Google Summer of Code Project Proposal
--------------------------------------

Project: Clam AntiVirus integration in Wine
Name: Christoph Probst

Preamble
--------

Wine is a software project that allows people to run their native Windows software in a non-Windows environment such as Linux. The basic idea is to provide a set of essential DLLs that implement the required API.

ClamAV is an open source anti-virus toolkit for UNIX. It provides a multi-threaded daemon and tools for automatic database updating via the Internet. ClamAV is able to detect most common threats such as ordinary viruses, trojans, macro viruses and also phishing attacks. It is actively developed and widely used for virus detection.

The aim of integrating ClamAV in Wine is to ensure that all potentially viral code accessed by a Windows program inside Wine is scanned for viruses. If a virus is detected, a message box is displayed asking the user how to proceed.

I believe that virus protection for Wine is very important. Many people are talking about Linux migration nowadays and want Linux on their desktops. On the other hand, there are quite a number of Windows applications that they still want to use. While everyone knows that anti-virus software is essential on Windows, there is no such solution for Wine so far.

Project Details
---------------

There are a number of ways in which viral code can be introduced into Wine: for example the binary initially loaded by Wine, DLLs shipped with the programs, code downloaded by plugins (e.g. ActiveX controls), macro viruses in office files, etc. In most cases the files are accessed via handles that are created using the CreateFile API call. I'm planning to hook the scanner into CreateFile directly before the handle is passed back to the calling application. Further hooks might be necessary to scan data that is not accessed using CreateFile. This may be addressed by implementing the Windows Antivirus API, for example.
As ClamAV and Wine are published under different licenses (GPL vs. LGPL), it is not possible to link both projects together. Fortunately ClamAV already ships with a daemon (clamd) that can be called by a Wine ClamAV client. This also provides a clean interface between Wine and the virus scanner and allows the scanner to be exchanged easily in the future.

The main goal will be to find a solution that doesn't slow down file access too much. Using ClamAV in daemon mode is only a first step towards that. Other ideas are caching mechanisms, whitelists and an optimized ClamAV configuration.

I'm aware that ClamAV also provides an on-access scanner for some platforms. Its main drawback is that it cannot provide feedback to the user asking how to proceed when a virus is found. Furthermore, it is not guaranteed that viral code is always loaded from the underlying file system. Scanning from within Wine is a clean and user-friendly way to address these cases.

Project Schedule
----------------

* I'm planning to start by identifying possible threats and how they affect Wine. This includes a lot of testing and monitoring of what actually happens when a Windows virus is loaded within Wine. As I'm not yet very familiar with Wine, this should also give me a better understanding of the internal structures and the way things are implemented. This should not take me much more than the first month.
* Implementation of the CreateFile hook. Performance analysis and implementation of performance enhancements if necessary. Code testing. This should be done by the end of month two.
* Implementation of additional hooks, the Windows Antivirus API and additional performance analysis if necessary. Usability tests. Code reviews. Additional testing.
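The clamd-based client described under Project Details, as an added example in C that is not part of this proposal or of the Wine or ClamAV projects. It assumes clamd is reachable on a Unix socket (CLAMD_SOCKET is a placeholder path that varies by distribution) and uses clamd's INSTREAM command rather than the path-based SCAN command, so the scanner does not need the same file system view as Wine and data that never touches the file system can be scanned too. Only an explicit OK reply counts as clean; a FOUND reply yields the signature name and anything else (including clamd refusing an oversized stream) is treated as not clean.

```c
/* Added example, not Wine or ClamAV project code: the client side of the clamd
 * protocol that the proposed CreateFile hook would need. Assumes clamd listens on
 * the Unix socket CLAMD_SOCKET and accepts "z"-prefixed, NUL-terminated commands. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define CLAMD_SOCKET "/var/run/clamav/clamd.ctl"  /* assumption: distribution-specific */
#define CHUNK 65536                                /* INSTREAM chunk size we send */

enum verdict { SCAN_CLEAN = 0, SCAN_INFECTED = 1, SCAN_ERROR = -1 };

/* INSTREAM body: 4-byte big-endian length, then the chunk data; a zero-length chunk
 * ends the stream. Returns bytes written to out, or 0 if outcap is too small. */
size_t clamd_instream_frame(const unsigned char *data, size_t len, size_t chunk,
                            unsigned char *out, size_t outcap)
{
    size_t off = 0, pos = 0;
    while (pos < len) {
        size_t n = (len - pos < chunk) ? len - pos : chunk;
        uint32_t be = htonl((uint32_t)n);
        if (off + 4 + n > outcap) return 0;
        memcpy(out + off, &be, 4);
        memcpy(out + off + 4, data + pos, n);
        off += 4 + n;
        pos += n;
    }
    if (off + 4 > outcap) return 0;
    memset(out + off, 0, 4);
    return off + 4;
}

/* Parse "stream: OK", "stream: <Signature> FOUND" or "stream: ... ERROR". Only an
 * explicit OK is clean (fail closed), e.g. when clamd rejects a file as too large. */
enum verdict clamd_parse_reply(const char *reply, char *sig, size_t sigcap)
{
    const char *body = strchr(reply, ':');
    if (!body) return SCAN_ERROR;
    for (body++; *body == ' '; body++) ;
    size_t blen = strcspn(body, "\r\n");
    if (blen == 2 && memcmp(body, "OK", 2) == 0) return SCAN_CLEAN;
    if (blen > 6 && memcmp(body + blen - 6, " FOUND", 6) == 0) {
        size_t nlen = blen - 6;
        if (sig && sigcap) {
            if (nlen >= sigcap) nlen = sigcap - 1;
            memcpy(sig, body, nlen);
            sig[nlen] = '\0';
        }
        return SCAN_INFECTED;
    }
    return SCAN_ERROR;
}

static int write_all(int fd, const unsigned char *p, size_t n)
{
    for (ssize_t w = 0; n; p += w, n -= (size_t)w)
        if ((w = write(fd, p, n)) <= 0) return -1;
    return 0;
}

/* Stream a buffer to clamd and return its verdict. Streaming instead of the
 * path-based SCAN command also covers code that is not read from the file system. */
enum verdict clamd_scan_buffer(const char *sockpath, const unsigned char *data,
                               size_t len, char *sig, size_t sigcap)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    strncpy(addr.sun_path, sockpath, sizeof addr.sun_path - 1);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        if (fd >= 0) close(fd);
        return SCAN_ERROR;
    }
    size_t cap = len + 4 * (len / CHUNK + 2);
    unsigned char *buf = malloc(cap);
    size_t n = buf ? clamd_instream_frame(data, len, CHUNK, buf, cap) : 0;
    enum verdict v = SCAN_ERROR;
    char reply[256];
    size_t got = 0;
    ssize_t r;
    /* "zINSTREAM" with its NUL is 10 bytes; clamd's reply is NUL-terminated too */
    if (n && write_all(fd, (const unsigned char *)"zINSTREAM", 10) == 0 &&
        write_all(fd, buf, n) == 0) {
        while (got < sizeof reply - 1 &&
               (r = read(fd, reply + got, sizeof reply - 1 - got)) > 0) {
            got += (size_t)r;
            if (memchr(reply, '\0', got)) break;
        }
        reply[got] = '\0';
        if (got) v = clamd_parse_reply(reply, sig, sigcap);
    }
    free(buf);
    close(fd);
    return v;
}
```

A hook in the style the proposal describes would read the file contents it is about to hand back, call `clamd_scan_buffer(CLAMD_SOCKET, data, len, sig, sizeof sig)`, and only return the handle on SCAN_CLEAN; on SCAN_INFECTED the signature name in `sig` is what the user-facing message box would show. The framing and reply parsing are kept in separate functions so they can be tested without a running daemon.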
Deliverables
------------

* Report on how viruses affect Wine: which species are dangerous and which aren't supported (and for what reason and how this may change in the future).
* Implementation of basic virus protection using the CreateFile hook.
* Performance analysis of using Wine with and without virus protection. Recommendations on how to improve the performance.
* Implementation of caching and whitelist mechanisms if it turns out that they are necessary and/or useful. Performance analysis of these features.
* Implementation of other hooks such as the Windows Antivirus API if it turns out that this will improve virus detection. Additional performance analysis.

Bio
---

My name is Christoph Probst, I'm 28 years old and I'm studying Computer Science at the University of Tuebingen, Germany. I'm in my final year now. My main interests are networking and security. I love to analyze other people's code, searching for flaws and helping to improve security. Over the last year I spent a lot of time consulting for CAcert.org. I often work as a computer and software trainer for beginners and advanced users. That gives me a good understanding of usability, which I consider quite important for this project. I don't have my own big programming project with years of C/C++ experience, but I have finished quite a number of smaller projects over the last years, which should be enough to get this project done.