Best security approach for developers, CS students, etc.

Discussion in 'polls' started by Gullible Jones, Jul 21, 2012.


Which strategy is best for users who must run arbitrary code?

  1. Antivirus software (with or without limited user account, etc.)

    3 vote(s)
    15.8%
  2. HIPS software (as a policy sandbox or otherwise)

    2 vote(s)
    10.5%
  3. Sandboxing software (e.g. Sandboxie, with or without LUA)

    3 vote(s)
    15.8%
  4. Instant rollback software (e.g. Returnil)

    4 vote(s)
    21.1%
  5. Limited account with SRP and/or AppLocker

    0 vote(s)
    0.0%
  6. Other or additional (please specify)

    7 vote(s)
    36.8%
  1. What approach do you consider the best for a Computer Science student, software developer, or other person who must write, compile, and execute arbitrary code on their computer?

    Furthermore, why? And how would you implement this approach? If you are a student, developer, etc. then what has your experience with it been? Please explain after choosing an option.

    Edit: Note that I mean this in terms of protecting the OS from ordinary malware, not protecting it from the consequences of deliberately executing code that does Bad Things. E.g. picking up a rootkit like TDSS would fall within the purview of this; accidentally running a script that deleted C:\Windows\System32 would not.
     
    Last edited by a moderator: Jul 21, 2012
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    If you're talking about keeping your computer safe from other people's code, VMs. Why? It's a fast and easy way to test code to its full extent; have many of them! Alternatively, a dirt cheap laptop or an old hardware test dummy you can just wipe clean after testing.
     
  3. No... I'm talking about running and testing my own code, while keeping my computer safe from ordinary malware. Sorry for the lack of clarity, I'll update the OP.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I run codeblocks in an apparmor profile. If I were to open a console program or something in it, it wouldn't matter. It has a lot of access, since it can use GCC to compile new software, but... can't be helped.

    AppArmor's all it really takes for security.
     
  5. Ugh... Need to clarify again: on Windows. :)

    (Going to be honest - my security setup on Linux usually amounts to Noscript, and as far as I know I've yet to be infected. But I suspect that wouldn't work for Windows at this point.)

    BTW, I'll note that I do very little in the way of surfing dodgy sites, and always from live CDs at that. I'm not particularly worried about drive-by installs, barring trusted sites being compromised... More about other vectors:
    - Plugging in an infected USB stick and getting insta-rooted
    - Opening an infected DOC or PDF file that installs something
    - Getting hit by a self-propagating worm on some wifi network

    I don't aim to make Windows invulnerable, just secure enough that I can use it for ordinary stuff without getting infected. Pr0n, w4r3z, and other risky activities are not on the menu.
     
    Last edited by a moderator: Jul 22, 2012
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    In terms of Windows... run all of your dev tools in Sandboxie I suppose. If you're using Eclipse, for example, set it so Eclipse only has access to your workspace and the few other things it needs.
     
    Wow. That sounds pretty involved, and I find the idea that such measures might be necessary to be a little scary. Have things really gotten that bad on Windows, even for people who know what they're doing? I'll admit to some skepticism, since I haven't seen a whole lot of Wilders members getting obviously infected.

    BTW...

    - I tried Toolwiz Time Freeze briefly. It works, but is a bit of a pain, since it loses my browser history and such on reboot. It seems fairly close to what I want though - provides decent malware protection, lets me save changes to stuff outside my C partition, and doesn't interfere with arbitrary stuff running. That and a UAC limited admin account would work, I think. Main disadvantages are:
    * It makes it annoying to apply Windows updates.
    * Should I choose to start writing my own software, it won't protect my code in the event of infection. (Though really that's the job of the content tracker, isn't it?)

    - Also tried Panda Cloud AV (2.0). I never even got around to setting up the LUA to go with it, because frankly it's terrible - it causes nonstop disk IO, doubles my boot time, and slows Windows 7 to a crawl.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I use Windows as admin all the time, 24/7. I do a LOT of developing or tweaking/hacking/modding. Matter of fact, that's all I do other than surf the web for info regarding projects or an occasional game or movie. I do listen to music, but not often.

    My goal in using my system is exactly what yours is. Perhaps it is why I have been very problem free for such a long time, because I do only certain things.

    Anyway, what I do these days is use Sandboxie. I force my downloads directory into a sandbox. When I view a document, it is started, without my help, in the sandbox. If I want to keep the document, I copy it to my archives. Everything else is usually deleted later.

    I can start an IDE or an application outside of the sandbox because I trust what I have created. If I trust the source for an example project file, then I trust it. If I don't trust it, then I start it sandboxed. It is that simple.

    If I am really paranoid about something, then I might start up a virtual machine, but that is getting more rare for me. Possibly because I am always researching or developing, and go to the same sites much of the time.

    It is my belief, for myself, that I only need to find a method of use that restricts unknowns. And once I find my method, I NEVER deviate from it. I mean that. I NEVER deviate from it.

    Matter of fact, for about a year now, I have been using Chromium 19.0.1071.0 (Developer Build 127006 Windows). No updates. I have been using it plain jane, no extra measures. I have no AV, no FW. I have sandboxie forced on my downloads directory, and I have chromium set to download to one directory and never ask me. I have no pdf plugin, I use foxit.

    In this last year, I have had no issues. I have used my computer a lot though. But I have a system, which I follow very religiously. Don't know if it helps you at all. Maybe you can get an idea or two from this.

    Good luck.

    Sul.
     
  9. Thanks Sully, that post was in fact rather helpful.

    I'm beginning to think that maybe a better approach would be a dual-boot setup - maybe with a shared FAT32 partition. Windows for working on and testing Windows applications, Linux for all other day-to-day stuff.

    (Win7 on Virtualbox, on my Core 2 Duo workstation, would probably be better... But alas Win7 is licensed for one computer and only one. Too bad.)
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Even if it's licensed for one you can probably activate it like 3 or more times without issue.

    I wouldn't recommend a shared partition so much, as you'll lose the UNIX permissions and FAT32 permissions suck.
     
  11. Re Windows 7: I can activate it several times, but only for one machine, which happens not to be a VM.

    Re the shared partition - if I made one, I would not make it large, and definitely not use it for user data.
     
  12. Did some testing with PrivateFirewall... It's no go, completely unusable when compiling stuff, even with learning mode. I think I may end up just using Sandboxie and calling it a day.

    Edit: could still use SRP/LUA, but I don't like the idea of testing my bad code by running it as admin. :p
     
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I think the poll should have offered multiple options to choose at the same time. Imo, the options in the poll form parts of a strong layered security setup. I myself usually go with AV, HIPS, sandboxes, and others.

    But I've voted HIPS anyway.
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    It's always been a battle trying to secure a productive development Windows machine; we simply do not bother anymore.

    If you are really worried about security when developing, using virtual machines dedicated to development is the least hassle option.
    Keep it away from the internet, and don't use it for your daily communications and document purposes.

    Anything that tries to restrict what you are developing, building and testing can get in the way: limited accounts get in the way when your code is designed to run on a server, sandboxing prevents debuggers running, even anti-virus gets in the way when developing your own AV solutions.
    Visual Studio won't run as a limited account for us - creating certain project types requires admin rights. Even if you run your code as a limited user through the debugger, quite often it does not have sufficient permissions to run the app properly, e.g. for on-the-fly modifications to config files, which is needed the first time an encrypted database connection is needed.
    As for developing SharePoint, you need to be logged into a configured server running SharePoint (desktop will not do) as an admin to develop.
    Want to develop WP7 or WP8 apps (because VS2012 does not support WP8 yet)? You need to run a WP7 emulator, which won't run inside virtual machines... so you're going to end up having to have a physical machine for mobile development.
    These are all real problems I have come across with no workarounds.
    Our experience in developing in Windows is to stick to default configurations where possible, to minimise the amount of hassle and head scratching due to Microsoft being useless at documenting developing in non-standard environments.

    Cheers, Nick
     
    Last edited: Jul 25, 2012
  15. To be honest, I've had quite enough of layered security. Been there, done that... Every layer slows the OS down, and Windows 7 is not fast to start with (on my hardware anyway). Three plus layers of security rubbish, including one of the various morbidly obese antiviruses, would render the computer unusable.

    Thanks, insightful post there. I was afraid of getting an answer like that.

    For now I'm trying Sandboxie, so far I like it - very unobtrusive and easy to use. Microsoft ought to hire Ronen Tzur. :thumb:
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Multi layered security, virtual machine inclusive.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unless the code you're working with is for chipsets, video cards, or something similar, I'd use a virtual system. This way you can make the host system as secured as you want by whatever method you prefer and still run anything you want on the virtual system. Most virtual systems also give you the option to save or disregard changes made, so if your code has unexpected results, it's easy to get back to where you started. You also have the benefit of a stable, unchanging starting point.

    Please, no, unless you want to destroy a good application.
     
  18. I think I've found a more general solution to the issue. It involves HIPS software. It goes like this:

    1. Dial the HIPS' security level down as far as you can

    2. Manually set rules for programs that you know to be problematic.

    This is a little more annoying and a lot less comprehensive than access control solutions available on Linux, but it seems to work.

    In my case I'm using PrivateFirewall. I have it set up so it won't give me *any* popups when installing software, running new software from the Explorer shell, etc. - Process Monitoring and Process Detection are both completely disabled. Instead I've set it to:
    - Run known vulnerable or potentially problematic programs as limited
    - Deny those programs the right to spawn other processes through "normal" means
    - Deny a bunch of other things without asking me

    Currently that means I've just set PF to deny all available rules without asking, for my browser and viewer apps. Barring another huge zero-day vulnerability in Windows Explorer, I think this shouldn't be a terrible setup...
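    An added example, not the poster's code or PrivateFirewall's configuration format: a small Python model of the policy described in this post, where unlisted programs are never prompted, only browser and viewer programs get a limited token and a fixed deny list, and the program names, action names and events are all constructed for illustration.

```python
# Toy model (constructed for this example) of the policy above: process
# monitoring off, fixed deny rules only for browser/viewer programs.
from dataclasses import dataclass

# Actions a HIPS typically mediates; these names are this example's own.
HIGH_RISK = frozenset({"spawn_process", "write_startup", "install_driver",
                       "write_system32", "inject_thread"})

@dataclass(frozen=True)
class Rule:
    run_limited: bool   # start the program with a limited (non-admin) token
    deny: frozenset     # actions refused outright, never prompted for

@dataclass(frozen=True)
class Event:
    program: str        # image name of the acting process
    action: str         # what it attempts
    target: str = ""    # child image, file path or registry key

# Only the programs that open untrusted content are listed.
POLICY = {
    "firefox.exe": Rule(run_limited=True, deny=HIGH_RISK),
    "foxitreader.exe": Rule(run_limited=True, deny=HIGH_RISK),
    "winword.exe": Rule(run_limited=True, deny=HIGH_RISK),
}

def token_level(program: str) -> str:
    """'limited' for listed programs, otherwise the caller's own token."""
    rule = POLICY.get(program.lower())
    return "limited" if rule and rule.run_limited else "inherit"

def decide(event: Event) -> str:
    """Return 'allow' or 'deny'; there is no 'ask' because prompts are off."""
    rule = POLICY.get(event.program.lower())
    if rule is None:
        return "allow"  # unlisted program (IDE, compiler, own code): untouched
    return "deny" if event.action in rule.deny else "allow"

# Constructed events: a PDF dropping a payload, a macro adding a Run key,
# a browser doing normal work, an IDE invoking gcc, and your own buggy tool.
EVENTS = [
    Event("foxitreader.exe", "spawn_process", "cmd.exe"),
    Event("winword.exe", "write_startup", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("firefox.exe", "read_file", "bookmarks.html"),
    Event("codeblocks.exe", "spawn_process", "gcc.exe"),
    Event("mytool.exe", "write_system32", r"C:\Windows\System32\x.dll"),
]

def audit(events):
    """Verdict per event; the last one shows what this setup does not cover."""
    return [(e.program, e.action, decide(e)) for e in events]
```

    The last event is the trade-off the OP accepted earlier in the thread: with process monitoring off, your own code runs unrestricted, so the policy only covers what the listed document and browser programs can do.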
     
  19. guest

    guest Guest