Wednesday, September 01, 2010

of logic and malware

i've been accused of (among other far more odious things) having formal training/education in the area of logical debating. i don't actually have said training, but i do know a thing or two about logic, so when i read ed moyle's post on security curve about the industry's flawed logic as it relates to malcon it didn't take me long to realize how ed's logic (rather than the industry's) had gone pear-shaped.

to quote:
  • Major premise:  All conferences that provide details on how to create malware are a “bad idea”
  • Minor premise:  Blackhat/Defcon provide details on how to build malware (e.g. the Invisible Things Blue Pill presented at Defcon 2006; stated goal, “creating 100% undetectable malware”)
  • Conclusion:  Blackhat/Defcon is a “bad idea”.
i can use a similar pattern to equally questionable results:
  • major premise: cats are furry
  • minor premise: marmaduke is furry
  • conclusion: therefore marmaduke is a cat
this is the sort of logic statement i recall seeing on tests as a child. often they'd be worded in such a way as to be tricky so as to test our ability to judge the validity of a supposed logical argument. in my example the primary problem is the major premise. while it is true, it's not specific enough to be useful; many things other than cats are also furry.

likewise ed's premises have problems. starting with his minor premise, the details about how to make the blue pill were actually not given out. those details were behind a pay-wall rather than being freely handed out at the talk. furthermore, the classification of the blue pill as malware is questionable at best. just because it's a so-called 'rootkit' doesn't mean it's malware - the reason being that current use of the term 'rootkit' has become so twisted (by which i mean anything that hides things gets called a 'rootkit' now) that even anti-malware products got called rootkits. the blue pill was a novel stealth proof of concept. it could have been used in conjuction with actual malware, but the blue pill itself was not malware.

that tells me, at the very least, that the blue pill was the wrong example for ed to use. we can correct that, however, by using a better example. the race to zero would be a much better example because it involved the creation of actual malware (modifying existing malware to make something that has never been seen before is for all intents and purposes the creation of new malware), which is precisely what malcon aims to facilitate and so makes for a much closer analogy.

unfortunately, even if we replace the reference to the blue pill with a reference to the race2zero, ed's minor premise is still problematic. is the race to zero still not a good enough example? is there a better one? the fact is, no matter what blackhat/defcon presentation you select as an example you will never be able to improve the premise because it would still be just one presentation. blackhat/defcon are about more than just the race to zero or the blue pill. the blackhat/defcon conference pair focus on a wide variety of security issues, many of which not only deserve to be highlighted but also contribute to the betterment of the security condition in three well defined ways. they highlight problems that:
  1. should not have happened
  2. can be fixed
  3. can be avoided in future designs now that we know what to watch out for.
by way of contrast (since ed's argument compares blackhat/defcon to malcon simply by substituting one for the other in his logical framework above), malcon focuses explicitly and exclusively on the advancement of malware creation which is (in general) incapable of providing the same contribution to the security condition. this is the age old distinction between vulnerability research and malware 'research'. with the exception of exploits, malware can't be fixed or avoided because it relies on properties that are intrinsic to the general purpose computing platform.

we also gain no technical benefit by supposedly trying to open a dialog between malware writers and anti-malware researchers.
  • for reactive defenses the only prospective benefit would be to help analysts understand the malware. but going back as far as 2006, the average piece of malware could be processed in as little as 5 minutes, so understanding malware doesn't really seem to be something analysts need help with. 
  • for proactive defenses the hypothetical benefit would be in letting the analysts know what sort of things are coming so that anti-malware products can catch them before they've even seen them. unfortunately this model is based on predicting the future precisely enough that we'd know specifically what to look for and, as such, is unworkable. the proactive defenses that work are the ones that actually know less, not more, about specific threats whether past present or future (thus why they're called generic techniques).
now, before i stray from the immediate topic any further, let's get back to ed's logical problems. the major premise that "All conferences that provide details on how to create malware are a “bad idea”" is a poor premise as demonstrated by the blackhat/defcon example. one of the necessary properties of a premise is that it's something both parties in an argument can agree on, but this premise is overly broad. as discussed above, blackhat/defcon covers a wide variety of things - can we really say blackhat/defcon is bad as a whole because one of those things might be bad? that seems pretty ridiculous. malcon, on the other hand, is much more narrowly focused on just that one bad thing; so if we rewrite the premise to be more specific, perhaps something like "All conferences that exist solely to provide details on how to create malware are a “bad idea”", then we can include malcon and exclude blackhat/defcon.

now the question one might be asking is, if ed's logic is flawed, what logic would be better? well, for starters i really don't like the major premise, minor premise, conclusion construct - i prefer the premise, inference [, inference...], conclusion construct.
  • premise: malware is bad
  • inference 1: since malware is bad, creating malware is bad (with the exception of benign exploits)
  • inference 2: since creating malware is bad (with one exception), helping others create said malware by doing things that can reasonably be avoided is bad
  • conclusion: since malcon will help people create malware by doing something that could reasonably be avoided, malcon is bad.


David Frier said...


You paraphrase Bill to say
1. All A are B
2. C is an example of A
3. Therefore C is B

If 1 and 2 are true then 3 is valid. But you "demolish" his argument with

1. All A are B
2. C is B
3. Therefore C is an A

NOT the same thing. 1 and 2 being true here does not imply 3 is true... but it doesn't matter!

kurt wismer said...

sorry if you were expecting me to show an example that was flawed in exactly the same way ed's was flawed. i thought about it, but ed's flaw was more subtle and i just wanted to show that just because something is framed as a logical statement doesn't necessarily mean the logic is valid. that's why i went with the marmaduke example.

and you're right that it doesn't matter, since i deconstructed 1 and 2 in ed's own logic statement and showed that neither were true (making 3 irrelevant).

David Frier said...

Suit yourself but I will say that the fundamental discrepancy between Ed's argument chain and the Marmaduke example brought my reading of the remainder to a screeching halt. So if that's the effect you were going for, good job.

And of course I'll offer no opinion on whether you accomplished what you say in the rest of the piece :)

kurt wismer said...

well i explicitly say "similar pattern" not "same pattern".

if you think "similar" should mean "same" that's just something you're going to have to deal with yourself.

brtkrbzhnv said...

The inference you are attacking is sound, and the inference you are claiming it is similar to is unsound. I stopped reading after that, as I got the impression that you lack an understanding of the basics of first-order logic.

Anonymous said...

I will post one FINAL comment in this now-ridiculous thread:

If by "similar" you mean "logically opposite" then you're All Set, as we say in Rochester.

(this is still me but not bothering to sign in)

kurt wismer said...

the inference i am attacking is recognized even by it's originator as leading to a false conclusion. either the inference is not sound or the premise is invalid or both.

had you kept reading instead of trying to be a pedant you would have seen that it's both.

kurt wismer said...

@Anonymous (Kahomono):
there are more ways to compare logical statements than by their logic alone.

both are logic statements, both are fundamentally flawed - one more obviously than the other simply to demonstrate that just because something is expressed as a logical statement doesn't mean the logic is valid.

if i'd known that logic pedants would descend on this post i would have gone with this example instead

major premise: rats are bad
minor premise: pet stores have rats
conclusion: pet stores are bad

but, like the quoted statement, the flaw here is more subtle and i wanted something so obvious (marmaduke is most certainly not a cat) that it beat the reader over their head with it's invalidity.