davidf@cs.hw.ac.uk (David J Ferbrache) (12/12/90)
In reply to Jan Zawadzki's note on necessary knowledge for a UNIX virus writer I would like to make a few comments.

Firstly, UNIX viruses have been reported dating back to Fred Cohen's early work in November 1983. This virus was reported (in Cohen's paper on Computer viruses: theory and experiments) as taking 8 hours to write, infecting in 5 seconds and consisting of 200 lines of C code. A number of other UNIX viruses have been reported to me in private communications dating back to 1987.

While UNIX does provide an environment with hardware (and kernel) support for memory management and process segregation, it does not provide a sufficiently strict security model to prevent viral code propagation. Specifically the discretionary access controls (DACs) incorporated into standard UNIX are specified at the option of the user, and include the concept of a process run by the user inheriting his full privileges (excluding the setuid, setgid concept for the moment). Thus a virus need only be embedded within a useful utility program uploaded to a public area to achieve rapid spread throughout the UNIX filesystem. In Cohen's case the "vd" utility was infected and then uploaded to a public system area. A number of system administrators then decided to "try" the program, at which point the virus inherited the full permissions of the administrator and could infect any files within the system, irrespective of DAC permissions set by the owner (root users on UNIX bypass all file system protection attributes).

A virus can also gain full system privileges through incremental penetration of the privilege levels. Specifically a "root" (privileged) user who runs a program under a lower privilege usercode (using substitute user "su") will then infect all files in the directory of the low privilege usercode. If at some future time he is again in this directory, he may invoke an infected program accidentally with full root privileges.
Thus a virus can incrementally penetrate the security of DAC UNIX.

It is also worth noting that a significant number of documented security loopholes exist within versions of UNIX. In a number of installations these holes may not be patched, and if exploited may provide a rapid channel for the acquisition of root privileges (examples are the fingerd and sendmail bugs, "features?", in 4.3 BSD UNIX exploited by the Internet worm).

With regard to higher security systems certified under the NCSC TCSEC criteria, virus propagation is not inhibited (again as indicated by Cohen) under the Bell LaPadula model, which is the basis of the TCSEC mandatory access control (MAC) model. Thus a virus, if run by a low clearance user, may propagate to executable files at the top secret level and strictest compartmentalisation. Indeed under MAC-only security models, virus propagation may be potentially more rapid. The model will however inhibit virus propagation to lower security levels. Thus a virus in a "CONFIDENTIAL" program will never infect an "UNCLASSIFIED" program but will infect a "TOP SECRET" program. The Biba extensions to the Bell LaPadula model specifically address the concept of hierarchies of program integrities, and would inhibit virus propagation to high integrity (critical) executables.

Additional attacks are based on the "Trojan mule" attack of emulating a login session, which is not addressed until levels B-2 and B-3 in the TCSEC, with a view to acquiring valid user names and passwords; and on the exploitation of incorrect permissions on special files (such as the physical and kernel memory image files /dev/mem and /dev/kmem). Once a virus is active, DACs will not inhibit the compromise of data. Within the TCSEC MAC structure viruses can compromise data by covert channel techniques at a rate of 0.1 bit per second without being subject to auditing at class B-2 for storage channels, and termination at class B-3.
Just a few scribblings; basically UNIX viruses are not impossible, and with careless users or administrators will spread rapidly. The distributed trust features in the Berkeley "r" protocols will even permit rapid spread across local area networks using distributed trust (Cliff Stoll's ivy on a great oak tree).

In summary therefore:

1. Viruses in UNIX are possible
2. Viruses embedded in useful utilities will propagate rapidly under DACs
3. Viruses will propagate to higher security levels and stricter compartments under Bell LaPadula MACs
4. A number of known bugs in UNIX permit rapid acquisition of root privilege
5. Viruses may freely compromise data in DAC systems (class C1, C2) by overt channels
6. Viruses may freely compromise data in MAC systems (class B1) by covert channels

Please don't assume that because the hardware and OS kernel support a limited virtual machine with memory and process segregation that virus spread is impossible. It isn't. It just requires a little more time!

------------------------------------------------------------------------------
Dave Ferbrache                            Internet   <davidf@cs.hw.ac.uk>
Dept of computer science                  Janet      <davidf@uk.ac.hw.cs>
Heriot-Watt University                    UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone  +44 31-225-6465 ext 538
Edinburgh, United Kingdom                 Facsimile  +44 31-220-4277
EH1 2HJ                                   Cellular   +44 831-223120
------------------------------------------------------------------------------
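The access-control arguments in the post above (DAC with root bypass, Bell LaPadula's "no write down", and the Biba integrity extension) can be checked against a small label-lattice model. The following is an added example written for this page, not code from Ferbrache or from Cohen's paper; the users, file names, secrecy levels and integrity levels are all constructed for illustration. It computes, as a fixed point over "user runs program" events, which executables an already-infected program could write to under each policy, and reproduces the post's claims: reach under DAC depends on who "tries" the program, BLP stops spread to UNCLASSIFIED but not to TOP SECRET, and Biba shields high-integrity executables.

```python
"""Added example (not from the original post): a toy label-lattice model of
where an infected executable can write under UNIX DAC, Bell LaPadula MAC and
the Biba integrity extension. All names, levels and files are constructed."""
from dataclasses import dataclass

# Hierarchical secrecy levels (constructed); a higher index is more secret.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# Integrity levels for the Biba extension (constructed); a higher index is more trusted.
INTEGRITY = ["LOW", "MEDIUM", "HIGH"]


@dataclass
class Exe:
    name: str
    owner: str
    world_writable: bool
    level: str          # BLP secrecy label of the file
    integrity: str      # Biba integrity label of the file
    infected: bool = False


@dataclass
class Subject:
    user: str
    clearance: str      # BLP level the session runs at
    integrity: str      # Biba integrity of the session


def dac_allows_write(s, f):
    # Standard UNIX DAC: root bypasses the permission bits entirely; otherwise
    # the owner may write, as may anyone if the file is world-writable.
    return s.user == "root" or s.user == f.owner or f.world_writable


def blp_allows_write(s, f):
    # Bell LaPadula *-property: write only to objects whose secrecy level
    # dominates the subject's level ("no write down").
    return LEVELS.index(f.level) >= LEVELS.index(s.clearance)


def biba_allows_write(s, f):
    # Biba strict integrity: write only to objects at or below the subject's
    # integrity ("no write up" in the integrity lattice).
    return INTEGRITY.index(f.integrity) <= INTEGRITY.index(s.integrity)


def propagate(files, runs, policies):
    """Iterate the (subject, executable) run events to a fixed point. Running an
    infected executable infects every file that all active policies allow the
    running subject to write. Returns the sorted names of infected files."""
    changed = True
    while changed:
        changed = False
        for subj, exe_name in runs:
            if not files[exe_name].infected:
                continue
            for f in files.values():
                if not f.infected and all(p(subj, f) for p in policies):
                    f.infected = True
                    changed = True
    return sorted(f.name for f in files.values() if f.infected)


def sample_files():
    # Constructed system: "vd" is the infected utility from Cohen's anecdote.
    return {e.name: e for e in [
        Exe("vd", owner="alice", world_writable=False, level="CONFIDENTIAL", integrity="LOW", infected=True),
        Exe("notes", owner="bob", world_writable=False, level="UNCLASSIFIED", integrity="LOW"),
        Exe("report", owner="bob", world_writable=False, level="SECRET", integrity="MEDIUM"),
        Exe("login", owner="root", world_writable=False, level="TOP SECRET", integrity="HIGH"),
        Exe("scratch", owner="carol", world_writable=True, level="CONFIDENTIAL", integrity="LOW"),
    ]}


def dac_spread(runner):
    """Summary point 2: under DAC the reach depends on who runs the utility."""
    return propagate(sample_files(), [(Subject(runner, "TOP SECRET", "HIGH"), "vd")], [dac_allows_write])


def incremental_penetration():
    """The su scenario: root runs vd as bob, later runs bob's (now infected) report as root."""
    runs = [(Subject("bob", "TOP SECRET", "HIGH"), "vd"), (Subject("root", "TOP SECRET", "HIGH"), "report")]
    return propagate(sample_files(), runs, [dac_allows_write])


def mac_spread(with_biba):
    """Summary point 3: a CONFIDENTIAL, low-integrity session runs vd under BLP, optionally plus Biba."""
    subj = Subject("bob", clearance="CONFIDENTIAL", integrity="LOW")
    policies = [blp_allows_write] + ([biba_allows_write] if with_biba else [])
    return propagate(sample_files(), [(subj, "vd")], policies)


if __name__ == "__main__":
    print("DAC, bob tries vd:        ", dac_spread("bob"))
    print("DAC, root tries vd:       ", dac_spread("root"))
    print("DAC, su then root later:  ", incremental_penetration())
    print("BLP only:                 ", mac_spread(with_biba=False))
    print("BLP + Biba:               ", mac_spread(with_biba=True))
```

The model deliberately ignores read access and covert channels (the post's points 5 and 6); it only answers the write-reachability question, which is what the propagation claims rest on. Note how `notes` (UNCLASSIFIED) stays clean under BLP while `login` (TOP SECRET) does not, and how adding Biba leaves both `report` and `login` untouched because the session runs at LOW integrity.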
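The incremental-penetration scenario in the post (a root user who later, from a low-privilege account's directory, accidentally invokes an infected program) is in practice a question of what the search PATH contains and who can write to it. The following is an added defender's audit, not code from the post or from any UNIX vendor; the finding strings and the pure-function split are my own design so the checks can be exercised on constructed mode bits without touching a real filesystem. It flags relative or current-directory PATH entries, directories writable by group or others, directories not owned by root, and world-writable programs inside otherwise sane directories.

```python
"""Added example (not from the original post): audit the search PATH for the
conditions under which a privileged user could accidentally run a program
that a less privileged account was able to plant or modify."""
import os
import stat


def path_entry_findings(entry, mode, owner_uid):
    """Pure check on one PATH entry given its stat mode bits and owner uid.
    Returns a list of finding strings; an empty list means the entry looks safe."""
    findings = []
    if entry in ("", ".") or not entry.startswith("/"):
        findings.append("relative entry: programs in the current directory would be executed")
    if not stat.S_ISDIR(mode):
        findings.append("not a directory")
        return findings
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit: anyone can plant or replace a program")
    elif mode & stat.S_IWOTH:
        findings.append("world-writable (sticky): anyone can add a new program")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if owner_uid != 0:
        findings.append("not owned by root (uid %d)" % owner_uid)
    return findings


def world_writable_programs(directory):
    """Regular files in `directory` that others may write: a privileged user
    executing one of these runs whatever an unprivileged account put there."""
    hits = []
    try:
        names = os.listdir(directory)
    except OSError:
        return hits
    for name in names:
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(path)
    return sorted(hits)


def audit_path(path_env=None):
    """Stat each PATH directory and return {entry: [findings]} for the risky ones.
    Uses the process environment when `path_env` is None."""
    raw = os.environ.get("PATH", "") if path_env is None else path_env
    report = {}
    for entry in raw.split(":"):
        try:
            st = os.stat(entry or ".")
        except OSError as exc:
            report[entry] = ["cannot stat: %s" % exc.strerror]
            continue
        findings = path_entry_findings(entry, st.st_mode, st.st_uid)
        findings += ["world-writable program: %s" % p for p in world_writable_programs(entry or ".")]
        if findings:
            report[entry] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit_path().items():
        print(entry or "(empty entry)")
        for f in findings:
            print("   ", f)
```

Run it as the administrative account whose PATH is in question, since the point is what that account would execute; an empty report for a root shell is the state the post's scenario requires, and a relative entry or a writable directory is exactly the condition that lets an infection planted under a low-privilege usercode later execute with root privileges.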