Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun

The Problem

From the very start, if one is familiar with network programming, such a goal would appear to be very difficult to practically achieve. For instance, many programs send data in a compressed or encrypted form, and there is no common way to process such data without writing specialized software for each target application. This immediately limits the effectiveness of the Privacy Service software's generalized information sanitization process to programs that have a) had specialized handler code written for them, or b) send information to the Internet in plaintext. Furthermore, the very act of modifying an outbound data stream could potentially cause an application to fail (consider the case where an application network protocol includes its own checksums of data sent and received, where arbitrary modifications of network traffic might cause it to be rejected).

The problem with McAfee Internet Security Suite goes deeper, however. The mechanism by which Internet Security Suite intercepts (and potentially alters) outbound network traffic is through a Windows-specific mechanism known as an LSP (or Layered Service Provider).

LSPs are user mode DLLs that "plug-in" to Winsock (the Windows sockets API) and are called for every sockets API call that a user mode program makes. This allows easy access to view (and modify) network traffic without going through the complexities of writing a conventional kernel driver. An LSP is loaded and called in the context of the program making the original socket API call.

This means that for most programs using user mode socket calls, all API calls will be redirected through the Internet Security Suite's LSP, for potential modification.

If one has been paying attention so far, this approach should already be setting off alarms. One serious problem with this approach is that since the LSP DLL itself resides in the same address space (and thus has the same privileges) as the calling program, there is nothing technically stopping a malicious program from modifying the LSP DLL's code to exempt itself from alteration, or even bypassing the LSP directly.

Unfortunately, the flaws in the McAfee Privacy Service do not simply end here. Already the technical limitations of an LSP for securely intercepting and modifying network traffic make this approach (in the author's opinion) wholly unsuitable for a program designed to protect a user from having his or her private data stolen by malicious software.

Specifically, there are implementation flaws in how the LSP itself handles certain socket API calls that may cause otherwise perfectly working software to fail when run under McAfee Internet Security Suite 2006. This poses a serious problem to software vendors, who are often forced to interoperate with pervasive personal security software (such as Internet Security Suite).

The Windows Sockets environment is fully multithreaded and thread-safe, and allows programs to call into the sockets API from multiple threads concurrently without risk of data corruption or other instability. Unfortunately, the LSP provided by McAfee for its Privacy Service software breaks this particular portion of the Windows Sockets API contract. In particular, McAfee's LSP does not correctly synchronize access to internal data structures when sockets are created or destroyed, often leading to situations where a newly created socket handed back to an application program is already mistakenly closed by the flawed LSP before the application even sees it.

In addition, the author has also observed a similar synchronization problem regarding the implementation of the `select' function in the Privacy Service LSP. The select function is used to poll a set of sockets for a series of events, such as data being available to read, or buffer space being available to send data. The McAfee LSP appears to fail when calls to select are made from multiple threads concurrently, however. It often appears to switch a socket handle specified by the original application program with an entirely different handle. In Windows, the same handle space is shared by socket handles and all other types of kernel objects, such as files or processes and threads. This subsequently results in calls to select failing in strange ways, or worse, returning that data is available for a particular socket when it was in fact available on a different socket entirely.

Both of these flaws result in intermittant failures of correctly written third party applications when used in conjunction with McAfee Internet Security Suite 2006.