@@ -192,7 +192,7 @@ int main(int argc, char *argv[])

     bcs.all_bcs = bc;

     bcs.count = 1;

-    rc = cli_bytecode_load(bc, f, NULL);

+    rc = cli_bytecode_load(bc, f, NULL, 0);

     if (rc != CL_SUCCESS) {

 	fprintf(stderr,"Unable to load bytecode: %s\n", cl_strerror(rc));

 	optfree(opts);

@@ -410,6 +410,23 @@ int main(int argc, char **argv)

     if(optget(opts,"Bytecode")->enabled)

 	dboptions |= CL_DB_BYTECODE;

+    if((opt = optget(opts,"BytecodeSecurity"))->enabled) {

+	enum bytecode_security s;

+	if (!strcmp(opt->strarg, "TrustSigned"))

+	    s = CL_BYTECODE_TRUST_SIGNED;

+	else if (!strcmp(opt->strarg, "None"))

+	    s = CL_BYTECODE_TRUST_ALL;

+	else if (!strcmp(opt->strarg, "Paranoid"))

+	    s = CL_BYTECODE_TRUST_NOTHING;

+	else {

+	    logg("!Unable to parse bytecode security setting:%s\n",

+		 opt->strarg);

+	    ret = 1;

+	    break;

+	}

+	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s);

+    }

+

     if(optget(opts,"PhishingScanURLs")->enabled)

 	dboptions |= CL_DB_PHISHING_URLS;

     else

@@ -442,3 +442,14 @@ LocalSocket /tmp/clamd.socket

 # Set the exclude paths. All subdirectories are also excluded. (Dazuko only)

 # Default: disabled

 #ClamukoExcludePath /home/bofh

+

+# Set bytecode security level.

+# Possible values:

+#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS

+#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,

+#                insert runtime safety checks for bytecode loaded from other sources

+#       Paranoid - don't trust any bytecode, insert runtime checks for all

+# Recommended: TrustSigned, because bytecode in .cvd files already has these checks

+#

+# Default: TrustSigned

+#BytecodeSecurity TrustSigned

@@ -1222,7 +1222,7 @@ enum parse_state {

     PARSE_BB

 };

-int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio)

+int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio, int trust)

 {

     unsigned row = 0, current_func = 0, bb=0;

     char *buffer;

@@ -1232,6 +1232,7 @@ int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio)

     int rc;

     memset(bc, 0, sizeof(*bc));

+    bc->trusted = trust;

     if (!f && !dbio) {

 	cli_errmsg("Unable to load bytecode (null file)\n");

 	return CL_ENULLARG;

@@ -67,6 +67,7 @@ struct cli_bc {

   struct cli_bc_dbgnode *dbgnodes;

   unsigned dbgnode_cnt;

   unsigned hook_lsig_id;

+  unsigned trusted;

 };

 struct cli_all_bc {

@@ -99,7 +100,7 @@ extern int have_clamjit;

 }

 #endif

 int cli_bytecode_init(struct cli_all_bc *allbc);

-int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio);

+int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio, int security);

 int cli_bytecode_prepare(struct cli_all_bc *allbc);

 int cli_bytecode_run(const struct cli_all_bc *bcs, const struct cli_bc *bc, struct cli_bc_ctx *ctx);

 void cli_bytecode_destroy(struct cli_bc *bc);

@@ -1204,6 +1204,9 @@ public:

 		}

 	  }

 	}

+	if (!bc->trusted) {

+	    //TODO: call verifier to insert runtime checks

+	}

 	delete [] Functions;

 	return true;

     }

@@ -134,7 +134,14 @@ enum cl_engine_field {

     CL_ENGINE_AC_MINDEPTH,	    /* uint32_t */

     CL_ENGINE_AC_MAXDEPTH,	    /* uint32_t */

     CL_ENGINE_TMPDIR,		    /* (char *) */

-    CL_ENGINE_KEEPTMP		    /* uint32_t */

+    CL_ENGINE_KEEPTMP,		    /* uint32_t */

+    CL_ENGINE_BYTECODE_SECURITY     /* uint32_t */

+};

+

+enum bytecode_security {

+    CL_BYTECODE_TRUST_ALL=0, /* insecure, debug setting */

+    CL_BYTECODE_TRUST_SIGNED, /* default */

+    CL_BYTECODE_TRUST_NOTHING /* paranoid setting */

 };

 extern int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long long num);

@@ -300,6 +300,7 @@ static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, un

 	dbio->readpt = dbio->buf;

 	cli_md5_init(&dbio->md5ctx);

 	dbio->bread = 0;

+	dbio->secure = 0;

 	/* cli_dbgmsg("cli_tgzload: Loading %s, size: %u\n", name, size); */

 	if(compr)

@@ -33,6 +33,7 @@ struct cli_dbio {

     unsigned int size, bread;

     char *buf, *bufpt, *readpt;

     unsigned int usebuf, bufsize, readsize;

+    unsigned secure;

     cli_md5_ctx md5ctx; /* TODO: replace with sha256 */

 };

@@ -291,6 +291,7 @@ struct cl_engine *cl_engine_new(void)

     new->min_cc_count = CLI_DEFAULT_MIN_CC_COUNT;

     new->min_ssn_count = CLI_DEFAULT_MIN_SSN_COUNT;

+    new->bytecode_security = CL_BYTECODE_TRUST_SIGNED;

     new->refcount = 1;

     new->ac_only = 0;

     new->ac_mindepth = CLI_DEFAULT_AC_MINDEPTH;

@@ -373,6 +374,9 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long

 	case CL_ENGINE_KEEPTMP:

 	    engine->keeptmp = num;

 	    break;

+	case CL_ENGINE_BYTECODE_SECURITY:

+	    engine->bytecode_security = num;

+	    break;

 	default:

 	    cli_errmsg("cl_engine_set_num: Incorrect field number\n");

 	    return CL_EARG;

@@ -246,6 +246,7 @@ struct cl_engine {

     unsigned *hooks[_BC_LAST_HOOK - _BC_START_HOOKS];

     unsigned hooks_cnt[_BC_LAST_HOOK - _BC_START_HOOKS];

     unsigned hook_lsig_ids;

+    enum bytecode_security bytecode_security;

 };

 struct cl_settings {

@@ -1316,6 +1316,8 @@ static int cli_loadcbc(FILE *fs, struct cl_engine *engine, unsigned int *signo,

     struct cli_all_bc *bcs = &engine->bcs;

     struct cli_bc *bc;

     unsigned sigs = 0;

+    unsigned security_trust = 0;

+

     /* TODO: virusname have a common prefix, and whitelist by that */

     if((rc = cli_initroots(engine, options)))

@@ -1331,7 +1333,25 @@ static int cli_loadcbc(FILE *fs, struct cl_engine *engine, unsigned int *signo,

     }

     bcs->count++;

     bc = &bcs->all_bcs[bcs->count-1];

-    rc = cli_bytecode_load(bc, fs, dbio);

+

+    switch (engine->bytecode_security) {

+	case CL_BYTECODE_TRUST_ALL:

+	    security_trust = 1;

+	    cli_dbgmsg("bytecode: trusting all bytecode!\n");

+	    break;

+	case CL_BYTECODE_TRUST_SIGNED:

+	    if (dbio && (!engine->dbinfo || !engine->dbinfo->cvd

+			 || !engine->dbinfo->cvd->dsig)) {

+		cli_errmsg("CVD without signed .info?\n");

+		return CL_EMALFDB;

+	    }

+	    security_trust = dbio ? 1 : 0;

+	    break;

+	default:

+	    security_trust = 0;

+    }

+

+    rc = cli_bytecode_load(bc, fs, dbio, security_trust);

     if (rc != CL_SUCCESS) {

 	cli_errmsg("Unable to load %s bytecode: %s\n", dbname, cl_strerror(rc));

 	return rc;

@@ -240,6 +240,8 @@ const struct clam_option __clam_options[] = {

     /* Scan options */

     { "Bytecode", "bytecode", 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.", "yes" },

+    { "BytecodeSecurity", NULL, 0, TYPE_STRING, "^(None|TrustSigned|Paranoid)$", -1, "TrustSigned", 0, OPT_CLAMD, 

+	"Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},

     { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" },

     { "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" },