What is an executable file, and how does it relate to computer security?
Some of us seem to know the answer almost intuitively, and think that this is a
trivial question, but for others it is a mystery. The concept of the executable file
is at the heart of the computer's amazing flexibility, and the source of all
Like the comic book hero Green Lantern, whose source of super powers
is also his one vulnerability.
Think about it for a minute. If all the executable code on the computer was
embedded in ROM chips on the motherboard, and if the machine was wired
in such a way as to be unable to run any code other than the built-in, tested,
bonded and guaranteed software in that ROM, then there would be no viruses,
no trojans, no spyware or other malicious or rogue code of any kind.
But the world would be a boring place if you could not choose additional
software to install on your computer, if you could not upgrade your software
or write your own.
So, when our computers were designed, the computer gods decided to take a
chance and design an open architecture with a maximum of flexibility
granting a maximum of power to the owner and user.
Software, in the form of executable files, has almost total freedom to do
whatever the programmer wants it to do, for good or ill.
That having been said by way of introduction, let's take a quick survey of
executable file types on IBM PC compatibles, with a few comments on
When the IBM PC was first introduced, with the PC-DOS (MS-DOS) operating
system, it had three types of executable files. MS-DOS uses the concept
of the "file extension" to identify various types of files on the system.
In the FAT file system of those days, a file name could have a maximum of 11 characters,
with the last 3 set off by a dot (period).
In some file types, the extension was optional, but for executable files it was
mandatory. You could make a text file named LETTER, but a file named PROGRAM
would not execute. The three executable file types had the extensions .COM,
.EXE and .BAT.
The .COM file was the first and simplest type of executable file.
These are its characteristics. First, it had no header or mandatory data field
in it, and no "magic number", which is to say, it had no tell-tale signature anywhere
in the file that could identify its contents to the OS or to any third party
program. A .COM file is bound by only two mandatory rules: one, it must
have the .COM extension, or the OS will refuse to execute it; two, the very first
byte(s) of the file must be valid machine instructions, or it will crash.
Other than that, there are no rules. Data can be embedded practically anywhere
in the file, the program can read and write anywhere in the processor's memory
map, whatever. When a .COM file is executed, its entire contents are loaded
into memory, and the processor jumps to the beginning of the file and begins
to execute the first instruction it finds there.
Security problems related to a .COM file running on a real mode
MS-DOS system are practically unlimited. The MS-DOS system had absolutely
no security of any kind. The OS completely handed control of the machine
over to the running program. If the program refused to eventually terminate
and hand control back to DOS, there was nothing DOS could do.
The second type of executable file had the .EXE extension. It was more
sophisticated and more suitable for larger programs than the .COM file was.
Due to "segment/offset" memory addressing, the .COM file type was best
suited to situations where you needed no more than 64k, one segment, of
memory. More than that, and the .EXE was more suitable. It has a header
at the beginning of the file informing the OS about itself, how to set segment
registers, which portions of the file are code etc. An EXE file also has a
"magic number". The first two bytes of the file are always the characters
MZ, therefore, the OS, or other utilities can scan and find this signature
and know that it is an MS-DOS executable.
Security risks with .EXEs are the same as with .COMs, the program
has full authority to do as it pleases (when run in real mode DOS).
The third type of executable file under MS-DOS was the .BAT (batch)
file. This was a real gift to users, but also a playground for lamers, since
you could accomplish a lot without much programming skill.
MS-DOS was a "command-line" operating system. You got your work done
at the keyboard, by typing in all sorts of commands.
You executed programs by typing their names. You did housekeeping on the
system by typing the commands for what you wanted to do.
Two types of commands were available to you at the command prompt,
executable file names, and "embedded" commands that were memory resident
with the MS-DOS command processor, COMMAND.COM.
Both of these types of commands could be written to a text file with the
.BAT extension, and then executed, as a "batch" of commands.
There are also some expressions you can use in a batch file to loop, branch, and
make it interactive. In fact, it is like a primitive programming language
you can use to automate many tasks on the system. People could also do a lot
of mischief with batch files, because, like other executables, they have full authority
while running, to do whatever the author wants.
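To make the difference between the three DOS file types concrete, here is an added example (not code from the original essay) that inspects constructed sample bytes the way a loader or scanner would: it decodes the "MZ" header of an .EXE to find the initial CS:IP and the size of the load module, and shows that a .COM file offers nothing comparable to check. The MZ field names follow the documented DOS header layout; the samples are constructed for the example.

```python
import struct

# MZ (DOS .EXE) header: "MZ" magic followed by thirteen little-endian words.
MZ_HEADER = struct.Struct("<2s13H")
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
             "e_lfarlc", "e_ovno")


def parse_mz(data):
    """Decode the MZ header and report where the loader would begin executing."""
    if len(data) < MZ_HEADER.size or data[:2] != b"MZ":
        return None
    h = dict(zip(MZ_FIELDS, MZ_HEADER.unpack_from(data)))
    # e_cp = 512-byte pages in the file, e_cblp = bytes used on the last page (0 = full)
    file_size = h["e_cp"] * 512 - ((512 - h["e_cblp"]) if h["e_cblp"] else 0)
    header_size = h["e_cparhdr"] * 16          # header length in 16-byte paragraphs
    return {
        "entry": "%04X:%04X" % (h["e_cs"], h["e_ip"]),  # initial CS:IP, relative to load segment
        "stack": "%04X:%04X" % (h["e_ss"], h["e_sp"]),
        "header_bytes": header_size,
        "load_module_bytes": file_size - header_size,   # code/data actually copied into memory
    }


def classify(filename, data):
    """Decide what DOS would do with this file: extension first, then content."""
    ext = filename.rsplit(".", 1)[1].upper() if "." in filename else ""
    if ext == "EXE":
        hdr = parse_mz(data)
        if hdr is None:
            return {"kind": "EXE", "valid": False, "reason": "no MZ signature"}
        return {"kind": "EXE", "valid": True, **hdr}
    if ext == "COM":
        # No header and no magic number: the only content rule is that byte 0 is an
        # instruction, so nothing inside the file can confirm it is really a program.
        return {"kind": "COM", "valid": len(data) > 0, "first_bytes": data[:4].hex()}
    if ext == "BAT":
        lines = [l.strip() for l in data.decode("ascii", "replace").splitlines() if l.strip()]
        return {"kind": "BAT", "valid": True, "commands": lines}
    return {"kind": "not executable", "valid": False, "reason": "extension %r" % ext}


# Constructed samples for this example (not real programs):
SAMPLE_EXE = MZ_HEADER.pack(b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0x10, 0x100, 0, 0x10, 0, 0x40, 0)
SAMPLE_EXE = SAMPLE_EXE.ljust(64, b"\0") + b"\x90" * 1104   # 64-byte header + 1104-byte load module
SAMPLE_COM = b"\xb4\x4c\xcd\x21"   # mov ah,4Ch / int 21h: terminate and return to DOS
SAMPLE_BAT = b"@ECHO OFF\r\nDIR C:\\\r\nPROGRAM.COM\r\n"
```

A file named FAKE.EXE whose bytes are really a .COM image fails the MZ check, which is exactly the kind of extension/content mismatch a scanner flags; a .COM file passes any content check by definition, so only its origin can vouch for it.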
Enter the GUI
Even though there was no security designed in to the system, there was a
certain self-limiting feature that was perhaps psychological. As long as
it was a command-line system, you had to type the names of any command
you wanted to run. That is, you tended to know what you had running
on your computer because you typed it out on the keyboard. If you knew the
source of your software, it was unlikely that some strange executable would
just "happen" to find its way on to your system. You could read batch files before
running them, and not take software from sleazy strangers. Internet usage was rare.
Back in those days, everyone was talking about being "computer literate".
Parents obsessed over whether their kids would be left behind in the
brave new world of technology. Of course, at that time, "computer literate"
meant knowing your way around a DOS prompt.
Steve Jobs to the rescue.
Steve Jobs, of Apple Computer, listened to all this worried talk of the need
to become "computer literate", and his response was, "baloney, I can make a
computer that's so easy, even a child can use it!"
In order to make the GUI based OS truly easy to use, designers have settled on the
method of executing programs by "double clicking" on them, and this, along with a raft of new executable types, has caused users to be unaware of exactly what is running on their computer.
Let's examine two ambiguous concepts that contribute to the ignorance and
confusion. I'm talking about the activity of clicking, and the mysterious
concept of opening a file or object.
See also: http://www.richpasco.org/virus/exefile.html
Gone are the days when you RAN a program, EDITED a text file, or whatever. Today, people simply double click everything
You double click a zip file. You double click a document. You double click an e-mail.
You double click an icon. (Some systems are going to a single click, but you get my point.)
In each of these instances, the user is encouraged to use the all-purpose concept "I opened the file", but opening can mean anything, and nothing. Surely there is a difference between opening a batch file to write to it, vs. opening it to execute it, but users are not encouraged to make the distinction. They're just told to "open" this or that, i.e. to double click it.
No wonder they can't understand how they got a virus from the e-mail. The entire concept of "executable" has never been introduced to them, so if you say "E-mail attachments are a security risk because they may contain executable content", their eyes roll back in their heads as if to say "thank you for the star trek jargon, but what the hell are you talking about?"
What about all those new executable file types, .PIF, .VBS, .VBE, .SCR, .JS, .JSE, .WSF, .WSH, .REG?
And what about a.out, ELF, etc? Would y'all like the newest worm-carried LKM rootkit? :)