funsec mailing list archives

Re: standards status in the industry - opinion?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Jan 2006 11:40:09 +1300

Drsolly to me:

> Have you ever wondered whether we may be scanning for the wrong thing?

Known virus scanning is not the only "signature scanning" approach -- 
as Fred Cohen suggested close to (or is that now "more than"??) two 
decades ago, by far the best solution to the generic problem of 
detecting the execution of unwanted code (of which, the problem of 
"detecting malware" is a sub-set) is to "fingerprint" the installed/ 
allowed code and prevent unknown code from being run.  Thought of in a 
different way, this is the firewall equivalent of a default-deny rule 
for the program loader...

> That wasn't practical then (think stealth boot sector viruses), ...

I agree it was not practical then -- there were far too many 
impediments due to slow processors (4-12MHz 808[68]/80286 that people 
already felt were "far too slow"), small amounts of RAM and less "free" 
to play with than anyone wanted, slow drives, no memory protection, 
etc, etc...

> ... and became
> even less practical with the first Word macro virus.

Not at all.

Even before (MS' crappy, largely broken) VBA code signing (which you 
should be able to choose to proxy for "proper" whitelisting in a 
well-designed whitelisting system), VBA macro viruses present no more of 
a "problem" for whitelisting approaches than any other kind of code.

Whitelisting is all about _thinking about_ the code that you allow to 
run on your systems.  Of course, historically, few people have bothered 
to do that, which is why we have such _easily_ virusable and other 
forms of malware-able systems.  It is why MS designed such shockingly 
crap applications as VBA _THEN_ encouraged other security-blind 
companies to embed it into their own applications and file formats.  It 
is why we have script-embedded-HTML _WITH_ an object model that 
_encourages_ writing self-modifying code (grrrrr; did the folk who 
"designed" this have a single security clue among them?  Nope...  
Complete security morons.).

Whitelisting is about taking back control from the morons who not only 
don't know better, but want you to not know anything important about 
how your system runs or what runs on it and just let them make the 
decisions for you.

To digress slightly, these are the same folk who want to be making the 
decisions for us if/when the "trusted computing platform" idea settles 
in.  They (partly) feel comfortable in that role because they have 
effectively been playing that role for a couple of decades now _and_ 
no-one has seriously questioned that, _OR_ their, IMNSHO shockingly bad, 
performance of it so far.


Regards,

Nick FitzGerald
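As an added illustration (not part of Nick's post or of any product he mentions), the "fingerprint the installed/allowed code, refuse everything else" idea from above, as a minimal default-deny loader check in Python. All file names and contents are constructed for the example.

```python
"""Default-deny code allowlist: fingerprint known code once, refuse anything else."""
import hashlib
import os
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: str) -> dict:
    """Baseline: hash every file under root (the 'installed/allowed code')."""
    allowed = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            allowed[fingerprint(path)] = os.path.relpath(path, root)
    return allowed


def loader_decision(path: str, allowed: dict) -> str:
    """Default-deny: ALLOW only if the exact content hash is in the baseline."""
    return "ALLOW" if fingerprint(path) in allowed else "DENY"


def demo() -> dict:
    """Constructed scenario: baseline two files, then modify one and add one."""
    with tempfile.TemporaryDirectory() as root:
        editor = os.path.join(root, "editor.exe")      # constructed name
        template = os.path.join(root, "normal.dot")    # constructed name
        with open(editor, "wb") as f:
            f.write(b"constructed editor image")
        with open(template, "wb") as f:
            f.write(b"constructed template, macros as installed")
        allowed = build_allowlist(root)

        results = {"editor": loader_decision(editor, allowed),
                   "template_as_installed": loader_decision(template, allowed)}
        # Any change to the bytes after baselining (e.g. a macro being added)
        # changes the hash, so the same path is now unknown code.
        with open(template, "ab") as f:
            f.write(b"\nbytes added after baseline")
        results["template_modified"] = loader_decision(template, allowed)
        # A file that was never fingerprinted is denied without any 'signature'.
        newcomer = os.path.join(root, "unknown.exe")   # constructed name
        with open(newcomer, "wb") as f:
            f.write(b"constructed, never seen before")
        results["never_baselined"] = loader_decision(newcomer, allowed)
        return results
```

Note that the check is on content, not on path or file name, which is exactly why a macro-carrying document is no different from any other changed binary to such a loader.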

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.