
On the Inspection of Anti-Virus Source Code to Demonstrate the Lack of Offensive Cyber Capabilities

Herb Lin
Monday, July 3, 2017, 3:28 PM

A recent AP story notes that senior U.S. intelligence officials have advised Congress to steer well clear of Kaspersky's products. In response to such U.S. government concerns, Eugene Kaspersky has offered to allow the inspection of the source code of his anti-virus products.

Published by The Lawfare Institute


Without commenting one way or another on the underlying matter, that is, whether or not Kaspersky security products have any built-in offensive cyber capabilities, I note that even a source code inspection may not shed much light on the matter. At best, it could rule out the possibility that the products themselves contain specific offensive cyber capabilities. However, even if that were established, it is easy to imagine how those products might still be used to facilitate an attack.

The reason is that the source code of such products (i.e., the program) is different from the malware databases on which these products operate. The malware databases contain “signatures” of known malware. The program compares the signature of incoming files against signatures in the databases and blocks incoming files whose signatures match something in the databases. Thus, the protective value of any signature-based malware protection program (most antivirus products qualify as such) depends on having as many signatures in the relevant databases as possible, and not on the program per se, which simply does the comparison.

What if the malware database does not contain the signature of malware X, which happens to originate from Russian intelligence? The product will not detect it, and malware X will penetrate to the user’s machine and do its offensive dirty work.

Why did the database not contain X’s signature? This is the critical question—and it’s impossible to answer. Here are two possibilities:

  1. The signature of X may be missing for entirely innocent reasons—all malware databases are incomplete, and the completeness of coverage of extant threats is a point on which security vendors compete. The incomplete nature of coverage for any given product is why many people, me included, run second- and third-opinion anti-malware products—we wish to increase the probability of detection so that something not caught by product A is caught by product B or C.
  2. X’s signature may be missing for less innocent reasons as well—perhaps Russian intelligence asked the vendor to refrain from including it in the database.

From the outside, there’s no way to tell whether either is true.

Would inspection of the malware database help? Not really. Such inspection would reveal only what can be caught, not what can’t be caught. The only way to shed light on whether X was deliberately omitted from the database would be if X’s signature was present in the databases of a number of other security product providers—if that were true, then one could conclude either that Kaspersky deliberately omitted X’s signature, or that Kaspersky’s product was considerably less sophisticated than those of its competitors. But again, the information derived could not differentiate between these two outcomes.

I realize that Kaspersky antimalware products do not rely exclusively on malware signatures to provide protection. Inspection of source code would provide useful information on a product’s detection capabilities for malware without known signatures. But for the most part, the analytical techniques used for such detection are heuristic in nature—that is, they are based on a number of rules derived from observations of how malware usually works (see here for a discussion of Kaspersky’s take on this matter). Malware that takes an approach not covered by these rules will not be detected. In the end, we would be left with the same problem—is a heuristic rule missing because Kaspersky’s engineers were not sufficiently clever or because they deliberately omitted a rule that would have caught some alleged Russian malware?
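To make the argument of the preceding paragraphs concrete, here is an added toy example (it is not code from the article, and it is not any vendor's product). It models an engine that first compares a file's signature against a database and then applies heuristic rules, and it shows two things: the engine itself can only report what it blocks, never what it lets through for lack of an entry; and a cross-vendor comparison can reveal that a signature or rule is absent from one vendor's database, but nothing in that comparison says why. All file contents, observed behaviours, rules and vendor names are constructed for the example.

```python
"""Added example: a toy two-stage anti-malware engine (signature lookup, then
heuristic rules) plus a cross-vendor coverage check. Every sample, behaviour,
rule and vendor below is constructed; none comes from a real product."""
import hashlib

# Constructed samples: file bytes plus the behaviours a sandbox would observe.
# "malware_x.exe" plays the role of the article's malware X.
SAMPLES = {
    "report.pdf":     (b"%PDF-1.4 quarterly figures", set()),
    "old_trojan.exe": (b"MZ old trojan", {"persist_via_autorun", "contacts_c2"}),
    "new_trojan.exe": (b"MZ new build of old trojan", {"persist_via_autorun", "contacts_c2"}),
    "malware_x.exe":  (b"MZ malware x", {"injects_into_browser", "exfiltrates_clipboard"}),
}


def signature(data: bytes) -> str:
    """Toy signature: a SHA-256 over the whole file. Real engines use richer,
    fuzzier signatures, but the coverage argument is the same."""
    return hashlib.sha256(data).hexdigest()


# Constructed vendor databases: a signature set and a heuristic rule set each.
# A rule fires when every behaviour it names is observed in the sample.
_SIG_OLD = signature(SAMPLES["old_trojan.exe"][0])
_SIG_X = signature(SAMPLES["malware_x.exe"][0])
_RULE_TROJAN = frozenset({"persist_via_autorun", "contacts_c2"})
_RULE_INJECT = frozenset({"injects_into_browser"})

VENDORS = {
    # vendor_A lacks both the signature of X and a rule that would catch it.
    "vendor_A": {"signatures": {_SIG_OLD}, "rules": {_RULE_TROJAN}},
    "vendor_B": {"signatures": {_SIG_OLD, _SIG_X}, "rules": {_RULE_TROJAN, _RULE_INJECT}},
    "vendor_C": {"signatures": {_SIG_OLD, _SIG_X}, "rules": {_RULE_TROJAN, _RULE_INJECT}},
}


def scan(samples, vendor_db):
    """Return {filename: verdict}. The engine only compares: a sample is blocked
    by signature if its hash is in the database, by heuristic if some rule's
    behaviours are all present, and otherwise silently allowed."""
    verdicts = {}
    for name, (data, behaviours) in samples.items():
        if signature(data) in vendor_db["signatures"]:
            verdicts[name] = "blocked:signature"
        elif any(rule <= behaviours for rule in vendor_db["rules"]):
            verdicts[name] = "blocked:heuristic"
        else:
            verdicts[name] = "allowed"  # the engine cannot know what it missed
    return verdicts


def coverage_gaps(vendor, vendors):
    """Entries (signatures and rules) that every *other* vendor has but this one
    lacks. This is the article's cross-vendor check: it shows that an entry is
    missing, but nothing here distinguishes a deliberate omission from a
    less capable product."""
    gaps = {}
    for kind in ("signatures", "rules"):
        others = [db[kind] for name, db in vendors.items() if name != vendor]
        common = set.intersection(*others) if others else set()
        gaps[kind] = common - vendors[vendor][kind]
    return gaps


if __name__ == "__main__":
    for vendor, db in VENDORS.items():
        print(vendor, scan(SAMPLES, db))
    print("vendor_A gaps:", coverage_gaps("vendor_A", VENDORS))
```

Run against vendor_A, the engine blocks the old trojan by signature and the rebuilt trojan by heuristic, yet reports malware X as allowed with no hint that anything was missed. Only the coverage check, which needs the other vendors' databases, surfaces the missing signature and rule, and it stops there: whether vendor_A was asked to leave them out or simply never wrote them is not something the data can answer.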

Again, I’m not casting aspersions on Kaspersky or Russia in this argument—one could substitute any vendor and any government for these names. Nor is this piece intended to suggest that Kaspersky is or is not what he claims to be—a vendor interested in the best possible protection for its customers. But the question of whether or not Kaspersky is in cahoots with Russia will not be resolved by access to source code or even to the malware signatures in the Kaspersky databases.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
