SystemsSec 2018W Lecture 13
- Software judged to be "malicious", ultimately a value judgment rather than technical/function judgment
- Depends on your perspective
- Can be almost anything so, it is often hard to judge whether a particular software contains malicious code
- Mostly a problem for client machines because it is typically installed by users.
Vulnerability: A hole in defense that is exploitable
Exploit: Code that gets around vulnerability
Malware can use exploits to take advantage of vulnerabilities in the system but it is important to note that a vulnerability in software does not necessarily imply that it is malware.
Developers are often reluctant to take vulnerabilities seriously.
Exploits often used to increase access, i.e. privilege escalation.
Software that detects and removes malware. Often uses same mechanisms used in "spyware" or "adware". It "watches" users.
It is a political process. Platform owners e.g. Microsoft, Apple, Google ultimately decide what gets to run on their platforms.
The problem of anti-malware is really an undecidable problem. Anti-malware stops the wide spreading of malware which only matters on a platform that you can install arbitrary code.
So how is it solved in practice? There are a couple of basic strategies.
- Whitelist - a list of things that are allowed e.g. an invite list for a party
- Blacklist - a list of anybody but the people on the whitelist e.g. casinos keep a list of people who are not allowed inside the casino
Typical anti-malware for Windows use blacklists(i.e. "malicious" code patterns). The problem with blacklists is that you have to give a list of all the badness in the world. It is a hopeless proposition. They can't use whitelists because they are not in a position to dictate what is allowed.
Whitelist is much simpler because you just need to list what you think is good.
Security solutions based on whitelists:
- Signed code
- App stores
Modern app stores e.g. Google Play, Apple App Store use whitelists, i.e. code that is allowed on your system. This has limits too. How do you have a whitelist and have the number the number of applications scale? For each app submitted to the store, they have to go through a reviewing process that essentially does what anti-malware would do.
Why is Linux less subject to malware issues than Windows? Fewer targets. Also, people that use Linux typically install software from the distribution vendor which has been vetted.
If you are running Windows, what anti-malware should you run? Windows Defender, the anti-malware from Microsoft enabled by default is decent. You have to trust Microsoft anyways and they have incentives to make sure their anti-malware solution does not compromise the performance of their platform and that the big threats are taken care of.
- Apple takes aggressive steps to lock down system, they don't allow arbitrary code to be installed
- Provides system level virtualization
- Applications runs in containers each with their own copy of the file system.
You can get around the whitelist on iOS but you have to be a developer and decide which devices you want to run your code on.
This is very different from Android, where you instead get a very elaborate permissions model (i.e. capabilities).
- Remove software restrictions imposed by manufacturer (e.g. Apple)
- Eliminates system level virtualization (i.e. containers) so that processes can "see" each other
- Compromises the security of an iPhone
- Technical term that refers to BSD jails