Ubuntu Wiki

• Launchpad Entry: https://blueprints.edge.launchpad.net/ubuntu/+spec/security-karmic-malware-stopping

• Created:

• Contributors:

• Packages affected:

Summary

This should provide an overview of the issue/functionality/change proposed here. Focus here on what will actually be DONE, summarising that so that other people don't have to read the whole spec. See also CategorySpec for examples.

Release Note

This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the release notes of the first release in which it is implemented. (Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)

It is mandatory.

Rationale

This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.

User stories

Assumptions

Design

You can have subsections that better describe specific parts of the issue.

Implementation

This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

UI Changes

Should cover changes required to the UI, or specific UI that is required to implement this

Code Changes

Code changes should include an overview of what needs to change, and in some cases even the specific details.

Migration

Include:

• data migration, if any
• redirects from old URLs to new ones, if any
• how users will be pointed to the new way of doing things, if necessary.

Test/Demo Plan

It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release. Please add an entry to http://testcases.qa.ubuntu.com/Coverage/NewFeatures for tracking test coverage.

This need not be added or completed until the specification is nearing beta.

Unresolved issues

This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

BoF agenda and discussion

Gobby notes (no spec url yet):

IRC: #uds-security on Freenode

Context: malware prevalent on Windows, look at ways to protect Ubuntu users proactively malware as normal user can try to capture passwords, and other private data which is often a means to raise privileges

* Defending against

• consider if get into $HOME, you've won. Privacy is very important
• botnets

Attack vectors: * Email:

• consider privacy and phishing
• email/html rendering component flaws (kmail forces click to view html)
• malicious attachments
• Do we need to scan email for phishing/malware sites? (clamav)
• Email authentication technologies

* Web pages:

• browser flaws
• downloads
• plugins
• apt handler in browser
• trust anchors

* Network:

• open ports
• tcpip stack/kernel vulnerabilities
• MITM: OS updates, auto-updating software

* Instant messaging:

• software flaws
• downloads

* Desktop:

• Execute bit (DAC is well known by Unix admins)
  • - CDs don't even have execute bit. Accessing a CD is a direct action - define MIME-handler policy (how to behave in a safe manner not well-defined)
    • - MIME handler for executables has different implications than data files
    - Prompting to enable upon first run

    • - .desktop https://launchpad.net/bugs/153438

      • - Implemented by nautilus now: http://outflux.net/desktop-warn.jpg

      - EXE (Wine) https://launchpad.net/bugs/309214

      • - how to present that user is executing a program without causing too much
        • hoop-jumping but conveying implications of potentially untrusted code

        - proposal for Wine: http://yokozar.org/blog/archives/75 - wine marks execute bit after install, but installer needs a message - clamav integration with Wine

      - .jar https://launchpad.net/bugs/313439 - .desktop files currently prompt if execute bit not set - possibly have a single executable for handling this and have applications

      • talk to it

      - possible dialog: http://farm3.static.flickr.com/2262/1752383637_922f99d19e_o.png

      • (needs extra data, possibly extended attributes)
      - possibly look at firefox dialog
• REQUIREMENTS
  • - protect against accidental clicks and 'hidden' applications (eg kitty.jpg.desktop) - don't force jumping through hoops and convey explicitly what the action is,
    • possibly saving the answer for other similar applications)
    - set icon policy to help protect against fake dialogs - clamav/wine integration must be careful and not cause too many performance problems
    • (eg clamfs)
  - ACTION: possibly talk to DUX about dialogs - ACTION: investigate clamav performance issues with scanning on load of Wine
  • executables
• Spoofing the gtksudo password window
  • - effects
    • -can do everything on the system that sudoers allows for that user - move to policykit will help mitigate this in that the attack vector
      • is more complicated
      - sudo session around for 10 minutes
    - possibly limit applications communication with policykit (eg after pk
    • has the password and is allowed to run, what if it turns around and talks to pk again)
• Spoofing the update notification window/notification area icon
  • - could steal password
• Modify menu launchers to capture the gtksudo password
• Applications that auto-update
• Auto-installed printer drivers/PPD
• Policykit expiration (make configurable, see other session)
• sudo expiration/notification
• Removable storage permissions
• Bluetooth transfer permissions
• ptrace (one user's process taking control of a second process)
  • ACTION: make ptrace configurable

* Other

• BIOS hacks (needs root, often outside OS, Wine won't have hardware access to
  • run the .exe updaters)

* What if a password is captured?

• Should sudo be disabled?
• What about su?

Further discussion

(from a somewhat followup session "mime execution policy"

There is currently a lack of consistency on the Ubuntu desktop regarding the handling of downloaded content which has to be executed to be useful. Some content is executed automatically, some is not handled at all. Security and ease-of-use need to be balanced, and a consistent policy developed, that can guide development of MIME handlers in Ubuntu.

Principles

• MIME handlers should not ever run executable code
  • does this cause Java Web Start to fail?
• files that are executables, and have the executable bit set, should be handled via the kernel (binfmt-misc) - not via MIME
  • this includes application-specific macros: vim macros, OOo macros, ...
  • this also includes desktop files in some cases!
• Files downloaded from a web browser, mail client, etc. should never be saved as executable
• executable code that is not marked executable:

  • do not provide a workaround to run them anyway automatically - i.e., never juxtapose <long explanatory text> with <easy button that bypasses the text>

Goals

• Programs that download executables from the internet should mark them with extended attributes saying where they're from, when, and what user, as well as not marked +x

The error message when trying to open an executable file should:

• - explain why this may be a dangerous file - tell you how to change its permissions - not give you the option of launching it anyway
  • - nautilus shows this option for desktop files
  - maybe give you the option of looking for trusted software instead
• CDROMs: CDs without Rock Ridge extensions have all files marked executable, so this doesn't block this.
  • same with USB sticks

CategorySpec