[comp.virus] Universal virus detectors

RWALLACE@vax1.tcd.ie (02/02/90)

Leichter-Jerry@CS.YALE.EDU writes:
> All this debate about whether virus detection is equivalent to the
> halting problem, whether real CPU's are best modeled as FSA's or
> Turing machines, and so on, is interesting but in a deep sense
> completely irrelevant.
>
> With simple hardware support, one can design a system in which all
> viruses are trivially detectable.
>
>         Technique:  The hardware will maintain, in both memory and
>         on disk, an "is executable code flag".  For practicality,
>         assume this is done on a block-by-block basis say in units
>         of a K.
>
>         The hardware enforces the following rules:
>
>         1.  Any attempt to execute code from a memory block which
>         is not marked executable fails.
>
>         2.  The only way to write into a block of memory that is
>         marked executable is from a disk block marked executable.
>
>         3.  Any attempt to write to a disk block marked executable
>         fails.  (To write to such a block, the executable flag must
>         first be cleared.)
>
>         4.  Any disk block can be marked executable at any time.
>
>         Memory blocks are marked executable only by reading executable
>         disk blocks into them.
>
>         5.  Associated with every disk block is a time stamp.  When
>         a block is marked executable, the hardware updates its
>         timestamp.
>
>         6.  The system comes with physical ROM blocks, marked
>         executable, which contain at least the code needed to display
>         the timestamps on all executable blocks.

..

> Why does this work, despite all the proofs?

The proofs are not relevant to your idea because they deal with the
problem of deciding whether a piece of code is a virus BEFORE it gets
executed whereas your idea is a run-time system. I gather the point is
that only code in executable blocks on the disk can be executed, and
these blocks can never be created or altered in any way, and any
attempt to modify executable memory fails. OK, so your system won't
work unless flexibility is unacceptably reduced.

1. You can't do things like patch the operating system with utility
programs.  I have LOADS of utility programs on both Amiga and MS-DOS
that modify system jump tables etc. I'd far rather have to defend my
system against viruses myself than give up the use of these programs.
So that alone is sufficient to kill your scheme.

2. Sometimes you WANT to modify programs, the main example being use
of a file zap utility to install patches to the executable code of a
program.

3. You're going to HAVE to have a method for at least
creating/deleting executable disk blocks. What if the user wants to
delete or copy a program file? What if you want to extract a program
from an archive? What if you want to compile a program? What if you
want to download a program from a bulletin board? etc. etc... If
applications software can do these things then so can a virus. So your
system isn't going to be very usable, or else you'll have to give up
security. The timestamps are the only thing you're left with and how
many people are going to go into the ROM monitor program to display
the timestamps on every program on their ***-megabyte hard disk to
make sure nothing's been infected? Anyway you could probably work out
some way to beat this given that the virus has access to the video RAM
(which it _has_ to have).

I hate knocking down all these nice ideas. Someone please come up with
something that'll work, I'm beginning to think there isn't any
solution.

"To summarize the summary of the summary: people are a problem"
Russell Wallace, Trinity College, Dublin
rwallace@vax1.tcd.ie
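As an added example that is not part of the post or of the proposal it quotes: a small Python model of the six hardware rules quoted above, run through a constructed install-and-patch scenario. Every name in it (`Machine`, `HardwareFault`, `audit`, `scenario`) and the integer counter standing in for the hardware clock are assumptions of this model, not anything the proposal specifies. It shows the three refusals the rules impose (rule 1, rule 2 in memory, rule 3 on disk) and the point the reply makes about rule 4: clearing the flag, writing, and re-marking is permitted, so the rule 5 timestamp compared against a recorded baseline via the rule 6 listing is what reveals the change.

```python
from dataclasses import dataclass


class HardwareFault(Exception):
    """Raised when the modelled hardware refuses an operation (rules 1, 2 and 3)."""


@dataclass
class DiskBlock:
    data: bytes = b""
    executable: bool = False
    timestamp: int = 0      # rule 5: set by the hardware when the block is marked executable


@dataclass
class MemBlock:
    data: bytes = b""
    executable: bool = False


class Machine:
    """Hypothetical machine enforcing the quoted rules; a block is modelled as one byte string."""

    def __init__(self, n_disk: int, n_mem: int) -> None:
        self.disk = [DiskBlock() for _ in range(n_disk)]
        self.mem = [MemBlock() for _ in range(n_mem)]
        self.clock = 0      # assumption: a monotonic counter stands in for the hardware clock

    def disk_write(self, blk: int, data: bytes) -> None:
        # Rule 3: writing to a disk block marked executable fails.
        if self.disk[blk].executable:
            raise HardwareFault(f"disk block {blk} is executable; clear the flag first")
        self.disk[blk].data = data

    def disk_set_executable(self, blk: int) -> None:
        # Rules 4 and 5: any block may be marked executable; the hardware stamps it when that happens.
        self.clock += 1
        self.disk[blk].executable = True
        self.disk[blk].timestamp = self.clock

    def disk_clear_executable(self, blk: int) -> None:
        self.disk[blk].executable = False

    def load(self, disk_blk: int, mem_blk: int) -> None:
        # Rule 2: a memory block becomes executable only by reading an executable disk block into it.
        src = self.disk[disk_blk]
        self.mem[mem_blk].data = src.data
        self.mem[mem_blk].executable = src.executable

    def mem_write(self, blk: int, data: bytes) -> None:
        # Rule 2, the other direction: software cannot write into an executable memory block.
        if self.mem[blk].executable:
            raise HardwareFault(f"memory block {blk} is executable")
        self.mem[blk].data = data

    def execute(self, blk: int) -> bytes:
        # Rule 1: executing from a memory block not marked executable fails.
        if not self.mem[blk].executable:
            raise HardwareFault(f"memory block {blk} is not executable")
        return self.mem[blk].data      # returning the image stands in for running it

    def rom_list_timestamps(self) -> dict:
        # Rule 6: the ROM routine that displays the timestamp of every executable disk block.
        return {i: d.timestamp for i, d in enumerate(self.disk) if d.executable}


def refused(op) -> bool:
    """True if the modelled hardware raised HardwareFault for op()."""
    try:
        op()
    except HardwareFault:
        return True
    return False


def audit(baseline: dict, current: dict) -> dict:
    """Blocks whose executable timestamp is newer than the recorded baseline, or absent from it."""
    changed = {}
    for blk, ts in current.items():
        if blk not in baseline:
            changed[blk] = "new executable block"
        elif ts > baseline[blk]:
            changed[blk] = f"re-marked at {ts} (baseline {baseline[blk]})"
    return changed


def scenario() -> dict:
    """Constructed install-and-patch cycle; returns what each step observed."""
    out = {}
    m = Machine(n_disk=4, n_mem=2)
    # Install a program: write while the block is still data, then mark it executable.
    m.disk_write(0, b"PROGRAM v1")
    m.disk_set_executable(0)
    baseline = m.rom_list_timestamps()          # what a user records after a known-clean install
    out["install_ts"] = baseline[0]
    # Rule 3: a direct write to the executable disk block is refused.
    out["direct_write_refused"] = refused(lambda: m.disk_write(0, b"PROGRAM v1 + payload"))
    # Rules 1 and 2: the loaded image runs, but cannot be written in memory.
    m.load(disk_blk=0, mem_blk=0)
    out["runs"] = m.execute(0) == b"PROGRAM v1"
    out["mem_patch_refused"] = refused(lambda: m.mem_write(0, b"patched in RAM"))
    # Rule 1: a data block loaded into memory cannot be executed.
    m.disk_write(1, b"just a document")
    m.load(disk_blk=1, mem_blk=1)
    out["data_exec_refused"] = refused(lambda: m.execute(1))
    # The path the reply says any application can take: clear, write, re-mark (rules 3 and 4).
    m.disk_clear_executable(0)
    m.disk_write(0, b"PROGRAM v1 + patch")
    m.disk_set_executable(0)
    out["patch_ts"] = m.disk[0].timestamp       # rule 5 bumped it
    # Rule 6: comparing the ROM listing with the baseline is what reveals the change.
    out["audit"] = audit(baseline, m.rom_list_timestamps())
    return out


if __name__ == "__main__":
    print(scenario())
```

Run as a script it prints the observations; the entry that matters is `audit`, where block 0 appears because rule 5 stamped it when it was re-marked. That timestamp is the only evidence the rules leave once rule 4 lets software re-mark a block, and it only means something if a baseline was recorded after a known-clean install, which is exactly the per-program check the reply doubts anyone will perform.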