Custom Page

Read Me First System Security ***PC Security ***Watchdog/Paranoia ***Active Response ***Insecure Education ***Designing Weapons Security ***Terrorist Article Intelligence ***Public Secrets ***Relating Trivia Tech Transfer ***Mining Technology ***Tech Links The Future of Aggression Community Archeology Resume/Experiences Clients ***Part D Slides Thoughts

Watchdog/Paranoia

WATCHDOG/PARANOIA SUMMARY 
 
WATCHDOG is a cooperative tandem process replicatory software mechanism for  protecting executable code in an on-line real time computing system.  PARANOIA algorithmic code ia  attached to executable code of a software computing system.  WATCHDOG/PARANOIA validates  the integrity of executable code and themselves before allowing a monitored program to execute.  This self propagating replicating mechanism, with inherent anti-tampering (self/cross validation),  disallows operator/user interference with its functioning. It was successfully demonstrated on October 5, 1989, at the SDC, Huntsville, Alabama.
 
*************************************************

*      COOPERATIVE TANDEM PROCESS:                                        *

*                                                                                                           *
*                                >> PAR.<-> executable code                      *
*                              /    1                                                                     *
*                         P   /                                                                           *
*              WATCHDOG / A <---->  PAR.<-> executable code    *
*                         R         2                                                                     *
*                                                                                                            *
*                         1         PAR.<-> executable code                         *
*                        to <----)  3                                                                *
*                         n'  \                                                                            *
*                              \ >> PAR.<-> executable code                      *

*                              n'                                                                           *
*                                                                                                            *

*      PAR.=PARANOIA                                                                          *
*                                                                                                              *
***************************************************

       NOTE: the multiple copies of paranoia are limitless
 
WATCHDOG scans all  executable files within a system and validates whether or not Paranoia is attached.   If not,  WATCHDOG  will create and attach PARANOIA  to the unprotected code segments.    PARANOIA is replicated by WATCHDOG to each executable code segment.  In a unique cooperative tandem process WATCHDOG validates the integrity of PARANOIA and is, in turn, validated as unchanged. 

Validation is  achieved through  the use of  an integrated CRC-32/Checksum calculated  on a known good copy of the executable code.   This value is stored within PARANOIA which is attached to the executable code.    Every time the code segments (shell script/library) or programs are to be executed, PARANOIA recalculates and validates the algorithmic result and compares it to the original value.  If the  validation is true, the execution  of the program segment is permitted.  If the validation is false, PARANOIA sends E-Mail on-site  and  off-site  to warn  of possible corruption/infection.  WATCHDOG/PARANOIA  can be custom coded to lock  up the system, or,  disallow execution of the offending program segment while allowing  validated program segments to continue processing. 
 
The anti-tampering mechanism is derived from communications between WATCHDOG and PARANOIA.  Each time a code segment containing PARANOIA is executed, PARANOIA queries WATCHDOG to validate WATCHDOG is functioning.  If WATCHDOG is functional, PARANOIA continues.   If WATCHDOG is non-functional in any way, PARANOIA will send E-Mail, both on- and off-site,  and prevent the execution of the suspect program segment.  The same result occurs if PARANOIA fails its validation by WATCHDOG.  

For security  reasons,  the source  and  object  code  for Watchdog/Paranoia are available only to approved Defense personnel.   Watchdog/Paranoia offers the ultimate weapon for data subversion via header record tagging combined with the continued existence of the tandem co-process.

REPORT OF SDI SPONSORED RESEARCH

Title of Research: 

Front-End Anti-Viral/Change Detection Mechanisms Using Replicating /
Self-Replicating Software to protect Strategic Defense Initiative Organization
National Test Bed Facility, Defense Department Communications, and Corporate
Contractor Networks, Applications and Data
 
The  views and conclusions contained in this sample are those of the authors and should
not be interpreted as necessarily representing the official policies, either  expressed or
inferred, of the US Department of Defense and the Strategic Defense Initiative
Organization.  The complete document with its associated software code is 171 pages.
This research is proprietary to and copyrighted by Thomas V. Sobczak, Consultants.
 
 A.  TASK OBJECTIVES
 
     The objectives of Task DI-MISC-80048, Front-End Anti-Viral Detection Mechanism
Using Replicating/Self-Replicating Software, are threefold:
 
     1.   Research  viral  mechanisms,  antiviral  procedures,  and self-replicating 
          Software mechanisms for use  as security products in MS-DOS and UNIX
          environments on PCs, Workstations and Midrange Devices.
 
     2.   Evaluate  the applicability of said mechanisms to protect and/or identify
          and/or detect computer virus intrusion and corruption within said systems.
 
     3.   Begin  experimentation with a replicating/self-replicating software product to
          be used to secure SDI operating systems, software libraries, and data
          archives.
 
 B.  TECHNICAL PROBLEMS
 
     !.   Bugs in AT&T UNIX system 5 version 4 (HCL America Magnix)-CSH supports
job monitoring while KSH does not.  The S5V4 disassembler incorrectly disassembles an
instruction.   The system assigned the wrong owner/group to some files.  The RUNACCT,
started by the CRON table, would catch in an infinite loop on startup of system.  Using
STTY 38.400 would hang  up the line in single-user  mode.
 
     2.   Use of a WORM program (a self-contained self-replicating software
mechanism) for the Watchdog/Paranoia idea due to architectural  limitations regarding
memory, memory addresses, and logical memory segments.
 
     3.   We ruled out elimination of viruses due to the mathematical computations of
Dr. Fred Cohen.  He proved conclusively that protecting against computer viruses is
impossible.
 
     4.   Due to time and resource limitations, we used the publicly known CRC-32
algorithm.   In future, a less-public CRC algorithm will be used.
 
     5.   Watchdog/Paranoia appreciably slows a MS-DOS-based  PC with speeds
below 266 MHz and a UNIX machine, comeghat.  Faster, optimized algorithms need to be
researched in the follow-on phases.

     6.   Due to the impossibility of using  existing technologies to detect a  well-written
non-viral WORM or Trojan Horse program, we omitted these programs from the Phase 1
proof of concept.  Future considerations will address these classes of programs directly
and separately.
 
 C.  GENERAL METHODOLOGY:
 
              Sobczak  used  the following definitions  in its  research:
 
     1.   Computer Virus:   A set  of instructions,  programmatic or otherwise, that
propagates themselves through computer systems and/or networks,  deliberately set  to
take actions unwanted by the legitimate owners of those systems.  A virus must attach
itself to executable code to function.
 
     2.   WORM:  A  self-contained,  free-running  computer  program that moves in
memory.
 
     3.   Trojan Horse:  A program  that does other than what the user intended.
 
     4.   Prevention:  Stop initial and subsequent attempts to modify or infect a
computer system.  The solution conceived is not keyed to any particular infection.
 
     5.   Identification:  Suggest specific methods to identify infections or differences.
 
     6.   Detection:  Monitoring change to the characteristics of any executable
component processed in the device or its associated networks.  Detection is not keyed to
any particular infection or difference.
 
     Dr.  Fred Cohn has proven, mathematically, that preventing a computer virus is
impossible.  Pamela Kane of Dr. Panda Systems has proven that it is impossible to know
or identify all code that comprises a computer virus.  And, Steven J. Rose of Deloitte &
Touche LLP has stated,  "The best protection would be to detect the presence  of a virus
before it could do harm."  Therefore, we chose to detect the modification of executable
code by computer viruses and our research followed that premise.
 
     BBS Text: Sobczak monitored hacker and public domain bulletin board  services for
information about computer viruses and how they function.  We include a sample in
Appendix A.  This research provided a number of computer  viruses for DOS PC's, Apple
PCs, and a WORM identification program for VAX/VMS written using the ADA language.
Especially informative was the VIRUS-L conference BBS at Lehigh University available
through BITNET.
 
     Academic Research:  Research includes academic papers (Fred Cohen, Ken
Thompson, Gene Spafford, Ray Glatz, etc.), commercial magazine and newspaper articles, trades magazine articles, books, and professional hacker magazines.  A short bibliography at the end of this report shows samples of sources used.

APPLICATION OF ESTABLISHED TECHNOLOGY
 
     Self-replicating technology research began in the 1960's as a game in Bell
Laboratories called  Core Wars.  Opposing WORM programs would replicate themselves
as quickly as possible, while overwriting  their opponents efforts.  The program with  the
greatest number  of copies when available memory was compromised was  the  winner.
Bell Labs WORM  programs  remained  a game.
 
     In  the late 1970's and early 1980's, researchers performed additional research into
self-replicating mechanisms  at the Xerox  Palo Alto Research Center.  Most of this work
was proprietary.  Research diminished as  experimenters had difficulty  finding applications compatible with the self-replicating mechanism.
 
     The NCR Century 100 series midrange computer operating system used an inherent
self-replicating mechanism to automatically upgrade from early operating system versions to  later ones.  Use of a self-replicating mechanism eliminated a thankless task for system administrators as all storage devices bought on-line eventually upgraded themselves.
 
     In the mid-1980's, Dr. Fred Cohen used a virus-oriented mechanism as a
compression method to better manage storage space.  Cohen writes the virus, in pseudo code, like this:
 
      program compression-virus:=     
                    {01234567;
 
      subroutine infect-executable:=
                    {loop:file=get random-executable-file;
                    if first-line-of-file=01234567 then goto loop; compress file;
                    prepend compression-virus to file;
                    }
               main-program:=
                    {if ask-permission then infect-executable; uncompress                     
                    the-rest-of-this-file into tmpfile; run timpfile;}
                    }
 
     (Computers and Security, Vol. 8, No. 4, June 1989, p. 326) His concept, though it proved slow, worked.
 
     In 1989,  there were  unconfirmed reports that  the communications package  for the
PRODIGY bulletin board service would upgrade a user's software package if he were using an  earlier version.  It was frightening for the victim, but a useful tool.  Finally, hackers are exploring the possibilities of self-replicating  mechanisms.    "One,  whose handle is Bill McTuesday,  says,  'They can clean up your computer and they can be used as a hacking tool (sniffer software).  They provide a good way of investigating closed systems . . .   They will also defend against invading viruses . . . '"  (Mondo 2000, Fall #7, 1989, p. 50) Research into potentially self-replicating software mechanisms has potential.  We chose to reapply this technology to create a tamper-proof, free-running security system without an operator interface.
 
     Sobczak performed a risk analysis of potential threats.  It is impossible, using
existing technology, without substantial modification, to detect a well-written WORM or
Trojan horse program, we concentrated on computer viruses and code corruption.  Worm and Trojan horse programs will be addressed in depth in later research.   Since  it is impossible to prevent a viral occurrence, either through transferable storage media, remote access,  or keyboard input,  we deemed detection of corruption by identifying change  the most effective way to bound potential damage caused by misuse of software.  The research then analyzed known virus code structures to study the attaching, executing, and replicating mechanisms of viruses.  For security reasons, we omit sample code.
 
     Lastly, we coded the Watchdog/Paranoia programs, our replicating executable code
security mechanism, in multiple languages for multiple operating environments.  It was
transmitted using RF as transport for wireless communication.  An ability to lock-up the nonsecure hardened system aboard a capital vessel was demonstrated to US Navy AIR-055 by hacking into Fltsatcom and transmitting REXX based "do-loops."  Scratch Pad memory was constantly exhausted thereby stopping any ability to compute.  As the REXX code was not a virus it ran undetected until located using a line by line search.  This effort was a most time consuming exercise at best, particularly when our sophisticated code set erased any trace of the incursion.