LAS VEGAS – Critical components of endpoint security vendor Sophos LLC’s antivirus engine recently underwent an intense review from a security researcher, and the results – revealed today at Black Hat 2011
Vulnerability hunter Tavis Ormandy, who by day is an information security engineer at Google Inc., released his findings in a paper (PDF) following his presentation at Black Hat, along with a spate of tools used in his dissection of the Sophos engine. Ormandy said his analysis found that Sophos software uses weak or outdated cryptography in the way it builds and matches virus signatures, relies on obfuscation for security too often, and fails to comprehend certain exploitation techniques, among other problems.
Ormandy set the context for his talk at the outset, explaining that antivirus products keep users from having to make trust decisions about their security; the tradeoff is an increased attack surface. He conceded this is an adequate tradeoff because virus infections require urgent action. Vendors, however, won’t publish technical specifications on their antivirus products in order to keep hackers from exploiting the product.
“My intent for this project was to provide the missing technical specifications for Sophos Antivirus in order to help those evaluating antivirus do so thoroughly,” Ormandy said. “They’ll be able to make informed decisions about whether this product makes sense in the context in which they want to deploy it.”
Ormandy reverse-engineered the product in order to analyze its design and implementation; he did not discuss vulnerabilities during his talk. Among the design problems he discovered was the use of CRC32, a checksum with no cryptographic strength, as the hash function for signatures, which he said affects the quality of signature matching against known viruses. He found that some checksums are computed over dead, trivial or irrelevant code, and that signatures which were not automatically generated were of poor quality because the signature scheme was weak in general.
“There is no rationale why they would rely on such a weak scheme,” he said. “It’s not a performance issue.”
Drafts of Ormandy’s paper were shared with Sophos prior to the presentation. The U.K.-based vendor has already started to put some remediations in place, and promised some wholesale changes in upcoming major version updates.
Sophos Canada Senior Security Advisor Chester Wisniewski told SearchSecurity.com he agreed in part with some of Ormandy’s findings, adding that some simple checks are done to expedite signature deployments to customers and avoid hindering performance on endpoints. He added that while Ormandy took deep dives into specific engine components as an academic, Sophos, whose researchers receive more than 150,000 malware samples daily, makes decisions within a business context.
“We are down on the ground every day trying to figure out what we are going to do with these 150,000 samples that just came in the door in the last 24 hours,” Wisniewski said. “We’ve got to react to that in a way that we can deliver protection right now. He looks at it from an academic perspective where there’s this really cool, clever thing you could be doing that could solve this problem. We would have to commercialize that and make it into something that’s lightweight that our customers will install.
“We’ve got different challenges that he didn’t understand. He understood them technically in the product, but maybe didn’t understand why they were in the product or maybe why we use those things,” Wisniewski added. “We don’t rely on any one thing he talked about to provide protection. It’s part of a whole big picture.”
Ormandy found encryption issues throughout the research he did on the Sophos engine. Dated and obsolete 64-bit Feistel block ciphers or the XOR cipher are used in places, and Ormandy said they’re used incorrectly and essentially become obfuscation tools rather than encryption. Sophos’ Wisniewski said the vendor is working toward phasing out these weak encryption implementations in future releases.
Sophos is also overhauling its Buffer Overflow Protection System, known as BOPS, based on the work of Ormandy and others. BOPS works only on Microsoft Windows systems prior to Vista; Microsoft itself addressed buffer overflows through the use of ASLR and DEP in Vista and Windows 7. BOPS’ inherent weaknesses lie in the two weak forms of runtime exploitation mitigation it implements: protection against Structured Exception Handling overwrites (SEHOP) and against return-to-libc attacks.
“Our BOPS system was designed to provide protection for [earlier versions of Windows],” Wisniewski said. “Now it’s come to light through researchers that you can bypass Microsoft’s protections. We totally understand Tavis’ viewpoint there and are implementing a new buffer-overflow system for Vista and Windows 7 because we want to block off the end-run of Microsoft’s technologies.
“Taken singularly without working closely with us to try to understand why we might do a certain thing is the reason we would view a certain piece of code he’s looking at applying a criticism to and say it’s designed to do a single thing and actually it still does that and in a lightweight fashion that we can ship to customers’ desktops.”
Wisniewski said this is the first time a researcher has taken such a deep dive into a Sophos product and that, as a result, some fixes that were already on the drawing board will be accelerated.
“More often it’s good to have a good outside set of eyes looking at the product,” Wisniewski said. “Having an external view of it is certainly helpful to us.”