Tuesday

Another take on the Anti-virus detection problem

As a follow-up to Is Anti-virus ineffective nowadays? (UPDATED), I read the proposal from Joanna Rutkowska:

With digital signatures we can "detect" any kind of executable modifications, starting from the simplest and ending with those most complex, metamorphic EPO infectors as presented e.g. by Z0mbie. All we need to do (or more precisely the OS needs to do) is to verify the signature of an executable before executing it.

I hear all the counter arguments: that many programs out there are still not digitally signed, that users are too stupid to decide which certificates to trust, that sometimes the bad guys might be able to obtain a legitimate certificate, etc...

But all those minor problems can be solved and probably will eventually be solved in the coming years. Moreover, solving all those problems will probably cost much less than all the research on file infectors cost over the last 20 years. But that also means no money for the A/V vendors.


A response from anti-virus rants:

first things first - this is essentially a whitelist technique (with the added bonus that the cryptographic component allows the proof of whitelist membership to be shipped with the file instead of requiring a lookup in a very big list) with all associated fundamental problems... think the problem of signing all good programs is small and will probably be solved? maybe for suitably large values of small... if you're going to focus on identifying good files instead of bad ones you have to keep in mind that the good files outnumber the bad by orders of magnitude and grow at an even faster rate... conceptually signing all good programs is simple, but in practice it's very, very hard...

I agree that blacklisting is no longer the solution, but whitelisting may prove just as challenging. Microsoft is already using code signing, so what could be the problem? Remember when VeriSign was tricked into issuing two Class 3 code-signing digital certificates to someone fraudulently claiming to work for Microsoft? It's just one example, but I agree with the comment on anti-virus rants that this offloads the whole issue onto the signatory.
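To make the two points above concrete (the OS verifying a signature before execution, and the trust decision being offloaded onto whoever admits signers to the trusted set), here is an added example written for this post; it is not code from Joanna Rutkowska, anti-virus rants, or any OS loader. It uses Go's standard-library Ed25519 instead of X.509 certificates, and the `SignedExecutable`, `Loader`, `GenerateSigner`, `Sign` and `Tamper` names, as well as the "program image" bytes, are constructed for illustration. The loader keeps a small set of trusted signer keys rather than a list of every good file, which is the shipped-proof-of-membership property the anti-virus rants comment describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors the loader reports. ErrUntrustedSigner is the whitelist decision
// (is this publisher trusted?); ErrBadSignature is the integrity decision
// (has the file changed since the publisher signed it?).
var (
	ErrUntrustedSigner = errors.New("signer is not in the trusted set")
	ErrBadSignature    = errors.New("signature does not match the image")
)

// SignedExecutable is a constructed stand-in for a signed binary: the image
// bytes, the detached signature over them, and the signer's public key.
type SignedExecutable struct {
	Image     []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// GenerateSigner creates a publisher key pair (hypothetical helper, standing
// in for obtaining a code-signing certificate).
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing rand.Reader is unrecoverable in this example
	}
	return pub, priv
}

// Sign is what the publisher does once, before shipping the file.
func Sign(priv ed25519.PrivateKey, image []byte) SignedExecutable {
	return SignedExecutable{
		Image:     append([]byte(nil), image...),
		Signature: ed25519.Sign(priv, image),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Tamper simulates any post-signing modification of the image (a simple
// appender or a metamorphic EPO infector alike): it flips one byte at offset.
// The signature is carried over unchanged, as it would be on disk.
func Tamper(exe SignedExecutable, offset int) SignedExecutable {
	modified := append([]byte(nil), exe.Image...)
	modified[offset] ^= 0xFF
	return SignedExecutable{Image: modified, Signature: exe.Signature, Signer: exe.Signer}
}

// Loader models the OS-side check: a small set of trusted signer keys
// (the "certificate store") instead of a list of every good file.
type Loader struct {
	trusted map[string]bool
}

// NewLoader builds a loader that trusts exactly the given signer keys.
func NewLoader(keys ...ed25519.PublicKey) *Loader {
	l := &Loader{trusted: make(map[string]bool)}
	for _, k := range keys {
		l.trusted[hex.EncodeToString(k)] = true
	}
	return l
}

// Verify is the check that would run before execution. Both conditions must
// hold: the signer is trusted AND the signature covers exactly these bytes.
func (l *Loader) Verify(exe SignedExecutable) error {
	if !l.trusted[hex.EncodeToString(exe.Signer)] {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(exe.Signer, exe.Image, exe.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := GenerateSigner()
	otherPub, otherPriv := GenerateSigner()
	// Constructed sample image; not a real PE file.
	image := []byte("MZ\x90\x00 constructed program image")

	loader := NewLoader(vendorPub)
	fmt.Println("pristine vendor build:   ", loader.Verify(Sign(vendorPriv, image)))
	fmt.Println("infected vendor build:   ", loader.Verify(Tamper(Sign(vendorPriv, image), 3)))
	fmt.Println("unknown publisher:       ", loader.Verify(Sign(otherPriv, image)))

	// The VeriSign incident in one line: once a key is wrongly admitted to the
	// trusted set, anything it signs passes. The check is only as strong as
	// the decision of whom to trust.
	lax := NewLoader(vendorPub, otherPub)
	fmt.Println("fraudulently trusted key:", lax.Verify(Sign(otherPriv, image)))
}
```

The first three cases show what the signature buys: any byte changed after signing fails closed, regardless of how clever the infector is, and an unknown publisher is rejected without consulting a list of files. The fourth case is the caveat from the post: `Verify` cannot tell a legitimately issued key from a fraudulently issued one, so the whole problem moves to the process that populates the trusted set. Real deployments add certificate chains, revocation and timestamping on top of this, but the shape of the decision is the same.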

BONUS (04/09/2007): Did We Waste Billions Building File Anti-Virus Scanners? (McAfee Avertlabs)
