You have a set of malicious instructions. Write a program that will determine whether or not another program written in assembly will execute any one of these, so we can avoid running those programs.
Present your solution 5 minutes on this whiteboard. You may brute force if you like.
install gentoo
do your own homework
kys yourself to sleep tonight
Thanks, we'll call you.
Next, Pajeet Sahamadir!
heloo sir i think best solution here is allow me remote access with program teamviewer i will install microsoft certified antivirus for only $299 and i also give free microsoft word program
The problem is undecidable.
So you can't do it...? Do you think that's the kind of go-getter attitude we're looking for?
A proof:
Assume for the sake of argument there exists a program that can correctly determine whether or not a program contains malicious instructions. An attacker can write a program in assembly that will simulate this program on itself. It would execute a malicious instruction if and only if the program would not decide it to be malicious. Therefore, it is impossible to make any program that will complete this task with 100% accuracy.
And this is without going into the possibility of self-modifying code that can pull from sources inaccessible to the detector program.
Why haven't you filtered tripfags yet, user?
What you have asked is equivalent to asking me to solve the halting problem. It isn't that I in specific can't answer it, but rather, no programmer can, and any solution that any of your candidates provide is demonstrably incorrect.
If you do not possess a degree in computer science and are unfamiliar with the concept of undecidable problems, allow me to ask you a simple question: could you please draw a square circle on the board?
>i read 30 wikipedia articles per day
Thanks, we'll call you.
(Susan, Get Pajeet back in here. He can do it for $299.)
Hash each item in the set and write a ClamAV rule that checks for those hashes.
When can I start?
Kek
Exactly what would happen
Static method =
Analyze the executable, the .Text/.Code section will contain the instructions, see it the set of instructions are there.
Dynamic method would involve running the executable in a sandbox/VM type interpreter as the code may be generated at run time and then try to execute, something the static method could not detect.
I have a bachelor's degree in computer science, and am a few months away from completing my master's degree. I know enough about automata theory from classes that every computer science major is required to take, to know what kinds of problems are and aren't computable, and how to prove them.
In fact, now that I think of it, I could have made a simpler problem by suggesting that we say that any jump that would inevitably lead back into an infinite loop is a bad instruction, and any other instruction is not a bad instruction. We therefore can say that a solution to this problem implies a solution to the halting problem. Since the problem reduces to a known undecidable problem, it is therefore undecidable itself. Q.E.D.
Analysing malware is far from impossible, even at the runtime. Spewing >muh MSc in cs is returded, nobody cares and all that theory will never prepare you for the real world
>and am a few months away from completing my master's degree
will the whole bus clap for you then
too much monies
find cheaper.
Malware scanners are not generic. They rely on signatures of known malware to find an infection. This is why zero days are so harmful.
Mike, can't we just get Ramesh to do it for free as an "interview question"?
Errmm... how does that mulatto on the right fit into this?
That's obviously HR. She is probably still new since she hasn't bloated up yet.
what are "malicious instructions"? Aren't all instructions "malicious"?
I don't think you understand what a zero day is buddy
Cool. I will have a cafe au lait, please.
A zero day is a vulnerability that has not been seen before. A program that exploits this vulnerability cannot be detected by a malware scanner.
STOP REPLYING TO TRIPFAGS!!!
You're fucking retarded though. We're looking for a program, that, given the binary (or maybe asm source) of another program, detects if a certain instruction, or certain instructions, occur(s). A "binary grep" would be enough, because every instruction translates to a certain bytecode signature in the executable and in the asm source code.
The question was not whether the instruction "occurs".
>Write a program that will determine whether or not another program written in assembly will execute any one of these
>determine whether
>another program
>will execute any one of these
If the problem was merely about finding if the instruction exists, I'd objdump the .text section and search for the bad instruction. But that isn't what was asked.
I'd program that uses straight-line, heuristic, and execution emulation-based disassembly to figure out whether the given set of instructions will be executed within the executable.
So how do you plan to address polymorphic malware that can detect when they are running inside of a debugger or virtual machine?
By writing a custom debugger/VM not known to the public.
And what if we are to suppose that the malware is written by one of your coworkers? Let's say he's a spy for a foreign power, and has managed to infiltrate the company to a high enough position that he can see the details of your program. He will relay this information to his comrades so that they can produce a targeted malware to defeat it. Or perhaps we are to assume that there is some spyware in your network left over from a previous attack, which can take a look at the source code of your program.
Security via obscurity only tends to create a false sense of security, not actual security. If we can assume that your program can be accessed in any way by an attacker (a reasonable assumption), then the problems with undecidability of the problem and with polymorphic malware are still entirely relevant.
>If we can assume that your program can be accessed in any way by an attacker
We can't, because my program is running in a lower protection ring.
Nope. is right, code can be self modifying and this not a problem to this.
Actually, he's not. OP's question is to find a specific set of instructions. When you enter the realm of polymorphism, they are no longer the same set of instructions and thus fall outside of the problem scope.
That'd only determine if the program is in the subset of programs that don't contain malicious instructions and only work with a computer using harvard architecture.
If it does contain a malicious instruction it could also be unreachable and thus never execute it.
First of all, I was talking about accessing the source code (or even just the binary for disassembly), which is a pretty safe assumption.
Second of all, protection rings aren't entirely meaningful here. I'm suggesting that if the developer of the malware knows how your program works, a countermeasure can be created. The undecidability problem comes into effect as soon as we can make the assumption that it can simulate your detection algorithms on itself. Polymorphism becomes relevant as soon as we know every means by which your program can check for the existence of the instruction, and every way that it differs from real hardware.
And finally, if we want to go look into the side of practicality rather than just things that could work out in theory, are you aware that there exist vulnerabilities in existing virtual machines that allow applications to escape out of their sandbox? In a recent Pwn2Own competition, an attacker was able to escape out of both a Microsoft Edge browser and the VMware Workstation instance that it was running in. What makes you think you can produce a more secure virtual machine than VMware?
The problem does not ask to find the instructions. The problem asks specifically whether the instructions are ever executed. It does not ask if they are present in the binary at all.
yes
What if I told you that the set of instructions could change nearly infinitely or mimic those found in commonly used software? These retarded interview questions. F-uck Off.
We are making hypotheticals here, just like you said my coworker is a Russian spy, I'm writing the most secure VM in the world with no exploits.
The reason malware can detect VMWare is because they're looking for certain fingerprints that are specific for VMWare (or using the str instruction or red pill/no pill technique, which become moot if you run it on a multicore CPU).
If you disassemble the binary with linear sweep/recursion and heuristics, you will determine whether those instructions will be executed.
Okay, fair enough. There is more than one way to detect that a program is running in a virtual machine, however. Let us consider a simple backdoored program. No part of the .text section of this program contains the malicious instruction. Instead, it awaits for a signal from a human. When that signal comes, it will modify itself to contain the malicious instructions, and then execute them. I think we have already established that polymorphic malware is fair game. I don't think it is necessary that we also assume the program is incapable of human input.
>If you disassemble the binary with linear sweep/recursion and heuristics, you will determine whether those instructions will be executed.
Who says that the binary must contain the malicious instruction? It could run a set of arithmetic operations on some variable in memory, and then copy the result to a block of executable memory, and call it.
Just fuck my whole life up senpai
The VM is scanning the memory constantly from ring 0.
>A zero day is a vulnerability that has not been seen before.
>A program that exploits this vulnerability...
If there is a program to exploit then the people who create that program have seen the vulnerability before you fucking idiot.
With "not seen before" he means not public, not published, not known by the creator of the program being exploited nor anti virus analysts.
r*by is a known TRANNY MUTANT KIKE