---------- Forwarded message ---------- From: Guillaume SH gsh.debianlists@gmail.com Date: 2009/2/1 Subject: Re: A basic implementation for increased security in wine proposal To: Marcus Meissner marcus@jet.franken.de
Hi Marcus,
I stand corrected, as it appears I was way too naive in my understanding of software security, hence the example I provided.
Regarding your explanation justifying there is no need to protect API against misuse, I am still not convinced, but I will think about it and try to get to a thorough understanding.
Thank you for clarifying, Guillaume
2009/2/1 Marcus Meissner marcus@jet.franken.de
On Sun, Feb 01, 2009 at 10:41:25AM +0100, Guillaume SH wrote:
Hi Paul,
You asked me to actually describe the security I am concerned about, so I am going for it:
Imagine an ill-intentioned person, call them the attacker. By simply creating the following C application (based on the classical "Hello world"):
#include <windows.h>   /* GetOverlappedResult() */
#include <stdlib.h>    /* EXIT_SUCCESS */

int main(int argc, char *argv[])
{
    /* printf("Hello world!"); */
    /* Deliberate misuse: a zero handle and NULL pointers, which is what
       triggers the crash under Wine described below. */
    GetOverlappedResult(0, NULL, NULL, FALSE);
    return EXIT_SUCCESS;
}
Running this application on wine, I get to have my crash, with the possibility of an exploit. So all I have to do now is to find a vector to make you and some other people willing to run my application.
I won't describe in detail the way to perform the exploit as:
1 - I don't know how to proceed and I don't want to
2 - It would be showing a poor sense of responsibility
If you can run an application ... it already can do everything!
No need to protect APIs against misuse, they run at the same privilege level as your code.
Ciao, Marcus
IMHO the whole discussion is moot.
Any Windows app can easily bypass *any* security measure in Wine by calling int 0x80, and there's nothing we can do against that other than running the .exe code in a real virtual machine (which would break the whole "Wine is not an emulator" thing).
And as Marcus pointed out, as soon as it is running it can already do everything the Linux permissions allow. It doesn't have to use broken API calls to do bad things.
A point where we have to take a look at security concerns is when we get data from the application that is potentially from somewhere outside the app. E.g. Half Life 2 loads MOTDs from servers which are HTML pages and passes them to our HTML control. Or MS Paint opens a jpeg file and uses Win32 API functions to parse it.
Protecting Wine against the application won't work. Protecting Wine (and the application) against the application's data is what we have to do.