Fog Creek Software
Discussion Board




clever worms are here again

Would it be possible for somebody to have software run in a restricted environment such that clever social engineering worm messages can't propagate?

It seems like a losing battle to me to keep saying "upgrade your antivirus software" and "don't run random attachments" when people _don't_ keep antivirus software up to date and _do_ run random attachments.

The most obvious option would be to not allow execution of binaries, but some people would simply save, then execute.  Plus advertising the message as a security update or game makes people want to run it anyway.

The problem is that people just can't be trusted to make smart decisions about what binaries are safe to execute on their machine.

Could a "jail" environment be designed such that worms are so restricted (or obviously flagged as malicious) that serious propagation isn't likely anymore?

Eric Seppanen
Tuesday, March 23, 2004

That's the age-old sandbox problem.

The short answer is: probably not.

I recently switched to SprintPCS for my cell service because their phones could be programmed in Java. I had all kinds of ideas for applets I wanted to write:

(1) An applet to synchronize the phone list in my phone with my Outlook contact list.
(2) An applet so I could easily switch my phone between "modes" that combined ringing and voicemail behavior. So I could tell the phone I was at the gym and it would switch to an outgoing voicemail message saying, "please leave a voicemail, I'll get it within an hour," or I could tell it I was in the subway and the voicemail would say, "I'm in the subway and will get your message within 20 minutes."

Then I started looking intop J2ME and discovered that (a) I did not have access to the phone numbers stored on the phone (b) I did not have access to any of the phone settings such as ringer volume (c) I did not have the ability to make outgoing phone calls (d) I did not have the ability to use the GPS built into the phone to determine my location (e) I did not have the ability to access the phone's built-in camera (f) and on and on.

Basically this reflects Sun's attitude towards sandboxing, which is, err on the side of safety, even if it means your development environment is completely useless. And the same thing will happen to J2ME that happened to applets in the browser: the only thing the sandbox lets you do is write really slow games (Ms PacMan is decent) and the technology is virtually worthless for anything else.

Microsoft's attitude towards sandboxing is quite different -- infinitely more dangerous, but a lot more fun. At the PDC they showed a demo where somebody used a .NET-powered cellphone and about 10 lines of mobile .net code to take a picture, take coordinates with the GPS and convert them to a street address, take a sound recording with some notes and upload the whole thing to a database (the proverbial "insurance adjuster's app"). All stuff you can't do with J2ME even though the phone clearly has the capability to do it.

Now -- the reason I mentioned the age-old sandbox problem goes back to Applets. When Applets first appeared there was a lot of George Gilder talk about how the next word processor would be a big ol' Java Applet. The trouble is that a Java Applet couldn't read or write files on the hard drive. It was in the sandbox. If it wanted persistence, it had to upload the files to some hard drive in the sky. Someone thought it was OK to allow data to persist INSIDE the sandbox, as long as you can't get to data OUTSIDE the sandbox. The trouble is... your data is on the outside. But never mind that. Even in a brave new world in which you have all your data INSIDE the sandbox, well, now you don't have much security do you? Because everything you care about is inside the sandbox. Face it: if you want the ability to run arbitrary code which modifies your pictures, so you can put Bill Clinton's face on Marky Mark's body, you're going to have to have the ability to run arbitrary code which modifies your pictures, and if that code decides to do something bad to your pictures, you lose. Sorry bubby.

Microsoft and Sun are both moving to a "fine grained" security model where you give individual apps fine grained permission to do certain things. Ms. PacMan can read and write files, but only the high score table, and she certainly can't access the Net. You can set up infinitely complex security policies.

As anyone who knows anything about security will tell you, This Is Not Going To Work. The more complicated a security system is, the more likely it is to be misconfigured. Humans can only deal with so much complexity and nobody has time to manage the permissions for all their apps on a fine-grained basis.

So all in all, it seems like a depressing world. That said, there's nothing we do to keep thugs from hitting old ladies over the heads with baseball bats and taking their purses. We can threaten them with punishment and we can lock up thugs, but right now I assure you that if you were determined to hit an old lady over the head with a baseball bat you'd probably succeed. Similarly there's nothing to stop you from driving your car off a cliff. Get in your car, go to a cliff, try to drive off -- nothing will stop you.

People expect the computer world to be so much safer than the real world and they expect it to "protect you from yourself," but it just ain't going to happen, just like car makers are never going to figure out how to make cars that refuse to drive off cliffs and little old ladies will not start wearing hardhats in public. And yet life goes on, so I for one am going to find something else to lose sleep over.

Joel Spolsky
Fog Creek Software
Wednesday, March 24, 2004

You ought to put that one on the JOS site,  Joel.

Fine-grained security won't ever work when even tech-savvy users don't know what half the MS programs do. You could run a dozen worms and a few dozen Al-Qaeeda cells inside svchost and I and most others would be none the wiser.

I followed advice to change the default services settings in W2K in the vain hope it would boot up quicker. I've still got time to father a couple of children while W2K boots up but now my name and email address no longer appear in the form to post to Fog creek in Navigator. No idea what setting caused the problem!

Stephen Jones
Wednesday, March 24, 2004

That second-to-last paragraph is pretty depressing from a counter-terrorism perspective.

Edoc
Wednesday, March 24, 2004

Recently I have developed for a J2ME phone that allows access to the address book.

Also, there is another method of allowing limited sandboxes without requiring user intervention.  Some carriers have certification processes and these can enable selective permissions that do not require end-user intervention.

Scot
Wednesday, March 24, 2004

Except, Scot, that further encourages the phone provider to:
a) potentially certify nothing, because you'll just mess up your phone
b) potentially charge for the privelage of having your app certified
c) potentially charge for the use of their certified apps
d) have one guy who certifies apps and who will generally get back to you within 2 years.
e) Make you visit the office which happens to be 40 miles from you, and is only open when you need to be working for the 'privelage' of messing with your phone

Flamebait Sr.
Wednesday, March 24, 2004

"It seems like a losing battle to me to keep saying "upgrade your antivirus software" and "don't run random attachments" when people _don't_ keep antivirus software up to date and _do_ run random attachments."

What do you do when your immune system fails? You go to your doctor and get some penciline. What do you do when you know that you be attacked by the flu? You go to your doctor to get a vacine. What if the patients don't go to the doctor? The doctor must come to them.

You are the doctor, the antivirus program and the human are the two parts of the immune system of the computer. Like the human immune system this one has flaws which the doctor can cure or vacinate against. Make your own small vira which spread through your system (make sure it doesn't spread any further) and forces the anti virus programs to update automatically - if possible so that the human never sees it - and if the computers already are infected, make vira that attack the infesters (that's your penciline).

Fight fire with fire, become a virus writer. There is nothing bad about that as virus can be used for the good too.

I hope it made sense.

Peter Monsson
Wednesday, March 24, 2004

They tried that with one of the worms, Peter, but it didn't work especially well.

Any virus-to-destroy-other-viruses must necessarily be as virulent as the origional virus and, unless there's destructive payload, cause roughly the same damage to network stability as the origional virus.

Flamebait Sr.
Wednesday, March 24, 2004

I don't think certification is the answer, since the bugs get certified too.

Dan Maas
Wednesday, March 24, 2004

"Humans can only deal with so much complexity and nobody has time to manage the permissions for all their apps on a fine-grained basis."

Yet somehow my sister, who is otherwise lost when it comes to understanding computers, knows perfectly well how to interact with ZoneAlarm or the Norton firewall ("application X is trying to access the internet.  Do you want to allow it?")

This seems to me like a problem where the security policy is getting more complicated, and users don't really have a big problem with it.

If modifying the "run stuff on bootup" keys in the registry, or opening a hundred network connections, or touching certain parts of the filesystem were all things that popped up "do you want to allow this" windows, a lot of worms/viruses would have a lot of trouble propagating or would be severely constrained in their behavior.

A computer that pops up windows every three seconds asking me to approve every system call doesn't sound real useful, but it seems like there's some obvious worm/virus behaviour that could be slowed down by "firewalling" some of the machine away from naive users.

P.S. In fact, I wish there was a way to "firewall" the "run" keys in the registry all the time; I'm tired of software (i.e. realplayer) thinking it needs to plant itself there against my wishes.

Eric Seppanen
Thursday, March 25, 2004

Well, it's not all THAT bad.  This  problem has already been solved (as best it can, IMO) and Scot is on the right track. 

Certifications are the way to go.  Howevever, I'm not how sure how realistic this is to implement over cell phones where air time is money (much more so than data running over a cable).  It's the best compromise between user protection and program utility.

Crimson
Thursday, March 25, 2004

I direct reply to Joel's limited feelings about J2ME/MIDP phones, he might want to try a proper open phone where he can program in non-restricted Java or C++ or whatever.  Symbian phones kick ass!

i like i
Thursday, March 25, 2004

I worked on a significant Java applet-based application to be used by a companies clients. Sandbox restrictions made life difficult, all data had to be uploaded to be stored in the database. However that was not such a problem...because of the following fact and some design decisions.

The fact: A Melbourne, Australia organisation did some research into user expectations of software. They found that users generally tolerate programs that take a moment to save because in their minds "it is doing something". But data retrieval is expected to be instant. So at startup we downloaded the important data for the user. For the entire session after that point data retrieval was instantaneous. Saving took a moment while the data was uploaded to the server.

I think our applet must be one of the few Java applets that made it to commercial use. And it works. For a while we were rolling our upgraded versions fortnightly while we were fixing those bugs you that only come out when you go into production. We placed it on our server, and the users didn't even know that software was upgraded, they didn't have to do a thing. it was wonderful!

We got the best of both worlds - easy deployment of web apps, full-featured GUI of a stand-alone app. OK, OK, there are other restrictions compared to stand-alone apps. But all in all it proved that Java applets CAN be a basis for powerful fully-featured software.


Regarding fine-grained security of Java applets: It has been around for several years now, at least three years. I tried to use it on the same project mentioned above. And I found it unworkable. I agree 100% with Joel on that one.

Herr Herr
Thursday, March 25, 2004

"so you can put Bill Clinton's face on Marky Mark's body"

Am I the only one disturbed by that thought?

Russell Thackston
Thursday, March 25, 2004

PC-Cillin updates itself automatically.

MS needs to start bundling an antivirus with Outlook Express and Outlook.

They have already bought one from GeCAD (a Romanian company), so why not start bundling it?

The antivirus needs to update automatically.

E-mailing requires Internet access, so the antivirus can also update itself!

Darth Vader
Thursday, March 25, 2004

Dear Herr Herr,
                        Microsoft obviously did the same research before they decided on such abominations as Find Fast, or keeping all the office .dll's in memory after you'd closed the program.

                          Users have a lot to answer for!

Stephen Jones
Thursday, March 25, 2004

Clever worms are here again,
Tra la la la laaa, la laa laa laa!

Matt
Thursday, March 25, 2004

If you can work with your computer, worms and viruses can work with it, too. There is no way around it, at least not without a complexity that even experienced admins can't handle correctly.

Today, you usually need two computers to install one - the first which is installed, and the second to create boot disks and provide Internet access to download working drivers and patches for the first. Not to mention complete network environments with servers and infrastructure.

To create a secured environment, you need a dozen computers. Net access, firewall, servers and backup servers, IDS, separated computers for work and gaming/internet, ...

But todays machines are powerful enough to enable the use of machines out-of-the-box.

There are Linux distributions completely running from a single bootable CD, including network, dial in and browsers, not touching the hard disk. Whatever happened in the RAM disk while surfing, shutdown the computer, reboot and anything is gone.

The same distributions allow the making of a complete harddisk image using partimage. Store it safely away, handle the user data by a careful backup strategy including secure checksums and the like, and you can restore the system state if anything is wrong. And remember: Today, there is no such thing as an old-enough-to-delete backup.

How about VMWare or similar virtual machines? Install an Internet PC in a session, take a snapshot of the virtual harddisk's state and start unpatched surfing. After successfully worming the virtual installation down, return to the snapshot and repeat as often as you want. Store the virtual disks safely away first, if you don't trust your ability to handle the snapshots.

How secure do you want to be? How much money and how much time do you want to invest, how much trade-offs do you want to make? How much do you care about the integrity of your data?

Holger
Friday, March 26, 2004

*  Recent Topics

*  Fog Creek Home