Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sample.eng.ohio-state.edu!purdue!news.cs.indiana.edu!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: ingoldsb%ctycal@cpsc.ucalgary.ca (Terry Ingoldsby)
Newsgroups: comp.virus
Subject: Re: Software Upgradable BIOS (PC)
Message-ID: <0006.9106101933.AA10096@ubu.cert.sei.cmu.edu>
Date: 6 Jun 91 18:54:17 GMT
Sender: Virus Discussion List
Lines: 36
Approved: krvw@sei.cmu.edu

padgett%tccslr.dnet@mmc.com (Padgett Peterson) writes:
> >From: "William Walker C60223 x4570"
...
> >I feel that the prominent anti-virus researchers (and some of us
> >others) ought to collectively rise up and protest the software-
> >upgradable BIOS before it gets any acceptance.
...
> Tullahoma in the seventies - Hi Bill), there does not have to be a problem
> if the hardware designers do their job. An EEPROM requires a special signal
> on one lead to tell it to write. If that lead is under hardware control and
> accessible only with the case open and a special plug in place that disables
> everything except a "load & verify BIOS" program, risk can be minimal.

It is not even necessary to place it under hardware control, rather if
the hardware incorporates an interlock that requires a special,
possibly unique, code, then the viruses could bash at it forever
(almost) without success. For example if each machine thus
manufactured were assigned a unique value in EPROM (which could not be
read by the CPU), say of length 64 bits, then the user could be
queried, by the software upgrade program, to enter the key. If the
key matched, the EAROM would be modified, otherwise nothing would
happen. Note that if my quick calculations are correct, at a rate of
1 million tries per second it takes about 1800 years to try all the
combinations. Surely after a year or so even the most patient of
users would realize that something was wrong. The number could even
be printed on the back of the machine, in case the user should forget.

- Terry -

--
Terry Ingoldsby              ingoldsb%ctycal@cpsc.ucalgary.ca
Land Information Services                 or
The City of Calgary          ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb
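
The key-gated write interlock described in the post above, modelled in C as an added example that is not part of the original post. The names interlock_t, interlock_init and interlock_write, the 16-byte image, the key value and the rejected-attempt counter are all assumptions made for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIOS_SIZE 16   /* constructed: tiny image so the demo stays readable */

/* Hypothetical model of the interlock. The key stands for the per-machine
 * value the CPU cannot read back; software may only submit a guess. */
typedef struct {
    uint64_t      key;              /* 64-bit per-machine value */
    uint8_t       bios[BIOS_SIZE];  /* EAROM contents */
    unsigned long rejected;         /* assumption: failed-attempt counter */
} interlock_t;

void interlock_init(interlock_t *d, uint64_t key, const uint8_t *image)
{
    d->key = key;
    d->rejected = 0;
    memcpy(d->bios, image, BIOS_SIZE);
}

/* Rewrites the BIOS and returns 1 only when the key matches. On a mismatch
 * nothing is modified; the attempt is counted so that sustained guessing is
 * visible to whoever inspects the machine. */
int interlock_write(interlock_t *d, uint64_t guess, const uint8_t *image)
{
    if (guess != d->key) {
        if (d->rejected != ULONG_MAX)
            d->rejected++;          /* saturate instead of wrapping to 0 */
        return 0;
    }
    memcpy(d->bios, image, BIOS_SIZE);
    return 1;
}

int main(void)
{
    uint8_t shipped[BIOS_SIZE], update[BIOS_SIZE];
    interlock_t dev;
    memset(shipped, 0xAA, sizeof shipped);
    memset(update, 0x55, sizeof update);
    interlock_init(&dev, 0x0123456789ABCDEFULL, shipped);  /* constructed key */
    for (uint64_t g = 0; g < 1000; g++)      /* unattended wrong guesses */
        interlock_write(&dev, g, update);
    printf("rejected=%lu intact=%d\n", dev.rejected,
           memcmp(dev.bios, shipped, BIOS_SIZE) == 0);
    return !interlock_write(&dev, 0x0123456789ABCDEFULL, update);
}
```

The counter is the part a defender would read: a nonzero value on a machine whose owner never ran the upgrade program shows that something has been submitting keys.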