Leichter-Jerry@CS.YALE.EDU (02/04/90)
David Chess continues, in essense, to complain about the user interface. He says that determining which changes to executables were deliberate and which not is too hard, etc. This again misses my point. I was not trying to sell anyone on a "solution to the virus problem". I was trying to point out that the apparent THEORETICAL impediments to virus DETECTION were in no sense basic, but were side-effects of the particular ways we have chosen to build our hardware and our mathematical models. We can make other choices if we wish. He also asks: Or it could create the object that it wanted, and call the copy utility. Or is it impossible for a program to copy a non-executable thing to an executable thing? That would help a little, but would also make the system less convenient to use. How do you get a new copy of the linker? How do you write a patch program? No, on such a system you could not copy a non-executable thing to an executable, unless you chose to have a copy routine which was marked "may set the 'executable' bit". Most people do not need patch programs - most people are not programmers. Those who need a patch program can give it the appropriate rights. You create a new linker by linking one with the old one, if you are in the business of creating new linkers. Or you install one, already marked as executable, from a binary disk you got from a trusted source. Russell Wallace has two complaints: That this technique only catches viruses at run-time, rather than by examining the code, and that various things he does on his Amiga, like patching code, would become impossible. For the first, I suggest that *I* examine code by running it on my CPU - it's much better at looking closely at things than I am. Today, that's a dangerous thing to do, since the act of examination may let a virus do damage. On a properly built system, I would be told if the code tried to do anything to any of my executables. As for patching and such: The machines I described are perfectly capable of doing anything any current machine can do. If you give a patch program the right to create executable code, it will work just as it does today. Of course, in the process you give up some of your protection. Hey, if you release the safety on a gun, you could accidentally shoot yourself. Imagine that! Arthur Larky writes: "Perhaps I'm Missing Something" and points out that an MS/DOS timestamp is worthless. Yes, he did miss something - my article which talked about where these timestamps come from. Sorry, not from MS/DOS or any existing software or hardware.... He also says: But that's what I do for a living: "program development, install new executables, etc." Oh, well, one can always retire to something less challenging such as urban warfare. Welcome to the real world. Only a minority of us do program development, a minority that is growing smaller every day. While most owners of PC's have to install executables, that involves a minute fraction of the time they spend using their systems. If a system protected them, it would be well worth building. As to the developers - - they are inherently doing something riskier, and will have to watch their systems more carefully. With the "no new executables" switch off, they can develop - and be infected - as always. They still get the hardware modification log if they want it. I translate this to mean "find something other than a PC or a MAC on which to do your computing." True, but it doesn't solve the current problem for most of us. You bet. But, to repeat myself, I wasn't TRYING to solve anyone's current problems - I was trying to show that a solution is POSSIBLE, if we decide it is worth the costs. The problems involved are monetary/political/organizational, NOT technical. -- Jerry
CHESS@YKTVMV.BITNET (David.M..Chess) (02/05/90)
> David Chess continues, in essense, to complain about the user > interface. Not at all! I'm saying that, no matter *what* the user interface looks like, a system that relies on a human to decide whether or not a timestamp-change is legitimate is no more a "universal virus detector" than a program that relies on the user to type in the answers is a "universal problem solver". Jerry's point that most machines are not used for program development is well-taken. But the machines which -are- used for program development are the ones where a virus could do the most damage (if I buy a program that was infected with a virus "at the factory", the fact that it can't spread any more on my machine isn't all that much comfort). It's also important to remember that "program development" has to include writing BAT and CMD files, tailoring HyperCard cards, and anything else which can effect, in a general-purpose way, how the machine acts; taking that into account, many machines are used for program development, and the proportion that are is likely to grow rapidly as "programming" becomes easier. It also becomes less clear that an "is executable" bit is useable. Would a Basic program be marked as executable? Would a shell script? DC