10 July 2006

"Safe" Should Be Boilerplate

You can think of "safe should be boilerplate" as a rule to avoid a basic conceptual error that leads to bugs and exploits.

Now that the shoe has dropped (ITW malware is killing Safe Mode by deleting the registry content that defines it), I can be a bit more public about this concept - that if something is to be "safe", it can't be defined by editable baseline data. Examples:
  • Web browser "blank" page
  • Safe Mode startup axis
Safe Mode was a bit safer in Win9x, because there was no startup axis: the whole idea was to load no non-core drivers and run no startup-axis integrations at all (this held as long as the "* trick" wasn't applied).

But XP's Safe Mode is flawed in several ways that create opportunities for malware:
  • Entries can be added to (or persisted into) its startup axis
  • It uses a different user account, therefore different per-account settings
  • It runs a screensaver, which can be re-defined
  • File associations now allow per-user overlay
  • The "Cmd Prompt Only" shell can be re-defined
  • The whole thing depends on a re-definable registry subtree
Some malware now destroys XP's Safe Mode by deleting the registry content that defines it. I found this blog link that describes the problem and offers solutions:

I have a case like this at the moment, and will be trying a "case 4" approach as I described in a comment on that blog entry. If it works, and I can remember the exact method I used, I may write that up as a new blog entry here :-)

A less-obvious example of the "Safe should be boilerplate" rule is the option not to use a password. Normally that's done as a "blank password", rather than a true boilerplate absence of a password - and that becomes absurd when coupled with the usual "to set a new password, first enter the current password".

The trouble with the "Safe should be boilerplate" rule is that it precludes any fix-it-later patching. You have to make your boilerplate perfect, even if that means simplifying your code towards triviality in order to approach that perfection!


Didier Stevens said...

That's a clever idea, booting from a Live CD and getting the registry backups from "System Volume Information".
I did a quick test:
1) Boot from a live CD
2) Start REGEDT32
3) Load a HKLM copy from the SVI directory
4) Look for the Safeboot key (of course, there's no CurrentControlSet)
5) Export the Safeboot key

You'll need to edit the registry paths in the exported REG file to point to the correct ControlSet and remove the keyname you provided when loading the hive, before merging it.
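The two chores above (rewriting the exported paths, then confirming the recovered subtree is actually whole before merging it) are the kind of thing worth scripting rather than hand-editing, and the same integrity check speaks to the post's point that XP's Safe Mode hangs off a re-definable registry subtree. The script below is an added example, not code from the post or from Didier Stevens' comment. It assumes the hive was loaded in REGEDT32 under the name `SVI` and that the backup's saved ControlSet is `ControlSet001`; the `.reg` text is constructed for the example. The SafeBoot layout it checks (`AlternateShell`, `Minimal`, `Network`) is the real XP structure.

```python
import re

LOADED_NAME = "SVI"  # name given to the backup hive when loading it (assumption)
TARGET_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed stand-in for the REG file REGEDT32 exports from the loaded hive.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SVI\\ControlSet001\\Control\\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\\SVI\\ControlSet001\\Control\\SafeBoot\\Minimal]

[HKEY_LOCAL_MACHINE\\SVI\\ControlSet001\\Control\\SafeBoot\\Minimal\\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\\SVI\\ControlSet001\\Control\\SafeBoot\\Network]

[HKEY_LOCAL_MACHINE\\SVI\\ControlSet001\\Control\\SafeBoot\\Network\\Boot Bus Extender]
@="Driver Group"
"""


def rewrite_reg_paths(reg_text, loaded_name, target_root=TARGET_ROOT):
    """Point every [section] header at the live CurrentControlSet SafeBoot key.

    The exported headers carry the hive name chosen at load time and the
    backup's numbered ControlSet; both are replaced with the live path.
    """
    header = re.compile(
        r"^\[HKEY_LOCAL_MACHINE\\" + re.escape(loaded_name)
        + r"\\ControlSet\d{3}\\Control\\SafeBoot(\\[^\]]*)?\]$",
        re.MULTILINE,
    )
    return header.sub(lambda m: "[" + target_root + (m.group(1) or "") + "]", reg_text)


def parse_reg(reg_text):
    """Return {key_path: {value_name: data}} for a simple string-only REG export."""
    keys = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def check_safeboot(keys, root=TARGET_ROOT):
    """List what is wrong with the SafeBoot subtree; an empty list means it looks intact."""
    if root not in keys:
        return ["SafeBoot key missing entirely (the deletion the post describes)"]
    findings = []
    shell = keys[root].get("AlternateShell")
    if shell is None:
        findings.append("AlternateShell value missing")
    elif shell.lower() != "cmd.exe":
        # The "Cmd Prompt Only" shell has been redefined.
        findings.append(f"AlternateShell redefined to {shell!r}")
    for sub in ("Minimal", "Network"):
        path = root + "\\" + sub
        if path not in keys:
            findings.append(f"{sub} subkey missing")
        elif not any(k.startswith(path + "\\") for k in keys):
            findings.append(f"{sub} subkey has no driver/service entries")
    return findings


if __name__ == "__main__":
    fixed = rewrite_reg_paths(SAMPLE_REG, LOADED_NAME)
    print(fixed)
    print("findings:", check_safeboot(parse_reg(fixed)))
```

Run it against a real export by reading the file in place of `SAMPLE_REG`; only merge the rewritten file when `check_safeboot` comes back empty, since a backup taken after the malware ran would pass the path rewrite but fail the structural check.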

Simon Scatt said...

Many programs include spyware modules. Use anti-spyware to protect your privacy.
As for me, I like professional anti-spy software like PrivacyKeyboard by Raytown Corporation LLC.
You can download it here: http://download.softsecurity.com/1/14/prvkbd.zip (~4MB)

Chris Quirke said...

Going back in time, this is the fourth similar post from "Simon Scatt" advocating a keylogger-blocker from a vendor that also makes a keylogger.

Let's do a Google( "Simon Scatt" )...
yep, similar spam-posts across all sorts of blogs.