Steven Bellovin <[email protected]> writes: >Assume that there is some benefit to digitally-signed code.
There is at least one very obvious benefit: When malware is signed, it can't mutate on each generation any more but has to remain static. This makes it easier for the anti-malware folks to detect. You can also use it a second way: When malware authors have signed their products (at least until now) with fraudulently-obtained certificates (but not stolen ones) the only thing that they've signed with that particular certificate is malware. This means that once a particular signed binary has been detected as being malware the virus scanner can extract the signing certificate and know that anything else that contains that particular certificate will also be malware, with the certificate providing a convenient fixed signature string for virus scanners to look for. This actually provides a real, effective use for code-signing certificates, although it's certainly one that the PKI folks would never have dreamed of. Unfortunately as with many other arms-race tricks it only works as long as the malware authors don't try to counter it, either by buying a new certificate for each piece of malware that they release (it's not as if they're going to run out of stolen credit cards and identities in a hurry) or by siphoning large numbers of benign applications from software- distribution sites, signing them, and re-uploading them to other software distribution sites so that the signed files that constitute actual malware get lost in the noise. >Let's figure out what we're trying to accomplish; after that, we can try to >figure out how to do it. See above, code signatures help increase the detecability of malware, although in more or less the reverse of the way that it was intended. Peter. _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
