YZE6041@vx.acss.umn.edu (david paul hoyt) (11/18/89)
This is really in response to the CRC auto-diagnosis letters recently, but it was prompted by Bob Bosen's November 16th article. Mr. Bosen points to very good documents that will point the serious anti-viral-minded software developers to an excellent method of defending their software (and customers) from viruses. I would suggest that software developers should at least review these documents. However, I would like to add a comment. Any of these auto-check schemes relies on a small number (1 to n) of programmed checks to see if the software has been corrupted. While this will defend against a general-purpose or unsophisticated virus, it has little value against a malicious attack against your product.

About ten years ago, there was a game called Dungeon, which ran under VMS and perhaps other machines as well. Dungeon had something called 'game master mode.' You could rearrange things (cheat) to your heart's content. Figuring out how to use 'game master mode', figuring out its data structures, parsers and whatnot, was much more interesting and educational than the game itself. But I digress. You entered it by saying something (incant?) and it would issue you a challenge. It gave you a word, and you had to decrypt it. Knowing nothing about cryptanalysis, I might have been out of luck. But rather than figuring out the cipher, I merely found the routine that checked to see if your response was correct and patched it to always return true. If I could figure this out as a complete novice (that was the first year I had seen a computer), think what a disgruntled employee might be able to do.

The solution is, of course, to put part of the check someplace other than in the computer. The user can, even without his knowledge, be an integral part of the check. In the Mac world, and probably other worlds as well, when you first open an application, it asks you your name and your company. It then stores that data someplace, and each subsequent time you open the program it proclaims "This program is licensed to My Favorite Person," or whatever else you happened to answer. The long and the short of it is this: that name can be used as the key, along with the checksum, signature or whatever else you use, to encrypt itself. The CRC, exclusive-OR'ed with the odd bytes of the name, can be used to create a key to decode the even bytes of the name. Or any other like method. The individual's name will then be part of the correct 'signature' for the program. And the best part of it is that it will be the user, not the program, that performs the final authentication. If the user sees "This program is licensed to M# Fpv9r`ta.eas*n", then she will know something's afoot. And there is nothing the vandals can do about it. The virus will be detected.

david hoyt | dhoyt@vx.acs.umn.edu | dhoyt@umnacvx.bitnet
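The scheme Hoyt sketches in the post above, worked through as an added example (this is not Hoyt's code, and the Mac applications he mentions did not necessarily work this way). On first launch the licensee's name is stored with its even-position bytes XOR-enciphered under a key built from the program's CRC and the name's odd-position bytes, which stay in the clear; on every later launch the program recomputes the CRC of its image as it is now, decrypts, and shows the result. The "program image" is a constructed byte string standing in for a code segment, and the "patch" is the novice's trick from the post: the conditional jump guarding a check is NOPed out so the check always passes. The CRC then changes, and the greeting comes out garbled in the enciphered positions while the clear odd positions still read correctly, which is exactly the cue the user is meant to notice.

```python
"""Hoyt's user-in-the-loop tamper check, as an illustrative example.

The licensee's name is stored with its even-position bytes enciphered
under a key derived from the CRC of the program image; a patched image
yields a different CRC and therefore a garbled greeting.
"""
import zlib

# Constructed stand-in for an application image: a few x86-style bytes
# around a "compare; jump-if-not-equal" that guards some internal check,
# followed by filler. A real program would checksum its own code on disk.
PROGRAM_IMAGE = (b"\x55\x48\x89\xe5"          # push rbp; mov rbp, rsp
                 + b"\x39\xc8\x75\x0c"        # cmp eax, ecx; jne fail  (the check)
                 + bytes(range(256)) * 2)     # filler

# The novice's patch from the post: replace "jne fail" (75 0c) with two
# NOPs (90 90) so execution always falls through into the success path.
PATCHED_IMAGE = PROGRAM_IMAGE[:6] + b"\x90\x90" + PROGRAM_IMAGE[8:]
assert len(PATCHED_IMAGE) == len(PROGRAM_IMAGE)

GREETING = "This program is licensed to "


def image_crc(image: bytes) -> int:
    """CRC-32 of the program image; any byte change alters it."""
    return zlib.crc32(image) & 0xFFFFFFFF


def _key(crc: int, odd_bytes: bytes, count: int) -> bytes:
    """Key for the `count` even-position bytes: the four CRC bytes, cycled,
    XORed with the odd-position bytes (stored in the clear). A name of odd
    length has one even byte with no odd partner; that slot is padded with 0."""
    crc_b = crc.to_bytes(4, "big")
    padded = odd_bytes + b"\x00" * (count - len(odd_bytes))
    return bytes(crc_b[i % 4] ^ padded[i] for i in range(count))


def _interleave(even: bytes, odd: bytes) -> bytes:
    out = bytearray(len(even) + len(odd))
    out[0::2] = even
    out[1::2] = odd
    return bytes(out)


def register(name: str, image: bytes) -> bytes:
    """First launch: take the user's name and store it with the even-position
    bytes enciphered under the key derived from the current image's CRC."""
    raw = name.encode("latin-1")          # one byte per character, reversible below
    even, odd = raw[0::2], raw[1::2]
    k = _key(image_crc(image), odd, len(even))
    enc_even = bytes(a ^ b for a, b in zip(even, k))
    return _interleave(enc_even, odd)     # the stored licence record


def greeting(record: bytes, image: bytes) -> str:
    """Every launch: recompute the CRC of the image *as it is now*, undo the
    cipher and show the name. The user, not the program, judges the result."""
    enc_even, odd = record[0::2], record[1::2]
    k = _key(image_crc(image), odd, len(enc_even))
    even = bytes(a ^ b for a, b in zip(enc_even, k))
    # latin-1 maps every byte to some character, so a garbled name is
    # displayed rather than raising a decoding error.
    return GREETING + _interleave(even, odd).decode("latin-1")


if __name__ == "__main__":
    record = register("My Favorite Person", PROGRAM_IMAGE)
    print("untouched:", greeting(record, PROGRAM_IMAGE))
    print("patched:  ", greeting(record, PATCHED_IMAGE))
```

Because the key cycles the four CRC bytes, every enciphered position depends on the CRC; a single changed byte anywhere in the checksummed region changes the CRC and so the displayed name, while the odd-position characters, stored in the clear, come out unchanged. For the check to mean anything the CRC routine, the stored record and the greeting code must themselves lie inside the region that is checksummed, otherwise they are simply more code to patch.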