Mandatory Access Control And Malware
Listening to the virus/malware discussion on LUG Radio’s new (but apparently one-off) show (check it out at lugradio.org, these guys are hilarious) got me thinking about how exposed Linux users are to malware.
Let’s set aside, for the sake of this discussion, the technical attacks[1], as these are relatively easy to handle and Linux operating systems are already pretty well protected against them. The main vector of attack for malware these days is social engineering anyway; this is how Mac OS X users get attacked by malware: you browse a web site, and an image that looks like a blinking dialog box notifies you that your computer has been infected by a virus and prompts you to download this “fix”.
Most of us technically inclined users sneer at this type of “threat”, but most people aren’t technically inclined, and there are enough people out there who will be fooled by this practice time and time again. Click the image and a binary gets downloaded to your computer, and if it is in the correct format it will get executed.
This is where the Linux side of the business starts (and where the “Mandatory Access Control” part of the title comes into play): a binary that you just downloaded and executed cannot just go and do anything. Most Linux operating systems these days (at least the more popular ones) employ some sort of “Mandatory Access Control”, be it SELinux or AppArmor, which means that unless you specifically say, ahead of time, that some program may do something, it can’t. This applies to all access, including access to user files[2].
The thing is, Linux users are already well protected against the vector of “download an executable file and run it”: you have to download the file and save it somewhere you can find[3], then double-click it. At that point a dialog box pops up and tells you that you can’t execute files without the “execute bit”, so you have to open the file properties, go to permissions, figure out what the “execute bit” is and set it, click OK and try to run the file again. That is on Ubuntu; other OSs have an even worse user experience. So you see, no worries there: if a user is gullible enough to download just any file off the internet and try to run it, there’s no way they’re going to be able to do it.
So what’s the problem?
The problem is that if you can target Mac users and get them to download a Mac-specific binary file (vs. a Windows-specific executable for Windows users), then you can just as easily target specific (and popular) Linux distributions by getting their users to download files in the appropriate software installation package format (“.deb” for Ubuntu, Debian and related OSs, “.rpm” for Fedora, SuSE and related OSs). All these operating systems, when you start downloading a file in the appropriate format, helpfully pop up a dialog that allows you to easily type in your password and install the “helpful software” right into your operating system!
Unlike getting a user to just execute a program, which will run with the user’s access level and at worst will trash the user’s files, this procedure lets loose an unverified piece of software onto your operating system with full administrative privileges. With that kind of access, such software can easily install its own “Mandatory Access Control” policy that lets itself do whatever it wants.
And how does your operating system protect you from this vector? Very little, if at all. At least in Ubuntu you get the very detailed “dpkg UI” dialog, which presents a lot of information about the software you are going to install before you click OK (which may also expose you to additional social engineering). Fedora, on the other hand, does very little except show you the file name and allow you to click OK.
At no point is there a warning to help the user decide what the right thing to do is; not that I expect this would do any good: uneducated users are very prone to just click “OK” on any dialog box that pops up without ever reading what it says, let alone considering it.
The Android-style “Mandatory Access Control”, where programs request specific permissions and the user is presented with the list for approval, is not any better: for most users this is just another dialog that they don’t have to read if they just want to click OK.
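To make the privilege jump concrete: a .deb is an `ar` archive whose `control.tar` member may carry maintainer scripts (preinst, postinst, prerm, postrm), and dpkg runs those scripts as root during installation, so whatever the package author put in postinst runs with full administrative privileges the moment the user clicks OK. The following Python script is an added example, not code from this post or from dpkg; it parses a .deb with the standard library alone and lists those scripts so a reviewer can see exactly what would run as root before anything is installed. The sample package it builds in memory (name “helpful-fix”, script contents) is constructed for the example and is not real software.

```python
"""List the maintainer scripts inside a .deb before installing it.

Added example, not code from the post or from dpkg.  A .deb is an `ar`
archive with three members: `debian-binary`, `control.tar.*` and
`data.tar.*`.  The control tarball may carry preinst/postinst/prerm/postrm
scripts, which dpkg runs as root during installation: that is the point at
which a "single click install" hands administrative privileges to whatever
the package author wrote.
"""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def parse_ar(data: bytes) -> dict:
    """Return {member name: bytes} for the ar container used by .deb files."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        # Names are space padded; GNU ar may also append a '/' terminator.
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        body = data[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError("truncated ar member: %s" % name)
        members[name] = body
        pos += 60 + size + (size & 1)  # members are padded to even offsets
    return members


def inspect_deb(data: bytes) -> dict:
    """Summarise what a .deb would do at install time, without installing it."""
    members = parse_ar(data)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unsupported or missing debian-binary member")
    control_name = next((n for n in members if n.startswith("control.tar")), None)
    if control_name is None:
        raise ValueError("no control.tar member")
    report = {"package": None, "maintainer_scripts": {}}
    # mode "r:*" autodetects gzip/bzip2/xz; a .zst control tarball needs a
    # Python whose tarfile has zstd support or an external decompressor.
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tar:
        for info in tar.getmembers():
            if not info.isfile():
                continue
            base = info.name.lstrip("./")
            text = tar.extractfile(info).read().decode("utf-8", errors="replace")
            if base == "control":
                for line in text.splitlines():
                    if line.startswith("Package:"):
                        report["package"] = line.split(":", 1)[1].strip()
            elif base in MAINTAINER_SCRIPTS:
                report["maintainer_scripts"][base] = text
    # Any maintainer script at all means arbitrary code runs as root on install.
    report["runs_code_as_root"] = bool(report["maintainer_scripts"])
    return report


def _tar_gz(entries) -> bytes:
    """Build an in-memory gzip tarball from (name, bytes, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload, mode in entries:
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(payload), mode
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _ar(members) -> bytes:
    """Build an ar archive from (name, bytes) pairs, in the layout dpkg-deb writes."""
    out = bytearray(b"!<arch>\n")
    for name, blob in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(blob):<10}`\n".encode("ascii")
        out += blob + (b"\n" if len(blob) & 1 else b"")
    return bytes(out)


def build_sample_deb() -> bytes:
    """Constructed sample package with a postinst script (not a real upload)."""
    control = (b"Package: helpful-fix\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: constructed <nobody@example.invalid>\n"
               b"Description: constructed sample, not real software\n")
    postinst = (b"#!/bin/sh\n# constructed sample: dpkg would run this as root\n"
                b"echo configuring helpful-fix\n")
    return _ar([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_gz([("control", control, 0o644),
                                    ("postinst", postinst, 0o755)])),
        ("data.tar.gz", _tar_gz([])),
    ])


if __name__ == "__main__":
    summary = inspect_deb(build_sample_deb())
    print("package:", summary["package"])
    for name, body in summary["maintainer_scripts"].items():
        print(f"--- {name} (runs as root at install time) ---\n{body}")
```

Run against a real download by passing the file’s bytes to `inspect_deb`; anything printed under a maintainer script heading is code that the password prompt would authorise to run as root, which is the information the installer dialogs described above do not surface.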
What can be done about it?
Very little, I’m afraid. Linux users are currently around 1~2% of total internet traffic, and as long as it stays this low it is unlikely malware authors will invest the extra effort to target us. But if we want to get more market share, and that means getting more uninformed people to use Linux-based operating systems, then this will change.
I think it’s unhelpful to think that we can educate people to the point that these types of social engineering attacks will fail. If we really want to tackle the problem we have to be proactive about defense, and as they say, “the best defense is a good offense” 🙂
What I propose is that whenever a user tries to install software using the “single click install” procedure, the confirmation dialog should be much more verbose and ask the user, not for their password, but to fill in a simple multiple-choice quiz: choose one of the provided reasons you want to install this software (or click “other” and type your own), plus a couple of other questions like the ones you get when you subscribe to a website (“where did you hear about it” and such). Not something truly drastic, just enough to get the user to think a bit more about what they are about to do.
After the dialog is completed, the system will file all this information, along with the URL from which the software was downloaded, to a central repository on the internet (without any personally identifying information, of course, not even the IP address), and interested individuals can look at these reports and vote on whether the software is valid or malware. Whenever an operating system is about to install a specific piece of software from the internet, it can first look up the target in this database, and if the consensus on the internet is that this is malware, then the operating system can refuse to install it; very similar to the website verification process that Internet Explorer and Mozilla Firefox use.
Advanced users can be spared this process (if they want to), as command line installations will not trigger this behavior, and if you are really so inclined there would be a checkbox in some system settings dialog that says something like “stop harassing me when I install software off the internet”.
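The lookup step of this proposal, sketched in Python as an added example (not code from the post, and no such service exists): the central repository is a constructed in-memory dictionary, a download is identified only by the SHA-256 of its bytes, and a report carries the quiz answers and download URL but nothing about the reporting user. The thresholds (`min_votes`, `agreement`) and the sample packages are assumptions made up for the example.

```python
"""Consensus lookup for the "single click install" proposal.

Added example, not code from the post.  Three parties appear: the client
that files a report after the verbose dialog, the reviewers who vote, and
the installer that asks for a decision before installing.
"""
import hashlib
from collections import Counter

REFUSE, ALLOW, PROMPT = "refuse", "allow", "prompt"


def package_id(package_bytes: bytes) -> str:
    """Identify a download by content hash, never by file name or URL."""
    return hashlib.sha256(package_bytes).hexdigest()


def _entry(db: dict, pid: str) -> dict:
    return db.setdefault(pid, {"reports": [], "votes": []})


def file_report(db: dict, package_bytes: bytes, url: str, reason: str, source: str) -> str:
    """Client side: what the dialog would send.  No user identity, no IP address."""
    pid = package_id(package_bytes)
    _entry(db, pid)["reports"].append({"url": url, "reason": reason, "source": source})
    return pid


def cast_vote(db: dict, pid: str, vote: str) -> None:
    """Reviewer side: an interested individual marks the package valid or malware."""
    if vote not in ("valid", "malware"):
        raise ValueError("vote must be 'valid' or 'malware'")
    _entry(db, pid)["votes"].append(vote)


def decide(db: dict, package_bytes: bytes, min_votes: int = 5, agreement: float = 0.8) -> str:
    """Installer side.  Refuse on a malware consensus, allow on a valid consensus,
    otherwise fall back to the verbose dialog.  An unknown package is never
    silently allowed: absence of reports is not evidence of safety."""
    votes = db.get(package_id(package_bytes), {}).get("votes", [])
    if len(votes) < min_votes:
        return PROMPT
    counts = Counter(votes)
    if counts["malware"] / len(votes) >= agreement:
        return REFUSE
    if counts["valid"] / len(votes) >= agreement:
        return ALLOW
    return PROMPT  # split opinion: let the user see the reports and decide


def build_sample_db():
    """Constructed data: a flagged package, a vouched-for package and an unknown one."""
    db = {}
    bad = b"constructed bytes standing in for a malicious .deb"
    good = b"constructed bytes standing in for a legitimate .deb"
    unknown = b"constructed bytes nobody has reported yet"
    bad_id = file_report(db, bad, "http://example.invalid/fix.deb",
                         "a web page said my computer was infected", "pop-up")
    for _ in range(9):
        cast_vote(db, bad_id, "malware")
    cast_vote(db, bad_id, "valid")  # one dissenting vote does not flip the verdict
    good_id = file_report(db, good, "http://example.invalid/editor.deb",
                          "I want a text editor", "a friend")
    for _ in range(6):
        cast_vote(db, good_id, "valid")
    return db, bad, good, unknown


if __name__ == "__main__":
    db, bad, good, unknown = build_sample_db()
    for label, pkg in (("flagged", bad), ("vouched", good), ("unknown", unknown)):
        print(f"{label:>8}: {decide(db, pkg)}")
```

Two design points worth keeping if anything like this were built: the unknown case falls back to the dialog rather than to ALLOW, because a database of this kind only knows about what has already been reported; and a content-hash key means a package that is rebuilt for every download will never accumulate votes, so the lookup complements the dialog rather than replacing it.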
So this is my proposal. What do you think?
1. Such as buffer overflows and the like.
2. I got bitten by this when I tried to set up a VPN to the office, only to find out that the VPN process is only allowed to read the certificate files from a certain directory in the user’s home.
3. Notably the desktop for most users, but recent UI shells have gotten into the habit of not showing files on the desktop, so there goes that attack vector.
Interesting idea.
Whitelisting is the future!!! With stuff like this http://malwaredoc.com/top-5-data-breaches-2014 it only makes sense..