AntiVirus?

Gregory Maxwell gmaxwell at gmail.com
Sun Mar 20 16:11:09 UTC 2005


On Sun, 20 Mar 2005 14:16:18 +0000, Mike Hearn <mike at navi.cx> wrote:
> On Sat, 19 Mar 2005 16:51:43 -0500, Gregory Maxwell wrote:
> > If an untrusted source can execute code on your computer the game is over.
> 
> Web browsers do that all the time with JavaScript. So it's not over, you
> just have to be careful.

The context you removed my text from was referring to 'removing'
malicious code after it's loose on a system... Fundamentally it's a very
difficult problem, and it has no relation to running sandboxed code.
 
If, through things like SELinux, someday we find the typical system is
running almost entirely sandboxed software then the rules change
substantially in favor of security. But once something has escaped
its sandbox we're back to it being very difficult to remove.

> No, anti-virus makes sense because the moment a bug is fixed the
> fix does not appear on people's systems. Online update for most Linux
> distros is useless for dialup users, and worse most online update sites
> can be taken down by a well timed DDoS anyway.

Fixes don't magically appear... But code to detect instances of
exploitation of the bug is magically written, and magically appears on
systems?

If download times are really the crux of the issue, then we should
develop a binary patching service. Xdelta diffs for little bug fixes
will likely end up being much smaller than 'anti-virus' definitions.
 
> > The viruses and worms that have grown up on windows have now reached a
> > level of sophistication that simple pattern matching isn't good
> > enough...
> 
> I disagree. While it's true that you can write very sophisticated viruses,
> the most prevalent viruses are actually very simple. A virus scanner
> doesn't have to work 100% of the time to be useful.

The malware of the day on Windows these days is binary patching the
shell to hide their files, and the task manager to hide their
operation. Some are patching the kernel now, but that's not super common
yet, but that's only because it's not needed to defeat the current
generation of antivirus protection.

Long before Windows ends its reign of terror this arms race process
will have caused superior malware which is near impossible to remove
to become commonplace. There is no reason to think the malware
authors will forget all their skills when they reset their sights on
Linux desktops.

> As already pointed out, bugfixes don't instantly appear on people's
> desktops. There are still a significant number of people running
> completely unpatched, out of the box Red Hat 9 installs. This situation
> will not change anytime soon, no matter how much we might like it to.

Antivirus software and antivirus updates don't instantly appear on
people's desktops.

Any solution that makes antivirus updates instantly appear can make
bug fixes instantly appear. Furthermore, as Microsoft has found out
because of their shoddy fixing practices: there can be instances of a
bug exploit per security bug... If you write detection code to catch
an instance, a new one will just come out much faster than you can
write more detection code... You need to match the security hole... but
once you've done that, you might as well fix it.

> > Virus scanners don't generally solve the problem of
> > one-off attacks by qualified and determined adversaries, which is a much
> > more dangerous threat in many ways...  Fixing bugs stops them and they
> > also stop the bulk spreading stuff, and fixing bugs is something we can
> > do in the free software world that is much harder in the proprietary
> > code world.
> 
> If that was true then nothing on my desktop would ever crash, and
> everything would have wonderful usability. That's clearly wrong, therefore
> I think it's also wrong that being open source gives people immunity to
> bugs (of which there will always be more).

**shrugs** I have had no crashes on my fc3 laptop. :) But of course,
in using Linux since 1994 I've seen my share of buggy code... I
wasn't claiming that free software was bug free, but rather this:

In the Windows world, if I'm someone concerned about security and I
detect a hole in some Windows program... My only legal options are to
scream and cry about it, and maybe write some anti-virus code to catch
it being exploited. If the creator of the software doesn't care, I'm
pretty much out of luck for getting a real fix.

In the free software world, if I find a bug I have the right to fix
it, and the ability to share my fix... Which will likely be quickly
accepted into the mainline code, since I did all the work already.
 
> Developing a native anti-virus system *now* before the shit hits the fan,
> can only be a good idea.

It's already done, see clamav, so it's a moot point. Also other tools
like host and network based IDSes can be put to work on this
application.

[snip]
> Saying that bugfixing is a suitable
> replacement implies that Windows users who enabled automatic update don't
> need a virus scanner anymore, which I'm not convinced is true.

It's an entirely different game in Windows. The system is
fundamentally insecure, and users have been conditioned through years
of social norms to perform unsafe behaviors. It's very difficult to
live a life as a Windows user without routinely downloading and executing
binaries from unaccountable random places on the Internet. With Linux,
it's quite reasonable to only run software that comes from a handful
of widely used package repositories.

This whole discussion is really off-topic for this list, I feel stupid
for participating in it. :)

More information about the fedora-devel-list mailing list