Differentiating ReactOS security from Windows security

The place to bring up any design issues, or post your own creations

Moderator: Moderator Team

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Reacter wrote:You've got to give away source to make applications (Or a manual on the API). So there is no way to get past viruses.
This is quite the falsehood, or we'd see far more Linux viruses than we currently do. And I'm not the only one who's told people about this for years... tell me: How do anti-virus vendors get past viruses on their own networks? They have to use their own products as a matter of corporate policy; aren't these the same products they sell to their customers?

The answers will probably surprise you:
http://www.vmyths.com/column/1/2003/6/11/

Just because you can see the source code to something, doesn't mean you can find a flaw with it. PGP for years was available as source code, even before GnuPG, yet there hasn't yet been a recorded crack of a PGP message due to a flaw in PGP itself. A lock you can see the mechanism for yet still have a hard time breaking is a strong lock, indeed.

This is why I wanted to show off the locked down Win2K I posted about earlier. Anyone with any Windows security experience can see exactly what I've done, and go, "oh geez, I can do that."

So, guess what? There is a way to get past viruses, and spyware, and other unwanted software. Even if you give away the source code to the host OS, or publish a manual on its API.

But this is digressing again. My point to all of this is, most of us can't do what I do, because most of us have to deal with badly designed applications that don't work with the before-the-fact protections built into Win2K through Vista. ReactOS' developers do not need to fix broken applications to work with their chosen security model; that job belongs to the broken apps' publishers.

Arnie
Posts: 8
Joined: Tue Jun 26, 2007 10:38 pm

Post by Arnie »

My answer is simple: the arguments for your security model are valid. Get Linux, then you have what you want. Different arguments for the Windows security model are also valid. Get Windows (or ReactOS which is the alternative) if that's what you want.

There is absolutely no reason to argue which model is better, because it is simply unacceptable to shut out all those Windows applications that won't work on a strict security model. Even though they are badly designed as far as the security model integration is concerned! Shutting out all those applications would seriously abase the idea why ReactOS is being made in the first place. That's why I said: if you want a strict security model, go for Linux.

So I argue that ReactOS modifications to the Windows security model can only be made within the boundaries where they will not affect any Windows software from functioning properly. (Properly meaning: at least as they would on Windows. And yes, there are many applications that would work fine under the normal model but not under the strict one.) If that's possible with your special 2000 installation, great. Since you have the expertise it's up to you to lay out the differences with the normal 2000 to the developers. But making two different editions of ReactOS is too much work and would create division.

Don't try to make this a Linux clone. It is a Windows clone. If you're not happy with that, then don't use it. Yes, the security model you're suggesting is better, generally speaking. But it is completely unfit for the nature of and ideas behind ReactOS itself. An unacceptable conflict.

BOT_ev
Posts: 140
Joined: Fri Nov 26, 2004 11:48 pm
Location: Sofia, Bulgaria

Post by BOT_ev »

Arnie wrote: Don't try to make this a Linux clone. It is a Windows clone. If you're not happy with that, then don't use it. Yes, the security model you're suggesting is better, generally speaking. But it is completely unfit for the nature of and ideas behind ReactOS itself. An unacceptable conflict.
I think u are right. I`m both Linux and Windows user, i have quiet enough experience with security issues with these two systems. My personal opinion is that Linux has better security model (obviously its not just my opinion :wink: ), but i don`t think this way is workable for Windows clone.

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Arnie wrote:There is absolutely no reason to argue which model is better, because it is simply unacceptable to shut out all those Windows applications that won't work on a strict security model. Shutting out all those applications would seriously abase the idea why ReactOS is being made in the first place.

Don't try to make this a Linux clone. It is a Windows clone. If you're not happy with that, then don't use it. Yes, the security model you're suggesting is better, generally speaking. But it is completely unfit for the nature of and ideas behind ReactOS itself. An unacceptable conflict.
Just one problem:
Arnie wrote:there are many applications that would work fine under the normal model but not under the strict one.
The so-called "strict" model is the "normal" model for stuff "Designed for Windows XP" and "Designed for Windows Vista." That a majority of products aren't certified in this manner isn't Microsoft's fault. Or yours.

Remember that my original post came from reading the UserSecurity article on the Wiki. My concerns come from ReactOS developers suggesting they want to differentiate their security model from the current Windows security model, yet also wanting to make broken stuff work:
UserSecurity wrote:We could possibly give the OS the ability to prompt a user for alternative logon credentials in "access denied" scenarios, giving the user the ability to "bump up" their access for the process that is running into the problem.
This behaviour simply encourages users to demand the administrator password from their admins and consultants. This happened over the last four years I consulted for travel agencies, and it took several months of testing and explanation to convince them otherwise. This is hardly differentiating ReactOS security from Windows security.
UserSecurity wrote:When a process tries to do something unauthorized/dangerous (Eg. Create raw sockets, write the bootsector, write the registry, add something to startup, integrate with the shell, etc, etc) ROSExp display the full info (name, path (both if it's a script), icon?, action, etc, etc) and have a heuristic "thermomiter" or something similar that gagues the likelihood that it's maliscous
Since when are Raw Sockets, for example, malicious by themselves? And why are regular apps writing to the boot sector, adding things to Startup or integrating things to the shell? These are installation / admin functions.
UserSecurity wrote:we need to give the user the ability to "elevate" his/her priviledges temporarily within a specific context, not actually change what user the program is running "as," [as well as do this for] certain executables [that] should be configured [this way] by default, like "setup.exe", as well as applications that are known to not work in XP's "Limited User" mode, like Quicken 2000, etc.
ok... if applications like Quicken 2000 are known not to work with limited accounts on XP, why try to make them work on limited accounts on ReactOS? As the makers of Quicken, this is Intuit's fault, not yours. Fortunately, they finally released a version of Quickbooks in 2007 that works. If I were testing apps under the security model, I'd test Quickbooks 2007 and not earlier releases of it.

And (ironically, just like Vista) this suggests I'd just need to rename a bad program to "setup.exe" to make it bypass security. Yeah. Right. rename happy99.exe setup.exe.

My point to all of this? Much of the discussion in UserSecurity talks about lobotomizing the security model in the name of compatibility. Making ReactOS permit admin stuff to non-admins, just because bad apps exist, will make ReactOS worse than Windows security-wise.... well, I suppose that'd be one way to differentiate ReactOS from Windows in this respect. Who'd have thought there'd be a less-secure OS than Windows?

Arnie
Posts: 8
Joined: Tue Jun 26, 2007 10:38 pm

Post by Arnie »

I repeat that there is no need to explain why the security model you're ranting about is not good, generally speaking. If you are not happy with a Windows clone, which you seem to imply, then by all means go for Linux but do not bother the ReactOS developers who have a different audience. (Of which I am a part, and I hereby testify that your ideas would diminish the value of ReactOS for me in terms of usability. That's why I'm taking the effort to reply in the first place.)

And the whose-fault-is-this question is not at all relevant to the discussion! It's nice to blame application writers and whoever you want - that does not help the end user in any way. A mamed Windows clone with strict security will just not do any good: the tiny audience that it would appeal to, will find most of their needs (and joys) in Linux anyway. Or OpenBSD for that matter. Perfect for users that prefer security over compatibility / availability of common applications - and you seem to be one of them.

There's no need to make stupid useless security design flaws, but in my opinion compatibility must not be sacrificed. That, I repeat, defeats the purpose of the project. And I don't care if it's the software developer's fault. Then you might as well say: those companies should have released the source code or at least a Linux binary of their apps, so we aren't going to make a free OS that will run them. Their fault. Exit ReactOS.

Haos
Test Team
Posts: 2954
Joined: Thu Mar 22, 2007 5:42 am
Contact:

Post by Haos »

I repeat that there is no need to explain why the security model you're ranting about is not good, generally speaking. If you are not happy with a Windows clone, which you seem to imply, then by all means go for Linux but do not bother the ReactOS developers who have a different audience
I think you should not speak for ReactOS developers, but only for yourself, Arnie. What can i say bout devs, is that they`re open for any opinion, if only the author has a good knowledge in the particular field. I wouldn`t call it bothering (it is easy to do so, as bothering appears here more often, than some nice deep discussions).

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Arnie wrote:If you are not happy with a Windows clone, which you seem to imply, then by all means go for Linux but do not bother the ReactOS developers who have a different audience.
If I wanted Linux I'd be using Xandros. And I'm already running 2K quite securely. I have an interest in ReactOS because over and over again I've been asked why Windows is so expensive. I want to be able to recommend ReactOS as a Windows-alternative to people who are familiar with Windows, but can't afford it. I also happen to have an agenda of my own...

ok I need to digress for a moment because I've not made that agenda clear. The average people I deal with daily are afraid of their computers. They are afraid of breaking them with the wrong keystroke, or visiting the wrong web site. They are afraid because they are taught to be afraid. By comparison, I do not want people afraid of their computers. I want my mom or my sister or any of my clients to walk up to a PC, and use it without fear of breaking it.

Right now, I can't do that with Linux and that's because Linux was written by geeks for geeks. I can't do that with MacOS because Macintosh PCs cost too much and people here are cheap. I can do that with Windows, but only if they're prepared to buy it, and also buy into safer devices and applications. The cheapness factor applies here, too. Only if I can convince a client to spend more money up front can I give them something they're not afraid to break. At the same time, most people I work for are familiar with Windows.

Enter ReactOS. A free alternative to Windows, or at least the potential to be so. It looks like Windows, it feels like Windows and everything you've learned on Windows applies, almost. They're not afraid of it, and it's cheap to use even in 0.3.0 Alpha. So what's missing? Well they're still afraid to break something because there's no security model yet. That's fine, it's still in Alpha after all.

It's here where I hope to influence the security model somewhat, to make ReactOS closer to what I expect from Win2K in terms of less fear. I want to give my Mom a ReactOS PC some day that she won't be afraid of breaking, because it looks like Windows and it's super cheap and it won't let her break it.

Now, to this end, I've posted all of the commentary I've posted so far. Going through 15 user account control prompts to install something, as Reacter's pointed out, is scary. I'd rather see a Run As or something. However, even a Run As feature presents a formidable obstacle to scary, unwanted software. This lessens the fear of the PC, that the user knows the PC's going to stop the user from doing something really stupid.

Run As, for instance, is great for doing one-time admin things while you're in the middle of doing something else. Such as installing an update to World of Warcraft while you're catching up on WoW forums. What I'm reading in UserSecurity is that Run As should get used for running day-to-day programs too, which I disagree with. It will encourage users to use Run As for everything else, or just skip that entirely and just log on to the shell with Admin anyway.

All of the other suggestions to make day-to-day programs work are weaker, security-wise, than Run As would be, and would still eventually drive users to running daily as Admin.

You don't have to sacrifice compatibility for security or vice-versa. The current path of making everything work and then bolting on the security seems silly to me, but if it's tested enough it'll have to do. I'm aware that you can't have both all the time. However, I believe ReactOS should let me choose security over compatibilty just like Windows does.

Now, this may mean that ReactOS security will never really differentiate itself from Windows security, which was my original concern. If so, that's ok; if I can lock down a ReactOS install like I can lock down a 2K install, I'll be happy.

Perhaps this is too much to ask. Maybe secretly, all geeks want average ignorant folks to be afraid of the geek craft that is the PC.

Reacter
Posts: 326
Joined: Tue Feb 06, 2007 9:57 pm
Location: Tornado Alley

Post by Reacter »

Someday, someone will create file-repair system, like Vista shadow copy and automatic file replace. Build in a bootup file replace, and with a small backup of the registry, it's nearly impossible in that since to break. Backup everything else, and you just can't really break ROS. The only way to break this is to have a virus, and later when we have a backup/restore Wizard, just reinstall ROS(if even necessary), and run restore Wizard for files. Also, any security-ignorant app should have a little stamp saying what it does, how it does it, or it is terminated, but that is just my opinion :).
Last edited by Reacter on Wed Jun 27, 2007 9:34 pm, edited 1 time in total.
More ReactOS, please!

Arnie
Posts: 8
Joined: Tue Jun 26, 2007 10:38 pm

Post by Arnie »

Gordonf, I am in a comparable situation to you where many people's computer problems have made them afraid to use their computer. On the other side is the annoying kind that loads their pc full with spyware time after time. I share your dream of fearless pc usage, but I'm not so optimistic that I believe computers will be without complicated menus for the next decades.

The problem is one can do so much things on a computer, that not everything can be straight-forward. It's either 12 menus or a command of 12 characters, so to speak. Some operations just need a big configuration window with clarifying text, and can't be done in a smooth, intuitive way. We can make the system a bit more adapted to the home user, but the user will have to grow up a bit as well.

However I do agree that future applications should be written with a correct security model in mind. I'm not experienced with Vista but what I've heard suggests that it is enforcing this. But at least for the next decade there will be software in common use that isn't yet compliant to this. As I said, as long as the compatibility remains, I am all for security enhancements. I guess this is as far as the two of us will get in this topic, don't you agree?

P.S. (to Haos) I have made it clear that I am speaking for myself several times, but do you honestly want me to include "imho", "I think", "according to me", "in my view", etc. etc. in EVERY sentence I'm writing? You can't have any serious debate like that. And you don't have to be a phorumsphorus to see that I'm not associated with the official team, with my 6 posts.
I wrote:but in my opinion compatibility must not be sacrificed.
I wrote:have a different audience. (Of which I am a part
I wrote:My answer is simple
I wrote:So I argue that ReactOS modifications
If it's not clear to you that I'm speaking on my own accord here, then you haven't taken the time to read what I'm saying in the first place.

Or if you mean that I'm defining the audience of ReactOS: be my guest and oppose my statement that ReactOS' audience is people wanting a Windows clone. That looks like a clear fact to me.

mf
Developer
Posts: 368
Joined: Mon Dec 27, 2004 2:37 pm
Location: Eindhoven, NL
Contact:

Post by mf »

gordonf wrote:The average people I deal with daily are afraid of their computers. They are afraid of breaking them with the wrong keystroke, or visiting the wrong web site. They are afraid because they are taught to be afraid. By comparison, I do not want people afraid of their computers. I want my mom or my sister or any of my clients to walk up to a PC, and use it without fear of breaking it.
Get them to buy a Mac. It's the computer you shouldn't be afraid of (tm). a.k.a. that overpriced thing that just sits there being pretty while you can't do much more than browse, read email and process text because all the useful programs are written for Windows. But hey, at least it doesn't have bluescreens!
It compiles, let's ship it!

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Arnie wrote:Gordonf, I am in a comparable situation to you where many people's computer problems have made them afraid to use their computer. On the other side is the annoying kind that loads their pc full with spyware time after time. I share your dream of fearless pc usage, but I'm not so optimistic that I believe computers will be without complicated menus for the next decades.
Hm, this is straying away a bit from security comparisons to a general design problem with software. There are actually far better critics of this problem than I, and I learned about Why Software Sucks only today. It boils down to software being written by geeks for geeks, and not for average fearful users.

The security problem is just one small part of this much larger user-hostile environment we call the PC. I can only claim experience in the security aspect, but I can lend that much at least to ReactOS' development.
Arnie wrote:We can make the system a bit more adapted to the home user, but the user will have to grow up a bit as well.
I love to compare computers to automobiles when this kind of statement comes up. It's a valid concern to have the user "grow up a bit," because software can get too expensive to develop if it hand-holds the user too much. But where do you stop hand-holding the user?

One day we'll make our kids take a required computers-ed course in middle school much like kids today have to take drivers-ed in high school where I live. We'll still have reckless kids on the 'information highway,' but they will get fewer and far between. Until then, there's peer hand-holding. Or, we can make the computers do the hand-holding for us. This is what I make Win2K do for me. The "dream" of fearless PC usage was a reality for my clients on Windows for the past four years, at least with respect to hack attacks and malware. I'd hate to see that go away when ReactOS becomes a truly viable Windows alternative.

And ultimately, whether I wish it or not, I'm going to be supporting ReactOS deployments in the field when it does become viable, simply because some clients will want to try it at least once. It's in my best interest to catch potential problems now.

I'm going to be offline for a couple days, so I want to say thanks in advance for all of the chatter here. It might seem meaningless, but it's these kinds of discussions between camps (in this case the compatibility and the security camps) that catch potential problems before they're chisled in code. So, don't get discouraged.

oiaohm
Posts: 1322
Joined: Sun Dec 12, 2004 8:40 am

Post by oiaohm »

Please let this die.

Alex ion and me had a disagreement over this very topic.

Linux has good defaults and a strict culture of not running as root/Administrator.

Linux does have viruses most die because there exploits get removed but a bigger threat to linux is root kits. Most linux distributions are weak forms of linux. Scary bit weak for of Linux is stronger than Windows default. Mac OS X also has lower viruses.

Microsoft uses the smoke screen of market share. The problem is that is not the only factor. Live span of a exploit.
Data stealing people are normally the first to get a exploit. This covers the forms of malware spyware on-line user tracking and root-kits... Highly profitable usage of exploits.
Viruses are down the track. Bad news its normally 12 months from profit makers using exploit to virus writers creating virus.

Most Anti-Virus software works by detecting virus and removing virus. This has major problems. Since the exploit is still there all the virus writer has to do is recreate virus and do it all over again. It is nothing uncommon on windows to have 1000+ viruses using a single security flaw.

If Reactos patches flaws quickly it will be more protected from a virus.

Having a system to allow users to operate as a lower user masively reduces damage.

Making applications have to be permitted to do particular things can reduce the effectiveness of virues. Process Injection control yes you can inject code into running applications in linux. You need to be root or a permitted user or application in soft distribution. Hardened form only approved applications can inject code into other processes.

Limiting some operations to permitted applications only will stop lots of viruses dead.

Note a lot of viruses use process injection. Reason lets them hide in the task manager.

FSX
Posts: 63
Joined: Sat Jun 02, 2007 12:23 am

Post by FSX »

oiaohm wrote:Note a lot of viruses use process injection. Reason lets them hide in the task manager.
There should be a box that pops up when a app is doing something naughty. To take gordonf's Warcraft example, it wouldn't complain about warcraft3.exe writing to C:\Program Files\Blizzard\Warcraft III (its home directory), but if the same program happened to be writing to C:\ReactOS\system32, it would say "warcraft3.exe could be attempting to damage ReactOS. Would you like to quit it? If you do not know what to choose, it is recommended you choose Yes." And then Mr. Notafraid says yes and it goes bye-bye.

oiaohm
Posts: 1322
Joined: Sun Dec 12, 2004 8:40 am

Post by oiaohm »

FSX you are now thinking like apparmor and selinux addons to linux. That kind of tech is required to fight rootkits. Scanning for something you don't know does not work. Detecting something doing what it should not be does.

This would have been so much simpler if profiles of normal operations of applications were required by Microsoft.

Reacter
Posts: 326
Joined: Tue Feb 06, 2007 9:57 pm
Location: Tornado Alley

Post by Reacter »

HiJack this is useful in finding some of that crap, but if you have no clue what processes to look for, don't try reading it, let a tech look at it.
More ReactOS, please!

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest