Full Disclosure mailing list archives
Re: Support the Sasser-author fund started
From: Ondrej Krajicek <krajicek () ics muni cz>
Date: Mon, 17 May 2004 13:33:44 +0200
> I run anti-virus software on my servers... to sluff away the moronic Windows viruses that clog up my email account. Anti-virus monitors are a built-in performance drag on the OS. Microsoft says, "hey, when we benchmark against samba, we're almost as fast, and in this special case, we're faster". Add on the required anti-virus program monitoring packets in and out and watch your performance drop, as that eliminates the whole concept behind DMA: now you have to route all data through the host CPU anyway. Pretty soon, we'll need AV signature engines encoded in the data bus of Windows machines in silicon. I wouldn't be surprised if Intel or AMD had a skunkworks project on this very problem. M$ is going to hit a performance wall pretty hard otherwise.
IMHO the data are routed through the host CPU anyway; DMA is not clever enough to locate the proper file in the proper filesystem on the proper volume and pass it to the proper network card. You're right that the CPU does not have to process every single bit of each (?) file. But this could be solved by using a more advanced bus architecture (PCI-X or even something faster) and adding more CPU. A dedicated anti-virus chip is a thing which I hope is not going to happen. Virus prevention solutions are useless when you have careless or undereducated users. I've seen a secretary who was told not to open attachments in e-mails in Outlook. When she got another tremendous birthday card from god-knows-who she obeyed, saved the attachment to the desktop and then opened it.
> What other vendors have done is to disable services by default, separate code privileges by user, run code in various levels of restricted privileges from limited access to the filesystem (chroot jails) to limited access to generic capabilities (POSIX 1e), and even just making simple distinctions like what code is data and what code is executable... They've supposedly got a microkernel design in the flagship NT OSs. This should be wonderful from a security standpoint, but in reality, has it helped them? Why did so many processes require system level access? Why are _parsers_ (ASN.1) running with system level access at all? OpenSSH learned its lesson on that, and every other major unix-style daemon has learned how to drop privileges and run non-privilege-requiring code in users and processes with restricted and dropped privileges. Why is M$ so late to the market with even this?
Well, it's worth another discussion whether the NT kernel is really a microkernel. It's not a classical monolith, but still far from Mach. In design, it's rather comparable to the Linux modular kernel (yes, I know that NT was first out there). The whole thing with security is that the Windows OS is so complex that a whole bunch of decisions are made for simplicity's sake, _alas_. No wonder that today, after more than ten years of Windows development, they still lack fundamental management and monitoring capabilities (for instance). Because of the clever idea that some space must be left to third parties to earn some extra bucks. Do they?
> An accountant I know got Blaster from connecting to MSN's registration service after a fresh XP install. Why was the registration service on Internet-routable IPs? Why can't one get updates via a M$ dialup BBS system? Why is the MSN installation and registration system forcing people to get exploited when they haven't even finished their registration?
This would be too expensive for the end user (not mentioning the speed of BBS and the last-mile dial-up connections). Instead, there could be some locked-down default internet connection set up, which allows the user to connect to Windows Update and _ONLY_ to Windows Update, throwing away all traffic from the rest of the world. Also, another problem is maintaining security in older versions of Windows. Microsoft is slowly pushing implementations of lacking security features (such as a usable firewall, etc.). But what to do when you really must maintain security even for Windows98 boxes? We'd better have run away screaming when Microsoft introduced the concept of Windows95...

Ondra

+>>>-----------------------------------------------------------------+
|Ondrej Krajicek                                                (-KO|
|Institute of Computer Science, Masaryk University Brno, CR          |
|http://isildur.ics.muni.cz/~ondra              krajicek () ics muni cz|
+--------------------------------------------------------------------+
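The privilege-dropping pattern the quoted poster credits OpenSSH and other unix daemons with (do the privileged setup as root, then permanently become an unprivileged user before touching untrusted input) is shown here as an added example in C; it is not code from this thread or from any of the daemons mentioned. It assumes a Linux/POSIX host. The fallback uid/gid 65534 is a constructed placeholder for a "nobody"-style account; a non-root caller simply "drops" to its own identity so the sequence can be exercised without root.

```c
#define _DEFAULT_SOURCE 1   /* expose setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pick the identity to drop to. As root, use an unprivileged uid/gid
   (65534 is a constructed placeholder for a "nobody"-style account).
   As an ordinary user the only legal target is ourselves. */
void choose_unprivileged_identity(uid_t *uid, gid_t *gid) {
    if (geteuid() == 0) {
        *uid = 65534;
        *gid = 65534;
    } else {
        *uid = getuid();
        *gid = getgid();
    }
}

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
   Order matters: supplementary groups first (requires root), then the
   gid, and the uid last, because once the uid is unprivileged the
   earlier two calls would be refused. The final checks confirm the
   drop is real: ids match and, for a non-root target, root cannot be
   regained (the saved set-user-id was cleared as well). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop incomplete: ids do not match\n");
        return -1;
    }
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop incomplete: root regained\n");
        return -1;
    }
    return 0;
}

/* 1 if the process currently holds exactly uid/gid (real and effective). */
int running_as(uid_t uid, gid_t gid) {
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Whole sequence in one call: returns 1 when the drop succeeded and was
   verified, 0 otherwise. Untrusted input (network parsing, etc.) would
   be handled only after this returns 1. */
int demo_drop(void) {
    uid_t uid;
    gid_t gid;
    choose_unprivileged_identity(&uid, &gid);
    if (drop_privileges(uid, gid) != 0)
        return 0;
    return running_as(uid, gid);
}

int main(void) {
    if (demo_drop()) {
        printf("now running as uid=%u gid=%u, root not regainable\n",
               (unsigned)geteuid(), (unsigned)getegid());
        return 0;
    }
    return 1;
}
```

The point of the trailing `setuid(0)` probe is that a partial drop (for example `seteuid()` alone, which leaves the saved set-user-id at 0) would let an exploited process switch back to root; a daemon that skips that check can believe it has dropped privileges when it has not.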