Secure Coding mailing list archives
Re: Hypothetical design question
From: "Paco Hope" <bhope () cigital com>
Date: Wed, 28 Jan 2004 03:07:37 +0000
On 1/27/04 4:38 PM, "Kenneth R. van Wyk" <[EMAIL PROTECTED]> wrote:
Can it be done? What sort of design features would you put into the application to help prevent the system from being used to propagate viruses -- e.g., compartmentalizing or sandboxing the execution of attachments such that they have no network or file resources? What sort of design/feature trade-offs would you think need to be made?
I don't think this represents a valid approach to the problem. That is, the problem is not with the email client but with the environment in which the launched applications execute. This is a problem with the operating system that runs the mail client, not the client itself. While you could create some sort of sandboxing technology inside the email client, that strikes me as bad design. I.e., that sort of functionality doesn't belong in an email client. Thus, any solution you would come up with would work as well with Microsoft Outbreak as with any other client.

One feature that is abused a lot by viruses is the email automation API. That is, the ability to read the address book and programmatically send messages. This is a vital API, though, for Windows programs to be able to send legitimate mail. It's like having /usr/bin/sendmail available to unix programs that want to originate mail.

There's always the brute-force way like personal firewalls. MacOS X's keychain works a bit this way, too: identify the program that is trying to use the email API and let the user choose a level and duration of access. Potentially remember her choice. I know that's what everyone wants in Windows: one more irritating, useless dialog box that no one will read and that has far-reaching consequences that the users never understand.

Outlook has sorta covered this already. It already prompts you when something tries to access the address book. Wrapping the outbound mail APIs in similar functionality doesn't do much. It means that virus writers will start connecting straight to port 25 on mail servers. Direct connections outbound to port 25 get picked up by personal firewalls. That doesn't belong in an email client.

I hate to be all curmudgeonly about it, but my outlook on the whole thing is bleak. It's the OS that's broken, not the email client. Email is just a vector for getting attack code in that is ultimately attacking the OS.
You can make the email client more resistant, but it doesn't address the real problem. If email isn't the easiest way to get attack code in, they'll find another way (maybe go back to macro viruses).

Paco

--
Paco Hope
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.404.5769
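The per-program access grant Paco sketches above (identify the calling program, let the user pick a level and duration of access, remember the choice) as a small added example in Python. It is not code from the thread or from any mail client; the caller identifier string, the Level names and the ask_user callback are assumptions made for this example.

```python
from __future__ import annotations
import time
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Access levels for a hypothetical mail-automation API (names assumed).
    Ordered so that a higher grant implies the lower ones."""
    NONE = 0        # no access at all
    READ_BOOK = 1   # may read the address book
    SEND = 2        # may also originate messages


@dataclass
class Grant:
    level: Level
    expires_at: float   # epoch seconds; float("inf") means "always"


class MailApiBroker:
    """Gate every API call on the caller's identity and remember the user's
    decision (level + duration) per program, so a remembered denial is as
    sticky as a remembered grant until it expires."""

    def __init__(self, ask_user, now=time.time):
        # ask_user(caller_id, wanted) -> (Level, seconds or None for "always")
        self.ask_user = ask_user
        self.now = now
        self.grants: dict[str, Grant] = {}
        self.audit: list[tuple[str, str, bool]] = []   # (caller, op, allowed)

    def _current(self, caller_id: str) -> Grant | None:
        g = self.grants.get(caller_id)
        if g is None or g.expires_at <= self.now():
            self.grants.pop(caller_id, None)   # drop an expired decision
            return None
        return g

    def authorize(self, caller_id: str, wanted: Level) -> bool:
        """Return True if caller_id may perform an operation at `wanted`.
        caller_id is whatever the OS identifies the program by (assumed)."""
        g = self._current(caller_id)
        if g is None:
            level, seconds = self.ask_user(caller_id, wanted)
            exp = float("inf") if seconds is None else self.now() + seconds
            g = self.grants[caller_id] = Grant(level, exp)
        ok = g.level >= wanted
        self.audit.append((caller_id, wanted.name, ok))   # log denials too
        return ok
```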
Current thread:
- Hypothetical design question Kenneth R. van Wyk (Jan 27)
- Re: Hypothetical design question Paco Hope (Jan 27)
- Re: Hypothetical design question Andreas Saurwein (Jan 28)
- RE: Hypothetical design question Dave Paris (Jan 28)
- RE: Hypothetical design question Andreas Saurwein (Jan 28)
- RE: Hypothetical design question Dave Paris (Jan 28)
- RE: Hypothetical design question Michael S Hines (Jan 28)
- Re: Hypothetical design question Kenneth R. van Wyk (Jan 29)
- Re: Hypothetical design question Andreas Saurwein (Jan 28)
- Re: Hypothetical design question Paco Hope (Jan 27)
- Re: Hypothetical design question Paco Hope (Jan 28)
- Re: Hypothetical design question Dave Aronson (Jan 28)
- Re: Hypothetical design question Andreas Saurwein (Jan 28)