On Tue, Jul 13, 2010 at 7:55 PM, Tony Harminc <t...@harminc.com> wrote:
> Linux may well have facilities that I am not familiar with to scan
> modules for certain byte sequences, but any such static scan is going
> to be easily foolable by even a slightly motivated programmer. Linux
> could in theory, but we know does not in practice, interpret most
> programs at run time, and thus catch any behaviour it doesn't like, at
> an extreme cost in performance. What it cannot do is alter the
> architecture of the machine it is running on in violation of the
> Principles of Operation.

I think your assessment is accurate, though I would probably have used far
less polite words for it...

Clearly there *is* something in Linux that is involved when a user program
is taken into execution, and you could envision extending that with code
to "screen" the program (ignoring for the moment that Linux does not
actually load the code, but merely maps the module into the address space
and relies on demand paging to bring it in). The problem with most malware,
however, is that it uses "normal" instructions to do bad things. But when
you run a program as a non-root user, there are still limits to what you
can break. And z/Linux has some lucky aspects that make it less likely a
program can acquire root privileges.

Screening program code for bad things is fuzzy, as the frequent updates of
my antivirus software demonstrate. And it's not even searching for the
malicious code itself, but for fingerprints of known malicious programs.

Rob
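The point both posters make, that a static scan for byte sequences or file fingerprints is defeated by a trivial transformation while only observing the program at run time would catch it, can be shown in a few lines. The following is an added example written for this page, not code from Rob, Tony, or the Linux kernel: the "payload" is a constructed marker string standing in for a malicious byte pattern, the signature list and hash set are made up, the self-decoding stub format (one key byte, two length bytes, XOR-encoded body) is an assumption of the example, and `run_and_observe` merely emulates what a run-time interpreter would see rather than executing anything.

```python
"""Toy static signature scanner versus a self-decoding payload.

Added example, not part of the original mailing-list thread. Everything
below (payload, signatures, stub format) is constructed for illustration.
"""
import hashlib

# Constructed stand-in for a "known bad" byte pattern. Not real malware.
PAYLOAD = b"rm -rf / --no-preserve-root"

# Two flavours of static fingerprint an antivirus might keep:
# an exact-sample hash and a list of byte-sequence patterns.
KNOWN_BAD_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}
SIGNATURES = [b"rm -rf /", b"--no-preserve-root"]


def static_scan(blob: bytes) -> list:
    """Scan the bytes exactly as they sit on disk; return the signature hits."""
    hits = []
    if hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES:
        hits.append("hash:known-sample")
    for sig in SIGNATURES:
        if sig in blob:
            hits.append("pattern:" + sig.decode())
    return hits


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def build_self_decoding(payload: bytes, key: int) -> bytes:
    """Wrap the payload in a (hypothetical) stub: key byte, 2-byte length, body.

    A real packer would prepend decoder instructions; here the 'stub' is just
    the header that run_and_observe() knows how to interpret.
    """
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte; key 0 leaves the bytes unchanged")
    body = xor_encode(payload, key)
    return bytes([key]) + len(body).to_bytes(2, "big") + body


def run_and_observe(blob: bytes) -> bytes:
    """Emulate run-time interpretation: 'execute' the stub and return the
    bytes the program actually materialises. Nothing is really executed."""
    key = blob[0]
    n = int.from_bytes(blob[1:3], "big")
    return xor_encode(blob[3:3 + n], key)


def dynamic_scan(blob: bytes) -> list:
    """Apply the same signatures to what the program produces at run time."""
    return static_scan(run_and_observe(blob))


def demo(key: int = 0x5A) -> dict:
    """Compare the three views: plain file, packed file, packed file at run time."""
    packed = build_self_decoding(PAYLOAD, key)
    return {
        "plain_static": static_scan(PAYLOAD),     # every signature fires
        "packed_static": static_scan(packed),     # nothing fires: bytes differ
        "packed_dynamic": dynamic_scan(packed),   # fires again once decoded
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:15s} -> {hits}")
```

Changing the key per copy also defeats the hash fingerprint, since every copy is a different file; that is exactly why signature databases need the frequent updates Rob mentions, and why catching the decoded bytes requires either interpreting the program (at the cost Tony describes) or hooking the point where the decoded code is about to run.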