Threat Model

Posted Aug 28, 2008 12:47 UTC (Thu) by skitching (guest, #36856)
Parent article: TALPA strides forward

People have been very scathing about the need for providing traditional Windows-style virus-checking on Linux.

I would certainly agree that "privilege escalation" problems are less common on Linux, and that the correct way to deal with these is through architectural fixes rather than trying to block programs that exploit a flaw. However, it seems (in my uninformed view) that there are a large number of security issues that do not rely on privilege escalation at all.

Case 1: A user visits an evil webpage. That webpage then exploits some browser flaw to drop a .so file on the local system and modify the user's .bashrc file to specify that file in LD_PRELOAD or similar.

Case 2: A user downloads and runs a trojaned "game" of some sort that has been emailed to them. Yes, they shouldn't, but there are more and more "innocent" users of Linux these days.

Even without privilege escalation, an attack of this sort can do significant damage, including:
* sending spam (when that user is logged in)
* capturing user private data

Won't a "virus scanning" solution help here, where the traditional Linux security approach will not?

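The persistence mechanism in Case 1 (a dropped .so referenced from .bashrc via LD_PRELOAD) is narrow enough to check for without a general-purpose scanner. The following is an added example, not code from the thread, from TALPA or from any LWN commenter; it inspects the text of a shell rc file for LD_PRELOAD assignments pointing outside the system library directories. The trusted-prefix list and the sample .bashrc are assumptions.

```python
import re
import shlex

# Constructed sample ~/.bashrc, modelled on Case 1 of the thread (assumption).
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH=$HOME/bin:$PATH
alias ll='ls -l'
export LD_PRELOAD=/home/alice/.cache/.x.so   # dropped by the browser exploit
LD_PRELOAD="/usr/lib/libfakeroot.so"; export LD_PRELOAD
"""

# Matches a shell statement assigning LD_PRELOAD, with or without a leading "export".
LD_PRELOAD_RE = re.compile(r"^\s*(?:export\s+)?LD_PRELOAD=(.*)$")

# Directories a legitimately installed preload library would live in (assumption;
# adjust to the distribution's layout). Anything outside them is reported.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def findings_in_rc(text, home="/home/alice"):
    """Return [(line_no, path)] for every preload library set outside TRUSTED_PREFIXES."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0]          # drop trailing comment (naive, but fine for rc files)
        for stmt in code.split(";"):         # handles 'LD_PRELOAD=...; export LD_PRELOAD'
            m = LD_PRELOAD_RE.match(stmt)
            if not m:
                continue
            try:
                value = " ".join(shlex.split(m.group(1)))   # strip shell quoting
            except ValueError:                               # unbalanced quotes: keep raw text
                value = m.group(1).strip()
            value = value.replace("$HOME", home).replace("~", home)
            for lib in re.split(r"[:\s]+", value):           # LD_PRELOAD is ':' or space separated
                if lib and not lib.startswith(TRUSTED_PREFIXES):
                    findings.append((line_no, lib))
    return findings


def scan_sample():
    return findings_in_rc(SAMPLE_BASHRC)


if __name__ == "__main__":
    for line_no, lib in scan_sample():
        print(f"line {line_no}: LD_PRELOAD points outside system library dirs: {lib}")
```

On a real system the same check would be run over each user's ~/.bashrc, ~/.profile and similar files, and over /etc/ld.so.preload, as a periodic integrity check rather than as content scanning of arbitrary downloads.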

Threat Model

Posted Aug 28, 2008 16:47 UTC (Thu) by bfields (subscriber, #19510)

Case 1: A user visits an evil webpage. That webpage then exploits some browser flaw to drop a .so file on the local system and modify the user's .bashrc file to specify that file in LD_PRELOAD or similar.

Would you rather fix this with a browser patch, or with a scanner that, with great effort, tries to identify a few specific examples of such exploits?

Case 2: A user downloads and runs a trojaned "game" of some sort that has been emailed to them. Yes, they shouldn't, but there are more and more "innocent" users of Linux these days.

Again, do you want to get in the business of cataloging every single trojaned game, or would you rather, say, give users trusted game sources, or better tools for sandboxing the games they run?

"Do both" is one possible answer, but I worry whether the obvious incentives for short-term bandaids may reduce the incentives for longer-term solutions.

Threat Model

Posted Aug 28, 2008 18:07 UTC (Thu) by bronson (subscriber, #4806)

Remember the Sony rootkit. Such a scanner would necessarily be large and very complex... and quite flawed. There's a very good chance that someone would arrange a successful attack against the scanner itself.

Adding more layers of software is unlikely to ever reduce your attack surface.
