Technology Review - Published By MIT
Advertisement
More Blogs | Back to Simson Garfinkel's blog smaller text tool icon medium text tool icon larger text tool icon

About Me

A commonsense take on computer security, usability and why IT does matter.

View Complete Bio
Add RSS Feed XML

Blog Topics

Norman Sandbox Won't Work

Scott Fulton at BetaNews just published an uncritical puff piece about computer-security firm eEye's new antivirus product, Blink.
Thursday, February 01, 2007

The main thrust of the article is that Blink will be able to find and detect brand-new viruses by running suspect programs in a virtual machine and observing their behavior:

The Norman SandBox, Maiffret described, is a fast, stand-alone virtual machine, which tests the code of executables to see whether they'll do interesting things, such as changing the Windows System Registry startup keys, or some very interesting things, such as connect to an IRC chat server somewhere in Russia.


Rather than scan everything all the time, however, the new Blink will scan newly discovered executables, and may perhaps rescan them if, for instance, their patterns or file size appears to have changed. But if it's the same executable, by default, Blink will only scan it once.

Unfortunately, this approach is pretty easy for a would-be virus writer to avoid. For example, the "virus" could perform its malicious activity only if it receives user input (which it is unlikely to receive in a virtual machine but likely to receive if it pops up a window). Or the virus could check to see if it is running in a virtual machine using technology that is now readily available.

Of course, the real problem with this approach is that it's theoretically impossible to look at a program and figure out what it's going to do. This is just another recasting of Turing's famous "halting problem." Even running the program in a virtual machine won't tell you what it's going to do once you run it in the wild.

Tags: security

Comments

  • Very true
    infosecsellout on 02/01/2007 at 3:37 PM
    Posts:
    1
    You are dead on correct with your assessment of the Noman Sandbox.  There have already been real world examples of malware being able to specifically detect the Norman Sandbox and then purposely hide its malicious behaviour until it is moved out of the sandbox.  Here is another great review of the original press release;

    http://infosecsellout.blogspot.com/2007/01/update-to-my-last-post-anti-virus.html
    Rate this comment: 12345
  • virtual environments
    ms on 02/02/2007 at 2:38 PM
    Posts:
    72
    Avg Rating:
    4/5
    To a program running on the machine, a properly implemented virtual machine should be indistinguishable from a real machine.

    Of course, a malicious program that uses random numbers (say generated by reading at the current time), could decide to be malicious only some of the time, and would have a good probability of not being detected as malicious by something that only tried it once.
    Rate this comment: 12345
Add New Thread

Videos
Latest Videos
TR10: Probabilistic Chips
Advertisement

Current Issue

Technology Review November/December 2008
Sun + Water = Fuel
An MIT chemist has opened the way to making hydrogen fuel from water using sunlight.
•  Subscribe
Save 41%
•  Table of Contents
•  MIT News

Magazine Services

•  Gift Subscription
•  Digital Subscription
•  Reprints, Back Issues, Customer Service

Career Resources

Visit the Job Board and Resource Center to move your career to the next level.

MIT Technology Insider

Stories and breaking news from inside MIT about the latest research, innovations, and startups--in a convenient monthly e-newsletter. Subscribe today

Follow us on Twitter

Twitter

Get Technology Review updates via the web, cellphone, or Instant Messager – Follow techreview on Twitter!
Advertisement

Wire Stories

Advertisement
Advertisement
Advertisement
MIT Massachusetts Institute of Technology