T.TENG@Macbeth.Stanford.EDU (T. Teng) (07/10/90)
Is it possible to make something for PCs, which works effectively against all the virus, old or new?
CHESS@YKTVMV.BITNET (David.M.Chess) (07/11/90)
> Is it possible to make something for PCs, which works effectively against
> all the virus, old or new?

Well, you can turn the machine off, and leave it off! *8)

More seriously, Fred Cohen showed a while back, in his thesis, that no 100% perfect virus detector is possible (all detectors will either miss some viruses, or accuse some non-viral programs of being viruses).

On the practical side, it seems unlikely that any anti-virus can be even close to 100% effective against unknown viruses, since that would require being able to tell an intended change from an unintended change (and if we could do that, we could find all *bugs*, not just all viruses...). It's relatively easy, in general, to be 100% effective against any given *known* virus.

DC
dfs@uunet.UU.NET (David F. Skoll) (07/11/90)
T.TENG@Macbeth.Stanford.EDU (T. Teng) writes:

>Is it possible to make something for PCs, which works effectively against
>all the virus, old or new?

I wrote a program for the PC called VPROT which "sort of" achieves this. The program examines files (.EXE, .COM, whatever) and adds a two-byte checksum to the end of the file. You can pass the file through an encrypting filter before generating the checksum to reduce the chances of a virus realizing the file is protected. Then, you periodically run the program to ensure that the file checksums are still valid. If a virus has modified the file, chances are high that the checksum is wrong, because I used the CRC-16 generating polynomial.

BUT:

1) This does not protect the boot sector, although the idea can be extended to cover this case.
2) If you "protect" files which are ALREADY infected, you're in trouble.
3) You must run the program fairly often to check your files.
4) If a virus is found, you need another tool to disinfect it.

So, is it worth it? I guess if you copy lots of software from a BBS or other "suspicious" sources, it is. Otherwise, I wouldn't bother.

+--------------------------------------------------------------------------+
| David F. Skoll                  Department of Electronics                 |
| dfs@doe.carleton.ca             Carleton University                       |
| (613) 788-5771 | 788-5772       Ottawa, Ontario, Canada                   |
+--------------------------------------------------------------------------+
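The checksum scheme Skoll describes (CRC-16 over the file, optionally passed through a filter first, two bytes appended, later re-verified), as an added example that is not VPROT's own code. The sample "program image", the single-byte tamper and the filter key are constructed here for illustration; the keyed filter is a repeating-key XOR standing in for the post's "encrypting filter", not a real cipher.

```python
# CRC-16 file-checksum scheme in the spirit of VPROT (added example; not VPROT's code).
# The "program image", the tamper and the filter key below are constructed for illustration.

CRC16_POLY_REFLECTED = 0xA001  # x^16 + x^15 + x^2 + 1 (0x8005), bit-reversed for LSB-first shifting


def crc16(data: bytes) -> int:
    """CRC-16 with the 0x8005 generating polynomial (the CRC-16/ARC form: init 0, reflected, no xorout)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC16_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc & 0xFFFF


def keyed_filter(data: bytes, key: bytes) -> bytes:
    """Stand-in for the post's 'encrypting filter': repeating-key XOR. Not a cipher; it only makes the
    stored value differ from a plain CRC of the file, so the file does not look obviously checksummed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)) if key else data


def protect(image: bytes, key: bytes = b"") -> bytes:
    """Append the two-byte (little-endian) checksum of the optionally filtered image."""
    return image + crc16(keyed_filter(image, key)).to_bytes(2, "little")


def verify(protected: bytes, key: bytes = b"") -> bool:
    """Recompute the checksum over everything but the trailing two bytes and compare with the stored one."""
    if len(protected) < 2:
        return False
    body, stored = protected[:-2], int.from_bytes(protected[-2:], "little")
    return crc16(keyed_filter(body, key)) == stored


def patch_first_byte(data: bytes) -> bytes:
    """Constructed modification: overwrite the first byte (the kind of entry-point patch a file infector
    makes) and leave everything else, including any stored checksum, in place. A one-byte change is a
    burst of at most 8 bits, which a degree-16 CRC with a non-zero constant term always detects."""
    return bytes([data[0] ^ 0xFF]) + data[1:]


SAMPLE_IMAGE = b"MZ" + bytes(range(256))  # constructed stand-in for an .EXE body


def demo() -> dict:
    clean = protect(SAMPLE_IMAGE)
    keyed = protect(SAMPLE_IMAGE, b"vprot-key")
    return {
        "clean_verifies": verify(clean),
        "patched_detected": not verify(patch_first_byte(clean)),
        "keyed_verifies": verify(keyed, b"vprot-key"),
        "keyed_patched_detected": not verify(patch_first_byte(keyed), b"vprot-key"),
        # Caveat 2 from the post: protecting an already-modified image yields a "valid" checksum.
        "preinfected_passes": verify(protect(patch_first_byte(SAMPLE_IMAGE))),
    }
```

The last entry of `demo()` is the post's second caveat made concrete: the checker can only tell you that a file differs from what it looked like when you protected it, not that it was clean then.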
WHMurray@DOCKMASTER.NCSC.MIL (07/13/90)
> Is it possible to make something for PCs, which works effectively against
> all the virus, old or new?

Yes, but with limits.

Security measures that are 100% effective have infinite cost. As a result, we usually strive for security measures that are efficient. An efficient measure is one that covers its own cost and which is cheaper than the next best alternative.

The conditions that are necessary for the success of a virus are:

1) that it be able to get itself executed (calling an arbitrary program);
2) that it can store a copy of itself (writing);
3) that the copy can be moved to a second environment (sharing);
4) that there be a sufficient number of target environments (population);

Thus, in order to protect against viruses in general, one must be prepared to restrict one or more of these, otherwise valuable, conditions. Only the first two are really of interest; these are the two that are within the control of the execution environment.

Cohen suggests that we restrict the first. He points out that in a world made up of application machines (i.e., computers in which all procedures are bound and not subject to change; e.g., ATMs or arcade machines), we would enjoy most, but not all, of the advantages of computers. Thus, by restricting the capability to create new or modify existing programs, one could protect the machine from viruses. (Try a thought experiment: try to visualize how you might change the programs of an arcade machine from the joy-stick.)

In practice, this restriction is often quite tolerable. Days often go by in which I do not deliberately introduce a new program into my machine; I rarely ever modify an existing program. While I would not want to give up the freedom to do so forever, binding it for long periods is not inconvenient. Relaxing it when I intend to introduce a new program requires only a key-stroke. If I inadvertently relax it for a virus, it will still prevent the execution of the infected program.

My secretary's machine believes that it is a word-processor. However, it became badly contaminated with a virus when she tried to print a file on a diskette brought in by a student. Restricting her machine only to the word-processing program would be consistent with the intent of its use and would have prevented it from executing the virus.

This mechanism works fundamentally; i.e., it restricts one of the fundamental capabilities on which a virus relies. It operates early; i.e., it prevents the execution of the virus, rather than trying to detect it, or limiting its ability to write. It does not rely on its ability to recognize programs that are malicious or unauthorized. Rather, it relies upon its ability to recognize programs that are benign or, at least, authorized. This is a much easier problem. As Cohen has said, and as Dave Chess likes to remind us, there is no rule which is sufficient for distinguishing between a virus and any other program. On the other hand, it is relatively easy to distinguish between known and authorized programs, and all others.

This is not an easy restriction to impose or enforce. Nonetheless, it is possible. It is not universally applicable. However, it is broadly applicable, and where it is applied, it is equally effective against all viruses.

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL