Saturday, May 16, 2009

fred cohen says anti-virus doesn't work

the EICAR (european institute for computer antivirus research) conference was held earlier this week and something which may at first blush seem quite curious happened... fred cohen (a keynote speaker, the father of computer viruses, and the man behind the seminal academic treatment of the subject) said that anti-virus doesn't work...

i wish i'd been there to see that (actually no i don't, i almost certainly would have rolled my eyes, crossed my arms and gone to sleep), but since i'm not part of the industry and flying over to berlin on my own dime is kinda out of the question i had to miss out... it seems i wouldn't have even heard about it if not for randy abrams posting about it here... i've waited patiently for a couple of days now for anyone else to write something about it so i could get more details of what was actually said, but that doesn't seem to be forthcoming... even eicar's site only tells me that the title of his talk was supposed to be "Computer Virology: 25 Years From Now"...

so, since i don't have first hand experience of the conference to give me a clue as to what on earth he was thinking, i went and did some research to see if anything he's said or written in the past might shed some light on it, and i believe i've found what i was looking for...

in an article on his site titled "Unintended Consequences" it starts to become clear that he feels the computer security industry is in the practice of detecting and reacting to bad things instead of preventing and deterring them, and he paints that in a rather negative light... when i read this i was struck - if he thinks anti-virus (probably one of the most mainstream parts of the computer security industry) is about detection and not prevention then he's doing it wrong!... in my earlier post on defensive lines in anti-malware i illustrate pretty clearly how anti-virus technologies (both the ones that security numpties consider av and the ones they don't) are employed as preventative measures, preventing such things as access to threats, execution of threats, and behaviour of threats (among other things)...

the thing is, fred cohen is really not the sort of person you'd expect to be using av wrong... thankfully i found a pair of interviews with him - one called "Three Minutes With Fred Cohen, Virus Trends Tracker", and the other "Fred Cohen - Not all virus writing is a crime"... although anti-virus is certainly used for prevention, its underlying mechanisms are largely detection-based - however when cohen talks of prevention he's referring to the type where the underlying mechanism is sort of like an immunity... it all became clear to me when he said we should be using systems that are less susceptible to viruses in the first place - systems that have more limited functionality... this relates back to his 1984 paper Computer Viruses - Theory and Experiments where, in the section on prevention (i really should have looked there earlier) he discusses the 3 key properties of a system that allow viruses to spread - sharing, transitivity of information flow, and the generality of interpretation...

systems with limited functionality refers specifically to the third of these properties - the generality of interpretation - by limiting the functions that a system can perform you limit what can be done as a result of interpreting data as code... cohen poses the examples of turning off macros in ms word, or turning off javascript in the browser - i would follow those up with more contemporary examples such as microsoft recently announcing the disabling of autorun for flash media, or the increasing trend (at least among security conscious users) to use alternate PDF viewers as opposed to Adobe's own Acrobat Reader which has been bloated with unnecessary (and frankly unsafe) functionality for a long time...
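as an added example (not part of the original post) of what checking for the kind of limited functionality described above might look like on a windows host, here is a small audit script that reports whether autorun, word macros and reader javascript have actually been turned off... the office and reader version numbers in the registry paths are assumptions and need adjusting to whatever is installed:

```powershell
# Added example, not from the original post: audit a Windows host for the
# "limited functionality" settings named above. The Office 12.0 and Reader 9.0
# paths are assumptions; adjust them to the versions actually installed.
$checks = @(
    @{ Name = 'AutoRun disabled for all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key  = 'NoDriveTypeAutoRun'; Want = 0xFF },
    @{ Name = 'Word VBA macros disabled without notification'
       Path = 'HKCU:\Software\Microsoft\Office\12.0\Word\Security'   # assumed Office 2007 path
       Key  = 'VBAWarnings'; Want = 4 },
    @{ Name = 'Adobe Reader JavaScript disabled'
       Path = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'      # assumed Reader 9 path
       Key  = 'bEnableJS'; Want = 0 }
)

function Test-LimitedFunctionality {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # A missing value means the product's default (full) functionality applies
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        }
        $state = if ($null -eq $actual) { 'NOT SET (default functionality is on)' }
                 elseif ($actual -eq $c.Want) { 'LIMITED' }
                 else { "ENABLED (value $actual, wanted $($c.Want))" }
        [pscustomobject]@{ Check = $c.Name; State = $state }
    }
}

Test-LimitedFunctionality -Checks $checks | Format-Table -AutoSize
```

a 'NOT SET' result is the interesting one here, since it means nobody has limited that function at all and the product is running with whatever generality of interpretation it shipped with...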

i'm not going to try and detract from his argument by saying the idea doesn't have merit - it does... i even considered whether my defensive lines post needed another line regarding system immunity, though i later realized that limited functionality is already covered by existing lines (as it's just another method of preventing execution and/or particular behaviours)... the problem isn't whether his argument in favour of using this technique has merit, the problem is figuring out how he could think anti-virus is broken and this technique isn't - or what he thinks the security industry can do about limiting functionality...

the very existence of the security industry underscores the fact that there has historically been no (and largely still is no) place for security in the rest of the computer industry... limiting functionality is the domain of the original product developers, not 3rd party security companies - the nortons and mcafees of the world don't have the freedom to cripple Acrobat Reader for example (at least not without getting sued)... and the original product developers by and large aren't limiting functionality because that goes against consumer expectations for technology... technology is supposed to empower us to do more, to do things better/faster, etc - so it's a given that when we choose something we expect to empower us, we aren't going to go with the less powerful option... this is borne out by history as well because there have always been less functional/powerful options available and the market has consistently selected against them in favour of the bloated product suites and application platforms...

furthermore, limiting applications is all well and good but there's plenty of malware out there that exists as native binary executables, and limiting the operating system's functionality (or worse, that of the hardware itself) to prevent things like self-replication or botnet command and control communication is a far trickier proposition...

so given the difficulty in getting more adoption of limited systems and given the fact that even cohen isn't suggesting limiting things to the point of systems with fixed first order functionality, i can't help but wonder how he could consider this any less flawed an approach in practice than anti-virus... it is clear to me that it will be just as possible to work around the limitations he's proposing as it is to work around anti-virus technologies, and limited functionality defenses are a lot less agile than things like known-malware scanning so when those special cases come along it will cost a great deal more to redesign a system to further limit functionality so as to deal with such special cases...

that should give you a clue as to my opinion of limited functionality-based defenses - they have promise as a complement to anti-virus techniques... anti-virus may not work in the sense that it's not completely effective at preventing malware infestation, but limited functionality systems aren't either... anti-virus may not work in the sense that it's a computationally expensive approach to prevention, but limited functionality has logistical costs for development, marketing, and maintenance that we may never completely overcome... i fully endorse the idea of selecting software that only has as much power and functionality as you need and no more, but i still think you should use anti-virus right alongside that...

frankly, at the end of the day, the main difference between systems that are designed to have more limited functionality and ones where anti-virus is deployed is that the former's limitations are baked in while the latter's limitations are bolted on (because like it or not when an anti-virus stops a piece of malware from executing on your system it is effectively limiting your system's ability to perform the function that malware represents)... that appears to be what cohen's real contention is about - that baked in is better than bolted on... in some ways that may be true, but in others (like the matter of agility) it's definitely not (because it's easier to change the bolt than it is to change the whole system)...

8 comments:

Vess said...

Don't be too hard on good ol' Fred. :) Remember - he's an academician first and everything else second. After all, this is the man who has proven mathematically that it is not possible to distinguish between computer viruses and other programs and that the traditional security (the discretionary access control model) cannot prevent a virus from spreading (he's not talking just about scanners, if you're left with such an impression).

The fact that his proof doesn't preclude the possibility of, say, distinguishing between viruses and normal programs for all viruses smaller than 10 terabytes, or that "precluding the virus from spreading" fails if the virus spreads to just one user on a 1000-user system and after you've told him "run this file" and he's stupid enough to do so - such minor practical annoyances are beneath the great theoretical thinking of the good doctor... ;)

David Harley said...

I don't think people want limited functionality defences. They cling to an image of AV that never existed, as a product that defends against all present and future malware without limited functionality and false positives. They often get enraged because AV can't really do all that, but stick with it anyway because they see it as promising them a solution where they don't have to take responsibility themselves for breaches.

I was at EICAR, but didn't catch the Cohen keynote. While you can't detract from the man's achievements in the beginning, and in other fields subsequently, I don't altogether get the feeling he wastes a lot of time thinking about this field. Like Schneier, his view is strictly 30,000 feet...

kurt wismer said...

@vess:
was i being hard on him? i threw away almost the entirety of my first draft in an effort to avoid that (i don't even do multiple drafts, usually)...

@david harley:
i agree with you, i doubt very much that people want limited functionality defenses - who chooses the less powerful option? who says to themselves "well y'know what, that's good enough"? not many people have that discipline...

i see tactical advantages to an approach that blends limited functionality with more conventional methods, but it would be difficult to get the average person to use such an approach...

the comparison to schneier is interesting but with schneier i feel fairly confident that when it comes to his specialty (crypto) he definitely knows what he's talking about... i get the feeling from both of you that you don't think viruses are really cohen's specialty - though that seems odd considering his background in the field...

Anonymous said...

proper punctuation would be nice.

Kyan Jim said...

Have you tried out Kaspersky before?

kurt wismer said...

@anonymous:
i'll get right on that.

@ryan:
yes i've tried kaspersky's product before - a long time ago when it was still called AVP.

i've heard good things about their more recent versions, i'm sure if that's what you're using it will serve you well. just don't put your eggs all in one basket - use non-scanning based tools and techniques in addition to the scanning based ones.

Rob Lewis said...

"when an anti-virus stops a piece of malware from executing on your system it is effectively limiting your system's ability to perform the function that malware represents" does that signify that AV controls are an either-or choice with no graduated scale in between?

I know that our technology uses context as the basis for behavior enforcement. I just don't know enough about AV to know if that exists in the AV realm. It seems to me that if it existed in AV you would not be able to make that statement.

As far as stripped down systems go, exokernels are very tailored, stripped down, hardened OSes for specific purposes. I imagine that if they were used for, say, ATMs or evoting machines, they might be useful, or at least more secure than windows XP.

kurt wismer said...

@rob lewis:
"does that signify that AV controls are an either-or choice with no graduated scale in between?"

i'm not sure i see what you're getting at - i'm guessing you mean does av only block or allow the entire malware rather than blocking parts of the malware's function. some av products (specifically behavioural ones) are able to block individual functions that the malware attempts to carry out.

"I know that our technology uses context as the basis for behavior enforcement. I just don't know enough about AV to know if that exists in the AV realm. It seems to me that if it existed in AV you would not be able to make that statement."

behavioural enforcement does, yes. the degree to which context is included in the deliberation of whether to block or not block varies by implementation.

"As far as stripped down systems go, exokernels are very tailored, stripped down, hardened OSes for specific purposes. I imagine that if they were used for, say, ATMs or evoting machines, they might be useful, or at least more secure than windows XP."

they'd be safer, for sure, and perhaps more secure - but perhaps not. coming back to the subject matter of this post, if the stripped down OS is still running on commodity hardware (traditional computer hardware) then there's still plenty of functionality left for malware to take advantage of. bootsector viruses are the perfect example as they execute before the operating system and are often OS agnostic (though they may not continue to operate properly after the OS has loaded).