
anti-virus companies, please stay away from Linux

Posted Mar 15, 2004 23:15 UTC (Mon) by JoeBuck (subscriber, #2330)
Parent article: Mainstream means more malicious code for Linux (SearchSecurity.com)

Certainly Linux is vulnerable, and will become a more attractive target of the black hats as its popularity increases.

That said, we should reject the solutions offered by the anti-virus companies. Real security does not fit their business model, since its purpose is to extract maximum cash from the public, and actually preventing all malware would not do that. They would rather do what they do now, which is to offer their customers a list of "known criminals" to check against, which has the virtue (from their point of view) of requiring a subscription so that their customers can keep current, but does not interfere in the least with the ability of virus writers to write new malware, thereby generating new business for the anti-virus companies.

I see multiple demonstrations of the lack of ethics of some anti-virus companies every day, every time I see a bounce of one of the current crop of email viruses, followed by a warning that I am infected, saying that I have some anti-virus company's mail filter to thank for this "service" and strongly suggesting that I need to buy such a product to be safe. Of course, the designers of these mail filters know full well that the return address is forged, but they happily spam me anyway.

What we need to do instead is take a systems approach, focusing on eliminating whole classes of attacks. The Gnome and KDE teams need to be sure, when cloning features of Windows, to avoid cloning those features that are demonstrated to be vulnerabilities. No hiding of file extensions in an attempt to be "friendly". No self-extracting archive formats that basically tell the user to run an untrusted program. "Taint" analysis to be really paranoid about untrusted data. Audit libraries to the point where we can mathematically prove, say, that the conversion from a JPEG or PNG to a bitmap/pixmap for use in an application contains no buffer overflows, and work to continually increase the amount of trusted code.

And if a feature could conceivably be unsafe, work hard to make it safe or leave it out. And when the bugs come anyway, fix them quickly.

anti-virus companies, please stay away from Linux

Posted Mar 16, 2004 7:09 UTC (Tue) by eru (subscriber, #2753)

What we need to do instead is take a systems approach, focusing on eliminating whole classes of attacks. [...]

Also it is most important that distribution makers (who after all produce what most end-users perceive as "Linux") take the "secure by default" approach. A sloppy system configuration (like inappropriate permissions for some key files) would nullify whatever auditing and analysis has been performed by gurus on the components.

I wonder if the "stackguard" compiler techniques would cause too much overhead to use on normal distros by default? It is no silver bullet, but would cause one common exploit type to be detected before it causes serious harm.

anti-virus companies, please stay away from Linux

Posted Mar 18, 2004 15:19 UTC (Thu) by nix (subscriber, #2304)

StackGuard techniques?

I'd say that on distros that aren't targeted at slow systems, the ~5% overhead imposed by SSP/ProPolice/StackGuard and the like are entirely worth it, such that the biggest problem with them is the draining of /dev/random that they cause (32 bytes read from there for canary seeding whenever a process starts)...

... but even given that, and even given that I use it on my firewalls, I *still* think it's an inelegant kludge, and there Must Be a Better Way.

(Well, there is. Stop using C...)
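The two posts above discuss the stack protector (StackGuard/SSP/ProPolice) in the abstract: a per-process random canary, a compare on every function return, and a detection that fires before the corrupted return address is used. The C program below is an added example written for this page, not code from the thread or from any of those projects. It models one stack frame as a struct (locals, then canary, then saved return address), seeds the canary from /dev/urandom rather than the /dev/random read nix complains about, and clamps the copy to the frame so the demonstration stays within defined behaviour instead of actually smashing the stack. The fallback canary value, the sentinel return address and the 16-byte buffer are assumptions made for the example.

```c
/* Added example: a hand-rolled model of the SSP/ProPolice canary.
 * Not code from the LWN thread or from any stack-protector implementation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define FRAME_RET_SENTINEL 0x400123ULL  /* stand-in for a saved return address (assumption) */

/* Layout the compiler emits: locals first, canary above them, then the
 * saved frame pointer / return address. A contiguous overflow of buf has
 * to cross the canary before it can reach saved_ret. */
struct frame {
    char     buf[16];
    uint64_t canary;
    uint64_t saved_ret;
};

/* Zero the first byte in memory of the canary, as glibc does: a str*cpy
 * overflow then cannot reproduce the canary without also terminating. */
uint64_t canary_zero_first_byte(uint64_t c)
{
    ((unsigned char *)&c)[0] = 0;
    return c;
}

/* One read per process at startup. /dev/urandom does not block; the fixed
 * fallback is only so the example runs without the device. */
uint64_t canary_seed(void)
{
    uint64_t c = 0x5a5a5a5a5a5a5a5aULL;          /* fallback, assumption */
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        uint64_t r;
        if (read(fd, &r, sizeof r) == (ssize_t)sizeof r)
            c = r;
        close(fd);
    }
    return canary_zero_first_byte(c);
}

/* "Vulnerable" function with read()/memcpy semantics: copies len bytes into
 * the 16-byte buffer with no bounds check, then runs the SSP epilogue check.
 * Returns 0 if the canary is intact, 1 if smashed (real SSP would abort).
 * The value the function would return to is reported through ret_out. */
int frame_copy_checked(uint64_t canary, const unsigned char *input,
                       size_t len, uint64_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = canary;
    f.saved_ret = FRAME_RET_SENTINEL;
    size_t n = len < sizeof f ? len : sizeof f;   /* clamp: a model, not a real smash */
    memcpy(&f, input, n);
    if (ret_out)
        *ret_out = f.saved_ret;
    return f.canary != canary;
}

/* Same frame with strcpy semantics: the copy stops at the first NUL. */
int frame_strcpy_checked(uint64_t canary, const char *input, uint64_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = canary;
    f.saved_ret = FRAME_RET_SENTINEL;
    unsigned char *dst = (unsigned char *)&f;
    size_t i = 0;
    while (input[i] != '\0' && i < sizeof f - 1)
        dst[i] = (unsigned char)input[i], i++;
    dst[i] = '\0';                                /* strcpy writes the terminator too */
    if (ret_out)
        *ret_out = f.saved_ret;
    return f.canary != canary;
}

int main(void)
{
    uint64_t canary = canary_seed(), ret, fake = 0xdeadbeefULL;
    unsigned char payload[32];
    char str[33];

    /* 1. Blind overflow: 32 x 'A' crosses the canary and is caught. */
    memset(payload, 'A', sizeof payload);
    printf("blind overflow detected: %d\n",
           frame_copy_checked(canary, payload, sizeof payload, &ret));

    /* 2. Attacker who leaked the canary and controls the length: the check
     *    passes and saved_ret is replaced. Canaries are not a complete fix. */
    memcpy(payload + 16, &canary, sizeof canary);
    memcpy(payload + 24, &fake, sizeof fake);
    printf("leaked-canary overflow detected: %d, ret now 0x%llx\n",
           frame_copy_checked(canary, payload, sizeof payload, &ret),
           (unsigned long long)ret);

    /* 3. Same payload through strcpy: stops at the canary's NUL byte, so the
     *    return address survives and nothing is reached past the canary. */
    memcpy(str, payload, 32);
    str[32] = '\0';
    printf("strcpy attempt detected: %d, ret still 0x%llx\n",
           frame_strcpy_checked(canary, str, &ret), (unsigned long long)ret);
    return 0;
}
```

The three cases are the practical summary of the posts: a contiguous blind overflow is caught at function exit for the price of one compare per return; a canary that has been leaked (a format-string read, an uninitialised-memory disclosure) buys nothing; and the zero byte stops string-copy overflows without any check at all. The per-exec read from /dev/random that nix objects to is also gone in modern systems: the kernel passes 16 random bytes to every new process in the AT_RANDOM auxiliary vector and glibc derives the guard from those, so no device is opened.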

anti-virus companies, please stay away from Linux

Posted Mar 16, 2004 15:16 UTC (Tue) by HunterA3 (guest, #20241)

There was a developer that had an idea for a new breed of anti-virus program that would learn how all your programs behaved under normal conditions and, if it detected a program not working as it should, it would terminate it and isolate it for an admin to check into, thus doing away with actual virus definitions and creating a self-sustained anti-virus program. Naturally, all the current anti-virus vendors shot it down with extreme prejudice because it would have jeopardized their business model of making money off of insecurity. So your concerns have merit.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds