[comp.unix.i386] Is DOS under Unix immune?

jes@mbio.med.upenn.edu (Joe Smith) (08/03/90)

We are considering adopting '386 Unix in the lab, but I'm curious
about something.  Are the DOS under Unix implementations immune to the
usual PC viruses?  If so, how (in a nutshell)?  If not, is the Unix
filesystem safe at least?  I suppose most readers already know the
answer(s), so just e-mail...

<Joe

--
 Joe Smith
 University of Pennsylvania                    jes@mbio.med.upenn.edu
 Dept. of Biochemistry and Biophysics          (215) 898-8348
 Philadelphia, PA 19104-6059

tneff@bfmny0.BFM.COM (Tom Neff) (08/03/90)

In article <JES.90Aug2223811@mbio.med.upenn.edu> jes@mbio.med.upenn.edu (Joe Smith) writes:
>We are considering adopting '386 Unix in the lab, but I'm curious
>about something.  Are the DOS under Unix implementations immune to the
>usual PC viruses?  If so, how (in a nutshell)?  If not, is the Unix
>filesystem safe at least?  I suppose most readers already know the
>answer(s), so just e-mail...

Depending on the virus, I would say 'no', DOS under UNIX is not immune
to infection, but the UNIX system itself is probably safe.

VP/ix has four kinds of disk access:

 (1) floppies, at the driver level.

 (2) 'real' DOS hard disk partitions, again at the driver level.

 (3) Pseudo-disks (/usr/vpix/defaults/C:) at the block level, through
     a special VP/ix interface.

 (4) The UNIX filesystem at the 'stdio' level, through a TSR resident
     under DOS (Redirect) that uses hooks to the VP/ix executive.

Any virus built to talk to the disks at a ROM-BIOS or "block" level will
tend to succeed on types (1), (2) and (3) above, but fail on type (4).
Viruses dealing with FILES (in a well-behaved way) only, rather than disk
blocks, might work on (4) but they are also the easiest to detect.

An infected VP/ix site could certainly infect others via diskette or
upload.  So the virus life cycle can, in principle, run to completion.

But any virus that's dependent on such things as precise clock timing
or transparent access to the controller hardware seems likely to fail,
although it could certainly lock up the box in failing.

Since the files DOS and VP/ix need to run are usually not otherwise
critical to the operation of the host UNIX system, it is unlikely that a
DOS-virus-infected site would have problems with its performance as a
UNIX system.  Effectively, UNIX would not itself be infected.

The above remarks apply to viruses designed for the standalone PC.
But what about a VP/ix or DOS Merge specific virus?  Is one possible?
Absolutely!  And given the privileged access VP/ix has, the potential
for harm to the UNIX side is great.

I think the biggest protection VP/ix has going for it now is that there
aren't enough sites to tempt malicious hackers.  That may change someday.

-- 
"NASA Announces New Deck Chair Arrangement For   \_/  Tom Neff
Space Station Titanic" -- press release 89-7654  \_/  tneff@bfmny0.BFM.COM

peter@ficc.ferranti.com (Peter da Silva) (08/03/90)

In article <JES.90Aug2223811@mbio.med.upenn.edu> jes@mbio.med.upenn.edu (Joe Smith) writes:
> We are considering adopting '386 Unix in the lab, but I'm curious
> about something.  Are the DOS under Unix implementations immune to the
> usual PC viruses?  If so, how (in a nutshell)?  If not, is the Unix
> filesystem safe at least?  I suppose most readers already know the
> answer(s), so just e-mail...

Existing PC viruses do not know about the particular environment of
DOS-under-UNIX. Boot infectors and many executable infectors will fail if
you're using a common disk image that's protected from writing by UNIX file
protection. Viruses that infect random application programs may still work.

I do know that some places doing work on viruses use DOS-under-UNIX as a
"clean lab" environment. It's certainly going to be a lot harder for a DOS
virus to infect such a setup. I don't know of any existing viruses that
could make the jump over to UNIX, but I'm sure I could devise one if I
was so inclined.

Summary: It's a highly resistant if not immune environment.
-- 
Peter da Silva.   `-_-'
+1 713 274 5180.   'U`
<peter@ficc.ferranti.com>

richard@pegasus.com (Richard Foulk) (08/04/90)

>
>We are considering adopting '386 Unix in the lab, but I'm curious
>about something.  Are the DOS under Unix implementations immune to the
>usual PC viruses?  If so, how (in a nutshell)?  If not, is the Unix
>filesystem safe at least?  [...]
>

Yes, they can provide additional security against that sort of thing, just
like pc-nfs.  The binaries can be write-protected from the Unix side so
that a virus or whatever can't modify them.

I'm not sure if you can write-protect the operating system; if so, that
would be a good protection as well.

-- 
Richard Foulk		richard@pegasus.com

jes@mbio.med.upenn.edu (Joe Smith) (08/04/90)

> (4) The UNIX filesystem at the 'stdio' level, through a TSR resident
>     under DOS (Redirect) that uses hooks to the VP/ix executive.

Would it be possible then for all your 'DOS' files to really be UNIX
files, with the appropriate ownership/permissions (e.g. *real*
read-only directories), which would be inaccessible to the DOS
executable?  I mean, just making your COMMAND.COM owned by root, and
mode 755 would be sufficient to stop several of the common viruses (I
presume VP/ix doesn't support the setuid call, and that the Unix
permission bits are mapped appropriately).  Is that sort of thing
possible?

> But any virus that's dependent on such things as precise clock timing
> or transparent access to the controller hardware seems likely to fail,
> although it could certainly lock up the box in failing.

Aren't hardware (i/o) accesses trapped and 'tamed' in some way?  I mean,
I could care less what the goofy DOS software does with my speaker, but
I'd be real uncomfortable knowing it could start fiddling with the disk
controller registers.

As I think about it I guess it's just impossible to accommodate all the
DOS software that assumes it has free rein of the machine without
really giving it that kind of access.

BTW, there was apparently an article in this thread from Peter da
Silva which I couldn't retrieve.  I'd appreciate it if someone could
pass that along by e-mail.

<Joe
--
 Joe Smith
 University of Pennsylvania                    jes@mbio.med.upenn.edu
 Dept. of Biochemistry and Biophysics          (215) 898-8348
 Philadelphia, PA 19104-6059
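The protection Joe Smith asks about above (DOS program files that are really UNIX files, owned by one trusted account and writable by nobody else, i.e. Tom Neff's type (4) access) can be audited and enforced from the UNIX side. The following is an added example, not code from anyone in the thread or from VP/ix; the directory layout, the `root` default owner and the sample file names are assumptions.

```shell
# Added example: audit a DOS-under-UNIX file tree for the protection described
# in the thread (DOS programs owned by one trusted account, writable by nobody
# else). Paths and the default owner "root" are assumptions; a real VP/ix tree
# would live somewhere like /usr/vpix/... .

# Print one line per violation: "WRITABLE <path>" for files that group or
# others may write, "OWNER <path>" for files not owned by the expected account.
audit_dos_tree() {
    dir=$1
    owner=${2:-root}
    {
        find "$dir" -type f \( -perm -g+w -o -perm -o+w \) | sed 's/^/WRITABLE /'
        find "$dir" -type f ! -user "$owner" | sed 's/^/OWNER /'
    } | sort
}

# Remove group/other write permission from every file and directory, so a DOS
# task (and any virus riding inside it) cannot modify them through the
# redirector. Changing ownership (chown root) needs the super-user and is
# left to the administrator.
harden_dos_tree() {
    find "$1" \( -type f -o -type d \) -exec chmod go-w {} +
}

# Constructed sample tree so the functions can be exercised offline:
# COMMAND.COM is mode 755 as Joe suggests, GAME.EXE is world-writable.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'stub' > "$d/COMMAND.COM";  chmod 755 "$d/COMMAND.COM"
    printf 'stub' > "$d/AUTOEXEC.BAT"; chmod 644 "$d/AUTOEXEC.BAT"
    printf 'stub' > "$d/GAME.EXE";     chmod 666 "$d/GAME.EXE"
    printf '%s\n' "$d"
}
```

Run `audit_dos_tree /path/to/dos/tree` as the administrator; anything it prints is a file a DOS program could alter, and `harden_dos_tree` closes the write bits.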

tmh@prosun.first.gmd.de (Thomas Hoberg) (08/14/90)

I recently caught a case of Jerusalem-B on my 386 DOS/UNIX box running
vanilla DOS and a 'nice' new little game. Since for some reason I can
not access the hard disks when I boot DOS off a floppy disk (some weird
DOS-BIOS interaction here) VPIX sure came in handy as a way to examine
the DOS partitions and the reproduction characteristics of the virus
without risking further infection. I mounted the DOS partitions
read-only and used UNIX tools (find and fgrep) to locate infected files
after I had found a substring identifying the virus. I then logged in as
super-user and zapped the infected files, which wasn't too careful...
Quitting VPIX infected QUIT.COM on the UNIX filesystem (which can't do
any harm--installing the virus is the last thing that DOS task does).

I'd say DOS under UNIX can aid somewhat when investigating a virus, but
if you use DOS partitions viruses can do anything DOS can do: Whereas
you might be protected from those viruses that twiddle the hardware,
plenty of damage can still be done. Running VPIX off a unix file system
will give you somewhat more security, depending on the amount of effort
you are willing to put into file permissions.
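The scan Thomas Hoberg describes (DOS partition mounted read-only, find plus fgrep for a substring that identifies the infected files) can be written down as a small script. This is an added example, not the poster's own commands; the mount device and mount point are assumptions, and the signature string is a constructed marker, not a real virus substring.

```shell
# Added example: locate DOS program files containing a known substring, from
# the UNIX side, on a partition assumed to be mounted read-only first, e.g.
#   mount -r /dev/dos_c /mnt/dosc      (device and mount point are assumptions)
# so nothing found here can run or spread while it is being examined.

# List DOS program files under DIR that contain the fixed string SIG
# (find + fgrep, as in the post). Sorted so the output is stable.
scan_for_signature() {
    dir=$1
    sig=$2
    find "$dir" -type f \( -name '*.[Cc][Oo][Mm]' -o -name '*.[Ee][Xx][Ee]' \) \
        -exec grep -lF -- "$sig" {} + 2>/dev/null | sort
}

# Rather than deleting matches outright ("zapped" in the post), move them to a
# quarantine directory and strip every permission bit: they remain available
# for examination but cannot be executed by a DOS task or copied on by mistake.
# This step needs write access to the partition (the poster did it as root
# after remounting), whereas the scan itself works on the read-only mount.
quarantine_matches() {
    dir=$1
    sig=$2
    qdir=$3
    mkdir -p "$qdir"
    scan_for_signature "$dir" "$sig" | while IFS= read -r f; do
        mv "$f" "$qdir/$(basename "$f")"
        chmod 000 "$qdir/$(basename "$f")"
    done
}

# Constructed sample "partition": two infected programs, one clean program,
# and a text file that mentions the marker but is not a program (so it must
# not be reported). CONSTRUCTED-SIG stands in for a real identifying substring.
make_sample_partition() {
    d=$(mktemp -d)
    mkdir "$d/GAMES"
    printf 'MZ...CONSTRUCTED-SIG...'          > "$d/GAMES/NICE.EXE"
    printf 'clean program image'              > "$d/GAMES/OTHER.EXE"
    printf 'CONSTRUCTED-SIG'                  > "$d/quit.com"
    printf 'README mentions CONSTRUCTED-SIG'  > "$d/README.TXT"
    printf '%s\n' "$d"
}
```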