0003158580@mcimail.com (William Hugh Murray) (04/11/91)
>a. That MS-Dos viruses (is this an all-encompassing term for things
>that tamper with and destroy the OS and programs?)

Perhaps, yes, but inappropriately so. True viruses are a special case.

>have conceptual
>parallels in the Unix o/s. i.e. the kernel is equivalent to
>COMMAND.COM, the file system superblock is equivalent to the FAT, etc.

Not true. There are no successful live viruses in the Unix environment.
There are four necessary conditions for the success of a virus:

1) (very) large population of similar machines;
2) sharing among members of that population;
3) the ability of the user to execute an arbitrary program of his own choice;
4) storage into which to write a modified executable.

Unix does not appear to meet conditions 1 and/or 2. Other Trojan Horse
attacks might be aimed at a specific Unix machine; these would be several
orders of magnitude less serious than a successful virus.

>b. That all "security" to read and write as a superuser has already
>been breached and that this breach has gone undetected.

Viruses and all other Trojan Horse attacks rely upon user privileges for
their success. There is no requirement to bypass security. In fact, a
virus that depended for its success on such a condition clearly would not
meet condition 1 above. On the other hand, if your b. is the case, then
viruses and other Trojan Horse attacks are the least of your concerns.
Viruses are Trojan Horses that wish to spread their influence. Trojan
Horses are attacks against good security. In the absence of good security,
neither is indicated or necessary.

>c. That one workstation with a bootable hard disk is accessible to the
>individual planning to damage the system.

This condition is easily met in the MS-DOS environment; much less so in
the Unix environment. (You should note that viruses depend upon the fact
that the same program will run in all systems in the target environment.
While one can conceive of a virus that might spread from an MS-DOS
workstation to a Unix workstation or multi-user system (if that is what
you have in mind), it is highly unlikely that such a program would meet
the conditions for success.) While some kinds of Trojan Horse attacks
might target such a device, viruses are aimed at the population as a whole
rather than at any specific machine.

>d. That the individual is sufficiently sophisticated to avoid leaving
>obvious clues (file sizes, dates, etc.).

Well, that excludes all viruses. It is possible to conceive of a virus
that was so subtle that it left no evidence; on the other hand, if you
never notice that you have been damaged, then you have not been damaged.
No such virus has ever been detected, for obvious reasons. All the
reported viruses have done something noticeable. Since the intent of a
virus is to spread, and since if it has no symptoms the author cannot
know if it is successful, few people would write such a virus.

>e. We should consider that the individual may have access to the o/s
>source code.

I assume that you mean that an attacker would have special knowledge of
the operating system, since if he has WRITE access to such code, no other
attack is necessary. While it is likely that some virus authors have such
special knowledge, few exploit it and, since viruses need only exploit
user privileges, it is neither necessary nor even particularly useful.

>I am particularly interested in comments about:
>
>a. Known attacks on Unix o/s involving tampering with the o/s kernel
>and commands.

Indeed, you may well be. (Of course, attacks against the kernel are
substantively different from those involving commands.) Given the mode of
operation of many Unix systems, sophisticated attacks are rarely needed.
I suggest that you read Ken Thompson's Turing Award lecture and Cliff
Stoll's "The Cuckoo's Egg." They have already recorded far more than I am
likely to tell you.
____________________________________________________________________
William Hugh Murray                         203-966-4769
Information System Security                 203-326-1833 (CELLULAR)
Consultant to Deloitte & Touche             203-761-3088
Wilton, Connecticut                  email: 315-8580@MCIMAIL.COM
                                            WHMurray@DOCKMASTER.NCSC.MIL
MCI-Mail: 315-8580
TELEX: 6503158580                           FAX: 203-966-8612
Compu-Serve: 75126,1722
21 Locust Avenue, Suite 2D                  DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840               PRODIGY: DXBM57A