padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (02/19/91)
For some time now I have been rambling about "layered" protection for PCs running MS-DOS (with modifications the same would be possible on any OS), but now I can make a stab at putting together a model that would contain all of the necessary elements to provide protection from malicious software with minimal user and performance impact:

1) Prevent cold boot from floppy - can only be done with hardware unless already in BIOS. This is the only element that must be in hardware, though the hardware can also do others. Note: element (2) can DETECT malicious action from a cold floppy boot but cannot prevent it if drive A: is present.

2) Password access (if desired) in absolute sector 1. Software redirection can hide the hard disk from a normal floppy boot. Authenticates the disk access mechanism to prevent "stealth" infections. Protects partition table, hidden sectors, & boot record from writing, and the entire disk from low-level format once resident. Can also prevent any warm floppy boot.

3) Internal executable authentication scheme. All files in the system have a separately stored signature & are authenticated prior to execution.

4) Known viral signature checks for any unknown executable presented for execution. User permission required & tracking instigated.

5) Background floppy access task: signature checks for malicious software in the system areas of any floppy on door closure.

6) Warm boot trap; prevents boot from an unknown floppy. (5) & (6) could be used in a multi-machine or networked environment to prevent importation/recognition of "outside" floppies.

7) System configuration monitor: detects any attempt by a program to go resident or any attempted addition or change of an executable file. Has a list and configuration of programs permitted to do so. Could exclude programs known by (3).

Of these, the only one that has any performance impact would be item (4), but by confining it to executables presented for execution, this should not be significant.

Right now, I believe only FLUSHOT and DR. PANDA attempt (7), though they do not keep a record of permitted programs - most users disable this feature because of incessant alarms. John McAfee's VSHIELD makes a first pass at (6). No one (that I know of) is trying (5). Several products do a good job of (3): Certus' CERTUS, Enigma-Logic VIRUS-SAFE, VSHIELD, BEARTRAP. Some of these do (4) also (CERTUS, VSHIELD). I wrote DISKSECURE (beta copy sent to Ken via USnail) as an experiment to cover (2), and have heard a few rumours of products doing (1) but have not seen any; most have been password schemes with no anti-viral functions.

The point is, to block malicious software properly, a layered approach consisting of ALL of these elements is necessary. Impact - my guess would be 5 seconds on boot, 250 milliseconds per 50k of known executable presented, 2 seconds per 50k of unknown executable presented, and about 4k of RAM on a 286 @ 10 MHz. Additionally (and I am basing this on installations I have done), there would be a one-time hit of 3-5 minutes while signatures are generated to install.

I know there is some redundancy indicated, but that is because nothing I've seen does everything (just like no-one checks Int 2E for a pseudo-TSR). My feelings are that given such a scenario, while malicious software would not be impossible to write, the difficulty would rise at least to the same degree as for VMS, MVS, or a good Unix.

Padgett (comments welcome)

[Ed. I saw one product which seems (IMHO) to come close to this - PC/DACS by Pyramid (note: I have no affiliation with them...). It provides boot protection, optional hard disk encryption (required to prevent absolute sector access), username/password protection, file access control, etc. Anyone with experience with this, or similar, systems care to comment?]
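As an added illustration of layers (3) and (4) from the post above (this is editor-supplied example code, not Padgett's DISKSECURE nor any of the products named), the following toy models an executable presented for execution: it is first authenticated against a separately stored per-file signature, and only if it is unknown is the slower known-pattern scan run, with user permission required and the approved file then tracked in the baseline. The "executables" are constructed byte strings standing in for DOS binaries, the "viral signatures" are made-up placeholder patterns and not real detection data, and the keyed HMAC (rather than a bare checksum) assumes the key can be kept away from the programs being checked, which plain MS-DOS does not actually guarantee.

```python
"""Toy of layers (3) and (4): separately stored per-file signatures checked
before execution, plus a known-pattern scan for executables not yet tracked.
Editor-added example; not code from the original post or any named product."""
import hashlib
import hmac
from typing import Callable, Dict, List

# Constructed stand-ins for DOS executables (not real binaries).
SAMPLE_FILES: Dict[str, bytes] = {
    "COMMAND.COM": b"\xe9\x10\x00" + b"COMMAND shell code" * 4,
    "EDIT.EXE": b"MZ" + b"\x00" * 14 + b"text editor body" * 8,
}

# Constructed placeholder patterns; NOT real virus signatures (assumption).
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "demo-appender": b"\xeb\x1a\x90\x90INFECTED",
    "demo-overwriter": b"\xb8\x02\x3d\xcd\x21\x00\x00",
}


def file_signature(data: bytes, key: bytes) -> str:
    """Keyed signature of a file's contents. A keyed MAC is used so that a
    program able to rewrite the file cannot recompute a matching value
    without the key (assumes the key is stored out of the file's reach)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Layer (3) install step: one signature per file, stored apart from it."""
    return {name: file_signature(data, key) for name, data in files.items()}


def authenticate(name: str, data: bytes, baseline: Dict[str, str], key: bytes) -> str:
    """Return 'trusted', 'modified' or 'unknown' for a file about to run."""
    if name not in baseline:
        return "unknown"
    # Constant-time comparison so the check itself leaks nothing useful.
    ok = hmac.compare_digest(baseline[name], file_signature(data, key))
    return "trusted" if ok else "modified"


def scan_known(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Layer (4): naive substring scan, run only on unknown executables."""
    return [label for label, pattern in signatures.items() if pattern in data]


def present_for_execution(name: str, data: bytes, baseline: Dict[str, str],
                          key: bytes, signatures: Dict[str, bytes],
                          ask_user: Callable[[str], bool], log: List[str]) -> bool:
    """Decide whether `name` may run: (3) first, (4) only for unknown files.
    A clean, user-approved unknown file is added to the baseline ("tracking"),
    so the costly scan happens once per new executable, not on every run."""
    verdict = authenticate(name, data, baseline, key)
    if verdict == "trusted":
        return True
    if verdict == "modified":
        log.append(f"BLOCK {name}: signature mismatch (possible infection)")
        return False
    hits = scan_known(data, signatures)
    if hits:
        log.append(f"BLOCK {name}: known pattern(s) {hits}")
        return False
    if not ask_user(name):
        log.append(f"DENY {name}: user refused unknown executable")
        return False
    baseline[name] = file_signature(data, key)
    log.append(f"ALLOW {name}: unknown, clean, user approved, now tracked")
    return True


def demo() -> List[str]:
    """Walk the four cases: trusted, modified, known-bad unknown, clean unknown."""
    key = b"demo-key-kept-off-the-boot-path"  # assumption: not readable by DOS programs
    baseline = build_baseline(SAMPLE_FILES, key)
    log: List[str] = []
    present_for_execution("COMMAND.COM", SAMPLE_FILES["COMMAND.COM"],
                          baseline, key, KNOWN_SIGNATURES, lambda n: True, log)
    infected = SAMPLE_FILES["COMMAND.COM"] + KNOWN_SIGNATURES["demo-appender"]
    present_for_execution("COMMAND.COM", infected,
                          baseline, key, KNOWN_SIGNATURES, lambda n: True, log)
    present_for_execution("NEW.COM", b"MZ" + KNOWN_SIGNATURES["demo-overwriter"],
                          baseline, key, KNOWN_SIGNATURES, lambda n: True, log)
    present_for_execution("NEW.COM", b"harmless new program",
                          baseline, key, KNOWN_SIGNATURES, lambda n: True, log)
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the modified COMMAND.COM is blocked by layer (3) alone, before any pattern scan, which is the point of the ordering in the post: authentication catches infections of known files regardless of whether the infector's pattern is in the signature list, and the pattern scan only has to cover files the baseline has never seen.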