sagar@psu-cs.UUCP (Arun Sagar) (03/22/89)
Hi,

This may not be such a new idea, but I think merits some discussion. In writing programs, do the following to the release versions:

1. Make a procedure which on startup checks the size of the program and determines if it is equal to a constant (the size of the release version). If so continue, else blurp an alert saying: "Something has changed the program, could be a virus", etc.

Of course I'm assuming that the program is not self modifying, does not allow a user to change its resources and so on. Some of that could be taken care of by forcing the program to use a separate file for changed resources (a good technique, in general) and let the guardian code be more sophisticated in that it lets some resource types be changed, i.e., ignores them.

The major bottleneck is that some hack would figure out a way to let the virus detect such a guardian routine and modify it.

One way to deal with this problem that comes to my mind is to use cryptanalytic methods (aha, there's an extensive literature on that available in your local math library). Of course that would take care of even *manual* infections.

Any comments???

-arun.
chuq@Apple.COM (Chuq Von Rospach) (03/23/89)
> This may not be such a new idea, but i think merits some discussion.
>In writing programs, do the following to the release versions:
>1. Make a procedure which on startup checks the size of the program and
>determines if it is equal to a constant

> Of course i'm assuming that the program is not self modifying

Worse. It means that you can't internationalize the program for other languages. It means that people can't go in and relocate or change the size of dialogs, or add/modify keyboard definitions, or even add "Get Info" data.

I *do* think it is a good idea (in theory) for a program to do a consistency check on itself -- verify that critical resources exist and perhaps checksum CODE resources that don't change. But trying to verify the entire package removes all of the advantages of having resources -- to change things, you have to recompile the checksumming routines.

Chuq Von Rospach -*- Editor,OtherRealms -*- Member SFWA
chuq@apple.com -*- CI$: 73317,635 -*- Delphi: CHUQ -*- Applelink: CHUQ
[This is myself speaking. No company can control my thoughts.]

USENET: N. A self-replicating phage engineered by the phone company to cause computers to spend large amounts of their owners budget on modem charges.
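The contrast between the whole-program size test and the selective consistency check discussed in the two posts above can be shown in a short Python sketch; this is an added example, not code from any poster. The resource table, the type/id pairs other than CODE, and the use of SHA-256 in place of a simple checksum are assumptions made for illustration.

```python
import hashlib

IMMUTABLE_TYPES = {"CODE"}   # assumption: only these types are frozen at release
CRITICAL = {("CODE", 0), ("CODE", 1), ("DLOG", 128)}  # must exist; contents may vary

def build_manifest(resources):
    """At release time, record a digest for each resource of an immutable type."""
    return {key: hashlib.sha256(data).hexdigest()
            for key, data in resources.items() if key[0] in IMMUTABLE_TYPES}

def size_check(resources, release_size):
    """The whole-program size test from the first post."""
    return sum(len(data) for data in resources.values()) == release_size

def consistency_check(resources, manifest, critical=CRITICAL):
    """Selective check; returns a list of problems (empty means pass)."""
    problems = []
    for key in sorted(set(critical) | set(manifest)):
        if key not in resources:
            problems.append(f"missing resource {key}")
        elif key in manifest and hashlib.sha256(resources[key]).hexdigest() != manifest[key]:
            problems.append(f"modified resource {key}")
    for key in sorted(resources):
        if key[0] in IMMUTABLE_TYPES and key not in manifest:
            problems.append(f"unexpected resource {key}")
    return problems

# Constructed sample "resource fork": (type, id) -> bytes
RELEASE = {("CODE", 0): b"jump table", ("CODE", 1): b"main segment v1.0",
           ("DLOG", 128): b"About box 200x100", ("vers", 1): b"1.0"}
MANIFEST = build_manifest(RELEASE)
RELEASE_SIZE = sum(len(d) for d in RELEASE.values())

LOCALIZED = {**RELEASE, ("DLOG", 128): b"Fenetre A propos 260x120"}  # resized dialog
TAMPERED = {**RELEASE, ("CODE", 1): b"main segment vX.0"}            # same length
APPENDED = {**RELEASE, ("CODE", 2): b"extra segment"}                # new code segment

if __name__ == "__main__":
    for name, res in [("release", RELEASE), ("localized", LOCALIZED),
                      ("tampered", TAMPERED), ("appended", APPENDED)]:
        print(name, size_check(res, RELEASE_SIZE), consistency_check(res, MANIFEST))
```

The localized copy fails the size test but passes the selective check, while the same-length change to a CODE resource passes the size test and is caught only by the digest comparison.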
bradn@tekig4.LEN.TEK.COM (Bradford Needham) (03/23/89)
In article <1780@psu-cs.UUCP> sagar@psu-cs.UUCP (Arun Sagar) writes:
>1. Make a procedure which on startup checks the size of the program and
>determines if it is equal to a constant (the size of the release version).
>If so continue else blurp an alert saying: "Something has changed the program,
>could be a virus", etc.
>... Any comments???

I submitted just such a thing to comp.binaries.mac about a month ago. You have only to wait for it to make it through the moderation queue. (Assuming, of course, the submission made it through the rats-nest of mail programs between me and the moderator.)

Brad Needham
bradn@tekig4.TEK.COM