[Dailydave] I love PKI :) (was Some Propaganda.)

Joanna Rutkowska joanna at invisiblethings.org
Thu Nov 16 18:39:36 Local tim 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dan at geer.org wrote:
> Joanna Rutkowska writes:
>  | ...snip...
>  | Existence of such tools, as Piotr is working on, should really convince
>  | and encourage *all* developers to digitally sign their executables.
>  | 
> 
> 
> May I assume that if a signature is good, then code will be run
> while if a signature is bad, then code will not be run.
> 

You should rather think of it this way - once the signature is broken
(or doesn't exist, in the case of a Windows system file) then it's
relatively easy to detect that something is wrong in the system. So, an
attacker should have no interest in breaking or removing signatures.

> However, would Vista remember that a bit of code used to have a
> signature wrapped around it and now, magically, does not?
> 

I don't think that Vista tracks such information (and I'm too lazy to
try). However, in an ideal world we could assume that all executables
must have a signature, so anything without a signature would be easily
detectable and suspect. No, Microsoft didn't pay me to write this ;)

Just to make it clear - I don't think that enforcing the use of digital
signatures on all executables is an effective way to *block* malicious
code execution. That would never work 100%, as there is always a
possibility of finding a bug (in a signed application) and exploiting
it, not to mention that anybody could buy a signature and sign his or
her malicious code with it.

But I think that having digital signatures is the only way we could
(start) building a reliable and systematic *integrity verification* tool
for our OS (note that I didn't write "compromise detector"). Of course,
that would allow us only to detect type I malware, but we need to start
from something, right? ;) Focusing on type II malware detection, without
first solving the problem of detecting type I malware, doesn't make much
sense.

Also, it should be clear that signatures would not solve the problem of
type 0 malware - i.e. they will not detect a potentially malicious
executable (which is not interested in modifying other processes or the
system kernel, but is still "malicious") signed with a valid signature.
But type 0 malware detection is not really an OS integrity verification
issue and this is something I leave to the "classic" A/V industry :)

joanna.
-----BEGIN PGP SIGNATURE-----

iD8DBQFFXLAqORdkotfEW84RAnTYAJ9qIRsCHbHO87UCYxy14UzwtbiV+QCeNOuW
WGI+qXL/Yu7L1L1zuOccDUM=
=EesH
-----END PGP SIGNATURE-----
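The message above treats a missing or broken signature on an executable as the cheap, systematic signal an integrity-verification tool should key on. The following is an added example (not code from the thread, from Joanna Rutkowska, or from any of the projects mentioned) that shows what "has an embedded signature" means at the file-format level: it reads the PE security data directory, which points at a WIN_CERTIFICATE table carrying the Authenticode PKCS#7 SignedData blob, and classifies a file as signed, unsigned, malformed, or not a PE at all. The sample PE images it builds are constructed skeletons, not loadable binaries. Two caveats a practitioner needs before running this over a Windows system directory: presence is not validity (a real verifier must parse the PKCS#7, recompute the Authenticode hash with the checksum field, the security directory entry and the certificate table excluded, and chain the signing certificate), and most Windows system binaries are catalog-signed, with the signature in a .cat file under CatRoot rather than embedded, so this scan will report them as "unsigned"; `signtool verify /a` or `Get-AuthenticodeSignature` resolve catalog signatures, this script deliberately does not.

```python
"""Report which PE executables carry an embedded Authenticode signature.

Added example, not code from the original thread. Detecting the *presence*
of a signature is exact here (it reads the PE certificate-table directory);
the script does NOT validate signatures and cannot see catalog-signed files.
"""
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table entry
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode: PKCS#7 SignedData blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def authenticode_entry(data: bytes):
    """Return (file offset, size) of the WIN_CERTIFICATE table, or None if absent.

    Raises ValueError for anything that is not a well-formed PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    opt = e_lfanew + 4 + 20                     # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        count_off = opt + 92                    # NumberOfRvaAndSizes (PE32)
    elif magic == PE32PLUS_MAGIC:
        count_off = opt + 108                   # NumberOfRvaAndSizes (PE32+)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, count_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                             # directory table too short
    entry = count_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    # Unlike every other data directory, this "VirtualAddress" is a raw file offset.
    if offset + size > len(data):
        raise ValueError("certificate table points past end of file")
    return offset, size


def classify(data: bytes) -> str:
    """'signed' if a PKCS#7 Authenticode blob is embedded, 'unsigned' if the PE
    has no certificate table, 'malformed' for a damaged PE, 'not-pe' otherwise."""
    if data[:2] != b"MZ":
        return "not-pe"
    try:
        entry = authenticode_entry(data)
    except ValueError:
        return "malformed"
    if entry is None:
        return "unsigned"
    offset, size = entry
    if size < 8:                                # WIN_CERTIFICATE header is 8 bytes
        return "malformed"
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    if length > size or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "malformed"
    return "signed"


def scan(root) -> dict:
    """Map each .exe/.dll/.sys under root to its classification."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".exe", ".dll", ".sys"):
            report[str(path)] = classify(path.read_bytes())
    return report


def build_sample_pe(embed_signature: bool) -> bytes:
    """Constructed sample input: a minimal PE32+ skeleton (not a loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(240)                        # PE32+ optional header, 16 dirs
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    body = b"\0" * 16                           # stand-in for section data
    cert_table = b""
    if embed_signature:
        pkcs7 = b"\x30\x80" + b"\xaa" * 30      # stand-in for DER SignedData (constructed)
        cert_table = struct.pack("<IHH", 8 + len(pkcs7), 0x0200,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert_off = len(dos) + 4 + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert_table


if __name__ == "__main__":
    for path, status in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{status:10} {path}")
```

Run it as `python pe_sigscan.py C:\Windows\System32` (the script name is an assumption) and read the "unsigned" and "malformed" lines as the candidates for a closer look, remembering that catalog-signed system files land in "unsigned" here; a file whose directory entry points past the end of the file, or whose certificate table has been overwritten, is the "broken signature" case the message describes.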
