Can you break Law #1 and get away with it?

To save you scrolling down, let me restate Law #1 of the immutable laws of security:

"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore"

Is there any possibility that it is safe to do business with a computer that has malware on it? The blanket answer is "no – there is no way to be sure". Like all generalizations (irony by design), this is not wholly true. Malware comes in many forms and not all malware will affect all aspects of system operation. If you know exactly what the malware does then it may be possible to still trust the machine to some degree. If you know that the malware just pops up unwanted advertising and has no other function at all then it is probably fine to still accept a low value online order from that customer. If the system has a keylogger which records credit card details then it might be perfectly safe for you to accept the order but very dangerous for the user to place it. So, the more accurate answer to the question would be "In general, no, it is not safe. In some specific cases, it may be".

So, the follow-on question is "Can you determine programmatically whether it is safe or not?"

This is, I think, a better question. However, the answer is unfortunately "Almost certainly not".

"Why do I say that?", I imagine you asking. I will be delighted to answer (I am easily pleased). The reason is twofold. The first is that you can’t tell what a bit of detected malware does without extensive reverse engineering. The second is that any machine (other than one in isolation that has been built from known clean sources) could be compromised with malware that hides well. One thing that rootkits do is hide. If something has modified system behavior below the level at which you run, the results of any investigation that you do is suspect – API calls can be subverted by malware. No automated or manual process can guarantee that there is no malware on a system because absence of evidence is not evidence of absence.

The logical conclusion is that since no real world machine is 100% safe then we must regard them as wholly unsafe. However, that is logical rather than sensible. In reality, we must accept a level of risk from the systems that run our applications. Where possible, we must mitigate the risks. We should always recognize them even if we can not mitigate against them.

In my next post, I will be talking about mitigation strategies.

Signing off