How does an OS or a program actually verify the type of a file?
I'm curious--mainly for how operating systems implement security around this--how an OS verifies that if I text you an image, the file is actually an image. Or if you open a file that ends in .pdf, that the file is actually an encoded pdf. I've found that each file has a header that declares the type of the file, but what stops me from writing in the header that my file is a jpeg and then encoding a bunch of malicious code? How do OSes decide whether a file is safe to open and is actually the type of file it says it is?
Even today, operating systems don't verify any of this. On Windows, when you launch an executable, the system can do some verification, like where it comes from, whether it knows about the origin, or scan it to check for malware. Your computer is completely vulnerable to user-mode attacks.
It is often a misconception that the kernel-user separation is providing security on modern operating systems. From user mode, one can access the whole filesystem (except some privileged portion of it). Most people will store their files in the Documents folder or somewhere that is not privileged. In consumer computers, there is really no point in having a kernel-user separation. Maybe it can help avoid some kind of deep malware that will install itself in the root of the operating system and can avoid some damage, but mostly it doesn't prevent malware from spying on you or encrypting your data for ransom.
In itself, there have been known issues for files like pdfs, but these are not related to the checks that the operating system is making. These are related to the software that is used to interpret those pdfs, like Adobe or Firefox. Files like pdfs can embed some JavaScript that is executed within the sandbox provided by Adobe. This sandbox can be escaped if there are vulnerabilities in the software. This won't allow a zero-day exploit (where the malware has access to the kernel), but it can allow escaping the sandbox to access the full user-mode environment, which is riddled with bugs that the software that escaped the sandbox can then exploit to eventually end up in the kernel.
When you launch a pdf file, the path to the pdf is passed to the main function of the executable that is specified to be the default to launch that type of file. It is really that simple. If the default is Adobe, when you double-click a pdf, the path to the pdf is passed to the main function of the Adobe executable, which is itself responsible for providing security. The operating system has nothing to do with this.
In itself, a file that isn't an executable doesn't pose much threat because it will not be executed. The content will be interpreted in a sandbox but not executed. The software's sandbox can have bugs and possible exploits, but mostly these are fixed today and quite hard to find by yourself.
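An added illustration (example code written for this page, not from the question or the answer) of the header check the question mentions: comparing a file's extension against its leading "magic" bytes, run on constructed in-memory samples. It shows that such a check catches an executable renamed to look like an image, but says nothing about what follows a valid-looking prefix, which is why the parser that opens the file carries the real burden. The signature table is a small hand-picked subset, not a complete one.

```python
# Added example: extension-vs-content check using well-known file signatures.
# All sample "files" below are constructed byte strings; nothing is read from disk.

MAGIC = {
    # leading bytes -> type label (a small subset of common signatures)
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"MZ": "pe",           # Windows executable (DOS stub header)
    b"\x7fELF": "elf",     # Linux/Unix executable
    b"PK\x03\x04": "zip",  # also docx/xlsx/jar/apk containers
}

EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
               "pdf": "pdf", "exe": "pe", "zip": "zip"}


def sniff(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return "unknown"


def extension_type(filename: str) -> str:
    """Return the type the filename extension claims, or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "unknown")


def check(filename: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the sniffed type (content)."""
    claimed, actual = extension_type(filename), sniff(data)
    return {"claimed": claimed, "sniffed": actual, "mismatch": claimed != actual}


# Constructed samples (not real files)
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj ...",
    # an executable renamed to look like an image: the content gives it away
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,
    # a forged JPEG prefix followed by arbitrary bytes: sniffing cannot tell
    "forged.jpg": b"\xff\xd8\xff" + b"\x4d\x5a" * 20,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check(name, blob))
```

A mismatch is a useful detection signal (mail gateways and upload handlers commonly use it), but a clean result only means the first few bytes look right; whether the rest is safe depends entirely on the robustness of the application that parses it.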