funsec mailing list archives
Re: standards status in the industry - opinion?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Jan 2006 11:40:09 +1300
Drsolly to me:
> Have you ever wondered whether we may be scanning for the wrong thing? Known virus scanning is not the only "signature scanning" approach -- as Fred Cohen suggested close to (or is that now "more than"??) two decades ago, by far the best solution to the generic problem of detecting the execution of unwanted code (of which, the problem of "detecting malware" is a sub-set) is to "fingerprint" the installed/allowed code and prevent unknown code from being run. Thought of in a different way, this is the firewall equivalent of a default-deny rule for the program loader... That wasn't practical then (think stealth boot sector viruses), ...
I agree it was not practical then -- there were far too many impediments due to slow processors (4-12MHz 808[68]/80286 that people already felt were "far too slow"), small amounts of RAM and less "free" to play with than anyone wanted, slow drives, no memory protection, etc, etc...
> ... and became even less practical with the first Word macro virus.
Not at all. Even before (MS' crappy, largely broken) VBA code signing (which you should be able to choose to proxy for "proper" whitelisting in a well-designed whitelisting system), VBA macro viruses present no more of a "problem" for whitelisting approaches than any other kind of code.

Whitelisting is all about _thinking about_ the code that you allow to run on your systems. Of course, historically, few people have bothered to do that, which is why we have such _easily_ virusable and other forms of malware-able systems. It is why MS designed such shockingly crap applications as VBA _THEN_ encouraged other security-blind companies to embed it into their own applications and file formats. It is why we have script-embedded-HTML _WITH_ an object model that _encourages_ writing self-modifying code (grrrrr; did the folk who "designed" this have a single security clue among them? Nope... Complete security morons.).

Whitelisting is about taking back control from the morons who not only don't know better, but want you to not know anything important about how your system runs or what runs on it and just let them make the decisions for you.

To digress slightly, these are the same folk who want to be making the decisions for us if/when the "trusted computing platform" idea settles in. They (partly) feel comfortable in that role because they have effectively been playing that role for a couple of decades now _and_ no-one has seriously questioned that, _OR_ their, IMNSHO shockingly bad, performance of it so far.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
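The "fingerprint the allowed code and default-deny everything else" idea quoted above, shown as an added example that is not part of the thread or of any real allowlisting product. It keys the allow/deny decision on the SHA-256 of the file content rather than on its path, so a trojanised copy at an approved path is refused while an approved binary under another name still passes. The file names and byte contents are constructed here for the demonstration.

```python
"""Hash-based default-deny execution check (illustrative, added for this page)."""
import hashlib
import os
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 of the file's bytes, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths) -> set:
    """Fingerprint every approved executable once, at 'install' time."""
    return {fingerprint(p) for p in paths}


def is_execution_allowed(path: str, allowlist: set) -> bool:
    """The question a default-deny loader asks: is this exact content approved?

    Unreadable or missing files are denied too: no hash, no run.
    """
    try:
        return fingerprint(path) in allowlist
    except OSError:
        return False


def demo() -> dict:
    """Walk through the cases a practitioner cares about; returns the decisions."""
    approved_bytes = b"MZ approved editor build 1.0"  # constructed stand-in for a binary
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "editor.exe")
        with open(good, "wb") as f:
            f.write(approved_bytes)
        allow = build_allowlist([good])

        # 1. The vetted program runs.
        results["approved"] = is_execution_allowed(good, allow)

        # 2. Something nobody vetted is refused, no signature database needed.
        unknown = os.path.join(d, "game.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ something nobody vetted")
        results["unknown"] = is_execution_allowed(unknown, allow)

        # 3. Same approved path, but the content changed (infected/trojanised):
        #    path-based checks would pass this, content-based ones refuse it.
        with open(good, "ab") as f:
            f.write(b"\x90 appended payload")
        results["modified"] = is_execution_allowed(good, allow)

        # 4. Approved content copied under a new name still runs.
        renamed = os.path.join(d, "renamed.exe")
        with open(renamed, "wb") as f:
            f.write(approved_bytes)
        results["renamed"] = is_execution_allowed(renamed, allow)

        # 5. A path that does not exist is denied rather than raising.
        results["missing"] = is_execution_allowed(os.path.join(d, "nope.exe"), allow)
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:9s} -> {'ALLOW' if allowed else 'DENY'}")
```

The check only protects what the loader actually consults it for. Interpreted content such as VBA macros or script in HTML is loaded by the host application, not the OS loader, so the same hash-or-signature decision has to be enforced by that interpreter (or by refusing the container file wholesale); that is the sense in which macro viruses are no different from any other code for an allowlist, provided the allowlist is applied at the point where the code is run.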