Full Disclosure mailing list archives

Re: Gödel and kernel backdoors

From: Valdis.Kletnieks () vt edu
Date: Mon, 20 Sep 2010 08:42:07 -0400

On Mon, 20 Sep 2010 01:03:21 PDT, Hurgel Bumpf said:

The solution could be a virtualized operating system, which has a control 
layer between the operating system and the hardware abstraction layer. Changes
to data could be non-persistent in the first step, and only written to
the hdd after a heuristic check of the changes and a interaction with the user.


Actually, that's a very useful tool that you can even deploy today: Just use
the 'checkpoint' feature of a VMWare or similar tool, and keep around some
checkpoints that you're reasonably sure contain no malware.

Unfortunately, it suffers from the same exact Godel issue as any other system -
you simply *cannot* make that "heuristic check" 100% guaranteed correct and
accurate. (In fact, by definition a heuristic check *can't* be 100% accurate -
if a heuristic was perfect, it would be called an algorithm).

The point that everybody seems to be missing is this:

Godel, Turing, and all proved that you can't make that check 100% correct. They
said *nothing* about the possibility of building a checker that's 99.99998%
accurate (and in fact, that's totally within the realm of mathematical
possibility).  There are *real* problems that Godel says *nothing* about but
the real world does:

1) Making that mathematically possible 99.99998% accurate checker may require
so much simulation and state tracking that launch times for programs will be
measured in years or decades - as a practical matter, users may not want more
than 2 or 3 nines.  Heck, they whinge about the overhead of *current*
anti-malware.

2) With the plethora of complicated objects on the average computer system,
raising the "is javascript/vi modelines/whatever  data or executable code"
issues, we don't even have a clue how to do better than 95% or so.  So as an
industry, let's not bother worring about that Godel issue until we know how to
get to 99% and still have users happy with the overhead involved.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Gödel and kernel backdoors, (continued)
- Re: Gödel and kernel backdoors mrx (Sep 18)
- Re: Gödel and kernel backdoors Giuseppe Fuggiano (Sep 18)
  - Re: Gödel and kernel backdoors BMF (Sep 18)
  - Re: Gödel and kernel backdoors wmsecurity (Sep 20)
- Re: Gödel and kernel backdoors Pavel Kankovsky (Sep 19)
  - Re: Gödel and kernel backdoors Georgi Guninski (Sep 19)
    - Re: Gödel and kernel backdoors Berend-Jan Wever (Sep 19)
    - Re: Gödel and kernel backdoors Christian Sciberras (Sep 19)
- Re: Gödel and kernel backdoors Hurgel Bumpf (Sep 20)
  - Re: Gödel and kernel backdoors Georgi Guninski (Sep 20)
  - Re: Gödel and kernel backdoors Valdis . Kletnieks (Sep 20)
- Re: Gödel and kernel backdoors dave b (Sep 20)