Death of antivirus software imminent

Steven M. Bellovin smb at cs.columbia.edu
Wed Jan 2 21:38:53 EST 2008


On Wed, 2 Jan 2008 21:26:47 +0000 (UTC)
Jason <jason at lunkwill.org> wrote:

 
> On the other hand, writing an OS that doesn't get infected in the
> first place is a fundamentally winning battle: OSes are insecure
> because people make mistakes, not because they're fundamentally
> insecurable.

~~20 years ago, after the Internet Worm, I went and reread the Orange
Book.  I concluded, to my horror, that *nothing* in it, including an
A1-rated system, would have stopped the worm from spreading.  Being
rather new to the theoretical security game (though I'd caught my first
hackers around 1971), I asked someone older and wiser.  "Oh, no; a B2
system would have prevented it."  I asked how.  "B2 requires a thorough
search for bugs."

Worms and viruses have essentially nothing to do with the operating
system.  As long as whatever context the vulnerable application is run
in -- the mailer, the browser, the word processor, whatever -- can
write to the network or to a file, the malware can spread.

Another approach is to run such things at a lower privilege level.
(Vista does that with IE7.)  The problem is that you sometimes have to
cross the barrier; that's another way the malware can spread.

> The maddening part is that security as an industry is almost always
> forced to fight on the losing battlefields, even though we've had
> beautiful, efficient, impregnable fortresses available for many
> years.  Any crypto book from 20 years ago can show you how to send an
> unforgeable email or sign a binary, yet these notions still haven't
> widely caught on (and when they have, as in the Xbox, they get
> hijacked for things like DRM and privacy invasion).

Cryptography provides authentication and integrity.  It does not
provide authorization, nor does it provide protection against bugs.
Your suggested approach -- better OS and better crypto -- is exactly
what's failed for the last 25 years.

If you included all applications as part of the OS, you'd be right --
except that it isn't possible to secure such a code base.

References:
http://www.csl.sri.com/users/neumann/insiderisks06.html#196
http://www.cs.columbia.edu/~smb/papers/sub-browser.pdf
http://vx.netlux.org/lib/vtd01.html
http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
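
The distinction drawn in the message above between authentication/integrity and authorization, as an added Python example that is not part of the original post. The sender names, keys, actions and policy table are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: per-sender MAC keys and a separate access policy.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
POLICY = {"alice": {"read_report", "install_update"}, "bob": {"read_report"}}


def _encode(sender: str, action: str) -> bytes:
    return f"{sender}|{action}".encode()


def sign(sender: str, action: str) -> bytes:
    """Sender side: MAC over (sender, action) with the sender's own key."""
    return hmac.new(KEYS[sender], _encode(sender, action), hashlib.sha256).digest()


def is_authentic(sender: str, action: str, tag: bytes) -> bool:
    """Authentication and integrity: who sent it, and was it altered?"""
    key = KEYS.get(sender)
    if key is None:
        return False
    expected = hmac.new(key, _encode(sender, action), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def is_authorized(sender: str, action: str) -> bool:
    """Authorization: a policy decision the MAC says nothing about."""
    return action in POLICY.get(sender, set())


def handle(sender: str, action: str, tag: bytes) -> str:
    if not is_authentic(sender, action, tag):
        return "rejected: bad tag"
    if not is_authorized(sender, action):
        return "denied: not permitted"
    return "accepted"


if __name__ == "__main__":
    # bob's request verifies perfectly, yet only the policy check stops it.
    tag = sign("bob", "install_update")
    print(is_authentic("bob", "install_update", tag))  # valid MAC
    print(handle("bob", "install_update", tag))        # still denied
    # A tag for one action does not carry over to another (integrity).
    print(handle("bob", "read_report", tag))
```

Neither check says anything about bugs in whatever code later acts on an accepted request.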


