Question

Is it possible to produce compilers that heuristically check for malware behaviour? If it is possible, why hasn't it been implemented? Wouldn't that strongly help prevent the production of such viruses? I mean, why wait to stop them once they are out there?

Even if these people use a compiler that does not use the "proposed" built-in AV, a personal AV could detect that and grade the file as risky (sort of like SSL certificates).


Solution

You're making a lot of assumptions:

  • That the virus writers couldn't disable the built-in AV of any open-source (or even closed-source) compilers. Given how DRM is consistently and quickly broken, this seems unlikely.
  • That the virus writers couldn't simply use an existing pre-AV compiler.
  • That the virus writers couldn't create their own non-AV compiler.
  • That there are no legitimate programs that would trigger the compiler's AV heuristics.
  • That today's compiler writers can accurately predict and model all current and future AV behavior in order to produce a heuristic that is even remotely effective.

Seems to me like it's a non-starter.

Your comment about using non-AV compilers is essentially "code signing", and has been a common practice for years (decades?). The barrier there, however, is distribution of certificates, and coming up with a reasonable list of trusted signers. They're big enough problems that no one's found a way to solve them yet without severely limiting the usefulness of computers.

For even more information closely related to this subject, see this paper by Ken Thompson.

Other tips

  • Existing AV generally works with a black-list approach. (Comparing threat signatures against files.) That would be, by definition, almost useless on an entirely new threat.

  • Every operation you could try to classify would end up blocking a legitimate program; if the operations didn't have a legitimate use, the OS designers would remove them for safety reasons.

There is the classical paper "Reflections on Trusting Trust" by Ken Thompson.

Licensed under: CC-BY-SA with attribution