Tom Duff
August 1987
Download PDF (669.44Kb) (You need to be registered on forum)Executable files in the Ninth Edition of the UNIX system contain small amounts of unused space, allowing small code sequences to be added to them without noticeably affecting their functionality. A program fragment that looks for binaries and introduces copies of itself into their slack space will transitively spread like a virus. Such a virus program could, like the Trojan Horse, harbor Greeks set to attack the system when run by sufficiently privileged users or from infected set-userid programs.
The author wrote such a program (without the Greeks) and ran several informal experiments to test its characteristics. In one experiment, the code was planted on one of Center 1127's UNIX systems and spread in a few days through the Datakit network to about forty machines. The virus escaped during this test onto a machine running an experimental secure unix system, with interesting (and frustrating for the system's developers) consequences.
Viruses of this sort must be tiny to fit in the small amount of space available, and consequently are very timid. There are ways to construct similar viruses that are not space-constrained and can therefore spread more, aggressively and harbor better-armed Greeks. As an example, we exhibit a frighteningly virulent portable virus that inhabits shell scripts.
Viruses rely on users and system administrators being insufficiently vigilant to prevent them from infiltrating systems. I outline a number of steps that people ought to take to make infiltration less likely.
Numerous recent papers have suggested modifications to the unix system kernel to interdict viral attacks. Most of these are based on the notion of 'discretionary access controls.' These proposals cannot usually be made to work, either because they make unacceptable changes in the 'look and feel' of the unix system's environment or they entail placing trust in code that is inherently untrustworthy. In reply to these proposals, I suggest a small change to the unix system permission scheme that may be able to effectively interdict viral attacks without serious effect on the unix system's functioning and habitability.