Malware Triangle

Discussion in 'Computer Security' started by Richard S. Westmoreland, Nov 19, 2004.

  1. Richard S. Westmoreland

    Ant Guest

    I reckon I've said all that I wanted to say about the issue. This sub-
    thread has gone on long enough, and people are getting tired of it. I
    also don't like the cross-posting, although I read all the groups
    apart from alt.privacy.spyware.

    I understand your position, and I don't fundamentally disagree with
    it. So, as Andrew Wiles said when he thought he had cracked Fermat's
    last theorem, "I think I'll stop here". That reference to prof Wiles
    is irrelevant, I just wanted to use his words. Let's not argue about
    that :)
     
    Ant, Dec 4, 2004
    1. Advertisements

  2. Richard S. Westmoreland

    Roger Wilco Guest

    Broken software does not make the data type it expects to deal with into a "program", it makes the exploit code it doesn't
    expect to deal with into a program. Are you now suggesting that JPEG's are "programs" too because in the end execution
    does happen? The exploit makes the JPEG into a container for the code not expected by the broken software program.
    HTML does not render images either, it has containers for images that are rendered elsewhere, depending on the system,
    and may be placed where the HTML suggests - and this GDI+ threat is an exploit not a designed function.

    The web was created with graphics in mind, executable content was value-added later. Lets not confuse exploit code with
    the fact that HTML is not a programming language. The value-added containers for executable content increase the risk,
    not the HTML itself - and exploit code was not anticipated at all in their implementation.
    He is one of the most learned posters here, but you may as well plonk him 'cause you are incapable of understanding him.
     
    Roger Wilco, Dec 4, 2004
    1. Advertisements

  3. Richard S. Westmoreland

    Roger Wilco Guest

    The subject isn't "programs" here, it is the difference between a "program file" and a file that happens to "contain" a program.
    Programs can be "contained" anywhere, but when they are in a program file they are expected to be recognized by a loader
    or recognized as not needing any of the further translation supplied by a loader. HTML files are not "program files" yet they
    can contain programs. Launching a personal attack against Kurt only goes to show that you are out of ammunition and must
    resort to ad hominem remarks. Why not just admit that he knows more about the subject than you do and be done with it.
     
    Roger Wilco, Dec 4, 2004
  4. On Sat, 4 Dec 2004 15:28:34 -0500, "Roger Wilco"

    This is such a flamable topic, yet the underlying issue - the
    program/data distinction - is crucial to safety. So here goes...
    Exhibit A: All those using C's string copy function as a generic bytes
    mover, and thus all those buffer overruns.

    The point being that computer complexity means there are few who have
    the range of understanding that spans from "big picture" to wires,
    volts and milliseconds. Most work in a narrow band, e.g. bind
    together these black boxes to create a solution, or code this module
    (designed by someone else) using that language's library functions.

    The trend is inescapable, and I found it robbed programming of its
    allure, so I dropped out back in the early '90s. I can see the
    attraction of virus writing; solo work, raw code, not much re-use of
    other ppl's functions other than to abuse them, and simple code-level
    objectives that are self-defined.
    For our purposes (malware theory), what matters is:

    a) Is program material within file "run" when file is "opened"?

    b) If so, is what it can do limited to the scope of that file alone?

    If Yes and No, the file should be considered "program".

    If No and No, the file can be safely considered "data", in terms of
    itself - but knowing that ant file can contain anything, and that
    program files can use the contents of any file for any purpose
    (including loading it into its own memory and running it as code),
    such files may still have malware relevance.

    If Yes and Yes, you may have a safe macro or "text markup" situation,
    but experience shows that sooner or later, sandboxes leak, or devs are
    tempted into facilitating wider effects e.g. by adding a generic
    "shell arbitrary system call" feature etc.

    For this reason, I would prefer *any* sort of macro/scripting to be
    held within separate files that are identifiable as such, and/or to be
    never automatically interpreted when a "data" file is "opened".


    Another detail to avoid getting hung up on, is whether code is
    "really" code, or is script, macro, etc. Usually this is determined
    by whether it is "executed" or "interpreted".

    All code is interpreted, whether it be in hardware such as CPU or
    peripheral device, by software emulation of that hardware, by a
    programming runtime engine, as interpreted as API calls, or by an
    application that parses "document" files in poorly-limited ways.

    Not only that, but interpretation of a file may unwittingly be as
    powerful as a programing engine, i.e. when a genuine data format such
    as JPEG gets to exploit a defective interpreter and thus runs as code.


    If users are to retain control over their computers::

    1) Users must know what they are doing

    2) Computer must limit itself to doing only what it is asked to do

    On (1), it goes about concerptualizing software in such a way the user
    understands it, and the implications of what it does. If software
    does this well, all the user may need to know something they already
    know, e.g. "I want to read a message", "I want to see a list of file
    names", "I want to read a data file", "I want to run a program".

    On (2), it goes about safety WYSIWYG. If the user expects the limited
    risk of listing files, the system should not "run" material within
    those files. If a user expects the low risk of "reading" a file, the
    system should not take the greater risk of running these as programs.

    When (1) fails, e.g. meaningless generic concepts such as "open"
    require additional and quite in-depth knowledge, or when a consumer PC
    is a fully-fledged "network client" requiring sysadmin knowledge, then
    you can expect users to "do dumb things" on a regular basis.

    When (2) fails, it becomes impossible for users to practice "safe
    hex", and effectively, control of their PC is hijacked by anyone with
    the failrly simple tech smarts needed to press a few buttons.

    We currently live with the consequences of (1) and (2) failure.
     
    cquirke (MVP Win9x), Dec 5, 2004
  5. Richard S. Westmoreland

    kurt wismer Guest

    why should i?
    yes, especially when some of us have already established earlier in
    this thread that we are professional programmers...
    micheal is employing an ad hominem attack... he doesn't like the
    message so he attacks the messenger...
     
    kurt wismer, Dec 5, 2004
  6. Richard S. Westmoreland

    kurt wismer Guest

    you say that like 'semantic' is a bad word or something... semantics is
    the study of meaning... ultimately all interesting debates are about
    'meaning'...

    as for it being a game, that's just your guess about the motivation
    behind what's going on here... i guess the idea that people will debate
    until one side gives up or consensus is reached is foreign to you..
    just because there are multiple definitions for program doesn't mean
    everything can be called a program...

    at it's most fundamental level a program is a collection of one or more
    instructions meant to be carried out by the computer... since html has
    tags (labels) instead of instructions, html is not a language for
    making programs - ergo, not a programming language...
     
    kurt wismer, Dec 5, 2004
  7. Richard S. Westmoreland

    kurt wismer Guest

    as a matter of fact...

    i take it you never used lynx... or turned image display off to get
    better performance...
    strange that there aren't more people calling me a troll... i mean, if
    that really were the case you'd think there'd be a lot more people
    saying it...

    if i'm a troll i must be the luckiest troll alive, because somehow i
    manage to avoid the kind of <sarcasm>warm reception</sarcasm> that
    'tracker' (among others) receives...
     
    kurt wismer, Dec 5, 2004
  8. Richard S. Westmoreland

    kurt wismer Guest

    cquirke (MVP Win9x) wrote:
    [snip]
    it would be nice if these evaluated to the same results on all
    systems... unfortunately they don't, so users will have to make these
    determinations on a case by case basis depending not only on the 'data'
    in question, but also on the environment...
    and this can be especially problematic as *all* data 'types' have a
    non-zero probability of triggering the execution of embedded
    (legitimately or otherwise) code when read by some reader or another...

    so the argument could be made to consider all files as programs...

    personally i find that a little extreme...

    [snip]
    the age old (and very sensible) separation of code and data... if only
    we (the human race) had followed that doctrine...
     
    kurt wismer, Dec 5, 2004
  9. Norman L. DeForest, Dec 6, 2004
  10. [alt.privacy.spyware removed, not carried here]

    To indicate the stupidity of Microsoft failing to follow that doctrine....

    If an executable file is dragged and dropped into a document being edited
    by Word and then the part of the document that contains the executable
    and, perhaps, some surrounding text is selected and the selected area is
    dragged to the Windows desktop and dropped there, you now have a scrap
    file with an embedded executable.

    If you do the same thing with a MIDI file as you did with the executable,
    you now have another scrap file with an embedded MIDI file.

    Now comes the stupidity.

    If I double-click on the scrap file with the embedded MIDI file, it is
    opened with Word. If I then double-click on the embedded MIDI file,
    Windows pops up a warning dialogue box and asks me if I really want to
    do something that could pose a danger to the system.

    However, if I double-click on the scrap file with the embedded executable,
    then Windows immediately runs the executable with no warning, prompt,
    request for confirmation or any other safety check whatsoever.

    What's wrong with this picture?
     
    Norman L. DeForest, Dec 6, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.