Tuesday, April 18, 2006

malware and disclosure

some time ago i made the argument that it was wrong and irresponsible to publicly disclose viral materials or to share them in any lesser capacity with those you don't know and trust... the argument was essentially that making those materials more widely available increases everyone's risk of being exposed to viral materials while failing to hasten the closure of the window of exposure because the window of exposure for something inherent to the general purpose computing platform cannot be closed... basically, since the problem cannot be fixed, telling people how to exploit it and giving them the tools to do so has very significant dangers and no real benefits....

the question then arises - do my arguments against virus disclosure apply to other forms of malware?

while we don't (as far as i know) have the benefit of mathematical proofs that other forms of malware are just as inherent to general purpose computers, there is strong reason to believe they are and that the arguments against virus disclosure are just as applicable to other forms of malware...

take, for example, trojan horse programs... fundamentally they just do undesirable things that violate user expectations... since it is not possible for a computer to examine any arbitrary program and determine all its functions (thanks to the halting problem), it is not possible for a computer to guarantee that any arbitrary program functions in a way the user would expect, or that the user is adequately informed of the program's actual function... further, since all undesirable actions are only undesirable in certain contexts, and desire is beyond the computer's ability to accurately measure (we ourselves often don't know that something is undesirable until after we're exposed to it), a computer cannot prevent programs from taking undesirable actions... therefore the ability to support trojan horse programs is inherent to general purpose computers and is not 'fixable'... therefore the window of exposure for trojans, in general, cannot be closed...
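to make the limit above concrete, here is a small added python sketch (not from the original post) of the same diagonal argument that sits behind the halting problem: whatever static detector you write for "does this program do the undesirable thing", a program that consults that detector about itself and then does the opposite defeats it... the 'undesirable action' is modelled as returning the string "DELETE" and the naive detector scanning bytecode constants is a constructed stand-in, nothing is actually deleted...

```python
# Model (constructed for this example): a 'program' is a zero-argument Python
# callable, the 'undesirable action' is modelled as returning "DELETE", and a
# 'detector' is any function that inspects a program and returns True when it
# believes the program will take the undesirable action.

def naive_detector(program) -> bool:
    """Hypothetical static scanner: flags a program whose bytecode constants
    contain the marker string. Works fine on straightforward samples."""
    return "DELETE" in program.__code__.co_consts

def wiper():
    return "DELETE"     # straightforward undesirable program

def notepad():
    return "benign"     # straightforward benign program

def build_adversary(detector):
    """Diagonal construction: a program that asks `detector` about *itself*
    and then does the opposite of whatever the detector predicted."""
    def adversary():
        if detector(adversary):     # predicted undesirable -> behave benignly
            return "benign"
        return "DELETE"             # predicted benign -> misbehave
    return adversary

def detector_is_wrong(detector) -> bool:
    """True when `detector` misclassifies the adversary built against it.
    By construction this holds for every detector, which is the limit the
    argument in the text relies on: no general decider for 'does undesirable
    things' can exist, only heuristics with a guaranteed counterexample."""
    adversary = build_adversary(detector)
    predicted = detector(adversary)
    actual = adversary() == "DELETE"
    return predicted != actual

if __name__ == "__main__":
    print(naive_detector(wiper), naive_detector(notepad))   # True False
    print(detector_is_wrong(naive_detector))                # True
    print(detector_is_wrong(lambda program: False))         # True
```

the two straightforward samples show the heuristic doing its job; the adversary shows why that can never be turned into a guarantee...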

now the observant reader might have noticed that i classify most malware under the trojan category, so this result is fairly broad in its scope, but maybe individual subcategories of trojans can be 'fixed'...

let's see - any system that accepts input (which is basically any computer worth considering and certainly all general purpose computers) can support rogue programs accepting that input... throw in the ability to store data and you have instant support for some kinds of spyware... throw in the ability to communicate with other computers over any kind of network and you cover all the rest of spyware as well as all remote control software like RATs and botnets... if the computer can produce some kind of human usable output then you have inherent support for adware...

the recent results from microsoft concerning virtual machine 'rootkits' are particularly damning... if the machine's hardware layer is capable of running virtualization software (and i see no reason why any general purpose computer wouldn't be capable of this) then any protection mechanism built into an operating system can be subverted, any function (high or low level) that the operating system can perform can also be used for ill gain, and the operating system itself can be forced to lie about all of it to the user...

and none of these things represent mistakes... they are all parts of fundamental limitations and intractable problems, things that cannot be overcome under our current models of computation... the conventional wisdom is that creating and publishing these types of malware helps to fix the problems that allow these types of malware to exist, but it is done without trying to identify what that underlying problem is or trying to figure out whether that underlying problem is one that can be solved... many people in the computer industry are apparently ignorant of the fact that some problems are theoretically unsolvable, and while many instances of malware do indeed utilize genuinely fixable and avoidable mistakes, those mistakes can be publicly disclosed by themselves without making malware out of them...

so, since the problems that allow malware to exist cannot be fixed, and the problems that can be fixed can be publicized without making malware out of them, the sharing of malware materials with those you don't know you can trust cannot possibly help to advance the security goals of the population and quite obviously (by putting attack tools where criminals can get them) increases the risk of exposure for everyone and is therefore wrong-headed/unethical/irresponsible...

not all vulnerabilities were created equal - people shouldn't be surprised that some aren't as susceptible as others to the security process known as full disclosure...
