On 2010-03-11 16:47, David F. Skoll wrote:
> Török Edwin wrote:
>
>> Right now the only detections one can write are pattern-based. You
>> can't write heuristic detections, you can't write unpackers, you
>> can't support new file formats, and you can't do more complex
>> analysis than pattern matching. The bytecode tries to offer the
>> possibility to do the above, without releasing a new engine update
>> each time.
>
> Well, there's a fundamental philosophical problem here.
>
> You've essentially introduced a software update mechanism that bypasses
> the normal way to install ClamAV.
>
> Furthermore, you're trying to write complex algorithms in byte code rather
> than C. (Or do you have a high-level language that compiles down to
> byte code?) This will require a completely new set of coding and
> debugging skills.
>
> Also, the *only* thing protecting us from malicious byte-code is your GPG
> key. I hope you keep it safe. And nothing will protect us from buggy
> byte code. Looking at the bytecode implementation, I found an easy
> way to DoS ClamAV... do we really want that ability?

If you found a bug, please open a bug report.

>
>>> And a security tool that requires (or at least can use) a C compiler
>>> at run-time boggles the mind.
>
>> It doesn't use a C compiler at runtime.
>
> Really? Why do the release notes say:
>
> The following packages are optional, but required for bytecode JIT support:
> GCC C and C++ compilers (minimum 4.1.3, recommended 4.3.4 or newer)
>
> Do you mean that GCC is required only at build time?

Build time, yes. The documentation should probably make that more explicit.

>
> Anyway... I don't like large and complex (barely-commented, full of
> mysterious hard-coded constants) code being added to a security tool,
> especially when that large and complex code implements a
> (Turing-complete?) computer. I just worry that some future version of
> ClamAV will require the bytecode interpreter, similar to how 0.94 was
> EOL'd because of signature engine limitations. I also worry that
> there will be pressure to expose more and more API functions to the
> bytecode interpreter---it's so tempting when you just need "one more
> thing" to implement a new detection algorithm.
>
> Regards,
>
> David.
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
