Raw Sockets Gone in XP SP2 - Thursday 12 August, 2004, 2:07 PM
http://www.interact-sw.co.uk/iangblog/2004/08/12/norawsockets
Well, not strictly gone, but their power has been reduced in certain respects.
While it might make Steve Gibson happy, I'm not utterly delighted by this particular change that service pack 2 brings to Windows XP.
Security expert and fellow DevelopMentor instructor Dominick Baier drew my attention to the fact that Windows XP service pack 2 (which I just installed) reduces the power of raw sockets. This has had no direct impact on me, since nothing I did uses raw sockets. But there are a couple of groups of users that this will affect.
The good news (and the justification for the removal of the feature) is that this change will prevent certain network attack tools used by crackers from running on Windows XP. These tools are easier to write if you have a full raw socket facility. But it won't impede them much of course - presumably they'll just go and use some other operating system. The limitations on the raw socket facility in Windows XP don't make XP any more or less vulnerable, they just make it slightly less suitable as a platform for launching certain kinds of attacks. But that really won't stop a determined hacker - it's not like it's that hard to find an OS that supports full raw sockets. Linux supports them for example. (So if Steve Gibson was right in his original rather sensationalist article, Linux will now supplant Windows XP as the "denial of service tool of choice for internet hackers everywhere" as he put it... Not that Windows XP ever fulfilled his prophecy of doom, as far as I know.)
In fact there's no reason a cracker couldn't add the functionality back into Windows if they're prepared to write a suitable device driver. I don't think there's anything stopping you writing a kernel mode device driver that plugs into the NDIS stack and communicates directly with the network card device driver. That would let you send any ethernet packet you like, which would give you at least as much power as the original unencumbered raw sockets API. (In practice they'll probably just use an OS such as Linux which still supports the feature.)
The other group this affects is security professionals - the restriction of the raw sockets API prevents certain penetration test tools from running. For example, Dominick pointed out that certain features of nmap won't work on Windows XP once you've installed service pack 2. This means you can no longer use Windows XP to discover whether a particular system on your network is vulnerable to certain kinds of attacks.
The justification for limiting raw sockets is that they provide a tool for the attackers. That sounds reasonable enough until you realise that raw sockets are also a tool for the defenders. Now that I've installed service pack 2 I'm deprived of the ability to use this tool to defend myself, unless I have some other systems around that still support raw sockets. Meanwhile I can be absolutely sure that those who would attack my networks *do* have systems that support raw sockets.
So this change appears to have made Windows XP less useful for detecting security flaws without putting up any significant new barrier to determined attackers. Doesn't that make me less secure, on balance?
(Of course this is just a minor niggle - on the whole, I think the security improvements of XP SP2 are a Very Good Thing!)