On 11/26/08 1:47 PM, "Michael Coffin" <[EMAIL PROTECTED]> wrote:
> Let me play devil's advocate for just a minute. WHAT would actually
> constitute a "virus" in a VM/CMS environment?
> We don't have the "backdoors" and "automatic program execution" stuff
> that comes out of Redmond, so you don't have to worry about, for
> example, XEDITing a file and it launching a program without your
> approval that formats your 191 disk.

One possible vector would be the CMS installation segment. If a suitably privileged userid were compromised, an app could be developed that modified the NSS spool file directly, and you could introduce either a nucleus extension with a common command name, or a load of another segment that got you some malicious code. Since the installation segment gets control before your PROFILE EXEC or most other user-controlled stuff gets control, you're hosed before there's much chance to detect it.

> How would such a "virus" be detected? Is any program that executes the
> FORMAT command (for example) going to be considered "dangerous"? That
> would flag probably 50 or more legitimate execs that I use in production
> to manage the system.

For the above, you'd have to implement some kind of signing process for code blocks in memory and an integrity check in the OSes that use them. Not trivial stuff, and also subject to various attacks.
