Why Is Computer Security So Hard?
On the Impossibility of Virus Detection
Professor Dave Evans teaches Computer Science at the University of Virginia. His current research seeks to enable the cost-effective production of complex computer systems that can be trusted for critical applications even in the presence of malicious attackers. His study spans many traditional research areas including security, software engineering, programming languages, cryptography and networking.
In his paper, On the Impossibility of Virus Detection, Professor Evans asks, “Why is computer security is so hard?” He concisely lays out his thesis that some established security vendors may not want to hear but the industry in general needs to understand in order to raise the bar on malware. His thesis begins:
“The question of how to detect malicious programs seems like a practical one, but at its core depends on the fundamental nature of general purpose computers and deep theoretical questions about what computers can and cannot do. This essay starts by formalizing the question of what it means to detect a virus. Then, we discuss theoretical results that show solving this (and most other important computer security problems) is impossible for general purpose computers. But impossible doesn’t mean hopeless — it just means we have to redefine our problems and approaches, and aim for solutions that work well in practice, even if nothing can work in theory.”
The Halting Problem
Professor Evans paper examines the Halting Problem that Alan Turing, the father of theoretical computer science and artificial intelligence, defined in the 1930s when he invented a hypothetical general purpose computing device known as the “universal Turing machine.” Turing proved that we cannot know if or when a computer will finish its work, or simply run forever. The reason is that any algorithm can be made to contradict itself. This is the famous Halting Problem or Undecidable Problem and from universal machines to undecidable virus detection, Professor Evans explores it in detail in his essay.
Applying Alan Turing’s lessons from the 1930’s in 2017, today’s legacy and automated “next-gen,” security solutions touting artificial intelligence and machine learning will be challenged in detecting unknown malware. Relying only on automated means or virus signatures cannot solve the whole problem and leaves openings for unknown malware to enter systems. For example, how will legacy and next-gen security solutions stop unknown applications and processes (potential zero day threats) from executing and infecting the environment? How will automated AI/machine learning approaches detect unknown code (e. g. dormant APTs or zero day malware using novel techniques)? They will fail much of the time, as Professor Evan’s mathematically proves in his essay.
Science Meets Cybersecurity
This paper is not a call for surrender to the bad guys; instead it rallies all of us in the industry to look at the problem differently. Read Professor Evan’s essay to learn how redefining our problems and approaches mathematically can help us find new solutions such as “shadowing” (virtualization) to address the malware problem.
Comodo Advanced Endpoint Protection represents a new approach: a practical solution that allows full usability of unknown files while they run in Secure Auto Containment™ until automatic and expert human analysis deliver a trust verdict of good or bad. The Halting Problem proves detection-based security solutions can never be 100 percent effective. Comodo overcomes this issue by containing unknown files in virtualized environment to prevent unknown malware from infecting the endpoint. No vendor can stop zero day threats, but Comodo can prevent any damage.