Dailydave mailing list archives

I love PKI :) (was Some Propaganda.)


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Thu, 16 Nov 2006 19:39:36 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dan () geer org wrote:
> Joanna Rutkowska writes:
>  | ...snip...
>  | Existence of such tools, as Piotr is working on, should really convince
>  | and encourage *all* developers to digitally sign their executables.
>  |
>
> May I assume that if a signature is good, then code will be run
> while if a signature is bad, then code will not be run.


You should rather think of it this way - once the signature is broken
(or doesn't exist, in the case of a Windows system file) then it's relatively
easy to detect that something is wrong in the system. So, an attacker
should have no interest in breaking or removing signatures.

> However, would Vista remember that a bit of code used to have a
> signature wrapped around it and now, magically, does not?


I don't think that Vista tracks such information (and I'm too lazy to
try). However, in the ideal world we could assume that all executables
must have a signature, so anything without a signature would be easily
detectable and suspect. No, Microsoft didn't pay me to write this ;)

Just to make it clear - I don't think that enforcing the use of digital
signatures on all executables is an effective way to *block* malicious
code execution. That would never work 100%, as there is always a
possibility of finding a bug (in a signed application) and exploiting it, not
to mention that anybody could buy a signature and sign his or her
malicious code with it.

But I think that having digital signatures is the only way we could
(start) building a reliable and systematic *integrity verification* tool
for our OS (note that I didn't write "compromise detector"). Of course,
that would allow us only to detect type I malware, but we need to start
from something, right? ;) Focusing on type II malware detection without
first solving the problem of detecting type I malware doesn't make much
sense.

Also, it should be clear that signatures would not solve the problem of
type 0 malware - i.e. they will not detect a potentially malicious executable
(which is not interested in modifying other processes or the system kernel,
but still is "malicious") signed with a valid signature. But type 0
malware detection is not really an OS integrity verification issue and
this is something I leave to the "classic" A/V industry :)

joanna.
-----BEGIN PGP SIGNATURE-----

iD8DBQFFXLAqORdkotfEW84RAnTYAJ9qIRsCHbHO87UCYxy14UzwtbiV+QCeNOuW
WGI+qXL/Yu7L1L1zuOccDUM=
=EesH
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
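The distinction the message draws (signatures give you integrity verification, not malware blocking) is easy to see in code. The following is an added example, not code from the post or from any tool Joanna or Piotr wrote: it uses Go's standard-library Ed25519 as a stand-in for Authenticode-style executable signing and a flat list of trusted publisher keys as a stand-in for CA-anchored certificate chains. The file names and contents are constructed sample data. It classifies four files: a legitimate signed binary, a signed binary modified on disk after signing (type I), a binary with no signature at all, and a malicious binary signed with a validly obtained key (type 0). The last one verifies cleanly, which is exactly the limitation the message describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict is what a signature-based integrity checker can say about a file.
type Verdict int

const (
	Intact   Verdict = iota // signature present and verifies under a trusted key
	Tampered                // signature present but does not verify: contents or signature changed
	Unsigned                // no signature at all: suspect under an "everything must be signed" policy
)

func (v Verdict) String() string {
	return [...]string{"intact", "tampered", "unsigned"}[v]
}

// SignedFile models an executable with an optional detached signature
// (constructed model; real PE/Authenticode signatures embed more metadata,
// but the verification question is the same).
type SignedFile struct {
	Name      string
	Contents  []byte
	Signature []byte // nil means the file carries no signature
}

// TrustStore is the set of publisher keys the checker accepts. It stands in
// for the CA-anchored certificate chains a real verifier would walk.
type TrustStore []ed25519.PublicKey

// Sign attaches a signature over the contents; this is the build-time step
// a developer performs.
func Sign(priv ed25519.PrivateKey, f *SignedFile) {
	f.Signature = ed25519.Sign(priv, f.Contents)
}

// Check classifies one file. The only questions it can answer are "is a
// signature present?" and "does it verify under a trusted key?"; it says
// nothing about whether the signed code is benign.
func Check(trusted TrustStore, f SignedFile) Verdict {
	if f.Signature == nil {
		return Unsigned
	}
	for _, pub := range trusted {
		if ed25519.Verify(pub, f.Contents, f.Signature) {
			return Intact
		}
	}
	return Tampered
}

// Scan runs Check over every file and returns the verdict by file name.
func Scan(trusted TrustStore, files []SignedFile) map[string]Verdict {
	out := make(map[string]Verdict, len(files))
	for _, f := range files {
		out[f.Name] = Check(trusted, f)
	}
	return out
}

// Demo builds the four situations discussed in the thread from constructed data.
func Demo() map[string]Verdict {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Anyone can obtain a valid signing key/certificate, an attacker included,
	// so the trust store legitimately contains this second key as well.
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := TrustStore{vendorPub, attackerPub}

	// 1. Legitimate signed binary: passes.
	good := SignedFile{Name: "good.exe", Contents: []byte("constructed: legitimate program")}
	Sign(vendorPriv, &good)

	// 2. Signed binary modified on disk after signing (type I): the signature breaks,
	//    so the modification is easy to detect.
	patched := SignedFile{Name: "patched.exe", Contents: []byte("constructed: legitimate program")}
	Sign(vendorPriv, &patched)
	patched.Contents[0] ^= 0xff

	// 3. Binary with no signature at all: flagged under an all-must-be-signed policy.
	dropped := SignedFile{Name: "dropped.exe", Contents: []byte("constructed: unsigned binary")}

	// 4. Malicious binary signed with a validly obtained key (type 0): passes,
	//    which is why signatures verify integrity but do not block malware.
	bought := SignedFile{Name: "bought.exe", Contents: []byte("constructed: malicious but validly signed")}
	Sign(attackerPriv, &bought)

	return Scan(trusted, []SignedFile{good, patched, dropped, bought})
}

func main() {
	for name, v := range Demo() {
		fmt.Printf("%-12s %s\n", name, v)
	}
}
```

Running it prints `intact` for good.exe and bought.exe, `tampered` for patched.exe and `unsigned` for dropped.exe. The checker is a faithful integrity verifier in the sense the message uses: it reliably surfaces the type I case and the missing-signature case, and it is equally reliably blind to the type 0 case.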

