
Open Source And Viruses

From:  SOT Public Relations <PRelations-AT-sot.com>
To:  lwn-AT-lwn.net
Subject:  Open Source And Viruses
Date:  Fri, 4 Jun 2004 14:55:37 +0300


OPEN SOURCE AND THE WAR ON VIRUSES


To be freely published.

By Santeri Kannisto, Managing Director of SOT Finnish Software
Engineering Ltd.

This article may be edited, translated and distributed
in any medium, without restriction.  

Author's photo: http://www.sot.com/images/santeri2.jpg 
Copyright © SOT Finnish Engineering Ltd., 2004

Open Source is the best protection in the war against viruses.

Open Source software,  such as GNU/Linux, has remained remarkably
free from the viruses which have plagued closed source software.
It has been claimed by closed source advocates that viruses
targeting GNU/Linux will begin to appear as Open Source software
gains in popularity.  However, the lack of viruses threatening
GNU/Linux must also be understood as a result of the Open Source
business model.  It is this factor that leads us to expect that
GNU/Linux will continue to be largely virus-free in the future.

The infection and spread of viruses

Viruses, worms and crackers exploit mistakes and loopholes in
programming code.  All programs contain such mistakes --- it is
impossible to catch and correct every possible flaw in a program.

The main goal of a virus is to infect our computers with rogue
software, effectively taking control of the computer's resources
for the virus' own purposes --- which usually include damage to the
infected computer and transmission of the virus to other computers.
Some viruses also attempt to conceal their presence, leaving the
user unaware that their computer has been contaminated.

Anti-virus programs try to prevent the damage by detecting and
blocking individual viruses and worms before they can exploit
the flaws in computer programs. To achieve this, the anti-virus
programs must be continually updated with information about newly
discovered viruses.

Program errors and closed source software

An intrinsic feature of closed source software is the so-called
end-user license.  This license is, in fact, the commodity sold
by the closed source supplier, and grants the consumer the right
to use the closed source program.  The text of end-user licenses
invariably relieves the supplier of any responsibility for flaws
in the software, while at the same time denying users the right to
correct such flaws themselves.   In other words, users of closed
source software must trust to chance, gambling the safety of their
computers on code they cannot inspect or correct.

Revenue from closed source software is generated through the sale
of new licenses --- an incentive for software manufacturers to
bring newer versions to market, rather than fixing problems in
existing products.  Because the cost of finding and fixing flaws
reduces profit, manufacturers tend to correct only the most crippling
or widely-publicized software flaws.  More often manufacturers are
silent about the errors in their products, or issue corrections in
new software that must be purchased separately.

Open Source and program errors

The majority of Open Source programs are available for free. Open
Source suppliers make money by offering additional services to
users --- for example, by fixing software errors and providing
software guarantees.   Because Open Source software is free to all,
competition between suppliers is encouraged.  This leads to the
evolution of optimal customer service and results in the production
of extra-secure software.

Clients who use Open Source software are not attached to a single
supplier,  in contrast to their closed source counterparts.  Because
the source code of their software is publicly available, clients
using Open Source have the freedom to move to a different supplier
if they so choose.   The open nature of the program code is also an
incentive for Open Source programmers to develop cleaner, error-free
programs - thereby minimizing the potential for exploitation of
Open Source software by viruses. Concealing software weaknesses
is impossible, and indeed pointless, under Open Source, as the
program code is available to the world for inspection and correction.
And when flaws in Open Source software are identified and corrected,
the new, improved versions are also made available to the public.

Closed source and viruses

Speed is our main weapon against viruses, worms and crackers. The
more quickly software vulnerabilities are corrected, the safer we
are against virus attacks.

Vulnerabilities in closed source programs are usually well known
to crackers and virus writers.  However, such vulnerabilities are
seldom corrected by closed source suppliers.  Even if a corrected
version of the software exists, it may not have been received or
installed  by users of the software, leaving their computers open
to infection.  At this point, anti-virus programs step in, but are
only able to provide protection to a specific virus after it has
revealed itself by claiming its first victims.

In other words, anti-virus programs prevent individual viruses from
exploiting a specific software vulnerability,  but do nothing to
correct the vulnerability itself.  For each vulnerability, there
exist many different viruses designed to exploit it, and each one
needs to be specifically identified by anti-virus programs. The
manufacturers of anti-virus programs work hard to keep up, but are
hard pressed  to win the war against new threats.  The suppliers
of closed source software can take months to correct the original
vulnerabilities in their programs, because they do not benefit
from fixing errors in their own software, and are loath to admit
that their programs contain any flaws. Automatic daily updates
create  the impression that software errors are being corrected.
Unfortunately this is not true.

Money and speed are the deciding factors

Open Source suppliers make money by fixing errors in Open Source
software. Due to competition, they are motivated to correct errors
for their clients as soon as possible. Very often, corrected versions
of Open Source software are available within hours after the error
is noticed for the first time. In addition, Open Source suppliers
are able to provide a service whereby the improved version is sent
directly to the client's computer, with the supplier taking full
responsibility for maintaining a high level of security.

For clients using closed source software, the picture is different.
Closed source suppliers lose money by fixing the flaws in their
software, so errors go uncorrected and their clients are driven
to  use anti-virus programs.  Anti-virus programs bring remarkable
additional expenses and a significant loss in work-time, without
eliminating new risks.

Users of Open Source software have immediate access to improved
software.  Closed Source users have to wait a long time to receive
corrections.  Because of this difference in business models, the
threat of viruses to GNU/Linux is unlikely to increase in the future,
despite the number of users exceeding 20 million.

In Helsinki, 03.06.2004 
Santeri Kannisto, Managing Director, SOT.

SOT

SOT provides professional services related to product
development and ICT-infrastructure to grow its customers'
business.  Founded in 1991, the company's core competences
are GNU/Linux and Open Source.  As an established software
house in the ICT arena, SOT counts Finland's leading
companies and public corporations among its current
customers.  SOT's best known products include SOT Linux,
Best Linux and SOT Office.


SOT Media relations
telephone: +358 20 155 2206
fax: +358 20 155 2209
E-mail: PRelations@sot.com



Open Source And Viruses

Posted Jun 4, 2004 16:32 UTC (Fri) by sdalley (subscriber, #18550) [Link]

> Open Source suppliers make money by fixing errors in Open Source
> software.

This ain't necessarily so, at all.

Open Source And Viruses

Posted Jun 4, 2004 16:58 UTC (Fri) by eru (subscriber, #2753) [Link]

One problem in Kannisto's thesis is that it ascribes the spread of all malware to bugs. That is often not so. A lot of it spreads through a combination of social engineering and ill-conceived ease-of-use features (in particular the ease with which attached programs can be launched in you-know-whose email clients). Open source systems are not innately immune to these effects. For example, earlier versions of GNU Emacs contained an insecure feature of this kind, which would have allowed viewing plain text files to propagate a "macro virus"! Fortunately this was fixed many years ago. We can only hope that designers of Linux desktop software manage to avoid these kinds of blunders in the future.

I also think Linux maintainers and distribution makers could do more to improve security with little effort. There are patch sets to the kernel that would make exploiting bugs much harder without any runtime costs even on 32-bit x86 (nonexec stack, randomized address layout, better TCP port and sequence randomization), but the features are not in official kernel and not enabled in most distros by default. Why?

Open Source And Viruses

Posted Jun 4, 2004 17:31 UTC (Fri) by JoeBuck (subscriber, #2330) [Link]

I think that in another year or so, we'll see more features like those you describe in standard kernels. Red Hat already provides most of them. But there's a price to be paid; these techniques tend to break some software.

Open Source And Viruses

Posted Jun 5, 2004 17:52 UTC (Sat) by flewellyn (subscriber, #5047) [Link]

A non-executable stack is basically a guard against buffer overflows. If you have, say, a language that does not allow such, by doing bounds checking, then that problem is eliminated.

Another problem with non-executable stacks is that some languages, like Scheme and Common Lisp, actually need the stack to be executable. Of course, those languages do bounds checking anyway...

Open Source And Viruses

Posted Jun 6, 2004 3:35 UTC (Sun) by eru (subscriber, #2753) [Link]

> A non-executable stack is basically a guard against buffer overflows. If you have, say, a language that does not allow such, by doing bounds checking, then that problem is eliminated.

True but irrelevant. In the real world, most software in use will continue to be written in unsafe languages (and safe languages run in "nocheck" mode, and mixtures of safe languages and unsafe languages) for the foreseeable future. Besides, making a system secure needs "defense in depth": multiple barriers against exploits that are in theory redundant, but in practice aren't, because the implementation of each barrier is not perfect.

> Another problem with non-executable stacks is that some languages, like Scheme and Common Lisp, actually need the stack to be executable. Of course, those languages do bounds checking anyway...

Efficient implementations of those languages (and of Java as well) do indeed generate code on the fly, but that code is placed on the heap, not on stack. An operating system that tries to make data areas non-executable must of course provide some controlled method to convert writable data memory into executable read-only memory, otherwise it cannot support language implementations that use such "just in time" compiling.
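As an added illustration of the point above (not code from the comment or from any project), the following Linux-only C program walks a JIT-style buffer through the controlled transition described: allocated writable but not executable, filled with a constructed byte pattern that is never run, then flipped to read+execute with mprotect(), after which the kernel refuses further stores to it.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example: the W^X life cycle of one JIT page on Linux.  The "code"
 * written into the page is a constructed filler pattern that is never
 * executed, so the demonstration does not depend on the CPU architecture. */

static sigjmp_buf fault_jump;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(fault_jump, 1);   /* unwind out of the faulting store */
}

/* Returns 1 if a store through p raises SIGSEGV, 0 if it succeeds. */
static int store_faults(volatile unsigned char *p) {
    struct sigaction sa, old;
    int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jump, 1) == 0) {
        *p = 0x90;               /* attempt the write */
    } else {
        faulted = 1;             /* landed here via the handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Returns 0 when every step behaves as a non-executable-data policy
 * requires; otherwise the number of the step that misbehaved. */
int wx_lifecycle(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int rc;

    /* 1. allocate the JIT buffer writable, but not executable */
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return 1;

    /* 2. "emit" code: constructed filler, never executed; stores must work */
    memset(buf, 0xCC, page);
    if (store_faults(buf)) { munmap(buf, page); return 2; }

    /* 3. the controlled transition the comment describes: drop write, gain execute */
    if (mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, page);
        return 3;
    }

    /* 4. after the flip the page must no longer accept stores */
    rc = store_faults(buf) ? 0 : 4;
    munmap(buf, page);
    return rc;
}

int main(void) {
    int rc = wx_lifecycle();
    printf("W^X life cycle %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

A return code of 3 means the kernel or a security module refused to grant execute permission to anonymous memory at all, which is the stricter policy some hardened systems apply and the case where JIT-based language runtimes need an explicit exemption.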

Open Source And Viruses

Posted Jun 7, 2004 15:56 UTC (Mon) by Ross (subscriber, #4065) [Link]

Not really related to worms and viruses but why can't Linux's TCP
timestamps be randomized on a per-connection basis so that the system's
uptime isn't visible remotely?

Open Source And Viruses

Posted Jun 10, 2004 1:58 UTC (Thu) by nchip (guest, #13292) [Link]

> ill-conceived ease-of-use features (in particular the ease with which attached programs can be launched in you-know-whose email clients)

I used to believe this was a major reason for virus spreading. Then I saw the first viruses that used password protected zip files for spreading. If you can fool users to open a zip file with a password, you can fool a user to save an .sh attachment and open it with /bin/bash. To fend off viruses for good, we need strong sender authentication. Unfortunately I do not see a way to make using pgp both easy enough for dummies while not compromising security.

Open Source Is Not In Itself the Answer

Posted Jun 4, 2004 20:22 UTC (Fri) by Prototerm (guest, #20227) [Link]

The problem of viruses, trojans, etc. is not a proprietary vs open source issue, but stems from the basic design of Microsoft Windows. As I have previously stated elsewhere:

Windows, IMHO, is inherently insecure, mainly due to design decisions that go to the heart of the operating system. This cannot be corrected without fundamental changes to Windows, which no doubt would break nearly all existing applications. Applications and system services are integrated to operate together on a very low level. In many cases, they have to be in order to work. Notice the recent Microsoft announcement that XP Service Pack 2 will break some applications because of its security enhancements. When a flaw surfaces in one Windows application or service, it can seriously impact the entire system. This is like having repeated unprotected group sex with complete strangers. This goes beyond the question of allowing Outlook to execute code inside an email. The modular structure of Linux discourages this sort of behavior, helping to keep programs from interacting in ways they shouldn't.

It has nothing to do with Open vs Closed, and everything to do with the heritage, and design philosophy, of Linux.

Open Source And Viruses

Posted Jun 5, 2004 4:11 UTC (Sat) by rakoch (guest, #4666) [Link]

Imagine you were a virus writer. What system
would you target? Plan9, Atheos, *BSD, OS/2, Linux or Windows? Of course
it's Windows/Office. Would you even think of attacking the exotic OSes in
the list? One will attack Windows systems because they're widespread and
they all have a similar config. A virus can expect certain stuff to be
present on Windows. That makes it worthwhile (for a malware writer).

The real problem is monoculture. If all Linux systems were equally
configured we may see more attacks on Linux today. The choice of apps
makes it more difficult for virus writers because only a subset of Linux
systems will have any given security hole. But if Linux were to replace
Windows as the dominant system on consumer devices we'll nevertheless see
the same amount of malware as we see now on Windows. In an ideal world
we'd have an ecosystem of many OSes, Office suites and everything that
malware writers like to attack. As in nature, such ecosystems would be
very robust against malware.

There is no reason to lean back and pat our shoulders because we have a
better system. If we do we're in for a surprise if Linux gains more
popularity.

-Rudiger

Open Source And Viruses

Posted Jun 5, 2004 9:34 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

MacOS and Linux generally have the same "market share". Yet there are MacOS virii and practically no Linux virii.

Open Source And Viruses

Posted Jun 5, 2004 10:09 UTC (Sat) by rakoch (guest, #4666) [Link]

A malware writer for Linux has the choice of either relying only on the
presence of a Linux kernel, glibc and bash or going only after the
fraction of target systems that exhibits the hole in question. If, for
instance, you target OpenOffice you don't hit:
- Linux users that do not use any Office on Linux
- Linux users using KOffice, Gnome Office Apps, LyX, LaTeX
or other markup
- Linux users using MS Office via Wine

MacOS installations look pretty uniform compared to this. This is the
point: monocultures. It may be that Linux systems are slightly more
secure than MacOS but if so then the only reason is that Linux users are
generally more tech savvy and security concerned. Distributions targeting
the desktop market may remove security for ease of use. I heard that the
Lindows default user is root, for instance.

-Rudiger

Open Source And Viruses

Posted Jun 5, 2004 11:58 UTC (Sat) by piman (subscriber, #8957) [Link]

> I heard that the Lindows default user is root, for instance.

This has not been the case for over a year; please stop repeating it.

Open Source And Viruses

Posted Jun 5, 2004 13:42 UTC (Sat) by k8to (subscriber, #15413) [Link]

In all fairness, Lindows brought this on themselves with that decision. It was a mistake at many levels, but one of them was PR.

Open Source And Viruses

Posted Jun 6, 2004 6:37 UTC (Sun) by utidjian (subscriber, #444) [Link]

I think one of the major problems with Mac OS X is that the default user or machine owner is a member of group 'admin'. Take almost any given Mac OS X system and the primary user of that machine logs in with 'admin' user permissions. Sure they have the root user account disabled by default... but what use is that when the most common user that logs in has 'admin' user permissions?

The 'admin' user has permissions rwx on /Applications and /Library... stuff gets written to those folders willy-nilly with no questions asked. This permissions arrangement is set by design, for ease-of-use.

There are other security 'holes' in Mac OS X that are by design. The recent security patch (Security Update 2004-05-24) is a partial fix for the Help Viewer. This hole existed in Mac OS X since the beginning and Apple was made aware of the problem three months before the patch came out.

Another problem with Mac OS X is that there is no consistent method for installing and checking the authenticity of software. The only software installer that does PGP checks is SoftwareUpdate.app and only for system and security updates from Apple.

In my opinion, the only reasons Mac OS X has been relatively 'safe' from malware and viruses is that no one has taken an interest in it yet and its relatively low density.

-DU-...etc...

Open Source And Viruses

Posted Jun 10, 2004 2:02 UTC (Thu) by beejaybee (guest, #1581) [Link]

Yet.

My experience is that 90% of Windows users think _they_ are fully protected but that 90% of the others aren't. There's a straightforward explanation for this; it's called denial, and it's just as responsible for the problems Windows has with worms and viruses as the shoddiness of the product.

Fact of the matter is, defensive programming is neither perfect nor universal, even in the open source world. Don't let yourself be lulled into a false sense of security. If you can be hit, experience suggests that sooner or later you will be.

Open Source And Viruses

Posted Jun 5, 2004 10:12 UTC (Sat) by ineiti (subscriber, #13626) [Link]

Hi,
well, the normal comment applies: why are there so many more exploits for
MS-webservers than for Apache? I mean, Apache has a way bigger
market share. There your algebra doesn't match anymore. But yes, normal
windows-systems are just too easily exploitable so that all the Apache- and
other OSS-servers just don't make it up. And when there is really an
exploit and a worm in the wild, usually the OSS-admins are quite quick to
fix it.

I think it's not only MS-desktop-systems that are more widespread, but
also OSS-systems that are administered by more talented people. Add to
that more exploitable bugs in MS-(desktop|server)-systems, and it's clear
who you want to attack...

Anyway, my 2 cents, and yes, my linux-server has been hacked, twice. Once
because I used a weak password and the second time I still don't
know :( But I was quick to fix it ;)

ineiti

Open Source And Viruses

Posted Jun 5, 2004 20:24 UTC (Sat) by vosechu (guest, #20549) [Link]

The reason IIS is easy to hack is manyfold, just like windows. As you pointed out the market audience is not as savvy as the LAMP market.

The point that a lot of people miss (though it was touched on earlier) is that Linux is being hacked, often, and most of the time the hacks are both technical and social problems.

Look at the stanford hack earlier this year (maybe 2 months ago?). The reason it was so easy to hack Stanford was because the Unix boxes weren't updated in ages; this is standard. For a savvy person, an update isn't that hard, for a newbie it's impossible. For a production server it's frowned upon unless you have another that's the exact same hardware to rotate into place.

I can't count the number of Unix boxes I've reinstalled because I made the mistake of updating too often. Just like the windows market it's usually a good idea to wait about a month to see how many machines get broken before updating, but this is extremely difficult to do with Linux's facilities.

Viruses will take hold in Linux/Unix. They started in *nix they will come back. But as someone earlier mentioned there are already fixes in place. The part about Linux that will break viruses is not that it's technically superior, but that it's evolving. Eventually Linux will either move to a microkernel or a super-limited one, or GNU/Mach and GNU/HURD will gain acceptance and become a suitable alternative to GNU/Linux.

Viruses will hit *nix, *nix will evolve. Anyone know if there's a honeypot for viruses yet?

Open Source And Viruses

Posted Jun 7, 2004 16:56 UTC (Mon) by tzafrir (subscriber, #11501) [Link]

Linux distros actually do a good job in providing "minimal" fixes, that almost never break anything.

In addition they provide the tools to make a security upgrade simple enough for the newbie.

Open Source And Viruses

Posted Jun 8, 2004 12:50 UTC (Tue) by thompsot (guest, #12368) [Link]

I agree that having a more standardized setup makes Win/Office a more viable target, but submitting that popularity is the main driver behind Windows' virus woes is simplistic and short-sighted. If it were popularity alone, why haven't Cisco routers been continually overrun by viruses over the last few decades? And why haven't the Unix boxes that have run most of the internet been crippled every few months like Windows systems seem to be? There were a lot of systems connected to the internet before Microsoft's products filled the datacenter, and there were plenty of talented programmers with ill intent around then too. The problem now is simply sloppiness in coding, and the "everything but the kitchen sink" approach, which makes debugging and security checks much more difficult.

Most of the major damage that has been done has not come from the relatively small talented pool of virus creators, by the way, but from less talented people who use parts of their creations to easily break the weak systems out there.

Now for the required analogy:
Let's say there were two separate lines of guys with arms interlinked, blocking my path to some desirable destination behind each line, and I would need to run at them and try to break through to get there. One line was made up of guys who looked like Arnold Schwarzenegger, but the line was longer and there were about 400 different places I could hit, and from lots of angles. The other was made up of skinny little thirteen year old kids, but they were holding onto each other more tightly and there was only one place I could try to break through. I don't care how "popular" the options were relating to the strong line or how many different ways there were to run at the strong line, most people would take the easy way and try to break through the weak line every time, even though it was "less popular". If Microsoft's products were less popular, they might not be the target as much as they are now, but when they did become a target, they would break just as quickly as they do now. The penalty for MS's popularity is against the people using their products, whether few use them or many use them, they will all be affected by the weakness in the product itself.

Popularity has much less to do with it than I keep hearing about. Cisco routers are popular. Unix web servers are popular. They are not crippled three times a year though. They are stronger and harder to crack, so script-kiddies and less talented crackers aren't up to the challenge. And an occasional security alert and some patches being issued is not the same as a system being completely crippled, companies losing millions of dollars in downtime, then some patches being issued, then re-issued to fix the earlier patch, etc. Windows boxes are too sloppily coded and too insecure and that's the bottom line, whether you work at Microsoft or OSDL, it's not hard to recognize that this fact stands on its own, popular or not.

Open Source And Viruses

Posted Jun 6, 2004 14:45 UTC (Sun) by peterretief (guest, #20454) [Link]

Thanks for an interesting article.

I personally feel that closed source development, especially in the field
of software, has failed and the age of open source has arrived!

Peter Retief

Open Source And Viruses

Posted Jun 7, 2004 2:57 UTC (Mon) by huysmans (guest, #14315) [Link]

"... as a result of the Open Source business model."

Open source is nothing but a development philosophy. A company can make use of open source and/or free software in its business strategy, but it's not an economic system in itself.

Too bad even linux companies don't always care enough to make that distinction.

Open Source And Viruses

Posted Jun 7, 2004 7:43 UTC (Mon) by mmarkov (subscriber, #4978) [Link]

> All programs contain such mistakes --- it is impossible to catch and correct every possible flaw in a program.
This is debatable. It depends on the level of complexity. IMO it should be possible to write a MUA, for instance, that is provably bug-free. I mean, whose correctness is verified with formal methods.

Open Source And Viruses

Posted Jun 7, 2004 17:00 UTC (Mon) by tzafrir (subscriber, #11501) [Link]

So far I have heard of none. Please explain why do you think that such a proof cannot have bugs? (How exactly do you formalize all the requirements? That formalization phase is not bug-free).

OTOH qmail has a great track record. Postfix is not so bad either.

Open Source And Viruses

Posted Jun 8, 2004 7:34 UTC (Tue) by Wol (guest, #4433) [Link]

Plus the fact that a "proof of correctness" is a mathematical proof that something is "logically true".

The trouble is that science, the study of the real world, has no concept of a proof of correctness - all it knows is proofs of incorrectness, and by implication "well, it's probably correct because we haven't proved it false".

A proof of correctness, BY DEFINITION, must instantly be worthless immediately you try to apply it to a real-world, or scientific, problem.

Cheers,
Wol

Open Source And Viruses

Posted Jun 10, 2004 13:23 UTC (Thu) by vonbrand (subscriber, #4458) [Link]

The "Windows is vulnerable because there is so much of it, just wait for OSS to get more visibility..." line is quite old by now. It sounds plausible, we even had the fiasco of the "Monoculture is bad" report. But hop over to Securityfocus, and look for reports on worm propagation. Many worms targeted tiny susceptible populations, and created all-around havoc all the same, taking a few hours or even a few minutes to take over essentially the whole population. If OSS was so vulnerable, a major worm outbreak would surely have happened by now. Why don't we hear each month of the wreckage caused by the last Solaris worm (I'm sure there are many Solaris boxes out there, running the exact same software)?

No, I just don't buy this anymore. And security through variety doesn't help either, it just hinders updating and general management.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds