The Antivirus is Dead, Long Live the Antivirus!

Last Updated on May 18, 2011

The Google Chromebook (that is the first Chromium OS powered devices) was presented few days ago (and is ready to reach our shelves for the half of June), but only yesterday I accidentally came across an interesting article (which I had already reported in yesterday’s post) which led me to several thoughts concerning the future of endpoint security, or better, how endpoint protection technologies will adapt themselves to the rapidly mutating landscape, which is shifting from an endpoint-centric to a cloud-centric model. My personal confessions of a dangerous mind derive from Google’s assertion that: Chromebooks have many layers of security built in so there is no anti-virus software to buy and maintain. Moreover, the fact that data reside mainly on the cloud moves the data protection requirements towards the cloud rather than on the endpoint. If this is true many security giants (such as ~~Intel~~ McAfee, Symantec, Trend Micro, etc.) focalized on endpoint would seriously have to worry about.

The core of the Chromium OS is represented by the Chrome web browser. Through a Web Interface, and most of all thanks to HTML5, Open Web Platform APIs and Google Chrome Extensions, the users will be able to access virtually any kind of applications from the cloud.

What does it mean from a security perspective? The Security Overview document describing the Security Mechanisms adopted by the Chromium OS is clear: the operating system has been designed from the ground up with security in mind, security as an iterative process focused on for the life of the operating system. As a matter of fact, since the OS is browser-centric, the security design efforts have been concentrated on this aspect starting from the foundation, that is the Operating Systems. Several of the weapons adopted by Chromium OS include:

OS Hardening through techniques of Process sandboxing (at OS and browser level), toolchain hardening, Kernel hardening and configuration paring, Additional file system restrictions (Read-only root partition, tmpfs-based /tmp, user home directories without executables, privileged executables, or device nodes;
Modular browser with sandboxes for media and HTML parsers;
Protection for Phishing, XSS and other Web vulnerabilities;
Secure autoupdate protecting itself from attacks by mean of Signed updates downloaded over SSL, checking of Version numbers of updates and verification of the integrity of each update on subsequent boot, by man of Verified Boot process;

That said, is really true that Chromium OS will be the death knell for antivirus?

Before answering this 10 million Dollars question (rigorously Monopoly Dollars) there is a due premise that must necessarily be done: classifying an endpoint protection technology as Antivirus is maybe a little bit reductive and anachronistic. The new generations of threats (the so called blended threats or APTs) make use of several combination of attack vectors ranging from malicious phishing web sites to 0-day OS or application vulnerabilities. This has implied in the last two/three years that the concept of multi-layered protection has found fertile ground in the endpoints as well (as previously done in the network with UTM/XTM technologies) since the new threats are not simple malware but complex combinations of attack vectors which need different layers of protections. A simple antivirus does not exist anymore in a corporate context, but has been substituted by a set of protection technologies combining Anti-Malware, Personal Firewall, Host Intrusion Prevention, Encryption, Data Leackage Prevention, Compliance.

With this premise in mind there are some points for which, in my opinion, endpoint protection technologies will be still needed (at least for version 1.0);

Some Critical voices stress the fact that Google will provide an SDK dedicated to write native applications. Although Google has probably done everything to secure those apps with their double sandbox design, in theory will be possibility to install malicious code or simply bugged code, unaware vector of vulnerabilities in the system (or in the cloud).
Since the OS is browser-centric, protection of the browser becomes a critical factor. The security design document states that the web browser provides Protection for Phishing, XSS and other Web vulnerabilities, but the description is not so satisfying: “Phishing, XSS, and other web-based exploits are no more of an issue for Chromium OS systems than they are for Chromium browsers on other platforms. The only JavaScript APIs used in web applications on Chromium OS devices will be the same HTML5 and Open Web Platform APIs that are being deployed in Chromium browsers everywhere. As the browser goes, so will we”. Only one simple consideration about this point: a vulnerability on the Webkit rendering engine caused a serious security flaw on the Android and Chrome Browser (and on the Safari Browser and Apple And Blackberry smartphone browsers as well during the last Pwn2Own 2011). Moreover phishing has registered a tremendous growth in the last months as the initial vector for perpetrating complex multi-layered attacks. I am not aware of the fact that chrome users have been less affected than the users of other browsers.
There is also another important point: the security overview document identifies two possible kinds of adversaries: opportunistic adversaries and dedicated adversaries. The first kind just tries to compromise an individual user’s machine and/or data, the second kind may target a user or an enterprise specifically for attack. According to Google version 1.0 will be focuses on dangers posed by opportunistic adversaries. This means that, at least for the first version, the Chromium OS will not offer countermeasures targeted to mitigate network-level attacks.

So what are the conclusions? Maybe the death knell for Antivirus technologies (or would be better to say endpoint protection technologies) is still far, rather I believe more realistically that endpoint security technologies will have to be redefined (or better tailored) to better fit the new scenario in which the endpoints act as web-centric gates for the cloud. Maybe antivirus will be no more necessary, but security efforts on the endpoints will have to be directed to protect this new role from OS and web application vulnerabilities (see authentication tokens in clear), malicious web sites, phishing, data loss/leakage (even if the Chromium OS already offers some native features in this direction), and, last but not least, compliance issues (for an enterprise usage). How this will be achieved? Simple, by mean of cloud based security services…