XPUM01@prime-a.central-services.umist.ac.uk (Dr. A. Wood) (02/10/90)
There has been much rhubarbiage about the possibility of writing a program which will detect <all> viruses in incoming programs, not only a set list of viruses that it has been told about. I suspect that this is partly motivated by trying to achieve the efficiency of biological immune systems - there have been a few 'biological analogy' articles in Virus-L before. This analogy will not work - biological immune systems are set up in a different way.

Long before birth, all possible antibody-producing cell types appear in the body. As in the womb before birth in the normal case, no foreign matter can get in, everything in the fetus is native and belongs. And, at that stage, every antibody-producing cell that loses its antibody, dies, for it must have lost its antibody by an auto-immune reaction. Thus all auto-immune antibody-producing cell lines are eliminated. Time passes and the baby is born. Then, any antibody-producing cell that loses its antibody must have lost it to some foreign matter. So it multiplies, and its descendants produce much antibody to combat the invader. After birth, nothing else gets unopposed into the body.

The only way to imitate this in computers is to have an immune program which knows every program which will be run on that computer, and rejects all strange programs. No good! So, is there any point in this email-space-wasting discussion continuing? Bodies have a permitted list and exclude all others; computers have a forbidden list and admit all others. To a computer, a new virus is merely a new program, and some human has to find that it is harmful and then add it to the forbidden list.

Also, any two bodies' cells (except identical twins) have different immunotypes, and attempted grafting fails, thus any bacterium that learns to masquerade as a legal cell of body A, is rejected on trying to invade body B. The computer analogy of this would be for each individual microcomputer's copy of each authorized program to be different.

The only thing that I can suggest is for microcomputer designers to start using the mainframe technique of preventing programs running under ordinary mode from writing to system areas, and for only the suppliers of the computer to be allowed to write system programs which run under everything-permitted mode. That will exclude damaging viruses, but will still allow the sort of virus that merely multiplies and wastes time and storage space.

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Fri, 09 Feb 90 15:38:12 GMT
wilkins@jarthur.Claremont.edu (Mark Wilkins) (02/13/90)
XPUM01@prime-a.central-services.umist.ac.uk (Dr. A. Wood) writes:

> there have been a few 'biological analogy' articles
>in Virus-L before. This analogy will not work - biological immune
>systems are set up in a different way.

[stuff deleted]

>Also, any two bodies' cells (except identical twins) have different
                                     ^^^^^^^^^^^^^^
>immunotypes, and attempted grafting fails, thus any bacterium that
 ^^^^^^^^^^^
>learns to masquerade as a legal cell of body A, is rejected on trying
>to invade body B. The computer analogy of this would be for each
>individual microcomputer's copy of each authorized program to be
>different.

First, identical twins are not the only humans with identical immunotypes. Any individual's full brother or sister has a 1/4 chance of having an exactly identical immunotype, or rather just slightly less because of crossing-over. But that doesn't belong in this group.

This, however, does: It is true that tissue typing analogies are poor for computerized anti-invasive agents. However, the body's system might provide some clues regarding possibilities for such things.

Suppose one wants to implement a system which, like the human body, is adaptive. How about this: Each low level write call causes a checksum of the data written to be computed, or, better, the checksum is computed 12 hours of uptime later, to avoid some shrewdly-done virus from writing the data out in some randomized fashion. This checksum is then stored and indexed with the program or programs which made the alterations leading to them. If the same checksum starts cropping up repeatedly in calls from several different programs which have never before exhibited such behavior then that indicates that some uniform, self-replicating piece of code MIGHT have infected those programs.

Of course, there are likely to be cases where changes in system configuration will cause this to happen, but all this routine would do is produce a log from which a reasonably technically competent individual could detect the infection. There might, also, be ways to improve it to actually prevent spreading under certain circumstances.

--
Mark Wilkins
wilkins@jarthur.claremont.edu
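
The checksum-per-writer log proposed in the post above, as an added sketch that is not part of the original thread. SHA-256, the threshold of three programs, the class and function names, and the sample events are all assumptions made for illustration; the 12-hour deferred checksum is not modelled.

```python
import hashlib
from collections import defaultdict

def checksum(data: bytes) -> str:
    # Assumption: the post names no algorithm; SHA-256 stands in for "a checksum".
    return hashlib.sha256(data).hexdigest()

class WriteLog:
    """Index checksums of written data by the program that wrote them."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold       # assumed cut-off, not from the post
        self.baseline = set()            # (program, checksum) pairs seen before
        self.writers = defaultdict(set)  # checksum -> programs newly writing it

    def learn(self, program: str, data: bytes) -> None:
        """Record behaviour a program has already exhibited."""
        self.baseline.add((program, checksum(data)))

    def record(self, program: str, data: bytes):
        """Log one write; return (checksum, programs) when it looks replicated."""
        digest = checksum(data)
        if (program, digest) in self.baseline:
            return None                  # known behaviour for this program
        self.writers[digest].add(program)
        if len(self.writers[digest]) >= self.threshold:
            return digest, sorted(self.writers[digest])
        return None

# Constructed sample data: program names and byte strings are made up.
HEADER = b"COMMON LOG HEADER"            # benign block every program writes
REPEATED = b"\x01\x02SAME-BLOCK-IN-EVERY-FILE\x03"
EVENTS = [
    ("FORMAT.COM", HEADER), ("FORMAT.COM", REPEATED),
    ("EDIT.COM", b"user document"), ("EDIT.COM", REPEATED),
    ("CHKDSK.COM", HEADER), ("CHKDSK.COM", REPEATED),
]

def run_sample():
    log = WriteLog()
    for program in ("FORMAT.COM", "EDIT.COM", "CHKDSK.COM"):
        log.learn(program, HEADER)
    alerts = [log.record(program, data) for program, data in EVENTS]
    return [a for a in alerts if a is not None]

if __name__ == "__main__":
    for digest, programs in run_sample():
        print(f"checksum {digest[:16]}... written by {programs}")
```

The shared header never raises an alert because each program wrote it during the learning period, which corresponds to the post's "never before exhibited such behavior" condition; a configuration change that makes many programs write one new block would still be flagged, as the post anticipates.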