Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!killer!tness7!tness1!nuchat!sugar!karl
From: karl@sugar.UUCP (Karl Lehenbauer)
Newsgroups: news.admin
Subject: Re: Author's Reliability (was Re: Malicious Posting Worries...)
Summary: Binary analysis tools can't guarantee programs aren't trojan horses
Message-ID: <2274@sugar.UUCP>
Date: 8 Jul 88 23:02:01 GMT
References: <266@octopus.UUCP> <11518@agate.BERKELEY.EDU> <271@octopus.UUCP> <279@octopus.UUCP>
Organization: Sugar Land UNIX - Houston, TX
Lines: 23

In article <279@octopus.UUCP>, pete@octopus.UUCP (Pete Holzmann) writes:
> ...There are plenty of
> PC-based tools for binary analysis that can be quickly run over reasonable-
> sized programs (and slowly run over big programs). String searches,
> automatic disassemblers that produce comments for anything that touches
> the external environment (system memory, I/O ports, interrupts, system
> calls), etc. One of the nice things about having millions of hardware-
> compatible systems, is that we've got automatic tools to do what must
> be done by 'hand' in Unix. 

Well, I assume automatic disassemblers blow off stuff they don't understand
and just .DATA it or whatever as binary data.  It would be no problem for a 
Trojan Horse to decrypt the portion of itself that actually trashes your 
system when it has decided that the time is right.  That way, string searches
and code that looks for anything that touches system memory, I/O ports,
interrupts, system calls, etc, will fail to locate the Trojan.  More clever 
variations can be envisioned in which the encrypted part, or code that 
generates the code to do the trashing, etc, etc appears to be something 
useful, or at least seems too complicated to bother to decipher.

-- 
-- uunet!sugar!karl
-- These may be the official opinions of Hackercorp -- I'll have to ask Peter.
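
An illustration of the limitation discussed in this exchange, added here and not part of the original post: a string search over a constructed byte image misses a marker stored XOR-encoded, and only an analyst's check that tries every single-byte key recovers it. The image, marker, key and function names are all assumptions made for the example, and single-byte XOR stands in for whatever encoding a real program might use.

```python
import re

# Constructed sample data: nothing here comes from a real program.
MARKER = b"FORMAT C:"   # constructed string an analyst might search for
KEY = 0x5A              # constructed single-byte key


def xor(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


# Fake "program image": filler bytes, one plain string, one encoded string.
IMAGE = b"\x90\x90Hello, world\x00" + b"\x01\x02" + xor(MARKER, KEY) + b"\x00\xff"


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """What a 'strings'-style scan reports: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def plain_search(blob: bytes, needle: bytes) -> bool:
    """Literal string search, as a simple binary scanner would do."""
    return needle in blob


def xor_search(blob: bytes, needle: bytes) -> list:
    """Analyst's follow-up: look for the needle under every single-byte
    XOR key and return (key, offset) for each hit."""
    hits = []
    for key in range(1, 256):
        offset = blob.find(xor(needle, key))
        if offset != -1:
            hits.append((key, offset))
    return hits


if __name__ == "__main__":
    print("strings output:", printable_strings(IMAGE))
    print("plain search  :", plain_search(IMAGE, MARKER))
    print("xor search    :", [(hex(k), o) for k, o in xor_search(IMAGE, MARKER)])
```

The brute-force check only works because the encoding here is trivial and the analyst already knows what to look for; against a stronger cipher it finds nothing either.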