Why a Kaspersky code audit doesn’t really ensure security

While Rendition Infosec commends Eugene Kaspersky’s offer of a code audit as a move toward transparency, a code audit won’t really ensure security. Eugene Kaspersky has also offered to testify in front of Congress, but it seems doubtful that his testimony would sway many people on this.

What about a code audit?
A code audit is not really the issue here. For one thing, a source code audit occurs at a point in time. What we see today may not be the code used to build the product tomorrow. No matter what we see in the source, Kaspersky will have to add code over time to update features. That’s how software engineering works. Suppose they then offer to send updated source code for audit. That’s great, but who is really auditing it? This becomes a full-time job. Also, backdoors in code are particularly difficult to detect and can be very carefully obfuscated to make them resistant to static code analysis.

There are other problems with a code audit as well, and we shouldn’t equate a code audit with true security. The compiled binary may contain backdoors that are not present in the source it was supposedly built from. These are non-trivial to detect and require a whole different set of specialized skills to find (the person performing the analysis must understand programming AND reverse engineering). Reverse engineering is an order of magnitude harder than code auditing, but if doubts exist about a foreign government influencing the software, it is practically required.

A final problem is that an antivirus program like Kaspersky is effectively a kernel-mode rootkit with remote update functionality. The remote update functionality is important. With remote update functionality, even if someone audits the code, the best possible outcome would be “no backdoors were found, but Kaspersky could install malware on or completely disable any machine it is running on at will.” Any software that implements auto-update functionality could conceivably install a malicious update (as we saw with MeDoc being used to deploy the NotPetya cyberattack against Ukraine). Reverse engineering would therefore need to be performed not once, but on a regular basis, to identify new backdoors built into updates.
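The objections above, that a source audit is bound to one point in time and that the shipped binary need not match the audited source, can be made concrete. The following is an added example written for this post, not Rendition’s or Kaspersky’s code. It models a reproducible-build check that ties an audit record to the digest of a specific source revision and of the binary rebuilt from it, then classifies shipped artifacts against that record. The build step is a stand-in function (a real project would run its actual reproducible build there), and the sample sources, the “tampered” binary and the audit ledger are all constructed inside the script.

```python
"""Bind a source audit to a shipped binary via a reproducible-build check.

Added example, not Rendition's or Kaspersky's code. The build step is a
stand-in for a deterministic toolchain; the inputs below are constructed.
"""
import hashlib

# Constructed sample inputs (not real Kaspersky source or binaries).
AUDITED_SOURCE = b"int main(void) { return scan_files(); }\n"     # revision the auditor reviewed
UPDATED_SOURCE = b"int main(void) { return scan_files_v2(); }\n"  # next update, never audited


def digest(data: bytes) -> str:
    """SHA-256 hex digest used as the identity of a source tree or a binary."""
    return hashlib.sha256(data).hexdigest()


def reproducible_build(source: bytes) -> bytes:
    """Stand-in for a deterministic toolchain: the same source always yields
    the same bytes. (Assumption: a real project would invoke its actual
    reproducible build here instead of hashing the source.)"""
    return b"ELF-stand-in:" + hashlib.sha256(source).digest()


def record_audit(ledger: dict, source: bytes) -> str:
    """The auditor reviews `source`, rebuilds it, and records the pair
    (source digest -> expected binary digest) in the audit ledger."""
    src_digest = digest(source)
    ledger[src_digest] = digest(reproducible_build(source))
    return src_digest


def check_artifact(ledger: dict, claimed_source: bytes, shipped_binary: bytes) -> str:
    """Classify a shipped binary against the audit ledger.

    Returns one of:
      "verified"   the claimed source was audited and the shipped binary
                   matches what that source rebuilds to
      "unaudited"  this source revision has never been audited (typical of
                   every new update until someone reviews it)
      "mismatch"   the source was audited, but the shipped binary differs from
                   the rebuild: something entered at or after compile time that
                   a source-only audit cannot see
    """
    src_digest = digest(claimed_source)
    if src_digest not in ledger:
        return "unaudited"
    if digest(shipped_binary) != ledger[src_digest]:
        return "mismatch"
    return "verified"


def demo() -> dict:
    """Run the three scenarios the post describes and return their verdicts."""
    ledger = {}
    record_audit(ledger, AUDITED_SOURCE)

    honest = reproducible_build(AUDITED_SOURCE)
    tampered = honest + b"\x90\x90"            # extra bytes the source audit never saw
    update = reproducible_build(UPDATED_SOURCE)  # legitimate build of an unreviewed revision

    return {
        "audited_source_honest_build": check_artifact(ledger, AUDITED_SOURCE, honest),
        "audited_source_tampered_build": check_artifact(ledger, AUDITED_SOURCE, tampered),
        "new_update_not_yet_audited": check_artifact(ledger, UPDATED_SOURCE, update),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

Two outcomes carry the argument. Every update, however small, lands in the “unaudited” state until someone reviews the new revision and rebuilds it, which is the recurring workload described above. And the “mismatch” verdict is only available because the build is reproducible; where it is not, the only way to compare a shipped binary to the audited source is reverse engineering.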

The difference between software like MeDoc and Kaspersky having auto-update functionality is that antivirus software is supposed to detect threats. Users are advised against running multiple antivirus software packages on their machines due to performance issues and potential conflicts between the AV vendors that may cause system instability. If another program’s auto-updates include malware, antivirus should catch it (eventually). In this case, the fear is that the antivirus is deploying the malware and therefore will ignore it. The very thing that is the last line of defense becomes the exploitation vector.

Does this mean we shouldn’t use Kaspersky?

Rendition is definitely not saying that. Read this post for nothing more than it is: an explanation of why a code audit and congressional testimony aren’t enough to allay fears. Eugene Kaspersky understands the futility of his offers better than most. It is likely that his offer is a publicity stunt more than anything else. That said, it remains an open question whether Kaspersky software is truly a threat to DoD. Russia is internalizing some of its software, in part due to security concerns. Maybe DoD should do the same. In any case, the “proof” offered by the Senate for this action is far from conclusive. It is hardly convincing to say “Eugene Kaspersky was trained by Russian intelligence, therefore his software is open to influence from the Russian government.” Any number of US companies could be blackballed from participating in the global software market using the same standard the Senate is currently applying.

While there is no standard for the level of proof required in a case like this, it is probably safe to say that what has been offered so far falls short. The intent of this post is not to say Kaspersky software is bad; Rendition has no formal opinion on that one way or the other. It is simply to offer education to Rendition’s clients and the public about why a software source code audit isn’t a feasible way to allay the fears stated by the Senate. Rendition encourages a thorough discussion on the topic with appropriate levels of disclosure to back claims that Kaspersky software poses a bona fide threat to DoD networks. For more background on the Senate claims and the reactions of infosec professionals (including Rendition’s founder Jake Williams) see this article.