Did We Waste Billions Building File Anti-Virus Scanners?
Tuesday September 4, 2007 at 3:54 am CST
Posted by Nishad Herath
Well, Joanna Rutkowska, in this “short philosophical comment” claims exactly that. Joanna believes that digitally signing all executables would have been a much more “elegant” solution than building file Anti-Virus scanners. In fact, she goes on to claim:
“I hear all the counter arguments: that many programs out there are still not digitally signed, that users are too stupid to decide which certificates to trust, that sometimes the bad guys might be able to obtain a legitimate certificate, etc… But all those minor problems can be solved and probably will eventually be solved in the coming years. Moreover, solving all those problems will probably cost much less than all the research on file infectors cost over the last 20 years. But that also means no money for the A/V vendors.”
What exactly are you saying here Joanna? It sounds a bit like you’re saying Anti-Virus vendors have concocted an elaborate conspiracy over the past couple of decades to extort innocent users! I don’t think you have to be a security industry insider to recognize the insanity of this accusation.
Now let’s for a moment leave all the historical background on how file Anti-Virus scanners were born at a time when computing infrastructure couldn’t support widespread adoption of digitally signed executables. Let’s even ignore how these scanners organically evolved into what they are today, adapting every step of the way to protect users from the latest threats. We could also leave out how, for the past couple of decades, billions of users all over the world enjoyed a safer computing environment made possible by these solutions. We’ll just take a look at what’s involved in relying entirely on digitally signed executables in a world without fancy-schmancy file Anti-Virus scanners.
To do that, we have to imagine a world where all executable content could be digitally signed, not just some types of executable files (as is the case today). We could also imagine a utopia where every executable file producer signs their own executables. And of course, in this reality we know and trust every executable file producer to have our best interests at heart. Would this actually be a world where we could put our old faithful file Anti-Virus scanner to rest?
There are literally millions of executable files out there, from various vendors. These vendors range from multi-billion dollar corporations with hefty security budgets to the most humble open source projects with virtually no additional resources to divert towards securing their infrastructure. As long as we know that the executable content came from one of these vendors (who we’ve assumed wish nothing but what is best for us), could we be sure it’s safe? Are we really willing to assume that security at these vendors is so impenetrable that bad guys couldn’t possibly have tampered with the content at the production end? With Joanna’s “elegant” solution, all that a cybercriminal needs to do is compromise an application vendor to create an infected binary, signed by the vendor’s certificate, and voilà! Users will trust the signature and run the executable without asking any questions. In fact, the cybercriminal doesn’t even have to spend time developing new malware, because the old ones will work just fine. There are no file Anti-Virus scanners anywhere to identify the infection, after all! Yes, in one word, ridiculous.
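To make the point above concrete, here is an added example (not from the original post or from any A/V product) of an execution policy that layers a signature check, a signer trust list, a revocation list and a content blocklist. It uses a toy RSA signature over SHA-256 with constructed small primes and constructed sample binaries; the signer names, `TRUSTED_SIGNERS`, `REVOKED` and `KNOWN_BAD` are all assumptions. The scenario is the one the paragraph describes: the vendor’s signing key is used on an infected build, the signature verifies, and only the content layer stops it.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA signing over a SHA-256 digest. Constructed small primes, no padding:
# illustration only, a real verifier uses a proper library and certificate chain.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor's private exponent (Python 3.8+)

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, d: int = D) -> int:
    """Sign with the vendor's private key; an attacker who compromised the vendor can call this too."""
    return pow(_digest(data), d, N)

def verify(data: bytes, sig: int, e: int) -> bool:
    return pow(sig, e, N) == _digest(data)

@dataclass
class Verdict:
    allowed: bool
    reason: str

# Constructed sample builds. The infected one is known to the content blocklist (the A/V layer).
GOOD_BUILD = b"constructed: Example Vendor app v1.0 (benign)"
INFECTED_BUILD = b"constructed: Example Vendor app v1.0 (trojanised at the build server)"

TRUSTED_SIGNERS = {"Example Vendor": E}        # signer -> public key (toy: exponent only)
REVOKED = set()                                 # signers whose certificate the CA has revoked
KNOWN_BAD = {hashlib.sha256(INFECTED_BUILD).hexdigest()}

def evaluate(signer: str, data: bytes, sig: int, *, content_scan: bool = True) -> Verdict:
    """Decide whether to run `data`. Each layer catches a different failure mode."""
    if signer not in TRUSTED_SIGNERS:
        return Verdict(False, "unknown signer")
    if signer in REVOKED:
        return Verdict(False, "signer revoked")
    if not verify(data, sig, TRUSTED_SIGNERS[signer]):
        return Verdict(False, "bad signature")          # tampered after signing
    # A valid signature only proves origin. Without this layer a compromised vendor
    # key makes an infected build indistinguishable from a legitimate one.
    if content_scan and hashlib.sha256(data).hexdigest() in KNOWN_BAD:
        return Verdict(False, "known-bad content")
    return Verdict(True, "signed by trusted vendor")
```

With `content_scan=False` (a signature-only policy) the infected build is allowed; with the content layer on it is blocked, while a build tampered after signing fails at the signature check.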
Even in the highly unlikely utopian reality we imagined for the sake of the argument, it is clearly evident that Joanna’s “elegant” solution is in fact far from being a solution. Besides, file Anti-Virus scanners are increasingly being augmented by cutting edge behavioral scanners, to protect users from “malicious intent” no matter where the executable content comes from. I personally prefer a world where my client security infrastructure protects my computing environment from malicious activity, rather than asking me to place my trust in hundreds of external sources and assume all is well.
I have much respect for Joanna’s technical abilities. However, I think as responsible security professionals, we all need to stay focused on protecting users from digital threats.

September 4th, 2007 at 9:26 am
Isn’t the statement “digitally signed executables cannot be hacked” equivalent to “DRM’d A/V content cannot be played or copied without permission”, from a technical perspective? I know I’ve certainly never seen or heard of broken DRM systems.
Joanna’s “solution” also ignores viruses in “non-executable” content, which can exploit things like buffer overflows or other errors in non-malicious code to gain privileges and bypass any code-signing mechanism on a Turing machine.
September 5th, 2007 at 6:58 am
The more checks the Anti-Virus and Anti-Spyware systems do, the slower my machine gets. I’d really rather not have to spend even half of my computer’s horsepower scanning files, memory, and behavior profiling executing code just to run Office, especially considering what a resource hog the operating system (not to mention Office itself) itself has become.
Can digital signatures take the place of anti-virus? Not without creating and entrusting some gigantic bureaucracy that’s guaranteed to be corrupted and impossible to maintain. Is Trusted Computing the answer? We’ve seen that DRM doesn’t work, so locking the user out of their PC or software isn’t the answer either. However, the current system of reacting to viruses is unwieldy and inelegant at best and guaranteed to fail for at least the several hours a truly new virus goes without signatures.
September 10th, 2007 at 3:52 pm
I’m really getting sick of all those “super” researchers who raise the finger and yell into the world that the current security solutions are a) obsolete and outdated and/or b) do not represent the needed protection. Now listen very carefully: I can also raise my finger and complain about Audi or Volkswagen that they didn’t build a vehicle yet which is able to fly if there is a traffic jam! We all *DO* know that the current solutions are not 100 percent “fool-proof”. That’s not a secret and I think every AV company even admits that. BUT HERE’S THE DIFFERENCE: At least we try to protect our customers with software and not only with an online article or PoC articles on a piece of paper that later only sees the trashbin! If you complain about something then provide a better solution. Not only in theory but in practice. It’s as easy as this.
September 10th, 2007 at 11:39 pm
It’s indeed funny that someone with this much knowledge and skill in the security field gives out such a statement.
We’ve seen malicious stuff being digitally signed (!) and I also don’t see how it can be realistic to digitally sign not just a few but literally trillions of executables produced daily (new executables, and we also have to take modified/updated ones into consideration, since the digital signature is broken on such files and you have to update it). Imagine the number of files to sign, the possible delay for companies and users who make such programs and, in the end, will the companies which sign such files be qualified enough to decide what should be signed and what not?
In the end you get the feeling that antivirus companies should do that, resulting in a pretty much plain and simple whitelisting protection scheme (which always proved to be problematic on its own, read below why…).
But problem of whitelisting was always the number of legit files to process, so it’s pretty much useless in such way. Whitelisting (and digital signing) should only be used to help blacklist tools (ie antivirus programs).
Users also tend to run stuff anyway even if the antivirus is screaming like insane that the file contains malware. I’ve seen quite a few situations where users disabled the antivirus just so they could run the file. So digital signing would have to be strictly enforced, not allowing ANY non-signed files to execute. Besides, when a user executes such a (malicious) file, there is no way going back because damage control is non-existent. If something does slip by the checking (which, with all methods to date, always happened), who will stop and clean the infection? Digital signing companies? I doubt it. Digital signatures only protect you at the front door; antiviruses protect at the front door and inside your house. What would you trust more in the end? So to return a few lines back: even if a user disables the antivirus for the time being, he/she can always clean up the mess later by using an On-Demand scan. What will clean up the mess when something gets by the digital signature checking?
I’m not saying antiviruses are perfect, but if you look back they’ve traveled a long way and evolved in lots of areas, protecting users more efficiently with less and less requirements for user to decide what to do when malware is detected. Primary usage of digital signing should remain as it is, to a limited, more sensitive set of files and secured webpages.
September 13th, 2007 at 4:22 am
In fact, digital signatures are the tool that allows us to securely identify the malware module’s developer.
I mean, you may buy a stolen passport, register your company with it, buy a digital certificate in this company’s name and sign your malware with it. Easy and simple. You will get at least a week or so until AV labs get the sample and the certificate root organization revokes the signature. And you will never be caught!
November 26th, 2007 at 5:14 pm
Regardless of the merits of Joanna’s argument, I believe something has to be done about the overhead virus scanners are placing on the operating system or, more specifically, hard disk access. I know very little about how security software works, but can you read ahead and use RAM to do the work instead to mitigate the disk usage?
As someone working as an in house developer in a corporate environment, my PC is already stretched running the IDE, database, web server etc without having to compete for disk time with virus software.
There are also the mysterious locking issues where temporary files are locked by (as it turns out after I’ve burned time investigating) virus software. E.g. being unable to switch working branches in Subversion:
http://svn.haxx.se/dev/archive-2004-02/0829.shtml
The solution here is for McAfee (I’m using version 8.0 and yes I get this problem) to use the FILE_SHARE_DELETE flag when reading a file because if some other process wants to delete it why should you bother scanning it!