
Thread: executable files

  1. #1
    AO Curmudgeon rcgreen
    Join Date
    Nov 2001
    Posts
    2,716

    executable files

    What is an executable file, and how does it relate to computer security?

    Some of us seem to know the answer almost intuitively, and think that this is a
    trivial question, but for others it is a mystery. The concept of the executable file
    is at the heart of the computer's amazing flexibility, and the source of all
    security problems.

    Like the comic book hero The Green Lantern, the source of his super powers
    is also his one vulnerability.

    Think about it for a minute. If all the executable code on the computer was
    embedded in ROM chips on the motherboard, and if the machine was wired
    in such a way as to be unable to run any code other than the built-in, tested,
    bonded and guaranteed software in that ROM, then there would be no viruses,
    no trojans, no spyware or other malicious or rogue code of any kind.

    But the world would be a boring place if you could not choose additional
    software to install on your computer, if you could not upgrade your software
    or write your own.

    So, when our computers were designed, the computer gods decided to take a
    chance and design an open architecture with a maximum of flexibility
    granting a maximum of power to the owner and user.

    Software, in the form of executable files, has almost total freedom to do
    whatever the programmer wants it to do, for good or ill.

    That having been said by way of introduction, let's take a quick survey of
    executable file types on IBM PC compatibles, with a few comments on
    security.

    When the IBM PC was first introduced, with the PC-DOS (MS-DOS) operating
    system, it had three types of executable files. MS-DOS uses the concept
    of the "file extension" to identify various types of files on the system.
    In the FAT type file system of those days, you could use a max. of 11 characters
    in a file name, with the last 3 set off by a dot (period).

    In some file types, the extension was optional, but for executable files it was
    mandatory. You could make a text file named LETTER, but a file named PROGRAM
    would not execute. The three executable file types had the extensions .COM
    .EXE and .BAT


    The .COM file was the first and simplest type of executable file.
    These are its characteristics. First, it had no header or mandatory data field
    in it, and no "magic number", which is to say, it had no tell-tale signature anywhere
    in the file that could identify its contents to the OS or to any third party
    program. A .COM file is only bound by two mandatory rules, one, it must
    have the COM extension, or the OS will refuse to execute it. Two, the very first
    byte(s) of the file must be valid machine instructions, or it will crash.
    Other than that, there are no rules. Data can be embedded practically anywhere
    in the file, the program can read and write anywhere in the processor's memory
    map, whatever. When a .COM file is executed, its entire contents are loaded
    into memory, and the processor jumps to the beginning of the file and begins
    to execute the first instruction it finds there.

    Security problems related to a .COM file running on a real mode
    ms-dos system are practically unlimited. The ms-dos system had absolutely
    no security of any kind. The OS completely handed control of the machine
    over to the running program. If the program refused to eventually terminate
    and hand control back to DOS, there was nothing DOS could do.

    The second type of executable file had the .EXE extension. It was more
    sophisticated and more suitable for larger programs than the .COM file was.
    Due to "segment/offset" memory addressing, the .COM file type was best
    suited to situations where you needed no more than 64k, one segment, of
    memory. More than that, and the .EXE was more suitable. It has a header
    at the beginning of the file informing the OS about itself, how to set segment
    registers, which portions of the file are code etc. An EXE file also has a
    "magic number". The first two bytes of the file are always the characters
    MZ, therefore, the OS, or other utilities can scan and find this signature
    and know that it is an MS-DOS executable.

    Security risks with .EXEs are the same as with .COMs, the program
    has full authority to do as it pleases (when run in real mode DOS).

    The third type of executable file under MS-DOS was the .BAT (batch)
    file. This was a real gift to users, but also a playground for lamers, since
    you could accomplish a lot without much programming skill.
    MS-DOS was a "command-line" operating system. You got your work done
    at the keyboard, by typing in all sorts of commands.
    You executed programs by typing their names. You did housekeeping on the
    system by typing the commands for what you wanted to do.

    Two types of commands were available to you at the command prompt,
    executable file names, and "embedded" commands that were memory resident
    with the ms-dos command processor, COMMAND.COM.
    Both of these types of commands could be written to a text file with the
    .BAT extension, and then executed, as a "batch" of commands.

    There are also some expressions you can use in a batch file to loop, branch,
    make it interactive. In fact, it is like a primitive programming language
    you can use to automate many tasks on the system. People could also do a lot
    of mischief with batch files, because, like other executables, they have full authority
    while running, to do whatever the author wants.

    Enter the GUI

    Even though there was no security designed in to the system, there was a
    certain self-limiting feature that was perhaps psychological. As long as
    it was a command-line system, you had to type the names of any command
    you wanted to run. That is, you tended to know what you had running
    on your computer because you typed it out on the keyboard. If you knew the
    source of your software, it was unlikely that some strange executable would
    just "happen" to find its way on to your system. You could read batch files before
    running them, and not take software from sleazy strangers. Internet usage was rare.

    Back in those days, everyone was talking about being "computer literate".
    Parents obsessed over whether their kids would be left behind in the
    brave new world of technology. Of course, at that time, "computer literate"
    meant knowing your way around a DOS prompt.

    Steve Jobs to the rescue.

    Steve Jobs, of Apple Computer, listened to all this worried talk of the need
    to become "computer literate", and his response was, "baloney, I can make a
    computer that's so easy, even a child can use it!"

    In order to make the GUI based OS truly easy to use, designers have settled on the
    method of executing programs by "double clicking" on them, and this, along with a
    raft of new executable types, has caused users to be unaware of exactly what is
    running on their computer.

    Let's examine two ambiguous concepts that contribute to the ignorance and
    confusion. I'm talking about the activity of clicking, and the mysterious
    concept of opening a file or object.
    See also: http://www.richpasco.org/virus/exefile.html

    Gone are the days when you RAN a program, EDITED a text file, or whatever. Today, people simply double click everything.
    You double click a zip file. You double click a document. You double click an e-mail.
    You double click an icon. (Some systems are going to a single click, but you get my point.)

    In each of these instances, the user is encouraged to use the all-purpose concept "I opened the file", but opening can mean anything, and nothing. Surely there is a difference between opening a batch file to write to it, vs. opening it to execute it, but users are not encouraged to make the distinction. They're just told to "open" this or that, i.e. to double click it.

    No wonder they can't understand how they got a virus from the e-mail. The entire concept of "executable" has never been introduced to them, so if you say "E-mail attachments are a security risk because they may contain executable content", their eyes roll back in their heads as if to say "thank you for the Star Trek jargon, but what the hell are you talking about?"

    Future:

    What about all those new executable file types, .PIF, .VBS, .VBE, .SCR, .JS, .JSE, .WSF, .WSH, .REG?
    Last edited by rcgreen; March 20th, 2007 at 06:37 PM.
    I came in to the world with nothing. I still have most of it.

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    And what about a.out, ELF, etc? Would y'all like the newest worm-carried LKM rootkit?
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion
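The two posts above describe how DOS told its three executable types apart (the .COM file with no header and no signature, the .EXE file with its "MZ" header that tells the OS how to set up the segment registers) and ask about ELF on the other side of the fence. The following is an added example, not code from either poster: it parses the fixed part of the MZ header, follows the `e_lfanew` pointer that a modern Windows PE image keeps in the same MZ stub, checks the ELF magic, and shows that a .COM file can only be recognised by its extension. All sample bytes (`SAMPLE_COM`, `SAMPLE_EXE`, `SAMPLE_PE`, `SAMPLE_ELF`) and the helper names are constructed for this demonstration; the header field names follow the Microsoft `IMAGE_DOS_HEADER` layout.

```python
"""Identify executable formats by their leading bytes (added example, not from the thread).

The point the post makes: a DOS .EXE announces itself with 'MZ' and a header,
a .COM file announces nothing at all, so content-based identification can only
ever say "this is not an EXE/PE/ELF", never "this is a COM".
"""
import struct
from typing import Optional

# Fixed 28-byte part of the MZ header (IMAGE_DOS_HEADER), 14 little-endian uint16s.
_MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
              "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def parse_mz(data: bytes) -> Optional[dict]:
    """Return the MZ header fields (plus derived sizes), or None if there is no MZ header."""
    if len(data) < 28 or data[:2] != b"MZ":
        return None
    hdr = dict(zip(_MZ_FIELDS, struct.unpack("<14H", data[:28])))
    # DOS computes the load image size from e_cp 512-byte pages; e_cblp is the
    # byte count used in the last page (0 means the last page is full).
    if hdr["e_cblp"]:
        hdr["image_size"] = (hdr["e_cp"] - 1) * 512 + hdr["e_cblp"]
    else:
        hdr["image_size"] = hdr["e_cp"] * 512
    hdr["header_size"] = hdr["e_cparhdr"] * 16      # header length is given in paragraphs
    return hdr


def identify(data: bytes, name: str = "") -> str:
    """Classify by content first; fall back to the extension only when nothing else can speak."""
    if data[:4] == b"\x7fELF":
        cls = {1: "32-bit", 2: "64-bit"}.get(data[4] if len(data) > 4 else 0, "unknown class")
        return f"ELF ({cls})"
    hdr = parse_mz(data)
    if hdr:
        # A PE image reuses the MZ stub. e_lfarlc >= 0x40 signals that the
        # e_lfanew pointer at offset 0x3C is present and points at "PE\0\0".
        if hdr["e_lfarlc"] >= 0x40 and len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "PE (Windows) with MZ stub"
        return (f"MZ (DOS EXE): entry CS:IP={hdr['e_cs']:04X}:{hdr['e_ip']:04X}, "
                f"header {hdr['header_size']} bytes, image {hdr['image_size']} bytes")
    # No signature anywhere: exactly the .COM situation the post describes.
    upper = name.upper()
    if upper.endswith(".COM"):
        return "COM (no header, no magic; loaded at CS:0100 and executed from byte 0)"
    if upper.endswith(".BAT"):
        return "BAT (plain text, interpreted by COMMAND.COM)"
    return "unknown / data"


def build_dos_exe(code: bytes, header_paragraphs: int = 2) -> bytes:
    """Wrap raw code in a minimal MZ header (constructed by hand, not linker output)."""
    header_len = header_paragraphs * 16
    total = header_len + len(code)
    e_cp = (total + 511) // 512            # number of 512-byte pages, rounded up
    e_cblp = total % 512                   # bytes used in the last page
    hdr = struct.pack("<2s13H", b"MZ", e_cblp, e_cp, 0, header_paragraphs,
                      0, 0xFFFF,           # e_minalloc, e_maxalloc
                      0, 0x100,            # initial SS:SP
                      0,                   # checksum (unused)
                      0, 0,                # initial IP, CS
                      0x1C, 0)             # relocation table offset, overlay number
    return hdr.ljust(header_len, b"\0") + code


# Constructed samples. The COM body is a classic DOS "hello": MOV AH,09h / MOV DX,010Bh /
# INT 21h / MOV AH,4Ch / INT 21h followed by the '$'-terminated string it prints.
# Note the data sits right after the code in the same flat blob, with nothing marking it.
SAMPLE_COM = b"\xb4\x09\xba\x0b\x01\xcd\x21\xb4\x4c\xcd\x21" + b"Hello, world!$"
SAMPLE_EXE = build_dos_exe(SAMPLE_COM)
_pe_stub = struct.pack("<2s13H", b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
SAMPLE_PE = _pe_stub.ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\0" * 9

if __name__ == "__main__":
    for label, blob in (("HELLO.COM", SAMPLE_COM), ("HELLO.EXE", SAMPLE_EXE),
                        ("app.exe", SAMPLE_PE), ("a.out", SAMPLE_ELF), ("HELLO.TXT", SAMPLE_COM)):
        print(f"{label:10s} -> {identify(blob, label)}")
```

The last line of the demo is the one worth noticing: the same bytes that are a runnable `HELLO.COM` classify as "unknown / data" once renamed, because nothing inside the file distinguishes it from data. That is why signature-based scanners can confirm an EXE, PE or ELF but have to treat any small extensionless blob as potentially executable on a DOS-style system.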
