MIT Technology Review Subscribe

Norman Sandbox Won’t Work

Scott Fulton at BetaNews just published an uncritical puff piece about computer-security firm eEye’s new antivirus product, Blink.
By Simson Garfinkel ’87, PhD ’05

The main thrust of the article is that Blink will be able to find and detect brand-new viruses by running suspect programs in a virtual machine and observing their behavior:

The Norman SandBox, Maiffret described, is a fast, stand-alone virtual machine, which tests the code of executables to see whether they’ll do interesting things, such as changing the Windows System Registry startup keys, or some very interesting things, such as connect to an IRC chat server somewhere in Russia.

Advertisement

Rather than scan everything all the time, however, the new Blink will scan newly discovered executables, and may perhaps rescan them if, for instance, their patterns or file size appears to have changed. But if it’s the same executable, by default, Blink will only scan it once.

This story is only available to subscribers.

Don’t settle for half the story.
Get paywall-free access to technology news for the here and now.

Subscribe now Already a subscriber? Sign in
You’ve read all your free stories.

MIT Technology Review provides an intelligent and independent filter for the flood of information about technology.

Subscribe now Already a subscriber? Sign in

Unfortunately, this approach is pretty easy for a would-be virus writer to avoid. For example, the “virus” could perform its malicious activity only if it receives user input (which it is unlikely to receive in a virtual machine but likely to receive if it pops up a window). Or the virus could check to see if it is running in a virtual machine using technology that is now readily available.

Of course, the real problem with this approach is that it’s theoretically impossible to look at a program and figure out what it’s going to do. This is just another recasting of Turing’s famous “halting problem.” Even running the program in a virtual machine won’t tell you what it’s going to do once you run it in the wild.

This is your last free story.
Sign in Subscribe now

Your daily newsletter about what’s up in emerging technology from MIT Technology Review.

Please, enter a valid email.
Privacy Policy
Submitting...
There was an error submitting the request.
Thanks for signing up!

Our most popular stories

Advertisement