Tuesday, December 06, 2005

the 'behaviour monitor' fairytale

y'know, i'm starting to get a little sick and tired of the recent resurgence of
anti-virus software looks for suspicious behaviour so why didn't/couldn't it stop X
and
anti-virus software should look for suspicious behaviour so that it can protect us against Y


it's not a new idea - not by a long shot... it's more than 10 years old and used to be known as behaviour blocking...

way back in the day there were some programs that did this sort of thing (notably thunderbyte anti-virus) but the idea lost favour for some very good reasons...

the first is that if you allow the malware to run (which you need to do in order to take note of its behaviour) then the malware can simply shut down the behaviour monitor and go on about its merry malware way without having to worry about raising any alarms... this wasn't just a theoretical possibility, it happened... then it happened again, and again and again... even today, despite the lack of widespread use of this technique, viruses and worms and trojans and all sorts of other malware are routinely programmed to kill large lists of security-related processes... clearly, once the malware is running on the same cpu (and with the same privileges) as your security software, the window of opportunity for that security software to reliably stop the malware is closed...

another very good reason the idea fell out of favour is the false alarm problem... the software would have to decide whether or not to raise an alarm based on the number and severity of suspicious actions a suspect program takes - the lower the threshold is set the more sensitive it is to suspicious actions and the more likely it is to raise an alarm on something that is completely safe - the higher the threshold is set the less sensitive it is to suspicious actions and the more likely it is to let something bad slip through... letting bad things through is bad enough, but raising alarms on safe programs when the user has basically no real way to determine if the behaviour monitor's suspicions are warranted or not wastes the user's time on needless research and recovery - not to mention that most users' first instinct when faced with an alarm from their security software is something closer to panic than to reasoned analysis...
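(the following is an added illustration, not part of the original post: a toy scoring monitor in python that makes the threshold trade-off concrete... the action names, the weights and the sample programs are all made up for the purpose - no real product uses these numbers - but the shape of the result is the point...)

```python
# added example (not from the original post): a toy behaviour-scoring monitor
# that makes the threshold trade-off concrete.  the action names, weights and
# sample traces are all made up for illustration - no real product uses them.

from typing import Dict, List, Tuple

# how "suspicious" each observed action is (hypothetical weights)
WEIGHTS: Dict[str, int] = {
    "write_executable":    3,
    "modify_autorun_key":  3,
    "read_address_book":   2,
    "terminate_process":   2,
    "open_network_socket": 1,
    "spawn_process":       1,
}

def score(trace: List[str]) -> int:
    """sum the weights of every action in a program's observed trace."""
    return sum(WEIGHTS.get(action, 0) for action in trace)

# constructed traces: (name, is_it_really_malware, actions observed)
SAMPLES: List[Tuple[str, bool, List[str]]] = [
    ("installer",    False, ["write_executable", "modify_autorun_key", "spawn_process"]),
    ("mail_client",  False, ["read_address_book", "open_network_socket"]),
    ("task_manager", False, ["terminate_process", "spawn_process"]),
    ("text_editor",  False, ["spawn_process"]),
    ("mass_mailer",  True,  ["read_address_book", "open_network_socket", "write_executable"]),
    ("dropper",      True,  ["write_executable", "modify_autorun_key", "terminate_process"]),
    ("quiet_bot",    True,  ["open_network_socket"]),
]

def evaluate(threshold: int) -> Dict[str, int]:
    """alarm on score >= threshold; count false alarms (safe programs flagged)
    and misses (malware let through) over the labelled samples."""
    false_alarms = misses = 0
    for _name, is_malware, trace in SAMPLES:
        alarmed = score(trace) >= threshold
        if alarmed and not is_malware:
            false_alarms += 1
        elif not alarmed and is_malware:
            misses += 1
    return {"threshold": threshold, "false_alarms": false_alarms, "misses": misses}

def sweep(max_threshold: int = 9) -> List[Dict[str, int]]:
    """try every threshold from 1 up to max_threshold."""
    return [evaluate(t) for t in range(1, max_threshold + 1)]

def some_threshold_is_clean() -> bool:
    """is there any threshold with neither false alarms nor misses?"""
    return any(r["false_alarms"] == 0 and r["misses"] == 0 for r in sweep())

if __name__ == "__main__":
    for row in sweep():
        print(row)
    print("clean threshold exists:", some_threshold_is_clean())
```

run it and you'll see the trade-off the paragraph describes: at a threshold of 1 every program alarms (four false alarms, no misses), at 8 nothing safe alarms but two of the three malware samples slip through, and no threshold in between is clean... the reason is built into the samples - the installer does almost exactly what the dropper does, and from the outside the quiet bot looks the same as the text editor - so no amount of threshold tuning can separate them when the observed actions don't...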

there are still a few products out there that use behaviour monitoring, but in general they're obscure products... the problem of being shut down by malware is mitigated by that obscurity (security by obscurity is no security at all, however) as the malware writers won't think to include those products in the large lists of processes to kill... the problem of false alarms is dealt with by - well, perhaps there's a good reason they remain obscure products (perhaps the problem isn't dealt with all that well at all)...

although behaviour monitoring does have some strength in areas where contemporary scanning technology is weak (new malware), its weaknesses more than cancel out that strength...

(and yes, i'm fully aware that one way to deal with the problem of being shut down by the malware is to run the malware in a virtual environment instead of on the physical machine, but then we're no longer talking about simple behaviour monitoring - that's sandbox technology)

digital rights malware

you might think that there's a legitimate need for DRM... you might think that DRM gives users options and flexibility... you might think that the Sony BMG DRM rootkit fiasco was an isolated incident that would never happen again...

you'd be wrong...

digital rights management, or more accurately digital rights malware is a technology whereby people who provide the user with content exercise what they feel is their right to take some measure of control over the user's electronic equipment...

it doesn't prevent copying (it can't prevent copying), at best it prevents using copies on machines that the content providers (or DRM providers acting as agents of the content providers) don't think the user should be allowed to use the copies on... i say at best because it totally ignores the concept of the darknet which effectively renders copy controls useless as soon as one person finds a way around the controls...

DRM takes control of the user's equipment - not to the same degree (usually) as a remote access trojan, but it's still taking some control and it is doing so without the authorization of the user... even under those circumstances where the full extent of the DRM's behaviour is revealed in an End User License Agreement (EULA), the EULA will go unread (as they all do) because EULAs are so full of legalese that the ordinary person can't actually understand them...

DRM can't work without treating the user as an opponent, its entire reason for being is to prevent the user from doing things that the user wants to do... there can be no legitimate need to install software on user-owned computers that acts against the user's interests unless you condone a copyright police state...

copyright should be protected by law, not technology, but the content providers don't trust the law to do that so they turn to DRM in order to gain more control... then they lobby for anti-circumvention laws to protect their DRM, effectively legitimizing the control they're grabbing in the eyes of the law and shifting the authority to make copyright policy away from the government and towards content providers (with all their vested interests)... but of course they don't trust the laws that protect DRM any more than they do the laws that protect copyright so they employ additional offensive technology to protect their DRM as happened in the Sony BMG debacle, and as will continue to happen (though with better PR) and possibly even escalate... it has to keep happening or the content providers have to start relying solely on the law to provide protection, thereby giving up the control they so obviously desire...

ultimately what it comes down to is control... DRM is meant to usurp the user's (and, when combined with anti-circumvention laws, the government's) control and therefore is much deserving of the malware classification (even if anti-virus/anti-spyware/anti-malware vendors can't or won't deal with that particular class of malware (yet))...

the halting problem - why you should care

the halting problem is very technical and i'm certainly not going to do the technical aspects of it any justice here (and the technically minded really aren't the audience i'm writing this for anyway)... the short version is that the halting problem tells us what is not possible in the computing world...

the basic idea goes like this: there is no set of steps a person or computer can follow that will always determine if an arbitrary program will halt (terminate/exit/stop running)... since following steps (instructions) is all a computer can do, this is significant for computers and computer software...

the reason this is interesting and useful to us is that we can apply it to other things - by that i mean that if we can show that a set of steps that always did X would also let us solve the halting problem (in other words, that the halting problem is reducible to X) then we've effectively proven that it is impossible to always do X...

now, let's follow a simple progression... a set of steps that will always determine if an arbitrary program performs function Y would let us solve the halting problem - for the general case all you have to do is say that function Y is the halt function and you'll see it's trivially true, and for any particular function Y you can take an arbitrary program, swap its exit for a call to Y, and the new program performs Y exactly when the old one halts... there's nothing special about code that causes a program to exit (or to do anything else) that would make it difficult to find, the problem is determining if it will ever get executed...

a set of steps that will always determine if an arbitrary program is a virus would likewise let us solve the halting problem... to be a virus the program has to perform the function of self-replication, and since you can't always determine (by following a set of steps) if an arbitrary program performs that function, you can't always determine if that program is a virus...

a set of steps that will always determine if an arbitrary program performs any other virus-like function would let us solve the halting problem too... i'm sure by now you can guess why...

this probably looks pretty bad... it seems like we can't tell very much at all about arbitrary programs - and not only is that absolutely true, that's also the point... that's why the halting problem is important; it shows us what can't be done so that we can separate the impossible claims from the possible ones, so that we can understand what is preventing anti-virus developers from finding all possible viruses, and so that when someone comes along and says "well why can't it just look at the code to find out what it does" we can know why that won't work... knowing what isn't possible is probably the best tool there is when it comes to weeding out the hype and identifying snake-oil in the anti-virus field...
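(the following is an added illustration, not part of the original post: a toy register machine in python that makes the argument above concrete... the opcode names, the sample programs and the step budget are all constructed here, and the 3n+1 loop is included only because, as far as anyone knows, there is no procedure that decides for an arbitrary starting value whether it ever halts...)

```python
# added example (not from the original post): a toy register machine that
# makes the "would let us solve the halting problem" argument concrete.
# opcode names, the programs and the step budget are all constructed here.

from typing import List, Tuple

Instruction = Tuple  # e.g. ("set", "r", 27) or ("halt",)
Program = List[Instruction]

def run(prog: Program, budget: int) -> str:
    """simulate prog for at most `budget` instructions.

    returns "replicated" if the replicate instruction was executed,
    "halted" if the program stopped first, or "undecided" if the budget
    ran out - which is all any finite procedure can ever say."""
    regs = {}
    pc = 0
    for _ in range(budget):
        if not 0 <= pc < len(prog):
            return "halted"             # running off the end counts as halting
        ins = prog[pc]
        op = ins[0]
        if op == "set":
            regs[ins[1]] = ins[2]; pc += 1
        elif op == "sub":
            regs[ins[1]] = regs.get(ins[1], 0) - ins[2]; pc += 1
        elif op == "half":
            regs[ins[1]] = regs.get(ins[1], 0) // 2; pc += 1
        elif op == "mul3add1":
            regs[ins[1]] = 3 * regs.get(ins[1], 0) + 1; pc += 1
        elif op == "jmp":
            pc = ins[1]
        elif op == "jz":                # jump if register is zero
            pc = ins[2] if regs.get(ins[1], 0) == 0 else pc + 1
        elif op == "jeq1":              # jump if register equals one
            pc = ins[2] if regs.get(ins[1], 0) == 1 else pc + 1
        elif op == "jodd":              # jump if register is odd
            pc = ins[2] if regs.get(ins[1], 0) % 2 == 1 else pc + 1
        elif op == "replicate":         # the "virus function" we care about
            return "replicated"
        elif op == "halt":
            return "halted"
        else:
            raise ValueError(f"unknown opcode {op!r}")
    return "undecided"

def contains_replicate(prog: Program) -> bool:
    """the static check: is the replicate instruction anywhere in the code?
    trivially easy - and it tells you nothing about whether it ever runs."""
    return any(ins[0] == "replicate" for ins in prog)

def wrap(prog: Program) -> Program:
    """turn any program P into one that replicates exactly when P halts:
    every halt in P becomes a jump to an appended replicate instruction.
    this is the reduction - deciding "does it replicate?" for wrap(P)
    is the same as deciding "does it halt?" for P."""
    tail = len(prog)
    body = [("jmp", tail) if ins == ("halt",) else ins for ins in prog]
    return body + [("replicate",), ("halt",)]

def countdown(n: int) -> Program:
    """halts after n loop iterations - easy to see, but only by running it."""
    return [("set", "r", n), ("jz", "r", 4), ("sub", "r", 1), ("jmp", 1), ("halt",)]

def collatz(n: int) -> Program:
    """the 3n+1 loop: halts for every n anyone has tried, but nobody has a
    procedure that decides it for an arbitrary n."""
    return [("set", "r", n),
            ("jeq1", "r", 7),
            ("jodd", "r", 5),
            ("half", "r"),
            ("jmp", 1),
            ("mul3add1", "r"),
            ("jmp", 1),
            ("halt",)]

FOREVER: Program = [("jmp", 0)]   # never halts, so wrap(FOREVER) never replicates

if __name__ == "__main__":
    for name, prog in [("countdown(10)", countdown(10)),
                       ("countdown(100000)", countdown(100_000)),
                       ("collatz(27)", collatz(27)),
                       ("collatz(837799)", collatz(837_799)),
                       ("forever", FOREVER)]:
        w = wrap(prog)
        print(f"{name:18s} code contains replicate: {contains_replicate(w)}, "
              f"behaviour within 1000 steps: {run(w, 1000)}")
```

every wrapped program contains the replicate instruction, so "just looking at the code" finds it in all of them - including the one that loops forever and never reaches it... actually running them with a step budget tells you the truth about the short countdown and the short 3n+1 run, gives up on the long ones, and can never tell you anything at all about the infinite loop... give the simulator a bigger budget and you just move the line; you don't remove it...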

Monday, December 05, 2005

SANS is distributing malware? wtf?

no, i'm not going to point you towards the URL to see that their malware analysis quiz includes real malware... i'm not going to raise the search profile of malware that is apparently still effective (by virtue of how SANS acquired it in the first place)...

i can, however, post a url to a featured quiz answer sheet for one of the previous quizzes in order to illustrate the nature of some of the malware SANS is making available to the public...

thank you SANS for providing malware to the masses and for showing me what you're really made of... clearly you folks belong to the wrong-headed full-disclosure for everything mindset... maybe you should take some time out of your busy schedules and examine what the classical benefits are for full disclosure and whether those benefits are achievable in the malware field...