[cap-talk] Polaris: Virus Safe Computing for Windows XP

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue Dec 7 18:44:34 EST 2004


Karp, Alan H wrote:
> Well, I've done a bit of research on the shatter attack.  It's an
> interesting way to use the GUI hole to mount an attack, but I now
> believe it's beyond the set of problems that Polaris claims to address.
> My first reading led me to believe that windows accepted a "run these
> bits" command.  I no longer think this is the case.  I base this opinion
> on the following from http://security.tombom.co.uk/moreshatter.html:
>  
> "You say this is unfixable. So why publish it?
>  
> This is more or less unfixable by microsoft. To fix all of these
> problems in one fell swoop would require a change in the Win32 API,
> which you can't do. However, the vendors can fix each specific problem
> as it arises, and write code that's inherently secure against these
> types of attack. Hence publishing the paper - if people know that you
> can do this, then people will know to code around it. NAI certainly
> didn't know about it, regardless of how well Microsoft claim to have
> documented it."
>  
> A Windows application can be attacked through any of its communications
> channels - a socket, a pipe, COM, or the GUI hole used by the shatter
> attack.  However, the attack can only succeed if the application has an
> exploitable flaw.  It is clearly beyond the scope of Polaris to do
> anything about flawed applications, although a successful attack against
> a polarized application can't do much harm.

I'm confused. I thought the whole point of Polaris was to run applications
in a least-privilege environment *despite* application flaws. If not,
then what is it supposed to do?

Remember that <http://security.tombom.co.uk/moreshatter.html> is talking
about using shatter attacks for privilege escalation in the context of an
ordinary, very much not-least-privilege Windows environment. In that
environment, the only applications that need to protect against attack
in the way described are applications that explicitly run code in more
than one user account (typically things like firewalls, anti-virus
software etc.) One way to interpret what the above page is saying
is to note that *Polaris itself* is such an exploitable application,
because it doesn't -- and can't -- have enough control or knowledge of
the code it runs to adequately filter messages on its behalf.

In a few days, I could write a reusable exploit that would break any
version of Polaris that relied on Windows inter-account privilege
boundaries (I'm not going to, but others are just as capable of doing
this). This is a *complete break* of the current version of Polaris,
and fixing it requires a major redesign to use VM-based isolation instead.
I don't see how you can claim that it is "beyond the scope of Polaris",
unless its scope is uselessly narrow.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
