DataMuseum.dk presents historical artifacts from the history of: DKUUG/EUUG Conference tapes
Length: 11495 (0x2ce7)
Types: TextFile
Notes: Uncompressed file
Names: »Dembart.virus.article«
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦this⟧ »./papers/Virus/Dembart.virus.article«
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦737be5bff⟧ »./worm/virus.dembart.Z«
└─⟦this⟧
From: "Paul R. Grupp" <GRUPP@AI.AI.MIT.EDU>
Subject: computer viruses

Security experts are afraid that saboteurs could infect computers
with a "virus" that would remain latent for months or even years, and
then cause chaos.

Attack of the Computer Virus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Lee Dembart
Germ warfare, the deliberate release of deadly bacteria or viruses,
is a practice so abhorrent that it has long been outlawed by
international treaty. Yet computer scientists are confronting the
possibility that something akin to germ warfare could be used to
disable their largest machines. In a civilization ever more dependent
on computers, the results could be disastrous - the sudden shutdown of
air traffic control systems, financial networks, or factories, for
example, or the wholesale destruction of government or business
records.
The warning has been raised by a University of Southern California
researcher who first described the problem in September, before two
conferences on computer security. Research by graduate student Fred
Cohen, 28, shows that it is possible to write a type of computer
program, whimsically called a virus, that can infiltrate and attack a
computer system in much the same way a real virus infects a human
being. Slipped into a computer by some clever saboteur, the virus
would spread throughout the system while remaining hidden from its
operators. Then, at some time months or years later, the virus would
emerge without warning to cripple or shut down any infected machine.
The possibility has computer security experts alarmed because, as
Cohen warns, the programming necessary to create the simplest forms of
computer virus is not particularly difficult. "Viral attacks appear
to be easy to develop in a short time," he told a conference
co-sponsored by the National Bureau of Standards and the Department of
Defense. "[They] can be designed to leave few if any traces in most
current systems, are effective against modern security policies, and
require only minimal expertise to implement."
Computer viruses are aptly named; they share several insidious
features with biological viruses. Real viruses burrow into living
cells and take over their hosts' machinery to make multiple copies of
themselves. These copies escape to infect other cells. Usually
infected cells die. A computer virus is a tiny computer program that
"infects" other programs in much the same way. The virus only occupies
a few hundred bytes of memory; a typical mainframe program, by
contrast, takes up hundreds of thousands. Thus, when the virus is
inserted into an ordinary program, its presence goes unnoticed by
computer operators or technicians.
Then, each time the "host" program runs, the computer automatically
executes the instructions of the virus - just as if they were part of
the main program. A typical virus might contain the following
instructions: "First, suspend execution of the host program
temporarily. Next, search the computer's memory for other likely host
programs that have not been already infected. If one is found, insert
a copy of these instructions into it. Finally, return control of the
computer to the host program."
The entire sequence of steps takes half a second or less to
complete, fast enough so that no one will be aware that it has run. And
each newly infected host program helps spread the contagion each time
it runs, so that eventually every program in the machine is
contaminated.
The virus continues to spread indefinitely, even infecting other
computers whenever a contaminated program is transmitted to them.
Then, on a particular date or when certain pre-set conditions are met,
the virus and all its clones go on the attack. After that, each time
an infected program is run, the virus disrupts the computer's
operations by deleting files, scrambling the memory, turning off the
power, or making other mischief.
The saboteur need not be around to give the signal to attack. A
disgruntled employee who was afraid of getting fired, for example,
might plot his revenge in advance by adding an instruction to his
virus that caused it to remain dormant only so long as his personal
password was listed in the system. Then, says Cohen, "as soon as he
was fired and the password was removed, nothing would work any more."
The fact that the virus remains hidden at first is what makes it so
dangerous. "Suppose your virus attacked by deleting files in the
system," Cohen says. "If it started doing that right away, then as
soon as your files got infected they would start to disappear and
you'd say 'Hey, something's wrong here.' You'd probably be able to
identify whoever did it." To avoid early detection of the virus, a
clever saboteur might add instructions to the virus program that would
cause it to check the date each time it ran, and attack only if the
date was identical to - or later than - some date months or years in the
future. "Then," says Cohen, "one day, everything would stop. Even if
they tried to replace the infected programs with programs that had
been stored on back-up tapes, the back-up copies wouldn't work either
- provided the copies were made after the system was infected."
The idea of virus-like programs has been around since at least 1975,
when the science fiction writer John Brunner included one in his novel
`The Shockwave Rider'. Brunner's "tapeworm" program ran loose through
the computer network, gobbling up computer memory in order to
duplicate itself. "It can't be killed," one character in the book
exclaims in desperation. "It's indefinitely self-perpetuating as long
as the network exists."
In 1980, John Shoch at the Xerox Palo Alto research center devised a
real-life program that did somewhat the same thing. Shoch's creation,
called a worm, wriggled through a large computer system looking for
machines that were not being used and harnessing them to help solve a
large problem. It could take over an entire system. More recently,
computer scientists have amused themselves with a gladiatorial combat,
called Core War, that resembles a controlled viral attack. Scientists
put two programs in the same computer, each designed to chase the
other around the memory, trying to infect and kill the rival.
Inspired by earlier efforts like these, Cohen took a security course
last year, and then set out to test whether viruses could actually do
harm to a computer system. He got permission to try his virus at USC
on a VAX computer with a Unix operating system, a combination used by
many universities and companies. (An operating system is the most
basic level of programming in a computer; all other programs use the
operating system to accomplish basic tasks like retrieving information
from memory, or sending it to a screen.)
In five trial runs, the virus never took more than an hour to
penetrate the entire system. The shortest time to full infection was
five minutes, the average half an hour. In fact, the trial was so
successful that university officials refused to allow Cohen to perform
further experiments. Cohen understands their caution, but considers it
shortsighted. "They'd rather be paranoid than progressive," he says.
"They believe in security through obscurity."
Cohen next got a chance to try out his viruses on a privately owned
Univac 1108. (The operators have asked that the company not be
identified.) This computer system had an operating system designed
for military security; it was supposed to allow people with low-level
security clearance to share a computer with people with high-level
clearance without leakage of data. But the restrictions against data
flow did not prevent Cohen's virus from spreading throughout the
system - even though he only infected a single low-security-level
user. He proved that military computers, too, may be
vulnerable, despite their safeguards.
The problem of viral spread is compounded by the fact that computer
users often swap programs with each other, either by shipping them on
tape or disk or sending them over a telephone line or through a
computer network. Thus, an infection that originates in one computer
could easily spread to others over time - a hazard that may be
particularly severe for the banking industry, where information is
constantly being exchanged by wire. Says Cohen, "The danger is that
somebody will write viruses that are bad enough to get around the
financial institutions and stop their computers from working."
Many security professionals also find this prospect frightening.
Says Jerry Lobel, manager of computer security at Honeywell
Information Systems in Phoenix, "Fred came up with one of the more
devious kinds of problems against which we have very few defenses at
present." Lobel, who organized a recent security conference sponsored
by the International Federation for Information Processing - at which
Cohen also delivered a paper - cites other potential targets for
attack: "If it were an air traffic control system or a patient
monitoring system in a hospital, it would be a disaster."
Marvin Schaefer, chief scientist at the Pentagon's computer security
center, says the military has been concerned about penetration by
virus-like programs for years. Defense planners have protected some
top-secret computers by isolating them, just as a doctor might isolate
a patient to keep him from catching cold. The military's most secret
computers are often kept in electronically shielded rooms and
connected to each other, when necessary, by wires that run through
pipes containing gas under pressure. Should anyone try to penetrate
the pipes in order to tap into the wires, the drop in gas pressure
would immediately give him away. But, Schaefer admits, "in systems
that don't have good access controls, there really is no way to
contain a virus. It's quite possible for an attack to take over a
machine."
Honeywell's Lobel strongly believes that neither Cohen nor any other
responsible expert should even open a public discussion of computer
viruses. "It only takes a halfway decent programmer about half a day
of thinking to figure out how to do it," Lobel says. "If you tell
enough people about it, there's going to be one crazy enough out there
who's going to try."
Cohen disagrees, insisting that it is more dangerous `not' to
discuss and study computer viruses. "The point of these experiments,"
he says, "is that if I can figure out how to do it, somebody else can
too. It's better to have somebody friendly do the experiment, tell
you how bad it is, show you how it works and help you counteract it,
than to have somebody vicious come along and do it." If you wait for
the bad guys to create a virus first, Cohen says, then by the time you
find out about it, it will be too late.