I decided to publish the full source code of my System Virginity Verifier. The license allows you to do anything with the code, including using it in a commercial product.
Unfortunately I don't have time to further develop SVV, but I still believe that this is the right approach to system compromise detection (although it still requires a lot of work to be put into it). It is actually very surprising to me to see only one other product that uses a similar idea for detecting system compromises, namely Microsoft's PatchGuard.
I hope that publishing SVV source code might be useful in two situations:
First, it should help to reduce implementation-specific attacks of the kind malware uses against rootkit detectors (remember holly_father's shop?). Having the sources allows anybody to compile his or her own private detector, a little bit different from the one targeted by the malware's anti-detection engine. This might include changing the I/O interface between the usermode and kernel-mode components of the detector, changing the order of certain actions, etc.
The above applies not only to SVV, but to any other rootkit/malware detector with open sources.
Second, I hope that having the SVV sources open can encourage people to extend the set of sensitive OS elements that SVV verifies, thus minimizing the "hooking space" available to malware. This should consequently eliminate simple, yet annoying malware from the market.
SVV sources and some presentations about its design can be found here.
Friday, May 12, 2006
Great :) So, SystemVirginityVerifier::find_IDTRVA won't ever be added? Or was it already moved to the private anti-SaSISA detector? ;)
Nice-looking site, and err, picture too!
I'll be posting the latest news about SVV in here - RootKit Detection + Prevention! - http://www.sysinternals.com/Forum/forum_posts.asp?TID=962&PN=2
All the best,
well well... comments on ;)
Your sharing of information is greatly appreciated, thank you! Very interesting and informative, keep up the fine research you are doing.
too bad, but thx for this! :)
Maybe sometime in the future, you will find a little time to improve SVV... ;-)
I can't wait to see what comes from the Black Hat Conference 08/06.
Greetings from Poland :) You inspire us! Greetings from a computer science student :)
Keep up the GOOD work and let's hope this doesn't become a horrorshow... pun intended.
MD20/20 aka Mobius Drux
Just nice && simple
I've always preferred a nice clean looking site. The simpler...the better.