Another virus-in-wine story
dgerard at gmail.com
Sun Oct 25 16:25:36 CDT 2009
2009/10/25 Nicholas LaRoche <nlaroche at vt.edu>:
> From a usability standpoint, adding switches to wine for sandboxing is a
> good thing. But it seems to only cover the APIs exported by wine. A
> specially crafted win32 wine-aware malware app could leverage sys_open(1)
> and sys_write(4) via int 80h to bypass this isolation and install itself
> anywhere in the users home directory.
> e.g. this malware could open ~/.bashrc and install linux specific malware
> that executes the next time you open a shell.
Yes. It would be exceedingly foolish to claim to offer security that
cannot be delivered.
(I'd sugest big warnings. "WARNING: any Windows app can do anything on
your system that the user it is running as can do. If you want to
study malware, use WineZero or similar.")
> Perhaps the app-specific package that you mentioned can be shipped with an
> AppArmor/SELinux profile that prohibits syscalls from originating anywhere
> in user code. (Assuming that the other sandboxing changes are made to wine).
This would need some really serious testing before making such a
promise, of course. i.e., will Wine itself still work?
More information about the wine-devel