P. Thompson
ftp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf
A good read.
P. Thompson said:
ftp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf
A good read.
Is the only way to discover a mal-page is by running IE in a virtual
process and seeing if it breaks?
Can't a mal-page be discovered programmatically by analyzing the code?
Couldn't search engines perform this sort of discovery as part of
their normal function, and potentially build a business model around
protecting users from being directed to those mal-pages?
Why doesn't MS or Google offer an on-line portal that would allow
users to enter a URL path and have the URL analyzed for mal-behavior?
Virus said:
Is the only way to discover a mal-page is by running IE in a virtual
process and seeing if it breaks?
Can't a mal-page be discovered programmatically by analyzing the code?
kurt said:
It's not possible to algorithmically determine what a program does
for all possible programs just by looking at their code...
Ian said:
Imagine the load put on a server to perform such requests
What is a web page doing trying to push executable code to a viewer?
You don't have to analyze executable code to know that the web site is
trying to push something bad back to the viewer.
How many page-views are initiated in the first place by a search?
Quite a few I bet.
yes...
How many search engines, in the course of scanning and archiving the
web, make sure that the pages they're cataloging (and will at some
point present to someone) are "safe" and don't contain known exploits?
Why is it that we can scan files for viral/trojan/worm content, but we
can't scan web URLs for their equivalent form of mal-code?
IE (and other browsers) are constantly getting patched for one
vulnerability or another. Why can't they throw up a message saying:
"hey, I've just detected a threat called "(you-name-it)" in the
web page you're trying to view. The protection for this
threat was installed with update patch kb123456 (July 2005).
I'm going to add that site (or entire domain) to my quarantine
list to prevent it from causing harm. Would you like to take
a look at or edit the quarantine list?"
When are browsers going to get smart enough to basically have their
own version of a built-in anti-mal-code scanner and dynamically
maintain their own site-by-site or domain-by-domain quarantine list?
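An added example, not code from this thread or from the HoneyMonkey paper, sketching what Virus Guy's built-in known-exploit scanner with a domain-by-domain quarantine list would look like, and why kurt's objection still stands: a signature catches only the form it was written for, so a page that assembles the same object at run time passes through unflagged, and only executing the page (the approach the paper takes) would reveal it. Every signature, patch id, domain and page below is constructed for illustration; the CLSID is a made-up placeholder and kb123456 is the hypothetical patch number from the post above.

```python
"""Toy browser-side scanner for KNOWN exploit signatures plus a per-domain
quarantine list.  Added example; all signatures, patch ids and pages are
constructed, none refers to a real vulnerability."""
import html
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Signature:
    name: str        # threat name shown to the user
    patch_id: str    # update that closed the hole (constructed value)
    patched_on: str
    pattern: str     # regex applied to the normalised page text


# Constructed signatures: a placeholder ActiveX CLSID, and an oversized
# attribute that stands in for the "contents designed to cause a buffer
# overrun" mentioned in the thread.
SIGNATURES = [
    Signature("Hypothetical.ActiveX.Drop", "kb123456", "July 2005",
              r'classid="clsid:00000000-dead-beef-0000-000000000000"'),
    Signature("Hypothetical.LongAttr.Overrun", "kb654321", "August 2005",
              r'<img[^>]*\bsrc="[^"]{1024,}"'),
]
COMPILED = [(s, re.compile(s.pattern, re.IGNORECASE)) for s in SIGNATURES]


def normalise(page: str) -> str:
    """Undo trivial variation: decode entities, lowercase, collapse whitespace."""
    return re.sub(r"\s+", " ", html.unescape(page).lower())


def scan(page: str) -> list[Signature]:
    """Return every known signature that literally appears in the page.
    Anything built only while script runs is invisible to this check."""
    text = normalise(page)
    return [sig for sig, rx in COMPILED if rx.search(text)]


@dataclass
class Quarantine:
    """Domains the browser refuses to load, as the post proposes."""
    domains: set = field(default_factory=set)

    def add(self, url: str) -> str:
        host = urlsplit(url).hostname or ""
        self.domains.add(host)
        return host

    def blocks(self, url: str) -> bool:
        host = urlsplit(url).hostname or ""
        return any(host == d or host.endswith("." + d) for d in self.domains)


def check_page(url: str, page: str, quarantine: Quarantine) -> dict:
    """Decide before rendering: blocked, quarantined (new hit), or loaded."""
    if quarantine.blocks(url):
        return {"verdict": "blocked", "hits": [],
                "message": f"{url} is on the quarantine list; not loading it."}
    hits = scan(page)
    if not hits:
        return {"verdict": "loaded", "hits": [], "message": ""}
    host = quarantine.add(url)
    sig = hits[0]
    msg = (f'Detected a threat called "{sig.name}" in the page you are trying '
           f'to view. Protection for it was installed with {sig.patch_id} '
           f'({sig.patched_on}). Adding {host} to the quarantine list.')
    return {"verdict": "quarantined", "hits": [s.name for s in hits], "message": msg}


# Constructed pages.  PLAIN_PAGE carries the identifier literally; RUNTIME_PAGE
# builds the same identifier only when script executes, so the static scan
# has nothing to match and the page loads.
PLAIN_PAGE = ('<html><object CLASSID="clsid:00000000-DEAD-BEEF-0000-000000000000">'
              '</object></html>')
RUNTIME_PAGE = ('<html><script>var c = "clsid:" + "00000000-dead-beef-0000-0000000000" + "00";'
                'document.write(\'<object classid="\' + c + \'"></object>\');</script></html>')

if __name__ == "__main__":
    q = Quarantine()
    print(check_page("http://bad.example/a.html", PLAIN_PAGE, q)["message"])
    print(check_page("http://www.bad.example/b.html", "<html></html>", q)["verdict"])
    print(check_page("http://other.example/", RUNTIME_PAGE, Quarantine())["verdict"])
```

The normalisation step is what keeps the signature from being a pure byte-string match: case changes, entity encoding and whitespace tricks are folded away before the regex runs. The run-time-assembled page still passes, which is the gap kurt points at and the reason the paper's authors run the page in a real browser instead.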
Ian said:
For the same reason they say antivirus software is only as good
as its latest update.
Why is it that we can scan files for viral/trojan/worm content, but we
can't scan web URLs for their equivalent form of mal-code?
Instead, while the browser is mindlessly loading in any URL that it's
pointed to, other processes running in the background have to make
sure that nothing weird or bad is happening. The first line of
defence would be for the browser to have some ability to know that it
is being presented with a KNOWN EXPLOIT and to neutralize it by not
loading or rendering it in the first place (and telling the user about
it).
So why do we bother having AV software then? By your reasoning AV
software should never have been developed because of all the
arguments you just listed.
The biggest hole right now is that the web browser has no front-end
mal-ware detection or code-handler in it.
Virus said:
What is a web page doing trying to push executable code to a viewer?
Or trying to send contents designed to cause a buffer overrun?
You don't have to analyze executable code to know that the web site is
trying to push something bad back to the viewer.
Is the only way to discover a mal-page is by running IE in a virtual
process and seeing if it breaks?
Couldn't search engines perform this sort of discovery as part of
their normal function, and potentially build a business model around
protecting users from being directed to those mal-pages?
P. Thompson said:
A virtual process or a whole virtual *machine*?
Takes bloatware to a whole new level.
Virus Guy said:
So why do we bother having AV software then? By your reasoning AV
software should never have been developed because of all the
arguments you just listed. Same with anti-spyware and ad-ware.
P. Thompson said:
A virtual process or a whole virtual *machine*?
Takes bloatware to a whole new level.
Bloatware? I thought you read it - they aren't talking about a client side
application, it's not meant to be run on customers' computers..
Now where did I say it was going to run on customers' computers?
I was expounding on virus guy's marveling at their technique, which in the
paper they coyly describe as "fairly expensive".
P. Thompson said:
I hate to reply to myself, but I can just see the 'in the box thinkers'
out there saying "why a virtual machine is cheaper than a real one, ain't
it".
So I will clarify "expensive" in the computer science terminology of being
of high computational overhead compared to a possible alternative that
virus guy mentioned of a technology which scans the HTML and extrapolates
the result without starting an OS, starting a browser, injecting mouse
click events of the typical porn surfer and then tearing it all down when
something exploits the machine.