
Desktop malware risk gets raised and patched

Posted Feb 26, 2009 16:26 UTC (Thu) by drag (subscriber, #31333)
Parent article: Desktop malware risk gets raised and patched

Thanks for the nod, lwn.

I'd just like to point out for the record that I think this .desktop file hoopla is just a symptom of a larger, major security issue with the Linux desktop:

The issue is caused by the fact that so far security on Linux (and Unix in general) has focused mostly on server and multiuser systems. That is, the focus (besides code quality in applications and external hardening) has been one of isolating and restricting accounts to prevent potentially vulnerable services or user accounts from compromising the security of the entire system. However, on a typical user desktop there is only one user. For example, on my laptop I have all my important stuff in my /home directory. If an attacker attacked my laptop and successfully gained access to my user account then there is no need for them ever to get the root account... they already have all my information, all my passwords stored in the browser, the ability to monitor me and my applications, etc etc.

So on a typical laptop or desktop, what is stored in /home/username is as critical as, or more critical than, what is stored in /etc/shadow.

The modern desktop is becoming more and more internet oriented. Nowadays you have all sorts of programs regularly going on and connecting to online services, streaming media, downloading files, examining images and other data from untrusted sources, etc etc. All in all it's a very complex system, and an always-on desktop system can be dealing with upwards of several gigabytes worth of information every month streaming from all corners of the globe.

And then with the rise of mobile internet devices and similar efforts, like Intel's Moblin or other similar systems, it's going to get more and more intense and more and more automated.

So the likelihood of having an exploitable weakness in one of the dozens of applications that regularly connect to the internet is pretty high. Currently browsers get most of the scrutiny, but every application that gets data from untrusted sources is in the same boat. For example, I have to look up and find specifications for hardware regularly on the internet... so I am downloading and viewing PDFs from links from Google without having any real idea who made them or where they come from. So a vulnerability in Evince would sink me.

So I figure there needs to be some sort of isolation so that programs that go and connect to the internet or are likely to read data from untrusted sources are sandboxed away from the critical areas in my desktop environment... both in terms of files and in terms of what other programs they are allowed to access. I figure something like a 'desktop profile' for SELinux (or a simpler framework) would be key.

But I understand that the problems and incompatibilities that this would cause here are vast... So there may be a much more clever way to do this.

I don't know the proper solution, but I know it's a problem, and if we don't start dealing with it now it's going to be a much bigger problem in 10 years' time or so.

Keep in mind that Microsoft started introducing a scheme like that with Windows XP SP2, where they are using NTFS's alternate data streams feature to store a security context about files that users deal with. So you have files with 'internet zone' vs 'trusted zone' and things like that. And this scheme has been improved and extended somewhat with later updates and Vista (and in the upcoming Windows 7). Of course the security measures that Windows is able to leverage are much weaker than what is potentially available with Linux, but they have the advantage of having something that works where we have nothing.


Desktop malware risk gets raised and patched

Posted Feb 26, 2009 18:36 UTC (Thu) by tshow (subscriber, #6411) [Link]

The problem is that once you've downloaded the file, it automatically gets assigned the same trust level as all of your other files.

Why not take advantage of the multiuser nature of the underlying system? Make any program that can download things (email clients, web browsers, instant messenger programs, IRC clients...) run as a separate user, and save files under that username.

It could be something as simple as your user name with :untrusted appended to it.

It wouldn't be too hard to train Gnome and KDE to know that files from user "username" are normal, but files owned by "username:untrusted" have come from the great wilds beyond the fence and require the user to bless them explicitly before they can be executed. The underlying system doesn't need training at all if the umask is set properly.

It uses the existing infrastructure, and it requires relatively few changes to work. Most of the effort is in the setup; adding a user would require setting up two accounts, one of which (the untrusted account) would be a locked no-login account with no home directory.

From the command line, the user could "bless" files with chown(1), and I suspect the "stupid people get what they deserve" rule applies to someone who opens a terminal and directly invokes a downloaded script without vetting it. For actual executables, you'd be foiled by the lack of group/other execute permission in the umask if you tried to run it.

On the GUI side, all that really needs to be done is the launchers need to check to see if the uid of the file is suspicious (which they ought to be doing anyways...), and if so, bring up an appropriate dialog, that could be one of:

- the file is owned by some other (non-root) user on the system and is effectively executable, do you want to [make & run owned copy] [run] [cancel]

- the file is owned by your untrusted alter-ego, and is not executable, do you want to [take ownership & open] [open], [cancel]

- the file is owned by your untrusted alter-ego, is executable or contains a script, dialog has a big picture of your parents looking stern, [pick up the soap][flee]

It might even be worth saying you simply can't bless executable files owned by your untrusted alter-ego without dropping to the command line and using chown.

The other part of this is that making magic executables with .desktop was a mistake. It wouldn't have been hard to use a "shebang" to make .desktop files legitimately executable through the standard system, at which point they'd even (!) work properly from the command line, and they'd inherit the security mechanisms built around file access. Every alternate path to execution in the system is another possible point of failure for security.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 19:10 UTC (Thu) by drag (subscriber, #31333) [Link]

Well, the nice thing about taking advantage of SELinux (or Smack, or AppArmor, or some desktop-specific LSM layer) is that you can apply the security contexts to applications without having to do extensive rewriting of them or whatnot.

So typically an application is launched when you double click on a file. As long as that application gets launched as a separate process then it's (relatively) easy to isolate that process and restrict its movements. As long as the program behaves itself this should be completely transparent to the end user and would not require any rewrite of the application, barring any bugs. That is, you get the security 'for free' without bugging the user with dialogs or having applications run in an odd manner. This should work with very little impact on the end user and should apply (relatively) easily to most programs.

Now the problems you run into are programs that try to 'optimize' things by launching new instances in threads. Programs like your web browser.

The other way this breaks down is if you have a running program and you go to open up a file through the application file dialog. You can get around this by making the file dialog aware of what is going on and adding a notification to bug the user or something like that. That shouldn't be terrifically difficult for the KDE and Gnome applications, but it would be troublesome for applications that use their own file dialogs (, for example).


The other way to go about it would be trying to take advantage of some of the work going into trying to standardize the anti-virus stuff.

That is, efforts to get on-demand scanning into the kernel, where the kernel can intercept files being accessed and defer to a userland program, which then can allow or disallow the access.

Then you can intercept the program accessing a risky file and pop up a dialog warning the user.

Or you could program that into Nautilus, Konqueror, and the file dialogs to check that stuff.

But I don't like that because it's annoying and will be just another dialog for a user to ignore. They downloaded the file and while it may be risky they still want to find out what is in it... so opening it in an application is the only way they could know what it really is. So you're forcing the end user to make security decisions without allowing them the information they need to make the correct decision. If they make a bad decision and it's a malicious file then it still gets read into a program with full user privileges. So it's a bit of a mess.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 19:28 UTC (Thu) by raven667 (subscriber, #5198) [Link]

What you are looking for is largely implemented using SELinux policies and extended attributes to files that include security tag information. SELinux policies are being pushed into X and used to manage Firefox as well as most of the other network connected software on your system. This has largely already been accomplished; if you are running a reasonably recent copy of Fedora (from the last several years) all this stuff exists and is enabled by default. As long as the applications behave and the policies are right the underlying protection is pretty unobtrusive.

While we stand around and talk about how browser and desktop security should work in the future, others are actually taking care of the problem, and before anyone realizes it has happened it will all be done.
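A quick way to check the claim above on your own machine, as an added example rather than anything from Fedora's policy or tooling: list which processes actually run in a confined SELinux domain and which are still unconfined_t, which is what "the policies are right" comes down to in practice. A process's label is readable from /proc/PID/attr/current; the third colon-separated field of the context is the type (domain). The sample lines in the block are constructed, not real output, and the domain name mozilla_t for Firefox is taken from memory of Fedora's policy and should be treated as an assumption.

```shell
#!/bin/sh
# Added example (not Fedora's tooling or policy): report which processes
# run in a confined SELinux domain. A process's label is the contents of
# /proc/PID/attr/current; the third colon-separated field is the type, and
# unconfined_t means the policy is not restricting that program at all.

# Constructed sample of "pid comm context" lines (not real output). The
# Firefox type mozilla_t is what Fedora's policy uses for the browser,
# an assumption taken from memory.
SAMPLE='1234 firefox unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023
1235 evince unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
1236 pidgin unconfined_u:unconfined_r:unconfined_t:s0
1237 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023'

# label_type CONTEXT -> the type (domain) field of an SELinux context
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# confinement CONTEXT -> "confined" or "unconfined"
confinement() {
    case $(label_type "$1") in
        unconfined_t|'') echo unconfined ;;
        *) echo confined ;;
    esac
}

# audit_labels: reads "pid comm context" lines on stdin and prints
# "comm type confined|unconfined", one line per process
audit_labels() {
    while read -r pid comm ctx; do
        [ -n "$ctx" ] || continue
        echo "$comm $(label_type "$ctx") $(confinement "$ctx")"
    done
}

# count_unconfined: number of unconfined processes among the stdin lines
# (grep -c exits 1 when the count is zero)
count_unconfined() {
    audit_labels | grep -c ' unconfined$'
}

# audit_sample: run the audit over the constructed sample above
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_labels
}

# live_labels: the same "pid comm context" lines for every process on this
# host (needs a kernel with SELinux enabled; empty output otherwise)
live_labels() {
    for d in /proc/[0-9]*; do
        [ -r "$d/attr/current" ] || continue
        ctx=$(tr -d '\0' < "$d/attr/current" 2>/dev/null) || continue
        [ -n "$ctx" ] || continue
        echo "${d#/proc/} $(cat "$d/comm" 2>/dev/null) $ctx"
    done
}

# Live usage:  live_labels | audit_labels | grep ' unconfined$'
```

Run against a live system, every network-facing desktop program that shows up as unconfined_t is one the policy is not protecting at all, whatever the distribution's defaults claim; on the constructed sample that is evince and pidgin.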

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 23:52 UTC (Thu) by drag (subscriber, #31333) [Link]

> While we stand around and talk about how browser and desktop security should work in the future, others are actually taking care of the problem and before anyone realizes it has happened it will all be done.

That's good people are putting work into it.

It's definitely something that needs to be touted then if the work is getting done. It can be a very important selling point for some people... especially corporations that hand laptops out to salespeople and whatnot. Since they are not in their corporate sandbox then there is very little IT people can do to control the environment in which these things run.

Being able to lock down the desktop to secure it without restricting users' ability to use and get the full benefit of the OS environment is a huge thing, and is something you can't get from Windows.

This sort of thing would be a real, obvious, and tangible benefit to switching to Linux.

Desktop malware risk gets raised and patched

Posted Feb 28, 2009 21:33 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]

Fedora has been doing a lot of desktop SELinux work including xguest and lock down of common desktop programs including dbus and browser plugins. A few references:

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds