Path: utzoo!attcan!uunet!lll-winken!decwrl!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: David_Conrad%Wayne-MTS@um.cc.umich.edu
Newsgroups: comp.virus
Subject: UVD
Message-ID: <0006.9002221232.AA07723@ge.sei.cmu.edu>
Date: 21 Feb 90 02:17:38 GMT
Sender: Virus Discussion List
Lines: 39
Approved: krvw@sei.cmu.edu

"David.M..Chess" writes:
>> VDOS pseudo-executes the program, checking for
>> every possible outcome and attempts to write to disk.
>
>Unlikely to be practical, I'm afraid? For instance, if the program
>waits for user input, or looks at the time or date, or reads from a
>file (I can't think of -any- program offhand that doesn't sometimes do
>at least one of these), the pseudo-executor would have to
>pseudo-execute a separate instance of the program for every possible
>input/time/data-item. Not likely to finish within the life-expectancy
>of the user!

A separate instance for every possible input? Nonsense. All that is
required is a separate instance for every alternative in a conditional
structure. Of course, that can still require a large number of
instances, and some data will be undefined, so it would be necessary
to rule out entire classes of operations where it is unacceptable for
some parameters to be unknown (such as direct writes to the disk where
the location to be written to is unknown). But many such activities
would be 'suspicious' anyway.

Another method of verification in which the values of data are unknown
and which requires no separate instances of a program is to examine
the code as if all alternatives of a conditional structure are taken.
Once again, it is necessary to rule out certain actions when data
values are unknown. Remember, however, most instructions are not
suspicious even when all parameters are unknown. Also, in conditionals
in machine languages there are only two alternatives in a conditional
branch (branch or don't!).

Still, if one tried to simulate every possible path through any
decently large program the number of instance doublings (every time
there is a conditional jump you get two possible paths) would quickly
eat up memory and it would take a *long* time. But since it isn't
necessary to simulate every possible input, I think the simulation
would terminate within the average user's lifetime.
_________________________________________________________________
David Conrad
BITNET: David_Conrad%Wayne-MTS@um.cc.umich.edu
"He hates the sight of liquor. That's why he drinks so much. To get it
out of sight quickly."
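The second method described in the post above (examining the code as if every alternative of a conditional is taken, with data values left unknown, and ruling out disk writes whose location is unknown) can be sketched as follows. This is an added example, not part of the original post: the toy instruction set, the register names `ax` and `dx`, and the three sample programs are constructed for illustration.

```python
UNKNOWN = object()  # abstract value: contents not known before run time

def join(a, b):
    # Where two paths meet, a register keeps its value only if both agree.
    return {r: (a[r] if a[r] == b[r] else UNKNOWN) for r in a}

def analyze(program, regs=("ax", "dx")):
    """Return pcs of disk writes whose sector register may be unknown."""
    states = {0: {r: UNKNOWN for r in regs}}  # state on entry to each pc
    work, flagged = [0], set()
    while work:
        pc = work.pop()
        st = dict(states[pc])
        op, *args = program[pc]
        succs = [pc + 1]
        if op == "mov":
            st[args[0]] = args[1]
        elif op == "input":            # keyboard, clock, file: value unknown
            st[args[0]] = UNKNOWN
        elif op == "add":
            v = st[args[0]]
            st[args[0]] = UNKNOWN if v is UNKNOWN else v + args[1]
        elif op == "jz":               # conditional: follow both alternatives
            succs = [pc + 1, args[1]]
        elif op == "jmp":
            succs = [args[0]]
        elif op == "write" and st[args[0]] is UNKNOWN:
            flagged.add(pc)            # disk write to an unknown location
        elif op == "halt":
            succs = []
        for nxt in succs:
            new = join(states[nxt], st) if nxt in states else st
            if states.get(nxt) != new:  # re-examine only when state changed
                states[nxt] = new
                work.append(nxt)
    return sorted(flagged)

# Constructed sample programs in the toy instruction set.
SAFE = [("input", "ax"), ("mov", "dx", 5), ("jz", "ax", 4),
        ("add", "ax", 1), ("write", "dx"), ("halt",)]
SUSPICIOUS = [("input", "ax"), ("mov", "dx", 5), ("jz", "ax", 4),
              ("input", "dx"), ("write", "dx"), ("halt",)]
LOOP = [("mov", "ax", 0), ("add", "ax", 1), ("jz", "ax", 4), ("jmp", 1),
        ("mov", "dx", 2), ("write", "dx"), ("halt",)]

if __name__ == "__main__":
    for name, prog in (("SAFE", SAFE), ("SUSPICIOUS", SUSPICIOUS), ("LOOP", LOOP)):
        print(name, analyze(prog))
```

Each instruction is revisited only when the merged state reaching it changes, so conditional jumps do not double the number of instances and loops converge. The price is precision: two paths that load different known sectors also merge to unknown and would be flagged.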