Path: utzoo!attcan!uunet!ubvax!ardent!mec
From: mec@ardent.com (Michael Chastain)
Newsgroups: comp.protocols.tcp-ip
Subject: Breaking up the monoculture
Summary: Virus protection through artificial variation?
Keywords: binary virus salt variation
Message-ID: <731@ardent.UUCP>
Date: 23 Nov 88 07:43:56 GMT
Sender: news@ardent.UUCP
Reply-To: mec@ardent.com (Michael Chastin)
Organization: Ardent Computer, Sunnyvale, CA
Lines: 37

Here are my assumptions:

(1) Attacks against a known binary server (e.g. Vendor X, Release Y) are easier to accomplish than general attacks "through the interface".

(2) Some machines on the Internet were unaffected by the recent virus because they had recompiled /etc/fingerd; e.g., with nameserver support. Sorry, I can't find references.

How about a "salt" utility that transforms an executable to another executable, while adding extra bytes here and there to make all the data addresses come out different?

This is even easier to do at link time. Suppose that you have the capability to relink your operating system (e.g., to add device drivers). Do so, and stick in some padding here and there. Now imagine that Internet Worm II shows up on your system and tries to read kernel data space to get juicy network data (e.g. /dev/kmem on Unix). Your physical memory doesn't look like everybody else's! So if the worm is carrying around kernel data addresses, it doesn't get to do what it wants on your system.

I think this idea can be taken further. For instance, if you have source, you could protect private data structures by randomizing the order of their structure members. This wouldn't fool a smart hacker, but it might fool a dumb worm. This would protect against "read the clist and discover what people are typing" attacks.

An unrelated, controversial statement: protecting your user's files is now the second most important thing. The first most important thing is protecting your network connections.
Michael Chastain
Ardent Computer
mec@ardent.com
"He who dies with the most FRIENDS wins."
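
Added example, not part of the original post: a toy C model of the proposed "salt" step, covering both the padding and the member-reordering ideas, which shows what happens to reads that use the stock layout's offsets on a salted build. The member names and sizes, the salt values, and the helpers `make_layout` and `stale_hits` are constructed for illustration; putting at least one pad word in front of every member is a choice made in this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: sizes of c_count, c_first, c_last, c_flags. */
#define NFIELDS 4
static const size_t SIZE[NFIELDS] = {4, 8, 8, 4};
struct layout { size_t offset[NFIELDS], total; };

/* Small LCG so one per-site salt reproduces the same layout on every rebuild. */
static uint32_t next_rand(uint32_t *st) {
    return (*st = *st * 1664525u + 1013904223u) >> 16;
}

/* salt 0 is the stock (vendor) layout. A nonzero salt shuffles member order
 * and puts 1 to 3 pad words (8 bytes each) in front of every member. */
static void make_layout(uint32_t salt, struct layout *out) {
    int order[NFIELDS] = {0, 1, 2, 3}, salted = salt != 0, i;
    size_t off = 0;
    for (i = NFIELDS - 1; salted && i > 0; i--) {    /* Fisher-Yates shuffle */
        int j = (int)(next_rand(&salt) % (uint32_t)(i + 1)), t = order[i];
        order[i] = order[j]; order[j] = t;
    }
    for (i = 0; i < NFIELDS; i++) {
        size_t sz = SIZE[order[i]];
        if (salted) off += 8 * (1 + next_rand(&salt) % 3);
        off = (off + sz - 1) & ~(sz - 1);            /* natural alignment */
        out->offset[order[i]] = off;
        off += sz;
    }
    out->total = off;
}

/* Lay an image out with `salt`, tag each member's bytes with its index + 1,
 * then read at the stock offsets, as code carrying vendor addresses would. */
static int stale_hits(uint32_t salt) {
    struct layout stock, site;
    unsigned char image[256] = {0};
    int i, hits = 0;
    make_layout(0, &stock); make_layout(salt, &site);
    for (i = 0; i < NFIELDS; i++)
        memset(image + site.offset[i], i + 1, SIZE[i]);
    for (i = 0; i < NFIELDS; i++)
        hits += image[stock.offset[i]] == i + 1;     /* right member found? */
    return hits;
}

int main(void) {
    printf("stale reads that still work: stock %d/4, salted %d/4\n",
           stale_hits(0), stale_hits(1988));
    return 0;
}
```

A stale offset can still land on the right member by chance on a salted build, so the variation raises the cost of carrying fixed addresses rather than removing the exposure.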