Compiler with built-in AV = No virus development?

Is it possible to produce compilers that heuristically check for malware behaviour? If it is possible, why hasn't it been implemented? Wouldn't that strongly help prevent the production of such viruses? I mean, why wait to stop them once they are out there?

Even if these people use a compiler that does not use the "proposed" built-in AV, a personal AV could detect that and grade the file as risky (sort of like SSL certificates).

Carlos asked Nov 16 '10 21:11


3 Answers

You're making a lot of assumptions:

  • That the virus writers couldn't disable the built-in AV of any open-source (or even closed-source) compilers. Given how DRM is consistently and quickly broken, this seems unlikely.
  • That the virus writers couldn't simply use an existing pre-AV compiler.
  • That the virus writers couldn't create their own non-AV compiler.
  • That there are no legitimate programs that would trigger the compiler's AV heuristics.
  • That today's compiler writers can accurately predict and model all current and future AV behavior in order to produce a heuristic that is even remotely effective.

Seems to me like it's a non-starter.

Your comment about using non-AV compilers is essentially "code signing", and has been a common practice for years (decades?). The barrier there, however, is distribution of certificates, and coming up with a reasonable list of trusted signers. They're big enough problems that no one's found a way to solve them yet without severely limiting the usefulness of computers.

For even more information closely related to this subject, see this paper by Ken Thompson.

Mark answered Nov 14 '22 20:11
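Mark's code-signing analogy, as an added example that is not part of the original answer: a verifier that checks a signed artifact against a trust store. Ed25519 from Go's standard library stands in for X.509 certificates, and the SHA-256 of the raw public key stands in for a certificate fingerprint; the artifact contents, the signer names and the trust store entries are constructed for the demo. The four scenarios show the two barriers Mark names (who hands out keys, and who decides the trust list) and the limit practitioners live with: a valid signature from a trusted signer says who produced the build, not whether the build is safe.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustStore maps a public-key fingerprint (SHA-256 of the raw key, standing in
// for a certificate fingerprint) to the name the verifier trusts it under.
type TrustStore map[string]string

func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignedArtifact is what a compiler or build system would hand to an installer:
// the binary, the signer's public key, and a signature over the binary.
type SignedArtifact struct {
	Payload []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

func Sign(priv ed25519.PrivateKey, payload []byte) SignedArtifact {
	return SignedArtifact{
		Payload: payload,
		Signer:  priv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(priv, payload),
	}
}

var (
	ErrBadSignature    = errors.New("signature does not verify against the payload")
	ErrUntrustedSigner = errors.New("signer is not in the trust store")
)

// Verify checks integrity first (the bytes are what the signer signed), then
// origin (the signer is someone this machine decided to trust). It can say
// nothing about what the payload does when run.
func Verify(ts TrustStore, a SignedArtifact) (string, error) {
	if len(a.Signer) != ed25519.PublicKeySize || !ed25519.Verify(a.Signer, a.Payload, a.Sig) {
		return "", ErrBadSignature
	}
	label, ok := ts[Fingerprint(a.Signer)]
	if !ok {
		return "", ErrUntrustedSigner
	}
	return label, nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// RunScenarios returns the verifier's outcome for each constructed case.
func RunScenarios() map[string]string {
	vendor := mustKey()   // a signer the user's machine trusts (constructed)
	hobbyist := mustKey() // a signer nobody has vouched for (constructed)
	ts := TrustStore{Fingerprint(vendor.Public().(ed25519.PublicKey)): "Example Vendor Inc."}

	benign := []byte("benign-build-0001")  // constructed artifact contents
	harmful := []byte("harmful-build-0002") // constructed: "harmful" by name only

	describe := func(a SignedArtifact) string {
		label, err := Verify(ts, a)
		if err != nil {
			return "rejected: " + err.Error()
		}
		return "accepted: signed by " + label
	}

	// Flip one byte of a correctly signed build after signing.
	tampered := Sign(vendor, benign)
	tampered.Payload = append([]byte{}, tampered.Payload...)
	tampered.Payload[0] ^= 0xff

	return map[string]string{
		"vendor signs benign build":  describe(Sign(vendor, benign)),
		"vendor build tampered":      describe(tampered),
		"unknown signer":             describe(Sign(hobbyist, benign)),
		"vendor signs harmful build": describe(Sign(vendor, harmful)),
	}
}

func main() {
	for k, v := range RunScenarios() {
		fmt.Printf("%-28s %s\n", k, v)
	}
}
```

`go run` prints the four outcomes; the last one is the point: the harmful build is accepted because the verifier only ever checked who signed it, which is why a trusted-signer list cannot substitute for looking at what the code does.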


  • Existing AV generally works with a black-list approach. (Comparing threat signatures against files.) That would be, by definition, almost useless on an entirely new threat.

  • Every operation you could try to classify would end up blocking a legitimate program; if the operations didn't have a legitimate use, the OS designers would remove them for safety reasons.

jdmichal answered Nov 14 '22 19:11
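The two bullets above, as an added example (not jdmichal's code): a minimal blacklist scanner, by file hash and by byte pattern, next to a behaviour heuristic, run over four constructed byte strings shaped like the strings a scanner sees inside an executable. None of the samples is real malware; the Windows API names are the only real identifiers, and the hostname is a placeholder. The verdicts show the hash entry failing on a recompiled build, the byte pattern failing once the distinctive string is no longer contiguous, and the heuristic catching the obfuscated build only by also flagging a legitimate debugger that uses the same three APIs.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins for four executables: header bytes, imported API names
// and string constants as a scanner would see them. None of them is real malware.
var (
	// The sample the blacklist was built from.
	knownSample = []byte("MZ\x90\x00 injector v1.0 OpenProcess WriteProcessMemory CreateRemoteThread http://c2.example/beacon")
	// The same code rebuilt with one byte changed in the version string.
	recompiledSample = []byte("MZ\x90\x00 injector v1.1 OpenProcess WriteProcessMemory CreateRemoteThread http://c2.example/beacon")
	// The C2 URL is assembled at runtime, so it is no longer one contiguous string.
	obfuscatedSample = []byte("MZ\x90\x00 injector v1.2 OpenProcess WriteProcessMemory CreateRemoteThread http://c2.ex ample/beacon")
	// A legitimate debugger: it injects into other processes to plant breakpoints.
	debuggerSample = []byte("MZ\x90\x00 debugger v3 OpenProcess WriteProcessMemory CreateRemoteThread ReadProcessMemory")
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// HashBlacklist matches a file only if its exact hash has been seen before.
type HashBlacklist map[string]bool

func (h HashBlacklist) Match(file []byte) bool { return h[sha256Hex(file)] }

// PatternBlacklist matches on distinctive byte sequences lifted from known samples.
type PatternBlacklist [][]byte

func (p PatternBlacklist) Match(file []byte) bool {
	for _, sig := range p {
		if bytes.Contains(file, sig) {
			return true
		}
	}
	return false
}

// injectionAPIs is the rule a behaviour heuristic would encode: "this program
// opens another process, writes into it and starts a thread there".
var injectionAPIs = [][]byte{
	[]byte("OpenProcess"),
	[]byte("WriteProcessMemory"),
	[]byte("CreateRemoteThread"),
}

// BehaviourHeuristic flags any file that references all three APIs, whatever
// its hash or its other strings look like.
func BehaviourHeuristic(file []byte) bool {
	for _, api := range injectionAPIs {
		if !bytes.Contains(file, api) {
			return false
		}
	}
	return true
}

type Verdict struct{ Hash, Pattern, Heuristic bool }

// Blacklists built from the single sample available when the threat was new.
var (
	hashes   = HashBlacklist{sha256Hex(knownSample): true}
	patterns = PatternBlacklist{[]byte("http://c2.example/beacon")}
)

func Scan(file []byte) Verdict {
	return Verdict{
		Hash:      hashes.Match(file),
		Pattern:   patterns.Match(file),
		Heuristic: BehaviourHeuristic(file),
	}
}

// Results scans all four samples, keyed by sample name.
func Results() map[string]Verdict {
	return map[string]Verdict{
		"known":      Scan(knownSample),
		"recompiled": Scan(recompiledSample),
		"obfuscated": Scan(obfuscatedSample),
		"debugger":   Scan(debuggerSample),
	}
}

func main() {
	for _, name := range []string{"known", "recompiled", "obfuscated", "debugger"} {
		fmt.Printf("%-11s %+v\n", name, Results()[name])
	}
}
```

The heuristic is the only column that is true for the obfuscated build, and it is also true for the debugger: tightening it to exclude the debugger means describing the debugger's behaviour, which is exactly the behaviour the injector copies.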


There is the classical paper "Reflections on Trusting Trust" by Ken Thompson.

horsh answered Nov 14 '22 19:11