2008-07-23 16:42:22

Why are our systems so weak?

Whenever you power on your computer and connect it to the Internet, there may be all sorts of computer viruses "around" it, monitoring it and waiting to infect it, so I think the outside world is very dangerous. However, if we do not connect our computers to the Internet, they are useless to us. Therefore, most people install some kind of anti-virus software on their computers to protect them from the threat posed by viruses, and perhaps some kind of firewall software is set up as well. Even so, our computer systems still get infected by viruses very frequently. Why? Is the anti-virus software not intelligent enough to scan out every kind of virus residing in our computers? Or is the firewall software not effective enough to interrupt the real-time communication issued by a worm? There is a principle in the field of information security that cannot be broken: the advance of anti-virus technique always falls behind the evolution of viruses. As a result, we cannot rely on one piece of software (anti-virus software) for the security of another (the operating system).


Whether you believe it or not, the security environment of our system is very complicated. System management, user-space applications, malicious code, anti-virus software and a real-time firewall all exist in our system simultaneously; what's more, we log in to and out of the system from time to time. So which roles do the above components play in the system, and how do they cooperate with each other? Some people may ask why we must focus on the cooperation of these components at all. Let's look at the following scenario:


Everyone who has some kind of anti-virus software installed in his/her system may often get warning messages, something like "threat from xxx.dll". However, the anti-virus tool does not delete this DLL file straight away; it just warns the logged-in user with this security-related message and gives the user several choices for dealing with the case, such as "ignore the threat" or "delete related files". Then we want to ask whether the user really knows how to deal with the warning message. If not, which step will he/she take, "just ignore" or "delete"? If the user chooses "delete", the anti-virus tool deletes the suspicious file; however, the suspicious file may not be infected by any virus at all, and what's worse, the "delete" action may make some system resource unavailable. Then who should take the blame for this fault, the anti-virus tool or the user? Now you can see the importance of the cooperation of the components.


Since the cooperation of the components referred to above exists only to complete the computational task indicated by the logged-in user, let's dig into the essence of the cooperation. First, we must make the concept of "cooperation" clear. A full "cooperation" contains the following steps: (1) the logged-in user indicates a task; (2) one or several processes are delegated to complete this task; (3) the processes interact with other components to map the input into the output; (4) the logged-in user gets the output from the processes. We also call the above process a "session". Since the source of a session is the logged-in user, the identity of that user is very important, because the power of a user depends on the user's identity; for instance, the "Administrator" user's power is a superset of the "Guest" user's. Next, we concentrate on another question: how do the components interact with each other? By "function call". If we want to employ a utility of another component, the only way, whether used validly or not, is a "function call". However, on x86 platforms the "CALL" and "JMP" instructions are both able to call other functions, so what is the essence of a "function call"? The stack. Why? A function call must rely on the stack. Now we have uncovered the inner face of the session. However, our topic is system security, so why are the user's identity and the stack security-related? The reason will appear shortly.


(I) login user’s identity

As operating-system textbooks say, the operating system maps a user's identity into the user's power; in other words, different identities have different power, and some identities' power scope covers others', just like a "set" in mathematics. We also know that a process's privilege is inherited from the power of the user who runs it. That is to say, the more power the user has, the more privilege the process has. If a user has the "Administrator" identity on a Windows system, then any process he/she runs is eligible to do anything, even things harmful to the system, under the monitoring of the system security management. Although systems sometimes give us warnings when we do something subtle, we can simply ignore these warnings and continue doing what we want. So, if we trap the "Administrator" user into running our malicious code, what will happen? Our malicious code gets the very privilege to do something harmful, such as installing backdoor software.


Then how does one trap a user into doing what we want him/her to do? This is not difficult, I think. Imagine that every time you browse a web page or download software from some website you did not know before, if the web page redirects your browser to some harmful URL, or the software you download contains malicious code and you run it, then your system is no longer secure. And there is good news for the attackers: we almost always log in to Windows with the "Administrator" identity.


(II) Stack

As we all know, a "function call" changes the execution flow of a program, but the program state before the "function call" and the variables declared in the function body must be stored somewhere, so the stack is introduced. In a nutshell, the stack is the very data structure that makes "function call" possible, and "function call" is the key to the cooperation of different system components. So, if we disrupt the data stored on the stack, we will successfully disorder the cooperation of different system components and change the execution flow of the program to run any code.


Now you can see that the stack is almost "bare", so that attackers can easily intrude into systems by overwriting the stack. Although a "non-executable stack" has been added in some Linux kernel patches, "return-to-libc" is still able to bypass this mechanism. Certainly a system whose stack is non-executable and which is further secured by StackGuard or StackShield makes attackers suffer. However, there is still a possibility for attackers to get a "root shell" by overwriting pointers.
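To make the "bare stack" and the StackGuard idea concrete, here is an added example (not the author's code) in C: a simulated stack frame whose canary sits between the local buffer and the saved return address, an unchecked copy beside its bounded form, and the epilogue check that notices the canary was clobbered before the return address is used. The frame layout, the canary value and the input sizes are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Simulated stack frame in the layout StackGuard protects: the canary sits
 * between the local buffer and the saved return address, so a linear
 * overflow from buf has to clobber the canary before it can reach ret. */
struct frame {
    char     buf[16];
    uint64_t canary;
    uint64_t ret;
};

#define CANARY_VALUE 0xC0FFEE5AFE5AFE01ull /* constructed value for the demo */

static void frame_init(struct frame *f, uint64_t ret) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->ret = ret;
}

/* The "bare stack" pattern: copies len bytes from buf onward regardless of the
 * buffer size, like strcpy into a fixed-size local. Clamped to the frame size
 * only so the simulation itself stays defined behaviour. */
static void unchecked_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Hardened form: rejects input that does not fit, leaving room for the NUL. */
static int bounded_copy(struct frame *f, const char *src, size_t len) {
    if (len >= sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* StackGuard-style epilogue check: 1 if the canary is intact, 0 if clobbered. */
static int canary_intact(const struct frame *f) { return f->canary == CANARY_VALUE; }

/* Scenario: feed n bytes of 'A' through one of the copies and return 1 if the
 * canary was clobbered (0 otherwise); also report the saved return address. */
static int overflow_detected(size_t n, int use_bounded, uint64_t *ret_out) {
    struct frame f; char input[64];
    memset(input, 'A', sizeof input);
    if (n > sizeof input) n = sizeof input;
    frame_init(&f, 0x1000);
    if (use_bounded) bounded_copy(&f, input, n); else unchecked_copy(&f, input, n);
    if (ret_out) *ret_out = f.ret;
    return !canary_intact(&f);
}
```

With 20 bytes the canary is already damaged while the saved return address is still untouched, which is exactly the window in which the epilogue check aborts the program; with 32 or more bytes the return address itself is overwritten, and the bounded copy rejects both inputs.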


So please audit your code; this may take some time, but you'll surely increase the security of the programs you're writing. And remember: "Be perfect, be protected, or let the others laugh at you."
