AntiVirus?

Gregory Maxwell gmaxwell at gmail.com
Sun Mar 20 21:10:03 UTC 2005


On Sun, 20 Mar 2005 19:48:01 +0000, Mike Hearn <mike at navi.cx> wrote:
> On Sun, 20 Mar 2005 11:11:09 -0500, Gregory Maxwell wrote:
> > Fixes don't magically appear... But code to detect instances of
> > exploitation of the bug are magically written, and magically appear on
> > systems?
> 
> Well, this is a good point. It's possible though to write generic scanners
> that detect suspicious behaviour. Also generally AV definitions are much
> smaller than software patches. Binary patch RPMs could help with that.

Sure, but generic scanners become easier to work around.. it really
is a fundamentally hard problem to determine what a program is doing.
 
> I think it is often easier to write an AV detection update than a bugfix
> update though, especially if the flaw is a design issue and not a simple
> typo/mis-use of strcpy.

Nah.. It's easier to catch a specific instance of an exploit than to
write a fix in some cases, but to write generic detection code you
must understand the bug..   It's pretty uncommon for security holes to
be difficult to fix, except in a few cases with insecure protocols...
and in those cases it's easier to just put exploit detection code in
the app, until you can get around to replacing it with something
secure.

> I'm not so sure, some fixes can be quite large. But I don't have any
> numbers either way so maybe you are right.

I've used xdelta in the past on update rpms... they are small.. but
with current practice of not backporting fixes, they might end up
bigger.
 
> Yes, I know. Still there are many viruses (as opposed to spyware) which
> just exploit a buffer overflow and replicate, or even just mail/IM
> themselves to people in the address book.

It's useless to only attack viruses, spyware is by *far* the bigger
problem on windows desktops these days, and antiviruses are usually
ineffective at stopping worms (since the whole internet gets infected
before someone can identify the spreading method).
 
> Indeed, you are right that it's an arms race. Unfortunately we are in the
> unfortunate position here: without some way to try and clean up after a
> widespread outbreak we are relying on getting lucky every time, but the
> bad guys only need to get lucky once or twice.

It's not even an arms race.. Once someone has gotten root priv code to
run on your system  it's terribly difficult to remove it.  There are
quite a few linux rootkits today that are harder than a reinstall to
remove, and even once you've done that you fundamentally can't be sure
that the system is secure.
 
> Yes, that's true if it's still maintained. But most exploits are for the
> OS or OS-level services. How often do you hear about Photoshop viruses? Or
> Half-Life viruses?

I'd say the majority of malicious code on windows desktops these days
is coming in via outlook and internet explorer... often exploiting
bugs there.   It's much easier to make the basic OS secure than the
apps..  This is why things like SE linux are important, if we can
sufficiently sandbox all the applications it might not matter that
much if we can secure them or not.

> Well ClamAV is a server product for detecting Windows viruses, right? It's
> not an end-user level product for the Linux desktop.

ClamAV is a cross platform antivirus package that supports both server
scanning techniques (such as operating as a milter) and desktop style
virus scanner support (intercepting file IO).  It has definitions for
the existing linux viruses and worms, in addition to all the windows
cruft.  As I said, it's a solved problem.

There are quite a few host based IDS systems that do a pretty good job
of anomaly detection... from tools as simple as tripwire, to much more
complex tools like the monitoring code included with the honeypot
toolset and snort.

None of this makes it possible to be sure your machine is secure once
it's been exploited.

> > It's an entirely different game in windows. The system is fundamentally
> > insecure, and users have been conditioned through years of social norms
> > to perform unsafe behaviors.  It's very difficult to live a life as a
> > windows user without routinely downloading executing binaries from
> > unaccountable random places on the Internet. With linux, it's quite
> > reasonable to only run software that comes from a handful of widely used
> > package repositories.
> 
> Oh well I'm not convinced that works better either :) After all, who
> audited all the code going into Fedora Extras? Including all 100,000 lines
> of configure script? Hmm, I think we trust upstream ...

Perhaps no one did... but it's likely that it *could* be caught... If
I toss up some website with nasty windows binaries I could get
thousands of people with very little risk of detection, and very
little accountability chain to track me down.

You mentioned before that you thought it would be interesting to write
antivirus software, but since that's already been done, ... might I
suggest something more interesting:

Write software code that tracks changes to packages and detects
changes that might introduce security weaknesses.  It's also a
difficult problem, but probably an easier problem than antivirus in
the long run... It would be useful today (since as you pointed out,
bugs are added, often unintentionally), and isn't quite as vulnerable
to the antivirus arms race.
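The two defensive ideas in this message, a tripwire-style baseline of what is on disk and a tool that watches package updates for changes that look risky, share one core: snapshot the files, then diff two snapshots and rank the differences. The script below is an added illustration written for this archive page; it is not code from the thread, from tripwire, or from ClamAV. It records the SHA-256, permission bits and size of every regular file under a root, then compares a baseline against a later snapshot and flags the kinds of change an update reviewer would want to see first: new or changed executables, files that gained an execute, setuid/setgid or world-writable bit, and files that appeared or vanished. The `demo()` function builds a small constructed tree in a temporary directory and simulates an update, so the whole thing runs offline; the file names in it are made up.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH   # any execute bit
PRIV_BITS = stat.S_ISUID | stat.S_ISGID                  # setuid / setgid


@dataclass(frozen=True)
class Record:
    """What the baseline remembers about one regular file."""
    sha256: str
    mode: int    # permission bits only (stat.S_IMODE), including suid/sgid
    size: int


def snapshot(root):
    """Walk `root` and record every regular file keyed by its relative path.

    Symlinks, devices and sockets are skipped: lstat() is used so a symlink
    is never followed, and only S_ISREG entries are hashed."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            records[rel] = Record(digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return records


def diff_snapshots(old, new):
    """Compare two snapshots and return (kind, relative_path) findings.

    Kinds: added, removed, modified, mode-changed, plus the higher-risk
    refinements exec-bit-added, setuid-added and world-writable."""
    findings = []
    for rel in sorted(set(old) | set(new)):
        before, after = old.get(rel), new.get(rel)
        if before is None:
            findings.append(("added", rel))
            if after.mode & PRIV_BITS:
                findings.append(("setuid-added", rel))
            continue
        if after is None:
            findings.append(("removed", rel))
            continue
        if before.sha256 != after.sha256:
            findings.append(("modified", rel))
        if before.mode != after.mode:
            findings.append(("mode-changed", rel))
            gained = after.mode & ~before.mode          # bits that are new
            if gained & EXEC_BITS:
                findings.append(("exec-bit-added", rel))
            if gained & PRIV_BITS:
                findings.append(("setuid-added", rel))
            if gained & stat.S_IWOTH:
                findings.append(("world-writable", rel))
    return findings


def demo():
    """Constructed scenario: take a baseline, apply a fake 'update', diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")            # hypothetical binary
        cfg = os.path.join(root, "etc.conf")            # hypothetical config
        stale = os.path.join(root, "old.txt")           # file the update removes
        with open(ls, "wb") as fh:
            fh.write(b"#!/bin/sh\necho original\n")
        os.chmod(ls, 0o755)
        with open(cfg, "wb") as fh:
            fh.write(b"debug=0\n")
        os.chmod(cfg, 0o644)
        with open(stale, "wb") as fh:
            fh.write(b"obsolete\n")
        baseline = snapshot(root)

        # The "update": replaces the binary, makes the config executable,
        # drops the stale file and adds a new helper binary.
        with open(ls, "wb") as fh:
            fh.write(b"#!/bin/sh\necho replaced\n")
        os.chmod(cfg, 0o755)
        os.remove(stale)
        helper = os.path.join(root, "bin", "helper")
        with open(helper, "wb") as fh:
            fh.write(b"#!/bin/sh\necho helper\n")
        os.chmod(helper, 0o755)
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:16} {rel}")
```

The baseline dictionary is what a real tool would serialize to a signed file kept off the monitored host; otherwise an attacker who already has root, which is the case this message says you cannot recover from anyway, can simply rewrite it. For the package-review use the same `diff_snapshots()` runs over the unpacked old and new package trees instead of a live filesystem.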




More information about the fedora-devel-list mailing list