WATCHDOG/PARANOIA SUMMARY
WATCHDOG is a cooperative tandem-process, replicating software mechanism for protecting executable code in an on-line real-time computing system. PARANOIA is algorithmic code attached to the executable code of a software computing system. WATCHDOG and PARANOIA validate the integrity of the executable code, and of each other, before allowing a monitored program to execute. This self-propagating, replicating mechanism, with inherent anti-tampering (self/cross validation), disallows operator/user interference with its functioning. It was successfully demonstrated on October 5, 1989, at the SDC, Huntsville, Alabama.
***************************************************
* COOPERATIVE TANDEM PROCESS:                     *
*                                                 *
*              >> PAR. 1 <-> executable code      *
*             /                                   *
*            /                                    *
* WATCHDOG <------> PAR. 2 <-> executable code    *
*            \                                    *
*             \--> PAR. 3 <-> executable code     *
*              \                                  *
*               >> PAR. n <-> executable code     *
*                                                 *
* PAR. = PARANOIA, copies 1 to n                  *
***************************************************
NOTE: there is no limit on the number of PARANOIA copies.
WATCHDOG scans all executable files within a system and validates whether or not PARANOIA is attached. If not, WATCHDOG creates and attaches PARANOIA to the unprotected code segments; in this way PARANOIA is replicated by WATCHDOG to each executable code segment. In a cooperative tandem process, WATCHDOG validates the integrity of PARANOIA and is, in turn, validated by PARANOIA as unchanged.
Validation uses a CRC-32 checksum calculated over a known-good copy of the executable code. This value is stored within the PARANOIA code attached to the executable. Every time a code segment (shell script, library) or program is to be executed, PARANOIA recalculates the CRC-32 and compares the result to the stored value. If they match, execution of the program segment is permitted. If they do not, PARANOIA sends E-Mail on-site and off-site to warn of possible corruption or infection. WATCHDOG/PARANOIA can be custom coded to lock up the system, or to disallow execution of the offending program segment while allowing validated program segments to continue processing.
The anti-tampering mechanism derives from communication between WATCHDOG and PARANOIA. Each time a code segment containing PARANOIA is executed, PARANOIA queries WATCHDOG to confirm that WATCHDOG is functioning. If WATCHDOG is functional, PARANOIA continues. If WATCHDOG is non-functional in any way, PARANOIA sends E-Mail, both on- and off-site, and prevents execution of the suspect program segment. The same result occurs if PARANOIA fails its validation by WATCHDOG.
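The scan-and-attach step, the CRC-32 validation and the tandem cross-check described above, as an added Python simulation. This is not the original WATCHDOG/PARANOIA code (whose source is not published here): the trailer layout, the STUB bytes, the Watchdog class, paranoia_gate and the sample "executables" are constructed for this example, and a list stands in for the on- and off-site e-mail alerts.

```python
import struct
import zlib

# Constructed trailer layout for this example; the real PARANOIA format is not
# published here. Image = protected code || PARANOIA stub || magic || CRC-32.
STUB = b"PARANOIA-STUB-v1"                   # stand-in for the attached PARANOIA code
MAGIC = b"PARA"
TRAILER_FMT = ">16s4sI"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)   # 24 bytes


def has_paranoia(image: bytes) -> bool:
    """True if the image already carries a PARANOIA trailer."""
    return len(image) > TRAILER_LEN and image[-8:-4] == MAGIC


def attach_paranoia(code: bytes) -> bytes:
    """WATCHDOG step: record the CRC-32 of known-good code in a PARANOIA trailer."""
    return code + struct.pack(TRAILER_FMT, STUB, MAGIC, zlib.crc32(code))


def split_image(image: bytes):
    """Return (code, stub, stored_crc) for an image that carries a trailer."""
    code, trailer = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    stub, _magic, stored = struct.unpack(TRAILER_FMT, trailer)
    return code, stub, stored


class Watchdog:
    """Holds the known-good CRC-32 of its own code and of the PARANOIA stub."""

    def __init__(self, own_code: bytes):
        self.own_code = bytearray(own_code)   # mutable so tampering can be simulated
        self.own_crc = zlib.crc32(own_code)
        self.stub_crc = zlib.crc32(STUB)
        self.running = True

    def functional(self) -> bool:
        """Answer PARANOIA's query: running, and own code unchanged?"""
        return self.running and zlib.crc32(bytes(self.own_code)) == self.own_crc

    def validate_paranoia(self, stub: bytes) -> bool:
        """WATCHDOG's half of the cross-check: is the attached stub unchanged?"""
        return zlib.crc32(stub) == self.stub_crc

    def scan(self, files: dict) -> dict:
        """Replication step: attach PARANOIA to every executable that lacks it."""
        return {name: img if has_paranoia(img) else attach_paranoia(img)
                for name, img in files.items()}


def paranoia_gate(image: bytes, watchdog: Watchdog, alerts: list) -> tuple:
    """PARANOIA's pre-execution check: (allowed, reason). alerts stands in for e-mail."""
    if not watchdog.functional():                # 1. is WATCHDOG alive and intact?
        alerts.append("WATCHDOG non-functional; execution refused")
        return False, "watchdog"
    if not has_paranoia(image):                  # 2. unprotected image: refuse
        alerts.append("image carries no PARANOIA trailer")
        return False, "unprotected"
    code, stub, stored = split_image(image)
    if not watchdog.validate_paranoia(stub):     # 3. WATCHDOG validates PARANOIA
        alerts.append("PARANOIA stub failed WATCHDOG validation")
        return False, "paranoia"
    if zlib.crc32(code) != stored:               # 4. PARANOIA validates the code
        alerts.append("executable CRC-32 mismatch: possible corruption/infection")
        return False, "code"
    return True, "ok"


if __name__ == "__main__":
    # Constructed stand-ins for executables on disk.
    files = {"login": b"\x7fELF login-program-bytes",
             "backup.sh": b"#!/bin/sh\ntar cf /dev/rmt0 /home\n"}
    wd = Watchdog(b"WATCHDOG-program-bytes")
    protected = wd.scan(files)
    alerts = []
    print(paranoia_gate(protected["login"], wd, alerts))       # (True, 'ok')
    infected = protected["login"].replace(b"login", b"l0gin")
    print(paranoia_gate(infected, wd, alerts))                 # (False, 'code')
    print(alerts)
```

Run as a script, the untouched image is admitted, while a one-byte change to the code, a replaced PARANOIA stub, an image with no trailer, or a stopped or altered WATCHDOG each refuse execution and leave an alert. The gate only establishes that bytes changed: CRC-32 carries no secret, so it does not by itself stop an attacker who rewrites both the code and the value stored beside it.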
For security reasons, the source and object code for Watchdog/Paranoia are available only to approved Defense personnel. Watchdog/Paranoia offers a strong weapon against data subversion: header-record tagging combined with the continued existence of the tandem co-process.
REPORT OF SDI SPONSORED RESEARCH
Title of Research:
Front-End Anti-Viral/Change Detection Mechanisms Using Replicating /
Self-Replicating Software to protect Strategic Defense Initiative Organization
National Test Bed Facility, Defense Department Communications, and Corporate
Contractor Networks, Applications and Data
The views and conclusions contained in this sample are those of the authors and should
not be interpreted as necessarily representing the official policies, either expressed or
implied, of the US Department of Defense and the Strategic Defense Initiative
Organization. The complete document with its associated software code is 171 pages.
This research is proprietary to and copyrighted by Thomas V. Sobczak, Consultants.
A. TASK OBJECTIVES
The objectives of Task DI-MISC-80048, Front-End Anti-Viral Detection Mechanism
Using Replicating/Self-Replicating Software, are threefold:
1. Research viral mechanisms, antiviral procedures, and self-replicating
software mechanisms for use as security products in MS-DOS and UNIX
environments on PCs, workstations and midrange devices.
2. Evaluate the applicability of said mechanisms to protect and/or identify
and/or detect computer virus intrusion and corruption within said systems.
3. Begin experimentation with a replicating/self-replicating software product to
be used to secure SDI operating systems, software libraries, and data
archives.
B. TECHNICAL PROBLEMS
1. Bugs in AT&T UNIX System V Release 4 (HCL America Magnix): CSH supports
job monitoring while KSH does not. The S5V4 disassembler incorrectly disassembles an
instruction. The system assigned the wrong owner/group to some files. RUNACCT,
started from the CRON table, would get caught in an infinite loop on system startup.
Using STTY 38400 would hang up the line in single-user mode.
2. A WORM program (a self-contained, self-replicating software mechanism)
could not be used for the Watchdog/Paranoia idea because of architectural limitations
regarding memory, memory addresses, and logical memory segments.
3. We ruled out elimination of viruses on the strength of Dr. Fred Cohen's
mathematical results. He proved that no algorithm can decide, for an arbitrary program,
whether it is a virus, so protecting against all computer viruses is impossible.
4. Due to time and resource limitations, we used the publicly known CRC-32
algorithm. In future, a less-public CRC algorithm will be used. A caveat for that
follow-on: any CRC is an unkeyed linear function of the data, so an attacker who can
rewrite a protected segment can also recompute, or fix up, the value it carries; keeping
the polynomial private adds little, whereas a keyed hash whose key is held out of the
attacker's reach does not share this weakness.
5. Watchdog/Paranoia appreciably slows an MS-DOS-based PC with speeds
below 266 MHz, and somewhat slows a UNIX machine. Faster, optimized algorithms need
to be researched in the follow-on phases.
6. Because existing technologies cannot detect a well-written non-viral WORM
or Trojan Horse program, we omitted these programs from the Phase 1 proof of concept.
Future work will address these classes of programs directly and separately.
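Item 4 above treats the public CRC-32 as a weakness to be cured with a less-public CRC. The added Python example below (written for this edit, not part of the original research) shows why the problem is the class of function rather than its publicity: for any target value, four bytes appended to a modified image make zlib's CRC-32 equal the original's, so a check that compares only a stored CRC is satisfied, while the same image fails a keyed HMAC-SHA256 check. HMAC-SHA256 is the editor's substitute for the planned private CRC, not something the report proposes; the sample image, the key and all function names are constructed for the example.

```python
import hashlib
import hmac
import zlib

POLY = 0xEDB88320                     # reflected CRC-32 polynomial (zlib, PKZIP, Ethernet)


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _crc_table()
# The top byte of every table entry is distinct, so it identifies the entry.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REV) == 256


def crc32_patch(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF     # CRC register before the final XOR
    want = target ^ 0xFFFFFFFF                # register value required after 4 bytes
    # Backward pass: which table entries must the last four updates hit?
    idx = [0] * 4
    w = want
    for k in range(3, -1, -1):
        idx[k] = REV[w >> 24]
        w = ((w ^ TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    # Forward pass: pick each byte so the update hits that entry.
    patch = bytearray(4)
    for k in range(4):
        patch[k] = (state ^ idx[k]) & 0xFF
        state = TABLE[idx[k]] ^ (state >> 8)
    return bytes(patch)


def record_known_good(code: bytes, key: bytes) -> tuple:
    """What a checker would store for a known-good image: its CRC-32 and its HMAC."""
    return zlib.crc32(code), hmac.new(key, code, hashlib.sha256).digest()


def forge(original: bytes, modified: bytes) -> bytes:
    """Append a fix-up so the modified image keeps the original's CRC-32."""
    return modified + crc32_patch(modified, zlib.crc32(original))


def crc_check(image: bytes, stored_crc: int) -> bool:
    return zlib.crc32(image) == stored_crc


def mac_check(image: bytes, stored_mac: bytes, key: bytes) -> bool:
    """Keyed alternative: cannot be fixed up without the key."""
    return hmac.compare_digest(hmac.new(key, image, hashlib.sha256).digest(), stored_mac)


if __name__ == "__main__":
    # Constructed sample image and a hostile modification of it.
    original = b"\x7fELF mail-agent v1 ... deliver(msg)"
    modified = b"\x7fELF mail-agent v1 ... deliver(msg); copy_to(attacker)"
    key = b"site-secret-held-by-WATCHDOG"      # assumed key, kept out of the image
    crc, mac = record_known_good(original, key)
    forged = forge(original, modified)
    print(crc_check(modified, crc), crc_check(forged, crc))   # False True
    print(mac_check(forged, mac, key))                        # False
```

The backward pass works because the top byte of each CRC-32 table entry is unique: starting from the wanted register, each step recovers the table index the update must use and eight more bits of the register before it, which is exactly enough information for four steps. Changing the polynomial changes the table but not this argument, which is why a private CRC buys nothing against a deliberate modification.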
C. GENERAL METHODOLOGY:
Sobczak used the following definitions in its research:
1. Computer Virus: A set of instructions, programmatic or otherwise, that
propagates itself through computer systems and/or networks and is deliberately set to
take actions unwanted by the legitimate owners of those systems. A virus must attach
itself to executable code to function.
2. WORM: A self-contained, free-running computer program that moves in
memory.
3. Trojan Horse: A program that does other than what the user intended.
4. Prevention: Stop initial and subsequent attempts to modify or infect a
computer system. The solution conceived is not keyed to any particular infection.
5. Identification: Suggest specific methods to identify infections or differences.
6. Detection: Monitoring change to the characteristics of any executable
component processed in the device or its associated networks. Detection is not keyed to
any particular infection or difference.
Dr. Fred Cohen has proven, mathematically, that preventing a computer virus is
impossible. Pamela Kane of Dr. Panda Systems has proven that it is impossible to know
or identify all code that comprises a computer virus. And Steven J. Rose of Deloitte &
Touche LLP has stated, "The best protection would be to detect the presence of a virus
before it could do harm." Therefore, we chose to detect the modification of executable
code by computer viruses, and our research followed that premise.
BBS Text: Sobczak monitored hacker and public-domain bulletin board services for
information about computer viruses and how they function; a sample appears in
Appendix A. This research yielded a number of computer viruses for DOS PCs and Apple
PCs, and a WORM identification program for VAX/VMS written in Ada.
Especially informative was the VIRUS-L conference at Lehigh University, available
through BITNET.
Academic Research: Sources include academic papers (Fred Cohen, Ken
Thompson, Gene Spafford, Ray Glatz, etc.), commercial magazine and newspaper articles, trade magazine articles, books, and professional hacker magazines. A short bibliography at the end of this report shows samples of the sources used.
APPLICATION OF ESTABLISHED TECHNOLOGY
Self-replicating technology research began in the 1960's with a game played at Bell
Laboratories (Darwin, the forerunner of Core War). Opposing WORM programs would
replicate themselves as quickly as possible while overwriting their opponents' efforts. The
program with the greatest number of copies when available memory was exhausted was the
winner. Bell Labs WORM programs remained a game.
In the late 1970's and early 1980's, researchers at the Xerox Palo Alto Research
Center studied self-replicating mechanisms further. Most of this work was proprietary.
Research diminished as experimenters had difficulty finding applications compatible with the self-replicating mechanism.
The NCR Century 100 series midrange computer operating system used an inherent
self-replicating mechanism to upgrade automatically from early operating system versions to later ones. The self-replicating mechanism eliminated a thankless task for system administrators, as all storage devices brought on-line eventually upgraded themselves.
In the mid-1980's, Dr. Fred Cohen used a virus-oriented mechanism as a
compression method to better manage storage space. Cohen writes the virus, in pseudo code, like this:
program compression-virus :=
  {01234567;
   subroutine infect-executable :=
     {loop: file = get-random-executable-file;
      if first-line-of-file = 01234567 then goto loop;
      compress file;
      prepend compression-virus to file;
     }
   main-program :=
     {if ask-permission then infect-executable;
      uncompress the-rest-of-this-file into tmpfile;
      run tmpfile;
     }
  }
(Computers and Security, Vol. 8, No. 4, June 1989, p. 326) His concept, though slow, worked.
In 1989, there were unconfirmed reports that the communications package for the
PRODIGY bulletin board service would upgrade a user's software package if he were using an earlier version. It was frightening for the victim, but a useful tool. Finally, hackers are exploring the possibilities of self-replicating mechanisms. "One, whose handle is Bill McTuesday, says, 'They can clean up your computer and they can be used as a hacking tool (sniffer software). They provide a good way of investigating closed systems . . . They will also defend against invading viruses . . . '" (Mondo 2000, Fall #7, 1989, p. 50) Self-replicating software mechanisms thus remain a promising area of research. We chose to reapply this technology to create a tamper-proof, free-running security system without an operator interface.
Sobczak performed a risk analysis of potential threats. Because it is impossible, using
existing technology without substantial modification, to detect a well-written WORM or
Trojan horse program, we concentrated on computer viruses and code corruption; WORM and Trojan horse programs will be addressed in depth in later research. Since it is impossible to prevent a viral occurrence, whether through transferable storage media, remote access, or keyboard input, we deemed detection of corruption, by identifying change, the most effective way to bound the potential damage caused by misuse of software. The research then analyzed known virus code structures to study the attaching, executing, and replicating mechanisms of viruses. For security reasons, we omit sample code.
Lastly, we coded the Watchdog/Paranoia programs, our replicating executable-code
security mechanism, in multiple languages for multiple operating environments. It was
transmitted using RF as the transport for wireless communication. An ability to lock up the non-secure hardened system aboard a capital vessel was demonstrated to US Navy AIR-055 by hacking into Fltsatcom and transmitting REXX-based "do-loops." Scratch-pad memory was constantly exhausted, thereby stopping any ability to compute. As the REXX code was not a virus, it ran undetected until located by a line-by-line search. This was a most time-consuming exercise at best, particularly when our sophisticated code set erased any trace of the incursion.