On Sun, 20 Mar 2005 19:48:01 +0000, Mike Hearn <mike@xxxxxxx> wrote:
> On Sun, 20 Mar 2005 11:11:09 -0500, Gregory Maxwell wrote:
> > Fixes don't magically appear... But code to detect instances of
> > exploitation of the bug are magically written, and magically appear on
> > systems?
>
> Well, this is a good point. It's possible though to write generic scanners
> that detect suspicious behaviour. Also generally AV definitions are much
> smaller than software patches. Binary patch RPMs could help with that.

Sure, but generic scanners become easier to work around.. it really is a
fundamentally hard problem to determine what a program is doing.

> I think it is often easier to write an AV detection update than a bugfix
> update though, especially if the flaw is a design issue and not a simple
> typo/mis-use of strcpy.

Nah.. It's easier to catch a specific instance of an exploit than to write
a fix in some cases, but to write generic detection code you must
understand the bug.. It's pretty uncommon for security holes to be
difficult to fix, except in a few cases with insecure protocols... and in
those cases it's easier to just put exploit detection code in the app,
until you can get around to replacing it with something secure.

> I'm not so sure, some fixes can be quite large. But I don't have any
> numbers either way so maybe you are right.

I've used xdelta in the past on update rpms... they are small.. but with
the current practice of not backporting fixes, they might end up bigger.

> Yes, I know. Still there are many viruses (as opposed to spyware) which
> just exploit a buffer overflow and replicate, or even just mail/IM
> themselves to people in the address book.

It's useless to only attack viruses, spyware is by *far* the bigger
problem on windows desktops these days, and antiviruses are usually
ineffective at stopping worms (since the whole internet gets infected
before someone can identify the spreading method).

> Indeed, you are right that it's an arms race. Unfortunately we are in the
> unfortunate position here: without some way to try and clean up after a
> widespread outbreak we are relying on getting lucky every time, but the
> bad guys only need to get lucky once or twice.

It's not even an arms race.. Once someone has gotten root priv code to run
on your system it's terribly difficult to remove it. There are quite a few
linux rootkits today that are harder than a reinstall to remove, and even
once you've done that you fundamentally can't be sure that the system is
secure.

> Yes, that's true if it's still maintained. But most exploits are for the
> OS or OS-level services. How often do you hear about Photoshop viruses? Or
> Half-Life viruses?

I'd say the majority of malicious code on windows desktops these days is
coming in via outlook and internet explorer... often exploiting bugs there.
It's much easier to make the basic OS secure than the apps.. This is why
things like SE linux are important: if we can sufficiently sandbox all the
applications it might not matter that much whether we can secure them or
not.

> Well ClamAV is a server product for detecting Windows viruses, right? It's
> not an end-user level product for the Linux desktop.

ClamAV is a cross platform antivirus package that supports both server
scanning techniques (such as operating as a milter) and desktop style virus
scanner support (intercepting file IO). It has definitions for the existing
linux viruses and worms, in addition to all the windows cruft. As I said,
it's a solved problem. There are quite a few host based IDS systems that do
a pretty good job of anomaly detection... from tools as simple as tripwire,
to much more complex tools like the monitoring code included with the
honeypot toolset and snort. None of this makes it possible to be sure your
machine is secure once it's been exploited.

> > It's an entirely different game in windows. The system is fundamentally
> > insecure, and users have been conditioned through years of social norms
> > to perform unsafe behaviors. It's very difficult to live a life as a
> > windows user without routinely downloading and executing binaries from
> > unaccountable random places on the Internet. With linux, it's quite
> > reasonable to only run software that comes from a handful of widely used
> > package repositories.
>
> Oh well I'm not convinced that works better either :) After all, who
> audited all the code going into Fedora Extras? Including all 100,000 lines
> of configure script? Hmm, I think we trust upstream ...

Perhaps no one did... but it's likely that it *could* be caught... If I
toss up some website with nasty windows binaries I could get thousands of
people with very little risk of detection, and very little accountability
chain to track me down.

You mentioned before that you thought it would be interesting to write
antivirus software, but since that's already been done, ... might I suggest
something more interesting: Write software code that tracks changes to
packages and detects changes that might introduce security weaknesses.
It's also a difficult problem, but probably an easier problem than
antivirus in the long run... It would be useful today (since as you pointed
out, bugs are added, often unintentionally), and isn't quite as vulnerable
to the antivirus arms race.
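The package-change tracker suggested at the end of the message, sketched as an added Python example (not code from anyone in the thread): it diffs two versions of a C source file and flags only the added lines that introduce the kind of construct the thread mentions (strcpy misuse and the like), so an update reviewer sees what changed rather than re-auditing the whole package. The pattern catalogue and the two sample sources are constructed for illustration and are not from any real package.

```python
import difflib
import re

# Constructed, illustrative catalogue of C constructs worth a second look when
# an update *adds* them; a real checker would carry a much larger one.
RISKY_PATTERNS = {
    "unbounded-copy": re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("),
    "shell-exec": re.compile(r"\b(system|popen|execl?p?|execv[pe]*)\s*\("),
    "priv-change": re.compile(r"\b(setuid|seteuid|setgid)\s*\("),
}

def scan_update(old_src: str, new_src: str, name: str = "file.c"):
    """Report risky constructs that new_src introduces relative to old_src.
    Only '+' lines are examined, so code that was already present (and
    presumably already reviewed) is not flagged again.
    Returns [(line_in_new_file, category, stripped_source_line), ...]."""
    findings, new_lineno = [], 0
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(),
                                fromfile="a/" + name, tofile="b/" + name,
                                lineterm="", n=0)  # n=0: no context lines
    for line in diff:
        if line.startswith("@@"):
            # Hunk header "@@ -old[,len] +new[,len] @@": take the new-file start.
            new_lineno = int(re.match(r"@@ -\S+ \+(\d+)", line).group(1))
        elif line.startswith("+++ ") or line.startswith("--- "):
            continue  # file name headers
        elif line.startswith("+"):
            text = line[1:]
            for category, pattern in RISKY_PATTERNS.items():
                if pattern.search(text):
                    findings.append((new_lineno, category, text.strip()))
            new_lineno += 1
        # removed ("-") lines do not advance the new-file line counter
    return findings

# Constructed sample update: a bounded copy becomes unbounded and a shell call
# on user-controlled input appears.
OLD_SRC = """int main(int argc, char **argv) {
    char buf[64];
    strncpy(buf, argv[1], sizeof buf - 1);
    puts(buf);
    return 0;
}"""
NEW_SRC = """int main(int argc, char **argv) {
    char buf[64];
    strcpy(buf, argv[1]);
    puts(buf);
    system(buf);
    return 0;
}"""
```

Running `scan_update(OLD_SRC, NEW_SRC)` reports the new `strcpy` on line 3 and the new `system` call on line 5 of the updated file, and nothing for the unchanged lines.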