Monthly Archives: March 2008

Why Is It That Many AV Vendors Simply Don't Get It?

It’s not hard. So why?

An associate pinged me with a link to The Future of AntiVirus, an article which mentions the AntiVirus Is Dead paper that I wrote for Bit9, and then quotes various people on the topic of the inevitable demise of AV.

It’s fair to say that my AVID campaign has been successful, not just in inserting the cat amongst the pigeons, but in getting people to think more intelligently about IT security. So why is it that many AV vendors simply don’t get it? Symantec and Kaspersky do, by the way, and they are evolving their products accordingly, but if the above article is to be believed, BitDefender is pretty much bottom of the class on this. (To understand what follows you may need to read some of the AVID articles, by the way, because I’m assuming you have).

Here’s a comment from BitDefender, drawn from the article.

Antivirus firms think their death is greatly exaggerated, thank you very much, even those that aren’t overly reliant on signatures, like BitDefender, which says that signature-based techniques account for only 20 percent of the malware it catches.

“Signatures aren’t dead, you need them,” says Bogdan Dumitru, chief technology officer of the Romanian firm, which uses behavioral targeting techniques to stop the remainder of attacks.

I’m sorry Bogdan, but you’re blowing yourself to bits with your own words. If signatures only stop 20 percent of viruses, why use them at all? Are you suggesting that the 20 percent that signatures stop (and by the way that’s a horribly low figure) will not be stopped by behavioral techniques? If that’s so, your behavioral techniques are horribly flawed. And if it isn’t so, there’s no point in using signatures as a blocking technique. QED.

Fess up, Bogdan, you’ve got it completely upside-down and back-to-front. Behavioural techniques are a natural component of a whitelisting solution, the purpose of which is to recognize potential malware from its behavior, while it runs in a sandbox. A sandbox is and always has been a component of a whitelisting solution to deal with the software that is not “known to be good”. You’re doing it all backwards by adding behavioral techniques to AV signatures – which is a fundamentally wrong idea and doesn’t work, as we all now know.

In order to manage a sandbox properly, you’ll have to manage all the “permissions to execute” of all the software within the OS. But in order to do that, in a bullet-proof way, you’ll need to be able to recognise everything in the OS and know what it does. In other words, you’ll have to be managing a whitelist.

A further statement about BitDefender in the article fills me with fear (for BitDefender’s customers).

Its main research focus is to develop an “undo” feature that will let users hit by malware reverse its effects. BitDefender hopes to release this feature in 2008.

I’ll bet the hackers are rubbing their hands. This is not just a crock of an idea. It needs to be stopped. Please, nobody buy this. It’s worse than dangerous. Here’s why:

When you have been infected by malware, you cannot know or prove exactly what happened and what has been impacted (unless you are running whitelisting, in which case you’ll know if anything has been messed with when it runs). If I were a hacker I’d deliberately use BitDefender’s idiot cleansing product – assuming you were fool enough to use it – to get in under your radar. I’d write a virus and add a module that hid the piece of logic that I want to use somewhere (perhaps as a root kit in an invisible account); then, having executed that code and inserted the code, I’d delete all traces of it from the virus. The cleansing product comes along, thinks it recognizes the virus and thus thinks it’s cleaned it up when it removes it. Now I’ve got you and you think you’re clean.

BitDefender has the idea that in some way it can know what a virus did. It can’t. The reverse engineering of software is hard enough anyway, but the reverse engineering of software that knows it’s going to get reverse engineered is fraught with peril and ultimately doomed to failure.

Apply whitelisting and the problem is solved, by the way.

Another quote worth commenting on in the article is from David Harley, administrator of Avien, the antivirus information exchange network (I wonder if he might have an axe to grind). He says:

“Whitelisting does seem to be advocated currently as the panacea du jour. I think this relentless search for The Answer, discarding one partially successful solution set for something else in the hope that it will eliminate the problem, is actually unprofessional.”

I like the spin here. “Partially successful solution”? A chocolate teapot is a partially successful solution.


Nanotubes: Is it like Rocket Science? Er... maybe.

Nanotechnology, they say, will be a $1 trillion market and they (whoever “they” are) are probably right. For the best part of a decade we’ve watched the genesis of an infant market, which is pretty much “all nanohat and no nanocattle” as regards world-changing innovation. Still, there are a number of start-ups, and even one or two established products and companies. So what are they doing?

The Thin Film Industry

If you count thin film technology as nanotechnology (and you should, because it is), then nanotechnology is already big business. The early applications of nanotechnology were a matter of “improving” substances and surfaces. So there are body parts for vehicles and airplanes that are stronger and lighter because of nanotechnology. There are self-cleaning windows that use nano-engineering to keep dirt from sticking to glass and even materials from which clothes can be made that will repel stains. And, of course, thin film technology is a big part of the chip business.

So in this stream of things, nanotechnology is really an extension of materials science – or boring old materials science – as it is known by its detractors like me, who are far more enthused about nanotubes than thin films, because nanotubes stand a chance of being really cool as well as revolutionary.

Nanoladders

Nanotubes are one of those things, like calculus, that were discovered simultaneously by two people in different parts of the globe: Iijima (of NEC in Japan) and Don Bethune (of IBM, Almaden). Nanotubes are “hexagonal lattices of carbon, wrapped in a tight cylinder”. They conduct electricity, so it is entirely possible that we will be able to use them to construct computers at some point.

However, they also have other properties. They are very very very strong and although just a few nanometres wide, they can be up to a millimetre long. That doesn’t sound very long, but when compared to the width of a nanotube, it really is very long. For that reason it’s possible to treat nanotubes like long strands of wool or cotton and make extremely long lengths of nano-string.

Could that be useful?

Brad Edwards of High Lift Systems, which counts NASA as one of its investors, believes so. He is hoping to build an elevator into space made from a paper-thin nano-ribbon about 1 meter wide and 100,000 kilometers long – and, by the way, this is not a wacky idea. The elevator could be ready within 10 years.

High Lift Systems intends to send a spaceship up into space containing rolls and rolls of nano-ribbon, which will not actually weigh much even if, in total, it’s 100,000 kilometers long, because it’s very very very thin – worse than anorexic. When it reaches a geostationary orbit (where gravitational force is exactly equal to centripetal force) it will start to unwind the ribbon in both directions: going away from earth, the centripetal force will keep it taut, and going down to earth, gravity will have the same effect. The huge ribbon will stretch from earth to space and appear to stand up on its own.
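The geostationary condition the post relies on, worked through as an added derivation (not from the original post; the values for Earth’s gravitational parameter $GM$, sidereal day $T$ and radius $R_E$ are standard reference figures):

For a mass in circular orbit, gravity alone supplies the centripetal force:
$$\frac{GM}{r^{2}} = \omega^{2} r \quad\Longrightarrow\quad r = \left(\frac{GM}{\omega^{2}}\right)^{1/3}.$$
That balance holds at every circular orbit; what makes the orbit geostationary is that $\omega$ equals Earth’s own rotation rate, $\omega = 2\pi/T$ with $T = 86164\ \mathrm{s}$ (one sidereal day), so $\omega \approx 7.292\times10^{-5}\ \mathrm{s^{-1}}$. With $GM = 3.986\times10^{14}\ \mathrm{m^{3}\,s^{-2}}$:
$$r = \left(\frac{3.986\times10^{14}}{(7.292\times10^{-5})^{2}}\right)^{1/3} \approx 4.216\times10^{7}\ \mathrm{m},$$
about $42{,}160\ \mathrm{km}$ from Earth’s centre, or roughly $35{,}800\ \mathrm{km}$ above the surface ($R_E \approx 6371\ \mathrm{km}$). Ribbon paid out below this radius is pulled earthward by gravity; ribbon paid out above it is flung outward because its circular speed there exceeds the local orbital speed. That is why a $100{,}000\ \mathrm{km}$ ribbon can be deployed in both directions from this single orbit and hang taut, with the outer portion acting as counterweight.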

All you then need is an elevator carriage that can be attached and will be able to move up and down the ribbon. High Lift Systems believes it can move the carriage at about 200 kilometers an hour – the speed of a very fast train. It estimates the construction cost at $10 billion, but says that such an elevator would reduce the cost of spaceflight by a factor of 400.

For more information on this visit AmericanAntigravity.com.


Bouncer: Going Beyond Whitelisting

A few weeks ago I spent an intriguing afternoon in the basement of Dan Teal, Founder and CTO of CoreTrace. While that might sound as though we were reviewing his private treasury of Civil War memorabilia, or his collection of antique farm implements or whatever, he was actually giving me a demonstration of Bouncer, the product he and his team at CoreTrace have built. He just happens to be able to do that from home and it was more fun than simply sitting in the boardroom and watching a canned demo.

The Role of Whitelisting

So what is Bouncer? I’m tempted to refer to it as a whitelisting capability, but to be honest it goes beyond whitelisting, and it heads off in a direction of which I approve. So let’s begin this by discussing whitelisting and the real reason for The AVID Campaign that I ran for 18 months, until the AV industry was forced to take notice and change direction.

The AVID campaign was a drumbeat aimed at repeatedly drawing attention to the fact that the primary IT security product, AV software, was inadequate and also, based on the wrong idea. Because I needed to run the campaign as a drumbeat, I rarely came right out and made the “defining point”. The defining point about IT Security is this.

You cannot break into a computer from a remote location and achieve anything at all without executing a process.

It’s also almost impossible to do anything without executing a process, even if you’re actually in the same room as the computer, but at least then you have the added possibility of physically taking it apart and, depending on how the computer works, you may be able to get at data somehow. Remotely you have no chance whatsoever without executing a process. Period. It really is that simple.

And consequently, in order to prevent intruders from doing dastardly things directly (or indirectly through viruses), what you need to do is authenticate the software that is allowed to run and let nothing else run. Anti-virus is a poor IT Security solution because it doesn’t do that. Instead it tries to spot software it thinks is bad. Anti-virus comes from a bygone era and that is where it belongs. It is not enough to just recognize rogue software.

Neither is it enough to add behavioral recognition to AV software. That will improve things quite a lot, because it will trap a good deal of the rogue software that standard AV will miss, but unfortunately there are many pieces of software that can do dastardly things that are a legitimate part of the operating system. We have to do better than that.

So we come to whitelisting. Whitelisting is the implementation of software authentication. You start by authenticating a clean version of all the software you intend to use and then you don’t let any other software run except in a sandbox until it has been authenticated. There are different approaches to whitelisting, but the differences are in how you implement and how you authenticate. From a theoretical standpoint, all whitelisting products take the same approach.
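As an added illustration of the whitelist-plus-sandbox decision just described (and of the earlier point that a whitelisted system notices when a known file has been messed with), here is a small hash-based execute-control model. It is example code written for this page, not CoreTrace’s or Bit9’s; the file paths and “binary” contents are constructed sample data.

```python
"""Hash-based execute-control model: every program is authenticated against a
baseline taken from a clean system; anything else is sandboxed until vetted.
Illustration written for this page, not vendor code; all data is constructed."""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"        # content matches the authenticated baseline
    SANDBOX = "sandbox"    # not known to be good: run confined until vetted
    TAMPERED = "tampered"  # path is known but its content has changed


def fingerprint(content: bytes) -> str:
    """Authenticate a file by its content, not by its name or location."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(clean_files: dict) -> dict:
    """Step one of whitelisting: record every program on a known-clean image."""
    return {path: fingerprint(data) for path, data in clean_files.items()}


def decide(baseline: dict, path: str, content: bytes) -> Verdict:
    """Execution request: allow only what the baseline authenticates.
    No signature of the bad thing is needed, only knowledge of the good."""
    expected = baseline.get(path)
    if expected is None:
        return Verdict.SANDBOX        # never seen on the clean image
    if expected != fingerprint(content):
        return Verdict.TAMPERED       # same path, different bytes
    return Verdict.ALLOW


# Constructed clean image: two "programs" as plain byte strings.
CLEAN_IMAGE = {
    "/bin/editor": b"editor v1.0 clean build",
    "/bin/mailer": b"mailer v2.3 clean build",
}
BASELINE = build_baseline(CLEAN_IMAGE)


def demo() -> dict:
    """Three execution requests: untouched, modified in place, and brand new."""
    return {
        "untouched": decide(BASELINE, "/bin/editor", CLEAN_IMAGE["/bin/editor"]),
        "modified": decide(BASELINE, "/bin/mailer", CLEAN_IMAGE["/bin/mailer"] + b"\x90"),
        "new": decide(BASELINE, "/tmp/dropped.exe", b"never authenticated"),
    }
```

The modified mailer is refused without any knowledge of what was appended to it, which is the distinction the post draws between recognising rogue software and authenticating good software.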

Bouncer and The Globalization of Permissions

Bouncer is too complex a product for me to describe in a single posting, so just think of it as a whitelisting capability and I’ll describe three elements of it which I find impressive and which take it a little further than whitelisting normally goes.

  1. Bouncer is designed as if it were an invisible root kit that is injected into the OS at the highest priority point and the earliest possible point after boot up. Basically it is designed to get in before anything else can and be invisible in every way. You will never know it is there and (in theory at least) it will never show up in any diagnostics of any kind.
  2. Bouncer implements its sandbox and its whitelist directly by controlling and enforcing permissions. Bouncer can prevent all other processes from making changes to permissions. It can have total control. In other words it owns the local permission system completely and cannot be usurped.
  3. Bouncer runs from sealed servers which self-protect and which can be configured to run in a fault-tolerant manner. It thus enforces a complete separation of concerns. You could say that, in a kind of metaphorical way, it virtualizes and globalizes the permissions system so that the IT Security of a network can be defined as a set of policies that are implemented by a separate system that oversees the corporate network.

So is Bouncer a whitelisting product? I’d say not. It’s more like an IT Security platform and it marks out the direction in which I believe other whitelisting products will inevitably evolve.


An Uneasy Relationship Between The Trees and the Rain


An Uneasy Relationship Between The Trees and the Rain (From the series: The Weirding of Austin)

Coming from the UK, I had little knowledge of what a flash flood was. It doesn’t take long to learn. In the Texas spring, local thunderstorms are common, bringing rain by the bucket-full in quantities previously unimaginable to a Brit. You can be ten miles away from a storm that puts 9 inches of rain on the ground and you might not even get wet.

Oh but it pays to know that there was a storm locally, because all of that rain doesn’t happily soak into the fields. It goes rushing down the ravines and waterways in a merciless fashion carrying cars into the midst of rivers which were just streams a few minutes ago. And so you can see an image like the one above, where the trees appear to defy reason, having somehow managed to take root in the middle of a river.

That’s no river. It’s barely a stream.


The Clouds As A Veil


The Clouds As A Veil (from the series: The Secret Life of Clouds)

This particular image was captured from an airplane over Los Angeles, a city that looks an awful lot nicer from the air than it does from the ground. The clouds had littered the sky for the whole journey out of Austin, except when we crossed Arizona and the clouds disappeared beneath the scorching sun. But they reappeared over the Sierras and then they drew back like a veil as we came to the coast.

You can see them here, about to reveal the nakedness of Santa Catalina Island in the distance, as our airplane heads west over Manhattan Beach before turning around to greet the runways of Los Angeles International Airport.
