[CentOS] compilers a security risk?

Warren Young warren at etr-usa.com
Mon Mar 8 14:34:14 UTC 2010


On 3/6/2010 4:04 PM, nate wrote:
>
> if you can upload source code,
> you can upload a precompiled binary

True, but most attacks are automated, and try to attack as wide a range 
of machines as possible.

If I were to write a bit of malware for *ix that needed a custom binary 
on the target machine, I'd at least consider distributing it as C code, 
banking on the fact that most *ix systems have a C compiler installed by 
default these days.

The core assumption here is that it's easier to write C code for an *ix 
system that will compile on a wide range of OSes than it is to craft a 
binary that will run on as many systems.  One of the biggest problems in 
the *ix world is a reliance on source-level compatibility.  Other OSes 
-- Windows in particular -- take a different tack, providing ABI-level 
compatibility over the course of decades.  That has pluses and minuses. 
  For a malware writer, it means it's far more reliable to distribute 
binaries than C code.

That being said, I always find it to be a colossal PITA to work on an 
*ix system without a C compiler.  Again, source vs. ABI-level 
compatibility.  Too often, I need to install something that isn't 
available as a binary package for that particular system, or I need it 
to install in a nonstandard way, so I have to build from source.

You might find that this is one of those security risks you're prepared 
to accept.  Just because you identify a risk doesn't mean you have to 
defend against it.  You should always do the cost-benefit calculation 
before you decide.


More information about the CentOS mailing list