Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!umich!sharkey!msuinfo!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 71435.1777@CompuServe.COM (Bob Bosen)
Newsgroups: comp.virus
Subject: Signature Programs
Message-ID: <0001.9004111326.AA11326@ubu.cert.sei.cmu.edu>
Date: 10 Apr 90 13:36:58 GMT
Sender: Virus Discussion List
Lines: 118
Approved: krvw@sei.cmu.edu

Several weeks ago, Ross Greenberg challenged me to obtain and post descriptions of tests and user experiences involving use of sophisticated authentication algorithms in the "real world" against real viruses. Because I represent a commercial software vendor I was hesitant to publish my own test results out of fear I would sound biased. Most of my clients are rather secretive, and it took a while before I was able to arrange for the following to be written and cleared for posting.

The following is a message forwarded from Padgett Peterson, a well-known (in some circles) virus researcher, employed by a well-known Defense Contractor. He speaks only for himself. Padgett conducted a detailed evaluation of a great many viral defense products, subjecting them to a collection of viruses and stressing them in other ways. I am posting his words for him because at the moment, his internet access is rather awkward.

He comments on valuable ways to use authentication algorithms at all ends of the spectrum, and I find his views similar to my own, inasmuch as my product offers authentication algorithms at all ends of the spectrum and allows users to "fine-tune" the sophistication of the algorithm to suit all the extremes and norms Padgett discusses. But there are things in his views that'll make a lot of folks happy. The following are his words:

FOR POSTING

A. Padgett Peterson

Recently, following a hiatus from the VIRUS-L forum, I have had the opportunity to examine the continuing authentication (thank you WordStar) saga.
All of the people involved appear to be knowledgeable and concerned participants, yet they seem to be arguing the same side of two different questions:

1) Authentication of known software in a controlled unique environment (Radai and Greenberg).

2) Authentication of unknown, publicly transmitted software (Bosen and Murray).

The virus issue, while a valid concern, is just a complicating factor, since, if the software were trusted, by definition it could not be infected. The focus of the issue is what level of authentication is necessary for trust. All of the participants agree that some is necessary - the question is how much?

My personal feeling is that an authentication algorithm may be very simple (CRC or less) provided that it is unknown (or unpredictable). Since my 4.77 MHz/ST-412 museum piece is capable of a simple byte count/XOR/ROR disk file check at 50k bytes/second (and could be faster if done in RAM by a TSR between LOAD and EXECUTE), performance concerns are unnecessary (quantum economics). This method is suitable for any physically controlled system.

Unfortunately, Mr. Greenberg's algorithm fails this test because it is publicly known. A mechanism designed to subvert his programs is feasible (worm, trojan, virus, bomb, etc.). However, given a small number of different algorithms (ADD/SUB/XOR followed by ROL/ROR/NOP give nine easily) generated by a machine-unique seed (time hack at initial algorithm load would work), a non-resident intruder would have a very hard time subverting a system without generating a few errors first. This is particularly effective if even the creator of such a program cannot predict which algorithm/seed will be used on a particular machine.

A procedure such as this is even workable in a networked/server environment: the file itself is stored en clair. Each authorized user has a unique signature file. No two signatures match yet each will authenticate the same file in the proper machine. A nightmare for intruders.
Alternatively, a publicly transmitted file for which the algorithm/key is also public requires a much more rigorous algorithm to avoid spoofing or infection by a determined intruder. In this case ANSI or DES is appropriate.

Taken together, the indication would be that for inter-machine transmission, the more rigorous public-key methods would be appropriate, while a much simpler one would be suitable for intra-machine retrieval. This would postulate a software package that:

a: Uses a simple (fast) but unique algorithm for known files whose signatures are stored on the platform.

b: Requires a much more rigorous authentication process for unknown files (possibly also requiring authorization for load).

c: Once (b) is satisfied allows a file to migrate to (a).

Considering the viral threat, if a virus is accompanied by a valid signature, ANY authentication scheme will pass it, however, as soon as a resident file is infected, the unique resident signature will become invalid.

The point was raised concerning Boot and Partition Table Infectors (Hidden Sector, FAT, Root, RAM-Resident, and Bad Sector Infectors are also possible). This is a different question from that of authenticating a file. At present I know of only one package that provides complete coverage: Enigma-Logic's Virus-Safe which I use. However, over 90% of all PC virii could have been caught early by a CLI that occasionally compares the Top-Of-Memory, the end of DOS/TSR memory, and the first byte of the Boot Sector against known values. MS-DOS doesn't.

(END OF PADGETT PETERSON POSTING)

Thank You,
Bob Bosen
Enigma Logic Inc.
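An added example, not code from the posting or from any product it names, of the seed-selected "nine easy algorithms" (ADD/SUB/XOR followed by ROL/ROR/NOP) byte-count check Padgett describes, with a per-machine signature file that the same file authenticates against on each machine. The seed-to-variant mapping, the 24-bit signature layout and the sample file bytes are constructed assumptions.

```python
# Added example, not code from the posting or from any product it names:
# Padgett's nine variants (ADD/SUB/XOR, then ROL/ROR/NOP), picked by a
# machine-unique seed and run as a byte count plus an 8-bit running check.
# The seed-to-variant mapping and the 24-bit signature layout are assumed here.
COMBINE = ("add", "sub", "xor")
ROTATE = ("rol", "ror", "nop")

def rotl8(x):
    return ((x << 1) | (x >> 7)) & 0xFF

def rotr8(x):
    return ((x >> 1) | (x << 7)) & 0xFF

def choose_variant(seed):
    """Map a seed (e.g. a time hack taken at install) to one of the nine variants."""
    return COMBINE[seed % 3], ROTATE[(seed // 3) % 3]

def signature(data, seed):
    """24-bit signature: 16-bit byte count in the high bits, 8-bit accumulator below."""
    combine, rotate = choose_variant(seed)
    acc = seed & 0xFF  # the seed also sets the starting state of the accumulator
    for b in data:
        if combine == "add":
            acc = (acc + b) & 0xFF
        elif combine == "sub":
            acc = (acc - b) & 0xFF
        else:
            acc ^= b
        if rotate == "rol":
            acc = rotl8(acc)
        elif rotate == "ror":
            acc = rotr8(acc)
    return ((len(data) & 0xFFFF) << 8) | acc

def register(store, name, data, seed):
    """Record a trusted file's signature in this machine's signature file (a dict here)."""
    store[name] = signature(data, seed)

def verify(store, name, data, seed):
    """True only if the file still matches the signature recorded on this machine."""
    return name in store and store[name] == signature(data, seed)

if __name__ == "__main__":
    program = bytes(range(64)) * 4                       # constructed stand-in for a .COM file
    infected = program[:100] + b"\xEB" + program[101:]   # one byte patched, same length
    store_a, store_b = {}, {}                            # two machines, seeds 0 and 5
    register(store_a, "DEMO.COM", program, 0)
    register(store_b, "DEMO.COM", program, 5)
    print(store_a["DEMO.COM"], store_b["DEMO.COM"])      # each machine runs its own variant
    print(verify(store_a, "DEMO.COM", program, 0))       # unchanged file still authenticates
    print(verify(store_a, "DEMO.COM", infected, 0))      # a single-byte change is always caught
```

Because every step is a bijection on the accumulator, any single-byte change is detected under all nine variants; the scheme's strength against a deliberate intruder rests entirely on the seed being unknown, which is exactly the distinction the posting draws between the intra-machine and publicly transmitted cases.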