[CentOS] compilers a security risk?
warren at etr-usa.com
Mon Mar 8 14:34:14 UTC 2010
On 3/6/2010 4:04 PM, nate wrote:
> if you can upload source code,
> you can upload a precompiled binary
True, but most attacks are automated, and try to attack as wide a range
of machines as possible.
If I were to write a bit of malware for *ix that needed a custom binary
on the target machine, I'd at least consider distributing it as C code,
banking on the fact that most *ix systems have a C compiler installed by
default these days.
The core assumption here is that it's easier to write C code for an *ix
system that will compile on a wide range of OSes than it is to craft a
binary that will run on as many systems. One of the biggest problems in
the *ix world is a reliance on source-level compatibility. Other OSes
-- Windows in particular -- take a different tack, providing ABI-level
compatibility over the course of decades. That has pluses and minuses.
For a malware writer, it means it's far more reliable to distribute
binaries than C code.
That being said, I always find it to be a colossal PITA to work on an
*ix system without a C compiler. Again, source vs. ABI-level
compatibility. Too often, I need to install something that isn't
available as a binary package for that particular system, or I need it
to install in a nonstandard way, so I have to build from source.
You might find that this is one of those security risks you're prepared
to accept. Just because you identify a risk doesn't mean you have to
defend against it. You should always do the cost-benefit calculation
before you decide.
More information about the CentOS