Since I plan to use Internet on HAIKU. I was wondering what software can protect it or does it come with that software build in.
1 Like
No antiviral software required under Haiku.
Interesting questions, maybe some of Haiku developers answer it?
During the virtualizing of the system, viruses can not write on the program files. Haiku is a very smal system with a very smal userbase. There are no companys using haiku. The virus creators should not have fun to creat virus for haiku, because they can not make so much terror on users and companies. But impossible is not right. All files who can write to the harddisk can be a virus.
2 Likes
Actually, if you are worried about your data being corrupt or stolen, I would recommend to stay away from Haiku. The only protection you get is “security by obscurity”, which is known to not be enough.
So, an attack is unlikely, but once someone decides to target Haiku, it can be quite easy to break through all protections. This is due to a combination of not enough efforts in making things secure (although we got some improvements to this, for example when we added ASLR support) ; and a legacy of BeOS we can’t easily part with yet (things such as the single user having root permissions, or the API allowing to open a file by its inode number even if you are not supposed to have access to its path, which allows breaking outside a chroot, for example).
This is something we will have to put effort in in the near future.
5 Likes
i supose cause Beos was not so secure too… if haiku r1 will be like beos security was not the priority… but r2 should be multi user i suppose.
I think getting a port of ClamAV would be something worthwhile so we at least have a CLI tool for such at our disposal.
I have discussed this with a few folks I know that might be willing to work on such a project over some beers and pizza at a leisure pace with no aggressive timetable. The idea would be to deliver a Haiku package submitted for consideration into the official Haiku apps repo. Also, maybe develop a simple GUI application that could/would utilize the CLI packaged app (as a dependency) that would expose some functionality like updating virus definitions, adding/removing directories for scanning, and scanning desired directories with simple logging output.
1 Like
In order to create effective protection for haiku (viruses, etc), such a case must be known. It is not enough to port a linux or windows virus program on haiku, since these systems are very differently structured and their effectiveness on Haiku are not at all or only partly given or could be.
It would be very helpful, however, if we can monitoring the network movements (internet as the highest level), so you will are asked for certain (user-adjustable) events whether access to the internet is allowed. That would be a good start.
https://dev.haiku-os.org/ticket/10727
A first useful function of a anti-virus program on haiku would be a check of all writable files. On the first run the size of the files are determined and archived, on the next test these data are compared with the new ones. If a file, which should be larger, be larger, this can be by a bad software.
!!!There is an ancient port of clam av on beos (somethere on a repo server or BeShar iirc!!!)
Firewall: Your router, if you have one…i think so, have a firewall, so you are protected. Check your ports you have opend.
I think haiku doesn’t even have W^X? ASLR is good.
I suspect that BeOS binary compatibility prevents things like stack cookies/canaries (fstack-protector and friends) in the 32-bit port, but now recent versions of gcc are being used it could presumably be enabled for 64 bit? And what about gcc2h for the “h” part? (Maybe it is already used?)
It’s worth noting that haiku also uses a lot of open source software, and can therefore sometimes be targeted by the same or similar malware that targets vulnerabilities in those components on other systems, e.g. the heartbleed bug in SSL.
Virus scanners are a waste of time… by the time a virus scanner finds a virus it is already on your system, so the system already failed to protect you. They are fine as a manual tool to run if you suspect something is wrong (e.g. after a user invites a trojan into his system and things start going strange, or you want to check a particular suspicious file), but the situation in windows where they have to running all the time is just crazy.
the main problem for the stack protector with BeOS compatibility is that gcc2 doesn’t support it. Stack protection is a per-function thing so in theory we could enable it for newly compiled code.
Execution disable should already be there, I think, but I don’t remember. I don’t see anything that would prevent it.
As for actually enabling the stack protection, we need to either write some OS support, mostly to tell what to do when a stack corruption is disabled. In our case, we may want to use an alert message like when the app crashes, for example. Osdev has a nice overview of this: http://wiki.osdev.org/Stack_Smashing_Protector . As of now we have neither the gcc’s libssp nor our own implementation, so programs trying to use stack protection will fail to link (and in fact we disabled the feature in several haikuports recipes).
Uber has released an open source privacy tool for database search facilities. Since Haiku has a database-like filesystem with a search facility, could this tool be adaptable to work on the filesystem as a unique privacy-security feature that no other OS has?.
Uber has released an open source privacy tool for database search
facilities. Since Haiku has a database-like filesystem with a search
facility, could this tool be adaptable to work on the filesystem as a
unique privacy-security feature that no other OS has?.
The database-like filesystem is one of the things of Haiku/BeOS, which would it make easy for viruses.
Like you can see on the program “people” you can create empty files, where all informations are in the unlimited attributes (double unlimited: Unlimited number of attributes with an unlimited size of each attribute).
So you don’t know how many disc space a file really uses (file size + attributes size), because the program “ls” and other programs only show the file size.
The big part of a virus can so be as attribute on every file. And only a little part direct part on every file, which starts the code in the attribute.
The next problem is, that Haiku/BeOS isn’t a multi-user system. The one and only user have root rights. But I think, this will change with Haiku after Release 1.
But the high risk file system will still being there.
And this file system is not only a problem for Haiku. If I have seen it right, Magenta, the kernel of Googles Fuchsia Operating System, using the BeOS filesystem, too.
I don’t know much about viruses or security, but I doubt the output of “ls” or the “Size” column in Tracker windows are a good indicator for a virus infection. The fact that those don’t reflect the size of addtional attributes, doesn’t mean that there’s no way for a tool to get that information to monitor changes in files+attributes. (If that is what anti virus software does… I have no idea.)
Apart from what humdinger said - other popular file systems support arbitrary-size file metadata too, e.g. Windows’ NTFS and MacOS’ HFS+.
What makes BFS special is not that it has attributes - most file systems these days do - it’s that the file system itself can also index the attributes and do fast queries on them.
Multi-user (several user accounts) and security (give or take specific permissions to processes) are separate issues and IMO should be treated as such. However, what happens there after R1 is not yet determined.
Some internet exploits are enabled because of Javascript. It’d be nice for Web+ to have a way to turn Javascript off.
Web+ probably work a lot better w/o js, because the third party connections that usually cause it to hang would not exist with Javascript turned off.
No, that’s unrelated. There are crashes in the HTTP code because our HTTP implementation has two many threads (one per request) and concurrency issues. There are also crashes because the media code in WebKit is just a quick hack and also has concurrency problems, and because the support for streaming in media kit is still not complete and some things will block waiting for downloads to complete. In either case, Javascript is not involved.
1 Like
Not entirely IMO. Javascript code is responsible for multiplying the number of connections. On a number of UK news sites, for instance, the number of connections that are being attempted drops from a few dozen down to maybe five or six w/o Javascript. So, I’d have to imagine less “concurrency” issues with fewer connections.