[fuzzing] PROTOS Genome Test Suite c10-archive
Heikki Kortti
hkortti at codenomicon.com
Tue Mar 18 06:14:33 CDT 2008
On Mon, Mar 17, 2008 at 05:11:29PM -0500, eugaaa wrote:
> I wonder what AV heuristics engines are currently doing to prevent this
> type of exploitation? Is there a good paper on heuristic container
> protection?
Well, the whole point of adding more code to protect underlying code
is fundamentally flawed and leads only to more exploitable bugs. As
you have seen, in this case it's the "heuristics engine" itself that's
under attack, not the underlying system.
AV engines should be a) coded with the same stringent secure coding
practices as all other modern software, and b) they should be
subjected to all the same security testing practices as all other
modern software.
If anything, they should be built _more securely_ and tested _more
rigorously_, as they claim to protect other, perhaps more vulnerable
parts of systems. However, this does not seem to be the case with most
present-day AV software.
Taking the argument to the extreme, AV and firewall software should be
abolished as soon as the security of all underlying systems has been
improved to a tolerable level ;-)
While we're on the topic, there are some good papers out there on
antivirus fuzzing. Sergio did a great presentation at the last CCC
Camp:
<URL:http://events.ccc.de/camp/2007/Fahrplan/attachments/1324-AntivirusInSecuritySergioshadownAlvarez.pdf>
And here's another excellent paper along the same lines from Sergio
and Thierry, in case someone here hasn't read it yet:
<URL:http://www.nruns.com/aps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf>
--
Heikki / Codenomicon