Path: utzoo!utgpu!watmath!clyde!att!ulysses!smb
From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Virus - did it infect "secure" machines
Message-ID: <10846@ulysses.homer.nj.att.com>
Date: 13 Nov 88 23:08:42 GMT
References: <881107224915.20c01427@Sds.Sdsc.Edu>
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 56

I've been thinking a lot about that question; tentatively, I don't see how most ``secure'' machines would have escaped. Consider, for example, a B1-level UNIX system -- there are several, such as System V/MLS, undergoing certification. What would be accomplished by equipping such a system with a TCP/IP that adhered to the Trusted Network Interpretation of the Orange Book?

B1 provides two notable capabilities: extensive logging, and ``mandatory access controls''. The logging might have helped trace the bug, or may have helped alert system administrators, but obviously wouldn't have blocked it.

What about the access controls? Would they have helped? Probably not, except in a minor way. Mandatory access controls prevent a process from reading a file ``more classified'' than the process's label, or writing to a file less classified (in order to prevent leakage of classified information). For the most part, no such information was used by the worm. It couldn't have gotten at hashed passwords -- they're in a shadow file, not /etc/passwd -- nor, most likely, could it have looked at .rhosts files or .forward files. But the major means of transmission were the fingerd bug and the sendmail bug, and unless /etc/hosts were marked classified -- not likely, unless you want to say that only classified applications can talk over the net! -- attempts to exploit those bugs would not have been affected.

The IP security option(s) can carry classification labelling information. A process can only talk to a peer at the same level. If fingerd or sendmail were eligible to run at the unclassified level, the worm could have infiltrated itself via those channels. To be sure, the worm executable would only have access to unclassified channels -- but that's all it needs to spread further.

Fundamentally, what we had was a denial of service attack, which is very difficult to guard against. The heart of any secure system is a small, simple, ``security kernel''. *All* access decisions must be made in this kernel; with luck, it's small enough, and simple enough, that one can have reasonable confidence in its correctness. The danger points are in the other ``trusted programs'' -- programs (like mailers) that of necessity must cross security boundaries of some sort. But this worm didn't use any trusted programs, nor did it call the security kernel. Rather, it exploited bugs -- which we can't eliminate -- in two network applications, and then behaved as an ordinary user process. The TNI would (assuming correct implementation) have kept the worm out of the classified areas of the system, but would not have kept the system functional.

(I don't accept the argument that the sendmail bug was known, and that fingerd wouldn't be run by a secure system. True but irrelevant -- the real lesson here is that a competent and determined individual can find bugs; the exact location of these particular ones is mostly irrelevant. Remember that this worm did not use root privileges; as such, arguments about the inherent insecurity of the UNIX system are not germane.)

I keep looking for a system model that would have blocked this sort of attack. Except for some sort of ``fairness scheduler'' -- one that would have kept any one user, such as daemon or nobody from chewing up the whole CPU -- I don't see one. I'd like to, though.

		--Steve Bellovin
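The post's argument can be made concrete with a small model. The following Python is an added example constructed for this page; it is not Bellovin's code and does not reproduce any real B1 system. It implements the two mandatory-access rules the post paraphrases (a subject may not read an object labelled above it, and may not write one labelled below it), the TNI/IP-security-option rule that a process only talks to a peer at its own level, and a per-user cap on process slots standing in for the ``fairness scheduler'' the post wishes for. It then runs a simulated worm that arrived through an unclassified daemon and now runs as an ordinary `daemon`-level process. The two-level lattice, the object names and labels (`/etc/shadow` classified, `/etc/hosts` and the daemons' channels unclassified), and the cap of ten processes are all assumptions chosen to mirror the post's reasoning.

```python
"""Toy MLS reference monitor plus per-user fairness limit (constructed example).

Assumptions (not from the original post): a two-level lattice, the object
labels in build_host(), and a process-slot cap as a stand-in for a per-user
CPU fairness scheduler.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

UNCLASSIFIED, CLASSIFIED = 0, 1          # assumed two-level lattice


@dataclass(frozen=True)
class Obj:
    """A labelled file or network channel."""
    name: str
    level: int


class RefMonitor:
    """Bell-LaPadula style checks of the kind the post paraphrases."""

    def __init__(self, objects):
        self.objects = {o.name: o for o in objects}

    def can_read(self, subj_level, name):
        # Simple security property: no read up.
        return self.objects[name].level <= subj_level

    def can_write(self, subj_level, name):
        # *-property: no write down, so classified data cannot leak downward.
        return self.objects[name].level >= subj_level

    def can_talk(self, subj_level, channel):
        # Labelled IP security option: peers must be at the same level.
        return self.objects[channel].level == subj_level


@dataclass
class Host:
    monitor: RefMonitor
    max_procs_per_user: Optional[int] = None   # None means no fairness limit
    procs: Dict[str, int] = field(default_factory=dict)

    def spawn(self, user):
        """Admit a new process for `user` unless the per-user cap is reached."""
        n = self.procs.get(user, 0)
        if self.max_procs_per_user is not None and n >= self.max_procs_per_user:
            return False
        self.procs[user] = n + 1
        return True


def build_host(max_procs_per_user=None):
    # Assumed labelling: password hashes are classified, but /etc/hosts and
    # the ordinary daemons' channels stay unclassified, otherwise no
    # unclassified application could use the network at all.
    objs = [
        Obj("/etc/shadow", CLASSIFIED),
        Obj("/etc/hosts", UNCLASSIFIED),
        Obj("net:sendmail", UNCLASSIFIED),
        Obj("net:fingerd", UNCLASSIFIED),
        Obj("net:classified-link", CLASSIFIED),
    ]
    return Host(RefMonitor(objs), max_procs_per_user)


def run_worm(host, copies, user="daemon", level=UNCLASSIFIED):
    """Simulate a worm that got in through an unclassified daemon and now
    runs as an ordinary unclassified process.  Returns what it could do:
    the MAC rules keep it away from classified objects, but it can still
    read /etc/hosts, reach the unclassified daemons on other hosts, and
    spawn copies until (and only if) a per-user cap stops it."""
    m = host.monitor
    spawned = 0
    for _ in range(copies):
        if not host.spawn(user):
            break
        spawned += 1
    return {
        "read_shadow": m.can_read(level, "/etc/shadow"),
        "read_hosts": m.can_read(level, "/etc/hosts"),
        "reach_sendmail": m.can_talk(level, "net:sendmail"),
        "reach_fingerd": m.can_talk(level, "net:fingerd"),
        "reach_classified": m.can_talk(level, "net:classified-link"),
        "spawned": spawned,
    }


if __name__ == "__main__":
    print("MAC only:      ", run_worm(build_host(), copies=50))
    print("MAC + fairness:", run_worm(build_host(max_procs_per_user=10), copies=50))
```

Run as a script it prints two result dictionaries. In both, the worm is denied `/etc/shadow` and the classified link but allowed `/etc/hosts` and the unclassified `sendmail`/`fingerd` channels, which is the post's point that labelling keeps the worm out of classified data without stopping its spread. Only the host with the per-user cap limits the number of worm processes; the mandatory controls alone let all fifty copies run.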