Open Source Security

During my lab admin days as an undergrad, people used to come into the computer lab with virus infected 5 1/4″ diskettes and (inadvertently) try to infect the lab machines. (It doesn’t feel like it was THAT long ago!) Next, viruses were commonly spread attached to email. More recently, viruses have been propagated through music sharing. All of these infection vectors have one thing in common – a proper virus requires a host to carry the malicious code. Colloquially many people have become used to calling all malware viruses, but this is not correct terminology and I do believe that it is important to be pedantic on this point.

So here is a definition of virus in my own words: A virus is a piece of code which attaches to a host file and when executed performs an action that the user does not desire (including replicating itself to other hosts).

Wikipedia says: “A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term ‘virus’ is also commonly but erroneously used to refer to other types of malware, adware and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.”

Anti-virus software was created to detect signatures for existing known viruses. Before any file was opened, anti-virus software scanned it for these known signatures. So viruses morphed: they changed their signatures by compressing the executable code (compression viruses), by rewriting their codebase each time they were attached to a new host (polymorphic viruses), and even by encrypting their code (encrypted polymorphic viruses). Anti-virus software has morphed too, and that will be a topic for another post.

Wikipedia has a more in-depth discussion of the definition of computer virus and a list of known viruses (a few hundred in the wild to tens of thousands known) and a separate list of known Linux viruses (22).

I ran my previous blog entry past a co-worker and he said, in effect, all you are saying is that you don’t think that anti-virus is necessary on Linux. What about all those rants out there from people who believe that they need anti-virus so strongly that they believe that they got a virus that could have been prevented by anti-virus software?

That’s when I realized that my previous blog post was adding heat rather than light to the issue of anti-virus software on Linux. The real goal of my previous post was to point out that some common anti-virus software for Linux requires the user to disable stronger security mechanisms, a practice which I find intolerable and inexcusable. I also wanted to make the minor point that people asking about anti-virus software are often trying to adhere to the letter of the policy rather than rethinking the intent of the security policy.

As a new blogging experiment, I’ll attempt to explain why I think that anti-virus software is unnecessary starting from first principles. To do this, I’ll add short daily blog postings on relevant topics that will eventually add up to my conclusion.

In this series, I will address questions like

  • What is a virus?
  • What is a worm?
  • What is malware?
  • What does anti-virus software do?
  • Do Linux viruses exist?
  • Has anyone ever caught a Linux virus in the wild?
  • What attacks have been successful against Linux?
  • What happens on Linux if you were to catch a virus?
  • Are you claiming that Linux is impervious to all malware?
  • What anti-virus software would you recommend for Linux?

As a general rule, the topic of anti-virus software is probably my least favorite security topic. I’d much rather argue about SELinux usability any day. Nonetheless, I hope that this experiment will prove useful as an in-depth explanation as to why the consensus of Linux security practitioners is that you really don’t need anti-virus software on Linux.

The question about Linux security that is most frequently asked of me is

What anti-virus software do you recommend for Linux?

This question makes Linux security people crazy. The obvious answer is NONE. Unfortunately, the people who are willing to accept that answer are never the ones who ask the question. People asking this question almost always have a security policy in place that requires anti-virus software. They are not thinking deeply about real threats to their system or counteracting real risks. They are trying to adhere to the letter of the law that says that they must have anti-virus software.

The best result that we can hope for with this group of people is that they do not inadvertently reduce the security of their system by choosing a vendor that forces them to do perverse things like disabling SELinux and ExecShield.

clamav fits this need but is not included in existing customer support contracts with key distros. Both Symantec and Kaspersky require disabling SELinux. AVG is also a supported possibility.

Some of the heat and light of the discussion about the “best” anti-virus solution for Linux are shown in this thread which includes several additional product possibilities for anti-virus on Linux.

Ultimately, the person asking this question will have to evaluate their options and make their own decisions. My request is that if you find yourself asking this question, think deeply about the threats and attacks that you are trying to counter, consider your requirements, and please, do not weaken your security with the pretense of improving it.

While looking at SSL/TLS in a little more detail, I noticed that many websites default to RC4, which Firefox characterizes as “High-grade Encryption” (Tools->Page Info, General and Security tabs) but which Wikipedia characterizes this way: “RC4 has weaknesses that argue against its use in new systems”. RC4 is used because it is much faster than AES. (Web servers can drive 15-20% more traffic with RC4 (128) than with 3DES (EDE). Based on actual results, but YMMV.) Example websites using RC4 include my credit union, a well known online savings account provider, and my 401K provider.

Algorithm negotiation is built into the TLS protocol, so you can tweak your Firefox configuration so that your browser no longer offers the RC4 cipher suites. To change your Firefox configuration, surf to about:config and promise to be careful. Search on rc4:
security.ssl2.rc4_128 default boolean false
security.ssl2.rc4_40 default boolean false
security.ssl3.ecdh_ecdsa_rc4_128_sha default boolean true
security.ssl3.ecdh_rsa_rc4_128_sha default boolean true
security.ssl3.ecdhe_ecdsa_rc4_128_sha default boolean true
security.ssl3.ecdhe_rsa_rc4_128_sha default boolean true
security.ssl3.rsa_1024_rc4_56_sha default boolean false
security.ssl3.rsa_rc4_128_md5 default boolean true
security.ssl3.rsa_rc4_40_md5 default boolean true

Double click on the ones that are marked true to turn them off. Surf out to your bank and voila, you are now (most likely) using AES instead of RC4. (In my Firefox configuration, turning off only RC4 left 3DES still enabled, so if you want to be sure to use AES, you have to turn off the DES options also. Even with DES still enabled, AES-128 was the negotiated algorithm for the financial institutions that I tested.)
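The same change can be kept across sessions by writing it to a user.js file in the Firefox profile directory. The sketch below is an added example, not part of the original post: it parses rows in the about:config layout shown above, picks the enabled RC4 (and optionally DES) suites, and renders the matching user_pref lines. The sample rows are constructed, the function names are hypothetical, and persisting through user.js is an assumption about how you want to apply the setting.

```python
import re

# Constructed sample rows in the about:config layout: name, status, type, value.
ABOUT_CONFIG_ROWS = """\
security.ssl2.rc4_128 default boolean false
security.ssl3.ecdh_rsa_rc4_128_sha default boolean true
security.ssl3.ecdh_rsa_rc4_128_sha default boolean true
security.ssl3.rsa_rc4_128_md5 default boolean true
security.ssl3.rsa_rc4_40_md5 user set boolean true
security.ssl3.rsa_des_ede3_sha default boolean true
security.ssl3.rsa_aes_128_sha default boolean true
browser.startup.page default integer 1
"""

ROW = re.compile(
    r"^(security\.ssl[23]\.\w+)\s+(?:default|user set)\s+boolean\s+(true|false)$"
)

def parse_rows(text):
    """Return {pref_name: enabled}; a repeated row collapses to one entry."""
    prefs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs

def prefs_to_disable(prefs, also_des=False):
    """Enabled suites whose name contains an rc4 (optionally des) token."""
    weak = {"rc4", "des"} if also_des else {"rc4"}
    out = []
    for name, enabled in prefs.items():
        # Match whole underscore-separated tokens, not substrings.
        tokens = set(name.rsplit(".", 1)[1].split("_"))
        if enabled and tokens & weak:
            out.append(name)
    return sorted(out)

def still_enabled(prefs, disabled):
    """Suites from the listing that remain on after the change."""
    return sorted(n for n, on in prefs.items() if on and n not in disabled)

def user_js(names):
    """Render user.js lines that set each named preference to false."""
    return "".join('user_pref("%s", false);\n' % n for n in names)

if __name__ == "__main__":
    prefs = parse_rows(ABOUT_CONFIG_ROWS)
    off = prefs_to_disable(prefs, also_des=True)
    assert still_enabled(prefs, off), "refusing to disable every listed suite"
    print(user_js(off), end="")
```

Check what still_enabled returns before applying the output: if no suite from the listing remains on, the browser has nothing left to offer from that set.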

Do I think that this is necessary? No, not really. I *do* wonder why an algorithm suite as weak as 40-bit RC4 combined with MD5 is still turned on by default, but in general I believe that crypto is the least of your security worries. But I enjoyed the experiment and I consider this a silent vote for better web security which is now cast every time that I surf out to a secure site.

If you run a webserver, you can tweak your SSLCipherSuite setting to remove RC4 from the algorithms that you offer. See the Apache documentation at http://httpd.apache.org/docs/2.0/mod/mod_ssl.html.

If you are interested in a more rigorous treatment of the performance aspects of this topic, I highly recommend the paper by Li Zhao, Ravi Iyer, Srihari Makineni, and Laxmi Bhuyan entitled Anatomy and Performance of SSL Processing.

Thinking about the future and browsing Wired, I got distracted by two articles by Bruce Schneier. The first describes my favorite security concept ever: “turtles all the way down”! “The World Wide Web sits on top of a turtle, and then below that is an older turtle, and that sits on the older turtle. You don’t have to feel fretful about that situation — because it’s turtles all the way down. Now, we don’t have to think about it in that particular way. The word ‘turtles’ makes it sound absurd and scary, like a myth or a confidence trick.” OK, so Bruce is using it to describe an architecture here and not a security concept, but this may be my favorite turtle quote of all time. It achieves the heretofore unachievable: invoking the thought of turtles as scary!

For the obligatory security content of this posting, consider this article from Bruce Schneier about “How Perverse Incentives Drive Bad Security Decisions” with this key quote: “All security decisions are trade-offs, but the motivations behind them are not always obvious: They’re often subjective, and driven by external incentives. And often security trade-offs are made for nonsecurity reasons.”

It’s turtles all the way down!

Also, Happy Birthday, Dr. Seuss!