Malware - What Should We Do?

In reality, there is no magic single solution to malware. (And, if there was, be assured that a bread-crumb trail of patents would cover every part of it.) Current and foreseeable defenses are but a house of cards.

They are based on assumptions about "typical" malware behavior, and assumptions about malware writers which dramatically underestimate them. One violation of the assumptions and the house of cards comes tumbling down, defenders left scrambling to prop it up again.

What is clear is that no human intervention is possible in some attacks due to their speed. More automatic countermeasures are needed, not necessarily to stop malware completely - there is no such thing as absolute security, after all - but slowing malware down to a manageable rate would be valuable in itself.

As for malware detection, it is an undecidable problem. No perfect solution is possible, and the only way to tackle such a problem is with heuristics. Heuristics, rules of thumb, are fallible. In other words, a technical arms race rages on between attackers and defenders.

Whether or not the race is winnable is immaterial now; the finish line is still far off. Many excellent defensive steps that can be taken are not very technical at all, though:

  • Plan B. Organizations, and to some extent individual computer users, must have a plan for disaster recovery. What happens when defenses fail and malware strikes? Can machines be rebuilt, data be restored?
  • Education. A broad view of education must be taken. Users must be educated to harden them to social engineering attacks, but education can't stop there.

The next generation of computer scientists and computer programmers must be educated in depth about malware. Treating malware as a taboo subject is only security through obscurity.

  • Vendor pressure. It must be made clear to software vendors that security is a priority for their customers, a higher priority than more frilly features.

Customers can also demand to know why software is riddled with technical weaknesses, which should make customers and vendors both ask some pointed questions of educators and software researchers.

  • Minimalism. Users must responsibly use features that are present, which in part comes through education. Enabled features like network servers provide more potential attack vectors than having all such features turned off. At the extreme end of the minimalism scale, it can be argued that computers are too general-purpose.

Malware affects computers because they are just another form of software for a computer to gleefully run. Special-purpose devices doing one thing, and only one thing, are one way to help avoid exploitable problems.

  • Software updating. Until less-vulnerable software can be produced, software updating will still be a necessity. Mechanisms and policies that facilitate updating are a good thing.
  • Layers of defense. If each defensive technique is only a partial solution, then deploy a variety of defenses. Defenses should ideally be chosen that are based on different underlying assumptions, so that the patchwork defensive quilt will hopefully still work even if some assumptions turn out to be false.
  • Avoiding monocultures. In biology, having all members of a species the same is a potentially fatal problem: one disease can wipe the species out. Yet that is exactly the fatal problem the majority of computers exhibit. This isn't necessarily to say that everyone should change operating systems and applications.

Although that is one coarse-grained way to avoid a monoculture. Monocultures can be avoided in part just by automatically injecting randomness into the data locations and code of programs.

Diversity can be achieved by separating functionality physically, too. For example, moving firewall functionality to a different physical device makes the overall defenses that much harder to completely overcome.

Will malware ever go away? Even if all technical vulnerabilities are fixed, there will still be human vulnerabilities.

But the point is academic, because human nature virtually guarantees the large-scale availability of technical vulnerabilities for the foreseeable future. Suffice it to say that the computer security industry will continue to flourish, and security researchers will be employed for some time to come.