Dear LittleSnitch users!
First of all thank you for your patience! I came back on Sunday and
Johannes brought me up to date regarding the discussion and the
questions that arose here.
1.
I will try to answer all questions as detailed as possible, but
please understand that there are some technical details I can not
reveal. This is not security by obscurity, but if we threw every
technical detail of LittleSnitch out to the public we might as well
send the source code of LittleSnitch to our competitors and close our
business.
2.
The fact that in 10.4 LittleSnitch can be bypassed by killing it is
due to limitations introduced in the 10.4 kernel interface. We are
trying hard to reintroduce the protection LittleSnitch had in 10.3
and will fix this issue in the next release of LittleSnitch.
3.
There is no such thing as "100% security". We will protect
LittleSnitch from most kinds of attacks, but there are limits to
this. The definitive limit is a process attacking LittleSnitch which
has root privileges. A process with root privileges on a Unix system
can do _everything_ - once you have managed to get a malicious process
onto your system and it gains root privileges there is nothing it can't
do. One can make it cumbersome or a bit harder for this process but
one will not be able to stop it from doing what it's up to...
On Oct 7, 2005, at 22:06, Arno Hautala wrote:
Also, I've never seen _anything_ that ignores all kill attempts.
And granted I'm not very versed in kernel programming, but I'm not
looking for a tutorial. At most a brief overview or intro to how
LS protects itself. Just some info on how LS did, or will continue
to protect itself... if it's not secret. :) I wouldn't expect
ObDev to distribute that sort of info or an extensive tutorial. If
it's public and the dev is willing I'd follow up on that off list.
I can say that much:
On the kernel level things are a bit different than on the user
(application) level - you can do things in the kernel that are
impossible to do in an application.
LittleSnitch can not and will not protect itself against other kernel
extensions as installing and loading a kernel extension requires root
privileges (see point 3).
Protecting the daemon (a user level process) against unauthorized
kills can be done on the kernel level - or better: could be done in
10.3, and we hope to find a way to do it again in 10.4.
Killing the daemon does not have to mean letting all network traffic
through. In the next minor release of LittleSnitch we will fix the
daemon kill issue. In the long run we will change the responsibility
assignment of the kernel extension, the daemon and the preference
pane. Then simply killing the daemon will _not_ "disable" LittleSnitch.
On Oct 7, 2005, at 22:15, [EMAIL PROTECTED] wrote:
I have tried SnitchCTL under 10.3 and indeed the daemon cannot be
killed (at least not with the few commands I've tried - kill, kill
-9, killall). But there's a glitch: first, I don't find this
behaviour normal; imho anything should be killable by root. What if
it's causing a conflict with another app?
The LittleSnitch Daemon can be terminated also in 10.3 if you do it
the way it's supposed to be: By simply going to the LittleSnitch
Preference Pane and clicking on the "Stop" button. If you try to kill
it by sending it kill signals from the Terminal.app LittleSnitch must
protect itself.
On Oct 7, 2005, at 22:15, [EMAIL PROTECTED] wrote:
Second thing is that it is easily defeated, as unlike in 10.4, you
can kill the kext (extension), which in turn will kill the daemon.
There is no way of "killing" a kernel extension. You can _unload_ a
kernel extension - if you have root privileges. But once an attacker
has root privileges...see point 3 in the introduction....
On Oct 7, 2005, at 22:15, [EMAIL PROTECTED] wrote:
To make it worse, you can't start it back after you've unloaded the
kext; a restart is required. Indeed, loading the LittleSnitch.kext
located in the Contents of the prefpane will say it's missing
dependencies, and trying to load the ODKUControl.kext will result in a
panel saying the app is not authentic and that it cannot be loaded.
The LittleSnitch kernel extension _can_ be loaded if it is loaded
correctly. A restart is _not_ required to load it, if you give the
correct parameters when loading it.
On Oct 10, 2005, at 3:10, [EMAIL PROTECTED] wrote:
After building the proof of concept that SnitchCTL is I thought I
should help the users who are scared because of the issues it
brings up. This is why I came up with VeriSnitch:
http://snitchctl.smurfturf.net/index/verisnitch/
This is a good way to protect LittleSnitch until we fix this issue in
the next release. It's definitely better if such a tool comes from a
third party, because if it came with LittleSnitch, attackers would of
course simply kill the tool and then kill the LittleSnitch daemon. If
it comes from a third party chances are better that attackers do not
know about it. If you're extremely cautious you might want to rename
VeriSnitch after installation to some name an attacking program can't
guess.
I hope I was able to answer your questions to your satisfaction.
Please let me know if you have any further questions.
Yours
Karl Schwarzott
--
Objective Development Software GmbH
http://www.obdev.at
_______________________________________________
Littlesnitch-talk mailing list
[email protected]
http://at.obdev.at/mailman/listinfo/littlesnitch-talk
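The thread above turns on one point: a user-level daemon can catch or ignore most signals from inside its own process, but the kernel refuses to let it handle SIGKILL (or SIGSTOP), so "kill -9" from root always wins unless something in the kernel intervenes on the daemon's behalf. The following program is an added illustration of exactly that boundary; it is not code from Objective Development or from LittleSnitch, and it does not reproduce whatever kernel-level mechanism LittleSnitch used on 10.3. It installs a handler for SIGTERM and SIGHUP, delivers each to itself and reports that it survived, then shows that sigaction() rejects SIGKILL and SIGSTOP with EINVAL. The function names are my own.

```c
/* Added example (not LittleSnitch code): what a user-level process can and
 * cannot do to protect itself against signals. Builds with a C99 compiler on
 * Linux or macOS: cc -std=c99 -Wall signals.c -o signals */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Set by the handler so we can prove it ran instead of the default action. */
static volatile sig_atomic_t caught_signal = 0;

static void on_signal(int signo)
{
    caught_signal = signo;          /* async-signal-safe: plain store only */
}

/* Ask the kernel to route signo to on_signal().
 * Returns 0 on success, -1 with errno set if the kernel refuses. */
int install_handler(int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(signo, &sa, NULL);
}

/* Install a handler for signo, send the signal to ourselves, and report
 * whether the process is still alive with the handler having run.
 * POSIX guarantees raise() does not return until the handler has returned,
 * so caught_signal is already updated here. Returns 1 if we survived. */
int survives_signal(int signo)
{
    caught_signal = 0;
    if (install_handler(signo) != 0)
        return 0;                   /* kernel would not let us catch it */
    if (raise(signo) != 0)
        return 0;
    return caught_signal == signo;
}

/* Returns 1 if the kernel refuses a handler for signo with EINVAL.
 * This is the case for SIGKILL and SIGSTOP: no user-level code, however
 * privileged, can catch, block or ignore them. */
int kernel_refuses_handler(int signo)
{
    errno = 0;
    if (install_handler(signo) == 0)
        return 0;                   /* handler accepted, nothing refused */
    return errno == EINVAL;
}

int main(void)
{
    /* Signals a daemon can shrug off from user space. */
    printf("SIGTERM: %s\n", survives_signal(SIGTERM)
           ? "handler ran, process survived" : "not caught");
    printf("SIGHUP:  %s\n", survives_signal(SIGHUP)
           ? "handler ran, process survived" : "not caught");

    /* Signals no user-space code can intercept. A root process that sends
     * one of these to the daemon terminates (or freezes) it unconditionally;
     * only kernel-level code could prevent delivery. */
    printf("SIGKILL: %s\n", kernel_refuses_handler(SIGKILL)
           ? "sigaction() refused with EINVAL" : "unexpectedly accepted");
    printf("SIGSTOP: %s\n", kernel_refuses_handler(SIGSTOP)
           ? "sigaction() refused with EINVAL" : "unexpectedly accepted");
    return 0;
}
```

This is why the message distinguishes the user-level daemon from the kernel extension: a watchdog such as the third-party tool mentioned above can only notice that the daemon died and restart it, and it is itself just another killable process. Anything that is supposed to survive "kill -9" from a root shell has to be enforced below the signal delivery path, which is exactly what point 3 of the message says cannot be done against an attacker who already has root and can load kernel code of their own.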