[comp.virus] The Ultimate Anti-Viral Solution?

SMIBS@RHODES.BITNET (Benjamin S. Smith) (02/02/90)

An idea which rolled off the top of my head this afternoon:

Every new program which comes out for your computer also has an
"anti-virus module" with it, as a separate data file.  This module
contains information on what actions the program which you have just
acquired takes during operation.  Does the program ever change size?
Does it ever create additional files?  Is it authorized to make
changes to other programs?  What kinds of changes?  How is it allowed
to make such changes?  Does it ever run/read other programs or data
files?  and so on.  Included would be a list of all required
read/write actions which the program uses.

A central program, included with your computer from its manufacturer,
is in charge of overseeing every one of these data files.  It is a
system-wide guard against unauthorized attempts from within any
program to modify data on your computer.  If a problem occurs, the
central program spells it out for you and asks for further
instructions.

Somehow the central program would have to be referenced with every
read and write, admittedly a long process.  Maybe the program could be
a piece of hardware, a chip, or extra memory simply set aside to be
used only by the central program.  Also, the more programs you have,
the more that the central program must keep track of.  Perhaps too
much information to deal with at once.  But it sounds good, right?

This way the burden for virus protection falls on the computer
manufacturer and the software companies themselves.  No new updates of
anti-virus programs are needed, since the computer can recognize any
"incorrect" activity.  Saves your $$, as you don't have to subscribe
to an anti-virus updating service.

Feasible?  Or just too complicated?  Could such a setup be compromised
in any way short of hardware failure?  Give it some thought.....

Ben Smith
smibs@rhodes.bitnet

vronay%castor.usc.edu@usc.edu (David Vronay) (02/03/90)

Well, the idea of programs containing descriptions of their own
activity is nice, but doesn't really solve the problem.  After
all, all an infecting virus has to do is change these permission
files.  Or better yet, the virus could patch the code that did
these checks so that the code would let this particular virus
go through.  If we think about how current virus detection programs
"work", they basically do exactly what you described (only, instead
of each manufacturer describing the program's behaviour, the burden
is on the user).  Take SAM, for instance, which can keep track of
legal and illegal activities on an application-by-application basis.
When it detects illegal activity, it brings up a dialog box that says
"Allow", "Deny" and "Learn" (or three similar options).  Clicking on
"Learn" will change SAM's description of that program to allow that
potentially-illegal action in the future.  Now, that information is
stored in SAM somewhere, where any moderately clever virus could
find it and modify it.  Now, let's go one step further and pretend
that Symantec made it impossible (via some yet-undiscovered hardware
scheme) for SAM to be modified.  Now our virus would be forced to
use the following piece of pseudo-code:

Step 1:  Set the window-manager's port 16,000 pixels to the left
Step 2:  Set up dialog-box sniffer code that works at _vblank time.
Step 3:  Do illegal virus activity
Step 4:  SAM brings up its dialog box, which now appears about 16
         feet off the screen due to step 1.
Step 5:  The dialog sniffer from step 2 "sees" the dialog and
         generates a mouse-down event over the "Learn" button.
Step 6:  SAM writes the new exception to its special hardware
Step 7:  Restore the window-manager's port to its old position.

We have now successfully infected, despite all of super-SAM's
hardware whatever.

Let's face it.  There is NO WAY WHATSOEVER to make a computer
virus-proof, because there is no way that a computer can
determine the true intentions of a piece of code.  (which, in turn,
is due to the fact that code doesn't HAVE intentions, only the
programmer who wrote it has intentions, and guess what?  They
don't make it through the compile! :-)

We should concentrate our efforts on education, not complex software
solutions.  After all, computer virii seem more a social problem
than a technological one.

- - ice
==================
email replies to: iceman@applelink.apple.com
DISCLAIMER:  Not even I subscribe to everything I say
==================
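An added example, not code from either poster, sketching the design the thread debates: a central monitor that checks each write against the program's declared manifest, and that verifies the manifest's integrity before trusting it, because Vronay's objection is that a virus can simply rewrite the permission file. Assumed (not in the thread): Python, a JSON manifest, and an HMAC key kept where ordinary programs cannot read or write it (the set-aside chip or memory Smith imagines); the manifest contents and paths are constructed.

```python
import hmac
import hashlib
import json

# Constructed sample "anti-virus module" for one program: what it declares
# about its own behaviour (the questions Smith lists in his post).
MANIFEST = {
    "program": "LEDGER.EXE",
    "may_create_files": True,
    "may_modify_programs": False,
    "allowed_write_prefixes": ["C:/LEDGER/DATA/"],
}

# File types the monitor treats as "other programs".
PROGRAM_SUFFIXES = (".exe", ".com", ".sys")


def sign_manifest(manifest, key):
    """Vendor side: bind the manifest to a key the host's programs cannot reach.
    If a virus can read this key it can re-sign a rewritten manifest, so the
    scheme only holds if the key really lives outside any program's reach."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def load_manifest(manifest, tag, key):
    """Monitor side: refuse to use a manifest whose tag no longer verifies."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise ValueError("manifest integrity check failed for %s"
                         % manifest.get("program"))
    return manifest


def check_write(manifest, path, existing=True):
    """Decide whether the program may write `path`; returns (allowed, reason).
    Order matters: touching another program is refused before any path test."""
    p = path.replace("\\", "/")
    if p.lower().endswith(PROGRAM_SUFFIXES) and not manifest["may_modify_programs"]:
        return False, "modifying other programs is not declared in manifest"
    if not existing and not manifest["may_create_files"]:
        return False, "creating new files is not declared in manifest"
    if not any(p.upper().startswith(pre.upper())
               for pre in manifest["allowed_write_prefixes"]):
        return False, "path is outside the declared write set"
    return True, "declared"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # stands in for the protected store
    tag = sign_manifest(MANIFEST, key)
    m = load_manifest(MANIFEST, tag, key)
    print(check_write(m, "C:/LEDGER/DATA/JAN.DAT"))   # allowed
    print(check_write(m, "C:/DOS/COMMAND.COM"))       # denied: other program
    tampered = dict(MANIFEST, may_modify_programs=True)
    try:
        load_manifest(tampered, tag, key)   # a rewritten manifest is rejected
    except ValueError as err:
        print("rejected:", err)
```

The rejection of the rewritten manifest is the whole point: without the integrity step, the monitor would faithfully enforce whatever the virus wrote into the permission file.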