I decided to publish the full source code of my System Virginity Verifier. The license grants you to do anything with the code, including using it in a commercial product.
Unfortunately I don't have time to further develop SVV, but I still believe that this is the right approach for system compromise detection (which still requires lots of work to be put into it though). It's actually very surprising for me to see only one another product which uses similar idea for detecting system compromises, that is Microsoft's Patch Guard.
I hope that publishing SVV source code might be useful in two situations:
First, it should help to reduce implementation specific attacks, as used by malware against rootkit detectors (remember holly_father's shop?). Having the sources allows anybody to compile his or her own private detector, a little bit different from the one which is targeted by malware's anti-detection engine. This might include changing I/O interface between usermode and kernel mode component of the detector, changing the order of certain actions, etc...
The above statement applies actually not only to SVV, but to any other rootkit/malware detector with open sources.
Second, I hope that having SVV sources opened can encourage people to extend the subset of the sensitive OS elements which are verified by SVV, thus minimizing the "hooking space" which can be used by malware. This should consequently eliminate simple, yet annoying malware from the market...
SVV sources and some presentations about its design can be found here.
Friday, 12 May 2006
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment