[cap-talk] Polaris: Virus Safe Computing for Windows XP
Karp, Alan H
alan.karp at hp.com
Tue Dec 7 18:17:54 EST 2004
Well, I've done a bit of research on the shatter attack. It's an
interesting way to use the GUI hole to mount an attack, but I now
believe it's beyond the set of problems that Polaris claims to address.
My first reading led me to believe that Windows accepted a "run these
bits" command. I no longer think this is the case. I base this opinion
on the following from http://security.tombom.co.uk/moreshatter.html:

"You say this is unfixable. So why publish it?
This is more or less unfixable by Microsoft. To fix all of these
problems in one fell swoop would require a change in the Win32 API,
which you can't do. However, the vendors can fix each specific problem
as it arises, and write code that's inherently secure against these
types of attack. Hence publishing the paper - if people know that you
can do this, then people will know to code around it. NAI certainly
didn't know about it, regardless of how well Microsoft claim to have
documented it."

A Windows application can be attacked through any of its communications
channels - a socket, a pipe, COM, or the GUI hole used by the shatter
attack. However, the attack can only succeed if the application has an
exploitable flaw. It is clearly beyond the scope of Polaris to do
anything about flawed applications, although a successful attack against
a polarized application can't do much harm.

We are quite clear in stating near the start of the paper what attacks
we deal with when we say, "Unlike some malware that depends on security
holes in a piece of code, these kinds of viruses aren't exploiting
flaws; they're using the system the way it was designed to be used."
This statement clearly excludes the shatter attack as I understand it.

In order to prevent others from being confused about what Polaris claims
to protect against, I've added a sentence to the last paragraph under
"Future Work". The whole paragraph now reads:

"A problem we don't have a solution for is the GUI hole. Due to a
fundamental design flaw in Windows, any application can read GUI events
sent to any window on the screen. This flaw is exploited by keyboard
sniffers, for example. Any application can send GUI events to any
window on the screen. These messages can be used to attack flaws in an
application or the kernel, a problem beyond the scope of Polaris. These
messages can also be used by a virus to send requests for additional
authorities to the PowerBox and select any file on the system. However,
if Polaris gets adopted widely enough that virus writers are attacking
the PowerBox, we'll have achieved our goal of making the world far safer
from viruses than it is today."

I decided to change the title to avoid being accused of claiming too
much.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp