Is there a simple architectural solution to drive by attacks?

Discussion in 'other security issues & news' started by wearetheborg, Aug 11, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Been learning about drive by attacks on wilders.

    It seems that there should be an OS solution for this. When I browse websites, I don't want the browser to change my system, whether playing videos or entering input into a JavaScript. Period. When I download a file, I am happy to have it downloaded into a special sandbox, and separately retrieve it. Same with bookmarks.

    Is this too hard to do in the OS (windows or linux)? Or even in the browser?

    EDIT: Hmmm this seems like protected mode in Vista/win 7.
     
    Last edited: Aug 11, 2010
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The OS can do it already. It can be set through Access Control Lists / setting integrity level, and through GPedit or the registry yourself (the 1806 trick).

    See (credits to Sully) http://blog.case.edu/bes7/
     
    Last edited: Aug 11, 2010
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343

    Linux has been doing this since it was developed in 1991. Other *nixes have been doing it for much longer.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    standard user + default execution deny, using Software Restriction Policies, AppLocker, Pretty Good Security, Comodo Internet Security, etc.
     
    Last edited: Aug 11, 2010
  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Has it? How can I use those features in Linux? AFAIK, Firefox can download anywhere and run files.
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Uh, Firefox does not have access to anything outside of the user account, so it can't "download anywhere." And if being restricted to the user account is not enough for you, then you can enable AppArmor (a form of a MAC system) that will lock Firefox down to where it can't even do much within the user account.

    Code:
    sudo aa-enforce /etc/apparmor.d/*firefox*
     
  7. wat0114

    wat0114 Guest

    Just one of the many awesome, user friendly ways of configuring things in linux :rolleyes:
     
  8. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Yes, I meant inside the user account; and there malware can steal personal info etc.
    Unfortunately AppArmor seems to be dead, and unavailable in Debian Lenny; so I'm downloading SELinux right now :p
     
  9. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It might be dead in Debian, but it ain't dead as a project. In fact, it is slated to finally be added to the upstream kernel sources at the next kernel release, which means every Linux distro will then have it.
     
  11. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    That's awesome!!
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle, you will finally have your HIPS in Linux!
     
  13. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    AppArmor, SELinux, grsecurity, SMACK, TOMOYO -- none of them are new. It's just that most people have never heard of them and don't want to learn them. AppArmor has been there for years for those who used the right distros. It's just that now all distros will have it built-in. I have tried to explain this to Aigle numerous times before, but he doesn't listen. :(
     
  14. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Who is Aigle? :doubt: :doubt:
     
  15. katio

    katio Guest

    More like Sandboxie, AppLocker and SRP, but not quite. Not at all comparable to HIPS.
    You can "confine" certain risky apps, that is mainly internet-facing services, browsers, PDF viewers (but I've read it can do RBAC and user confinement now too). AppArmor profiles specify which folders and files a program can read, write and execute. A restrictive Firefox profile, for example, would prevent having write and execute permission in the same folder, stopping any kind of dropper attack; now block access to perl, python and the like and you can stop the script attack vector as well. In case something still gets through, it can't do anything to your system because you've only allowed write access to ~/Downloads, tmp and .mozilla/firefox/your.profile.
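    The post above describes AppArmor profiles as path-based allow lists where write and execute are kept apart. The script below is an added illustration, not part of katio's post and not AppArmor's own code: it embeds a constructed, deliberately simplified Firefox-style profile and a toy parser that models only AppArmor's path globbing, permission letters and "deny wins" semantics, so you can ask whether the confined browser could both write and execute at a given path. The home directory (/home/alice), the profile text and the sample paths are all assumptions; the real profile language and enforcement live in apparmor_parser and the kernel LSM.

```python
import re

HOME = "/home/alice"  # assumed home directory used to expand @{HOME}

# Constructed, simplified profile text for illustration only (not a shipped profile).
# Write access is confined to ~/Downloads, the Firefox profile dir and /tmp; none of
# those paths grants execute, and interpreters under /usr/bin are explicitly denied.
PROFILE = """
/usr/lib/firefox/firefox {
  /usr/lib/firefox/** mr,
  /usr/lib/** r,
  /etc/fonts/** r,
  /usr/bin/* rPx,
  deny /usr/bin/perl x,
  deny /usr/bin/python* x,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/.mozilla/firefox/** rw,
  /tmp/** rw,
}
"""


def _glob_to_regex(pattern):
    """Translate an AppArmor-style path glob into an anchored regex.
    '**' spans directory separators, '*' does not (toy subset of the real syntax)."""
    pattern = pattern.replace("@{HOME}", HOME)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        out += "[^/]*" if pattern[i] == "*" else re.escape(pattern[i])
        i += 1
    return re.compile("^" + out + "$")


def parse_profile(text):
    """Return a list of (deny, path_regex, permission_set) tuples.
    Only path rules are handled; profile header, braces and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        if not line or line.endswith("{") or line == "}":
            continue
        tokens = line.split()
        deny = tokens[0] == "deny"
        if deny:
            tokens = tokens[1:]
        if tokens[0] == "owner":
            tokens = tokens[1:]  # ownership qualifier is ignored in this toy model
        path, perms = tokens
        perm_set = set()
        for ch in perms:
            if ch in "rwmlkx":
                perm_set.add(ch)
            # i/P/p/C/c/U/u only say how an exec transitions; they are dropped here
        rules.append((deny, _glob_to_regex(path), perm_set))
    return rules


def allowed(rules, path, perm):
    """True if some allow rule grants `perm` on `path` and no deny rule matches.
    As in AppArmor, an explicit deny overrides any allow."""
    granted = False
    for deny, rx, perms in rules:
        if perm in perms and rx.match(path):
            if deny:
                return False
            granted = True
    return granted


def write_exec_overlap(rules, sample_paths):
    """Report sample paths on which the confined program could both write and execute,
    i.e. where a downloaded dropper could be run from the place it was written."""
    return [p for p in sample_paths
            if allowed(rules, p, "w") and allowed(rules, p, "x")]


if __name__ == "__main__":
    rules = parse_profile(PROFILE)
    checks = [
        ("/home/alice/Downloads/payload.sh", "w"),
        ("/home/alice/Downloads/payload.sh", "x"),
        ("/usr/bin/perl", "x"),
        ("/usr/bin/xdg-open", "x"),
        ("/home/alice/.ssh/id_rsa", "r"),
    ]
    for path, perm in checks:
        print(f"{perm} {path}: {'allowed' if allowed(rules, path, perm) else 'blocked'}")
    print("write+exec overlap:", write_exec_overlap(
        rules, ["/home/alice/Downloads/payload.sh", "/tmp/payload", "/usr/bin/xdg-open"]))
```

    Running it shows the property the post relies on: the browser may write into ~/Downloads or /tmp but cannot execute anything there, interpreter execution is denied even though /usr/bin/* is otherwise executable, and files like ~/.ssh/id_rsa are unreadable because no rule mentions them.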
     
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks katio for the simple explanation. It looks like AppArmor is EXACTLY what I am looking for; it'll stop drive-by attacks dead in their tracks :D
    I really like how specific access is given to specific apps on where they can write/read and execute.

    Can't wait for it to be integrated into the kernel.

    In the meantime, I'll be looking at SELinux. Anyone have any tutorials on how that operates and any tips?

    Is there a corresponding AppArmor-like app for Windows?
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    SELinux is much more complicated and more capable than AppArmor. SELinux is a true MAC system and can also do RBAC as well as MLS (multi-level-security).

    A HIPS would be the closest thing. I don't consider AppArmor like Sandboxie because AppArmor is not a virtualization app.

    The creator of AppArmor gave a talk several years ago illustrating what it can do. You can find it here.
     