
Reflections on state certification of antiviruses

Every year our valiant regulators (the FSB and FSTEC first and foremost) demand more and more kinds of licenses, permits, certificates and similar papers from IT specialists. The FSB imposes the use of its "proprietary" encryption algorithms instead of the internationally used ones. FSTEC strives to stick its nose ever deeper into the code of software products in search of undeclared capabilities, "caring" about the security of our information.
Is there any sense in such studies when it comes to a modern antivirus?

You can use any antivirus you like at home, but for government agencies, or to protect personal data in personal data information systems (ISPDn), you will have to choose a product that has passed the appropriate certification.

Legislation


Thus, according to Decree of the Government of the Russian Federation No. 781 of 17 November 2007, information security tools used in ISPDn must, in the prescribed manner, undergo a conformity assessment procedure (against the requirements established in FSTEC guidance documents). In particular, the use of only certified solutions in state institutions is spelled out in documents such as the Decrees of the President of the Russian Federation No. 351 of 17 March 2008 "On measures to ensure the information security of the Russian Federation when using information and telecommunication networks of international information exchange" and No. 611 of 12 May 2004 "On measures to ensure the information security of the Russian Federation in the field of international information exchange."

The software is checked for compliance with the requirements of the governing document "Protection against unauthorized access to information. Part 1. Software of information security tools. Classification by the level of control over the absence of undeclared capabilities."

The key point of this governing document is the following table:

Requirements by level of control. List of requirements.

| No. | Requirement | Level 4 | Level 3 | Level 2 | Level 1 |
|---|---|---|---|---|---|
| | **Documentation requirements** | | | | |
| 1 | Control of the composition and content of the documentation | | | | |
| 1.1 | Specification (GOST 19.202-78) | + | = | = | = |
| 1.2 | Program description (GOST 19.402-78) | + | = | = | = |
| 1.3 | Application description (GOST 19.502-78) | + | = | = | = |
| 1.4 | Explanatory note (GOST 19.404-79) | - | + | = | = |
| 1.5 | Source texts of the programs included in the software (GOST 19.401-78) | + | = | = | = |
| | **Test content requirements** | | | | |
| 2 | Control of the initial state of the software | + | = | = | = |
| 3 | Static analysis of program source code | | | | |
| 3.1 | Control of completeness and absence of redundancy of the source code | + | + | + | = |
| 3.2 | Control of correspondence between the source code and its object (load) code | + | = | = | + |
| 3.3 | Control of links between functional objects by control flow | - | + | = | = |
| 3.4 | Control of links between functional objects by information | - | + | = | = |
| 3.5 | Control of information objects | - | + | = | = |
| 3.6 | Control of the presence of specified structures in the source code | - | - | + | + |
| 3.7 | Formation of the list of execution routes of functional objects | - | + | + | = |
| 3.8 | Analysis of critical execution routes of functional objects | - | - | + | = |
| 3.9 | Analysis of the operation of functional objects based on flowcharts, diagrams, etc., built from the source code of the software under control | - | - | + | = |
| 4 | Dynamic analysis of program source code | | | | |
| 4.1 | Control of the execution of functional objects | - | + | + | = |
| 4.2 | Comparison of the actual execution routes of functional objects with the routes built during static analysis | - | + | + | = |
| 5 | Reporting | + | + | + | + |

Designations:
"-" - no requirements for this level;
"+" - new or additional requirements;
"=" - the requirements coincide with those of the previous level.

According to paragraph 3, "Control of the initial state of the software", of the list of requirements, the checksums of all program files are to be fixed in the documentation. Great. That would work for crypto-router firmware (and it is actually done there), but certainly not for an antivirus! Even leaving aside the program modules themselves, the signature databases (which, by the way, are "included in the software") are updated practically every hour. What kind of control over the state of the software can we be talking about?

At the moment FSTEC has certified the products of several antivirus companies.

Let's take Kaspersky Anti-Virus, purely as an example: they are very proud of their FSTEC certificates and never miss a chance to flaunt them to customers.

The certificate of conformity (No. 1384) for "the Kaspersky Anti-Virus 6.0 for Windows Workstations software product" was issued in 2007 and then extended to 2013. During that time Kaspersky Lab released four (!) major updates (maintenance packs) for it, and the certificate stayed the same! This means that nobody re-checked the product, simply because the major version number did not change... and that is not even counting the daily signature database updates.



There are no checksums in the certificate. That is logical, but then what is it for? With the first update most of the files will simply change. Of course, this paper perfectly covers the backsides of IT department heads, but do those who issue such things really not understand how absurd the whole situation is?



In the FSB certificate of conformity, on the other hand, checksums are present, but what is the point of them? Only to check the distribution package before installing it.
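The two checksum passages above (the "initial state" requirement that fixes hashes of all program files, and the certificate hashes that only let you check the distribution before installation) are easiest to see in code. The following is an added example, not code from the article or from any certified product: it builds a manifest of file hashes for a toy install tree, "fixes" it the way a certification would, applies one signature-base update, and shows that the whole-tree manifest no longer matches while a manifest scoped to the code modules still does. The directory layout (`engine/`, `bases/`), the file names and their contents are constructed for the demonstration.

```python
"""Manifest-based 'initial state' check for an installed product tree.

Added example, not from the original article: it demonstrates the checksum
control the governing document calls for (fixing hashes of all program files)
and why that control breaks for an antivirus whose signature databases change
hourly. All file names and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, include=None) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.

    `include` is an optional predicate on the relative path; use it to scope
    the manifest to code modules and leave volatile data (signature bases) out.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if include is None or include(rel):
                manifest[rel] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, baseline: dict, include=None) -> dict:
    """Compare the current tree against a baseline manifest.

    Returns {'changed': [...], 'added': [...], 'removed': [...]}; all three
    lists empty means the installed state still matches the fixed one.
    """
    current = build_manifest(root, include)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def is_code_module(rel: str) -> bool:
    """Constructed scoping rule: only files under engine/ count as program code."""
    return rel.startswith("engine/")


def simulate_certified_install() -> dict:
    """Build a toy install tree, fix its state, apply one signature-base update,
    and return the verification results with and without scoping."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "engine").mkdir()
        (root / "bases").mkdir()
        (root / "engine" / "avcore.bin").write_bytes(b"constructed engine module v6.0")
        (root / "bases" / "signatures.db").write_bytes(b"constructed signature base, day 1")

        # "Control of the initial state": checksums fixed at certification time.
        fixed_state = build_manifest(root)
        scoped_state = build_manifest(root, include=is_code_module)

        # Routine signature update: the engine is untouched, the base changes.
        (root / "bases" / "signatures.db").write_bytes(b"constructed signature base, day 2")

        return {
            "full": verify_manifest(root, fixed_state),
            "code_only": verify_manifest(root, scoped_state, include=is_code_module),
        }


if __name__ == "__main__":
    result = simulate_certified_install()
    print("Whole-tree manifest after a base update:", result["full"])
    print("Manifest scoped to code modules:", result["code_only"])
```

The whole-tree check reports `bases/signatures.db` as changed after the very first update, which is the article's point: a fixed checksum list over "all program files" is meaningless for a product that updates daily. Scoping the manifest to the code modules is the only way such a control can hold between updates, and even then it says nothing about what the updated bases or disinfection scripts do.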

And what is the result?


You have a lot of paperwork on the protection tool, but:

1. Nobody guarantees that there are no accidental (supposedly) errors in the code, including critical ones that can be used to completely compromise the system. From experience with the same Kaspersky Anti-Virus 6.0, I can say that the number of errors left after all the certifications is simply enormous (well, other products have fewer :). But is it possible to prove, for example, that a "buffer overflow" type hole was left deliberately? Hardly...

2. Thanks to advanced update and disinfection systems for new threats, almost any modern antivirus can perform arbitrary actions (so-called disinfection scripts) on command from the update center. What prevents it from being told to find certain files on the computer, quarantine them, and then, in full compliance with all user agreements, send them "for analysis to the analysts of the virus laboratory"? So what? Well, we happened to find these files malicious and, caring about your security, analyzed them. Solely for your own good! Sleep well, no malicious macros were found in your secret documents, and that analyst has been dealt with ;)

Conclusions


The existing methods of controlling the absence of undeclared capabilities in software products such as information protection tools against dynamic threats are hopelessly outdated and cannot guarantee anything at all. In any case, the ability to reliably keep such a system in check seems doubtful.
The certificate will save you only from auditing regulators, not from any threats. Well, unfortunately, that is quite logical for our country...

Source: https://habr.com/ru/post/117409/
