14 DAY TRIAL // Is Windows Vista antivirus a waste of money, effort and time? Are all Windows security solutions for that matter? Well, one security researcher indeed seems to think so. Joanna Rutkowska, CEO of Invisible Things Lab opined that the industry has taken a wrong path investing and building polymorphic virus detection, advanced emulators for analysis of infected files and complex heuristics, when there is a more simple solution at hand - digital signatures. Just to be clear, nowhere does Rutkowska claim that there is no need for security solutions to be deployed alongside the operating system be it Windows XP, Vista, a distribution of Linux or Mac OS X. She only stated that digital signatures associated with all executable files could be a much less expensive endeavor than what the security industry has to offer currently.
I tied this with Windows Vista because of the mandatory driver signing model introduced into the 64-bit versions of Microsoft's latest operating system. x64 Vista requires all Kernel-mode software to feature a digital signature in order to load into the core of the operating system. Additionally Microsoft informed that all boot-start drivers must come complete with an embedded signature. Well, there is quite a difference between a driver loading into Vista's kernel and an executable, but the overall concept of digital signatures is similar. Software products would deliver digital signatures in order to both verify the producer, but also the integrity of the code. For the time being the mandatory kernel driver signing in x64 Vista does just the first, while Rutkowska was in fact referring to checking the legitimacy of the software and nothing more.
"Does it mean we get a secure OS this way? Of course not! Digital signatures do not protect against malicious code execution, e.g. they can't stop an exploit from executing its shellcode. So why bother? Because certificates allow to verify that what we have is really what we should have (e.g. that nobody infected any of our executable files). It's the first step in ensuring integrity of an OS," she stated, while the conclusion sounded a tad differently. "So, do I want to say that all those years of A/V research on detecting file infections was a waste time? I'm afraid that is exactly what I want to say here."
The fact of the matter is that Rutkowska herself proved at this year's BlackHat conference that digital signatures account for no actual protection when she ripped through legitimately certified ATI and NVIDIA drivers into the core of x64 Vista. Still, she does not present generalized digital signatures for executable files as a panacea solution.
However, Nishad Herath, senior researcher at McAfee, revealed an entirely different perspective on the matter, arguing that the current offerings of the security industry are not a wrong path, but in fact the natural evolution of the products designed to offer protection to users of various operating systems.
"With Joanna's "elegant" solution, all that a cybercriminal needs to do is to compromise an application vendor to create an infected binary, signed by the vendors certificate and voila! Users will trust the signature and run the executable without asking any questions. In fact, the cybercriminal doesn't even have to spend time developing new malware because the old ones will work just fine. There are no file Anti-Virus scanners anywhere to identify the infection after all! Yes, in one word, ridiculous," Herath commented, classifying Rutkowska's solution as insane and utopian.
Besides, it is quite a stretch of the imagination to envision a world were all the executable files are digitally signed. Microsoft, or other multi billion software companies are not the sole sources of code. And a model which makes the digitally signing of all executables mandatory is bound to take independent software producers out of the equation killing diversity. Just look at the problems users have when attempting to integrate unsigned or legacy drivers into the 64-bit editions of Vista. Microsoft will do everything from revoking certificates to labeling tools as potentially malicious code in order to stop the trend of loading unsigned code in the Vista kernel.
"Even in the highly unlikely utopian reality we imagined for the sake of the argument, it is clearly evident that Joanna's "elegant" solution is in fact far from being a solution. Besides, file Anti-Virus scanners are increasingly being augmented by cutting edge behavioral scanners, to protect users from "malicious intent" no matter where the executable content comes from. I personally prefer a world where my client security infrastructure protects my computing environment from malicious activity, rather than asking me to place my trust on hundreds of external sources and assume all is well," Herath concluded.