Secure Coding mailing list archives

Re: Hypothetical design question


From: "Paco Hope" <bhope () cigital com>
Date: Wed, 28 Jan 2004 03:07:37 +0000

On 1/27/04 4:38 PM, "Kenneth R. van Wyk" <[EMAIL PROTECTED]> wrote:
Can it be done?  What sort of design features would you put into the
application to help prevent the system from being used to propagate viruses
-- e.g., compartmentalizing or sandboxing the execution of attachments such
that they have no network or file resources?  What sort of design/feature
trade-offs would you think need to be made?

I don't think this represents a valid approach to the problem. That is, the
problem is not with the email client but with the environment in which the
launched applications execute. This is a problem with the operating system
that runs the mail client, not the client itself. While you could create
some sort of sandboxing technology inside the email client, that strikes me
as bad design, i.e., that sort of functionality doesn't belong in an email
client. Thus, any solution you would come up with would work as well with
Microsoft Outbreak as with any other client.

One feature that is abused a lot by viruses is the email automation API.
That is, the ability to read the address book and programmatically send
messages. This is a vital API, though, for Windows programs to be able to
send legitimate mail. It's like having /usr/bin/sendmail available to unix
programs that want to originate mail.

There's always the brute-force way like personal firewalls. MacOS X's
keychain works a bit this way, too: Identify the program that is trying to
use the email API and let the user choose a level and duration of access.
Potentially remember her choice. I know that's what everyone wants in
Windows: one more irritating, useless dialog box that no one will read and
that has far-reaching consequences that the users never understand.

Outlook has sorta covered this already. It already prompts you when
something tries to access the address book. Wrapping the outbound mail APIs
in similar functionality doesn't do much. It means that virus writers will
start connecting straight to port 25 on mail servers. Direct connections
outbound to port 25 get picked up by personal firewalls. That doesn't belong
in an email client.

I hate to be all curmudgeonly about it, but my outlook on the whole thing is
bleak. It's the OS that's broken, not the email client. Email is just a
vector for getting attack code in that is ultimately attacking the OS. You
can make the email client more resistant, but it doesn't address the real
problem. If email isn't the easiest way to get attack code in, they'll find
another way (maybe go back to macro viruses).

Paco
-- 
Paco Hope
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.404.5769
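As an added illustration (not code from the original post or from Cigital), here is the keychain-style gate Paco sketches for a mail-automation API, with a per-program access level and duration that is remembered, alongside the personal-firewall check that catches the bypass he predicts (a program talking to port 25 directly). All names (MailApiGate, AccessLevel, flag_direct_smtp, the log format) are hypothetical, and the user's prompt answer is passed in as a callable so the code runs offline.

```python
from dataclasses import dataclass
from enum import IntEnum

class AccessLevel(IntEnum):
    NONE = 0          # deny everything
    ADDRESS_BOOK = 1  # may read the address book only
    SEND = 2          # may read the address book and send mail

@dataclass
class Grant:
    level: AccessLevel
    expires_at: float  # seconds; float('inf') means "remember forever"

class MailApiGate:
    """Per-program grants keyed by program identity (a path here; a real
    implementation would key on a code signature or hash, not a name)."""
    def __init__(self, prompt):
        self.prompt = prompt   # callable(program, op) -> (AccessLevel, duration_s)
        self.grants = {}

    def check(self, program, op, now):
        """Return True if `program` may perform `op` ('address_book' or 'send').
        Prompts only when there is no grant or the remembered one expired."""
        needed = AccessLevel.SEND if op == "send" else AccessLevel.ADDRESS_BOOK
        grant = self.grants.get(program)
        if grant is None or now >= grant.expires_at:
            level, duration = self.prompt(program, op)
            grant = Grant(level, now + duration)
            self.grants[program] = grant
        return grant.level >= needed

# Hypothetical allow-list of programs expected to speak SMTP themselves.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

def flag_direct_smtp(conn_log):
    """Personal-firewall style check: list programs that open an outbound
    connection to port 25 without being a known mail client.
    Each log line is 'program,dst_ip,dst_port' (constructed format)."""
    flagged = []
    for line in conn_log.strip().splitlines():
        program, _dst_ip, port = line.split(",")
        if int(port) == 25 and program not in MAIL_CLIENTS:
            flagged.append(program)
    return flagged

# Constructed sample log: the mail client is fine, 'greeting.exe' is not.
SAMPLE_LOG = """outlook.exe,192.0.2.10,25
greeting.exe,192.0.2.10,25
browser.exe,192.0.2.20,443
"""
```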


