]

Next time someone trots out the old chestnut about closed source being 
more secure because of its obscurity, this competition could be a nice 
little bolster to the logical rebuttal.

Only thing is Safari browser uses FOSS derived rendering component, I 
wonder if it's only OSX affected.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 20:24 UTC (Mon) by aleXXX (subscriber, #2742) [Link]

"the FOSS derived rendering component" is WebKit, which is LGPL (so it is 
FOSS), which is forked from khtml (which is LGPL).

Alex

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Mar 31, 2008 22:30 UTC (Mon) by drag (subscriber, #31333) [Link]

Also Safari was cracked through how Quicktime mismanaged some sort of Java compatibility
do-dad. I am pretty sure that would have very little to do with anything that Webkit did.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Apr 1, 2008 0:51 UTC (Tue) by melo@isp.novis.pt (subscriber, #4380) [Link]

Sorry, no.

the Mac was hacked via an old exploit in the PCRE lib used by the JavaScript core of WebKit.

So yes, if other operating systems run the same unpatched PCRE, it might be vulnerable.

Patch to WebKit is here: http://trac.webkit.org/projects/webkit/changeset/31388

Best regards,

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Apr 1, 2008 11:03 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

Well, the previous story on LWN is http://lwn.net/Articles/275701/ ("Adobe joins Linux
Foundation, develops Air for Linux"), also by Jake. A good hint that Adobe wants to level the
playing field between Ubuntu and Vista.

Linux Unhackable At TippingPoint Contest (eFluxMedia)

Posted Apr 5, 2008 17:09 UTC (Sat) by dps (subscriber, #5725) [Link]

In reality you do not need ultra-security for most applications. All you have to do is make
the job too expensive or dangerous. Too expensive merely means that another route to the same
end is cheaper or less risky. If I want a botnet then a windows worm is almost certainly hard
to beat on risk, cost and impact grounds.

Almost all legitimate users on linux have abusable privileges---it is hard to allow
unrestricted email without also allowing spam too. What we can do is make sending spam an
activity with a high risk of discovery and expensive consequences. (Losing your job under a
cloud is expensive for most people with jobs.)

One of the limitations of linux is that most of the proposed sandbox measures can not be used
without root privileges, except for hard resource limits and the policy implemented by
their java security manager.
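
The unprivileged hard-resource-limit confinement mentioned in the last comment, shown as an added C example that is not part of the original thread or of any project discussed in it. The names `run_plugin`, `plugin_probe` and `drop_limit` are hypothetical, and the probe is a stand-in for untrusted plugin code.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DENIED_OPEN   1  /* open() was refused with EMFILE   */
#define DENIED_SOCKET 2  /* socket() was refused with EMFILE */

/* Lower the soft and hard limit together. An unprivileged process cannot
 * raise a hard limit again, and limits are inherited across exec. */
static int drop_limit(int resource, rlim_t value)
{
    struct rlimit rl = { .rlim_cur = value, .rlim_max = value };
    return setrlimit(resource, &rl);
}

/* Hypothetical stand-in for plugin code: try to reach the filesystem and
 * to create a socket, and report which attempts the limits refused. */
static int plugin_probe(void)
{
    int denied = 0;
    int fd = open("/", O_RDONLY);
    if (fd < 0 && errno == EMFILE) denied |= DENIED_OPEN;
    if (fd >= 0) close(fd);

    fd = socket(AF_UNIX, SOCK_STREAM, 0);  /* any socket needs a descriptor */
    if (fd < 0 && errno == EMFILE) denied |= DENIED_SOCKET;
    if (fd >= 0) close(fd);
    return denied;
}

/* Fork a child, optionally confine it, run the probe in it.
 * Returns the probe's bitmask, or -1 if setup failed. */
int run_plugin(int confine)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* RLIMIT_NOFILE 0: no new descriptors; RLIMIT_FSIZE 0: no file growth */
        if (confine && (drop_limit(RLIMIT_NOFILE, 0) != 0 ||
                        drop_limit(RLIMIT_FSIZE, 0) != 0))
            _exit(127);
        _exit(plugin_probe());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("unconfined: denied mask %d\n", run_plugin(0));
    printf("confined:   denied mask %d\n", run_plugin(1));
    return 0;
}
```

Descriptors that were already open before the limits were dropped stay usable, so the parent decides exactly which files or pipes the child may touch. A process holding CAP_SYS_RESOURCE can raise the limits again, so this confines only unprivileged code.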


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds