It would be helpful if legit code would not obfuscate code for sure. Eventually, a decent white list repository could then be created (can be anyway, but still have to allow for gaps for all of the software out there).

Obfuscation then can be trivially detected by entropy analysis with a high degree of accuracy, generically.

IMO, it is a bit like "what are you hiding and why". Security needs transparency and this should be expected from vendors. How, for instance, do you otherwise confirm the functionality of even "legitimate" code? That is an user's right to verify that. Just like you have a right to verify your laptop manufacturor did not put a hardware bug in your laptop.

Would like to see a more centralized, public use code signed/checked by independent type of system... so good code can be verified and anything else thrown out.

Agree that eventually this will be the future. Mandates for transparency already exist in many quarters.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/498/35528#35528