From: Franz Kafka
Subject: Did Anyone Use Lisp Machines to investiage source code viruses?
Date: 
Message-ID: <b3b6b110.0303282016.34587b27@posting.google.com>
I am doing a report on Lisp & Computer Security and I need some
help.

I have read in several AI books that the govn't was investigating
source code viruses using Lisp--because Lisp is an Ideal Language
for those kinds of things.

I have also read some papers about early worms, and other forms
of distrubuted processes/programs that were developed on Lisp
Machines by Xerox.

I would like some info about it:

1.) Who sponsered the research into Source Code Viruses?
2.) Was any of it done in Lisp or on Lisp machines?
3.) Is it still classified. (The Xerox worms were not I found
    papers about them on the net awhile back.)
4.) Am I correct in assuming that because Lisp is a high level
    Symbolic Language that includes a powerful macro creating tool
    'defmacro' and treats programs and data in the same format--namely
    the List, that Lisp would be, has been, or could be a good language
    with which to experiment with source code viruses and develop examples
    so I could teach my students how such things work.
5.) I have heard rumors that viruses can be propogated via e-mail on
    Lisp Machines, is this true--and if it is how could one protect
    against it.

I thank in advance anyone who could help me.

PS

references to books/papers which address the above questions would also
be very helpful.

From: Kent M Pitman
Subject: Re: Did Anyone Use Lisp Machines to investiage source code viruses?
Date: 
Message-ID: <sfwel4qnkhm.fsf@shell01.TheWorld.com>
·································@hotmail.com (Franz Kafka) writes:

> I am doing a report on Lisp & Computer Security and I need some
> help.
> 
> I have read in several AI books that the govn't was investigating
> source code viruses using Lisp--because Lisp is an Ideal Language
> for those kinds of things.

It's a good language for anything that requires symbolic terms and 
recursive descent inspection, but I'd not heard anything about 
this particular domain.

> I have also read some papers about early worms, and other forms
> of distrubuted processes/programs that were developed on Lisp
> Machines by Xerox.

Certainly this is true.  Lisp and related languages generally have 
a printed representation for program and data, and so are often able to
externalize their data on one machine and ship it easily to another in
order to continue.

> I would like some info about it:
> 
> 1.) Who sponsered the research into Source Code Viruses?

No idea.

> 2.) Was any of it done in Lisp or on Lisp machines?

No idea.

> 3.) Is it still classified. (The Xerox worms were not I found
>     papers about them on the net awhile back.)

No idea.

> 4.) Am I correct in assuming that because Lisp is a high level
>     Symbolic Language that includes a powerful macro creating tool
>     'defmacro' and treats programs and data in the same format--namely
>     the List, that Lisp would be, has been, or could be a good language
>     with which to experiment with source code viruses and develop examples
>     so I could teach my students how such things work.

DEFMACRO is not relevant unless you are creating Lisp viruses.  Lisp viruses
are going to have low utility because most machines don't have a lisp server
listening for arbitrary Lisp forms, and so most machines wouldn't have anything
the virus could piggyback on.  Viruses tend to prefer to live on commonly
available substrates that are ubiquitously available.  Lisp can easily model
such substrates, but Lisp itself is hardly ubiquitous.

> 5.) I have heard rumors that viruses can be propogated via e-mail on
>     Lisp Machines, is this true--and if it is how could one protect
>     against it.

Where did you hear this?

This is almost certainly false.  Viruses are spread in situations where 
people don't want to do something manually and so run code to do a common
operation.  For example, I read mail in emacs.  emacs is written in lisp.
But emacs NEVER gets me viruses because it does not unpack attachments;
I _see_ viruses in my mail, but emacs doesn't execute them--it just treats
them as text, and as text they are harmless.  To unpack a 'virus' (or 
anything else), I have to write a message to a file, use another unrelated
program (like munpack) to unpack the MIME encoding, and finally go to a
command line and deliberately execute the result.  The likelihood of me
being suckered into doing this by accident is vanishingly small.

I can think of one place where the Lisp machine might have had a bug in it
that allowed transmission of lisp-based viruses, but it was probably 
patched long ago, and if it was not, it easily could be now.  [Font info
used to occur after a special marker in text that was followed by a form
to be read with READ.  If the form included #., you might have managed to
trick something.  Just arranging for *read-eval* to be NIL around that call
to READ would fix that bug, if it even still exists.

I don't do it often any more, but I feel quite safe reading email in Zmail,
the lisp machine mail reader.  Problems with viruses are probably 100,000
times less likely in Zmail than in Outlook Express, Eudora, or the like.
Lisp worms are hard to write, and you'd have to know the recipient had a 
lisp machine mail reader for them to do the right thing; modern mime font
encoding would not leave room for this bug.

> I thank in advance anyone who could help me.

Dunno if this counts.

> PS
> 
> references to books/papers which address the above questions would also
> be very helpful.

I'm definitely no help there.
From: Thomas F. Burdick
Subject: Re: Did Anyone Use Lisp Machines to investiage source code viruses?
Date: 
Message-ID: <xcvn0jd8v3r.fsf@famine.OCF.Berkeley.EDU>
Kent M Pitman <······@world.std.com> writes:

> ·································@hotmail.com (Franz Kafka) writes:
>
> > 5.) I have heard rumors that viruses can be propogated via e-mail on
> >     Lisp Machines, is this true--and if it is how could one protect
> >     against it.
> 
> Where did you hear this?
> 
> This is almost certainly false.  Viruses are spread in situations where 
> people don't want to do something manually and so run code to do a common
> operation.  For example, I read mail in emacs.  emacs is written in lisp.
> But emacs NEVER gets me viruses because it does not unpack attachments;

Once upon a time, Emacs had a vulnerability to elisp viruses.  In the
local-variables section of a file, you can specify a magic "eval"
variable, which causes thos forms to be evaluated.  Now, it prompts
you, but that wasn't always true.

-- 
           /|_     .-----------------------.                        
         ,'  .\  / | No to Imperialist war |                        
     ,--'    _,'   | Wage class war!       |                        
    /       /      `-----------------------'                        
   (   -.  |                               
   |     ) |                               
  (`-.  '--.)                              
   `. )----'                               
From: Kalle Olavi Niemitalo
Subject: Re: Did Anyone Use Lisp Machines to investiage source code viruses?
Date: 
Message-ID: <87d6k9e0p6.fsf@Astalo.kon.iki.fi>
···@famine.OCF.Berkeley.EDU (Thomas F. Burdick) writes:

> Once upon a time, Emacs had a vulnerability to elisp viruses.  In the
> local-variables section of a file, you can specify a magic "eval"
> variable, which causes thos forms to be evaluated.  Now, it prompts
> you, but that wasn't always true.

GNU Emacs 21.2 is still vulnerable to some similar attacks.
The CVS version is safer in this regard.
From: Joe Marshall
Subject: Re: Did Anyone Use Lisp Machines to investiage source code viruses?
Date: 
Message-ID: <n0jbeha1.fsf@ccs.neu.edu>
·································@hotmail.com (Franz Kafka) writes:

> I am doing a report on Lisp & Computer Security and I need some
> help.
> 
> I have read in several AI books that the govn't was investigating
> source code viruses using Lisp--because Lisp is an Ideal Language
> for those kinds of things.
> 
> I have also read some papers about early worms, and other forms
> of distrubuted processes/programs that were developed on Lisp
> Machines by Xerox.
> 
> I would like some info about it:
> 
> 1.) Who sponsered the research into Source Code Viruses?
> 2.) Was any of it done in Lisp or on Lisp machines?
> 3.) Is it still classified. (The Xerox worms were not I found
>     papers about them on the net awhile back.)
> 4.) Am I correct in assuming that because Lisp is a high level
>     Symbolic Language that includes a powerful macro creating tool
>     'defmacro' and treats programs and data in the same format--namely
>     the List, that Lisp would be, has been, or could be a good language
>     with which to experiment with source code viruses and develop examples
>     so I could teach my students how such things work.
> 5.) I have heard rumors that viruses can be propogated via e-mail on
>     Lisp Machines, is this true--and if it is how could one protect
>     against it.

I don't recall anyone doing `official' virus research on Lisp
machines (at least at the MIT AI Lab.  I never worked at Xerox.)

I do recall that there were some early experiments involving the Xerox
Alto.  It was possible to access an idle Alto from the network and
download code to it.  When a user logged in to the Alto, the code that
was using the idle cycles was terminated.  Somebody put together a
hack where several of these processes would communicate with each
other and keep themselves alive by spawning new copies when one went
off line.

I did not get the impression that any of these experiments were
`government research' let alone `classified'.

The Lisp machines had a couple of security holes involving the
reader, but I don't recall anyone exploiting them through email.  
From: Christopher Browne
Subject: Re: Did Anyone Use Lisp Machines to investiage source code viruses?
Date: 
Message-ID: <b69t0g$35360$1@ID-125932.news.dfncis.de>
Centuries ago, Nostradamus foresaw when Joe Marshall <···@ccs.neu.edu> would write:
> I do recall that there were some early experiments involving the Xerox
> Alto.  It was possible to access an idle Alto from the network and
> download code to it.  When a user logged in to the Alto, the code that
> was using the idle cycles was terminated.  Somebody put together a
> hack where several of these processes would communicate with each
> other and keep themselves alive by spawning new copies when one went
> off line.

Seems reminiscent of the Xerox CP-V "Robin Hood and Friar Tuck"
patches:

  <http://ftp.arl.mil/ftp/unix-wizards/V16%23019>

     Back in the mid-1970s, several of the system support staff at
     Motorola discovered a relatively simple way to crack system
     security on the Xerox CP-V timesharing system.  Through a simple
     programming strategy, it was possible for a user program to trick
     the system into running a portion of the program in `master mode'
     (supervisor state), in which memory protection does not apply.
     The program could then poke a large value into its `privilege
     level' byte (normally write-protected) and could then proceed to
     bypass all levels of security within the file-management system,
     patch the system monitor, and do numerous other interesting
     things.  In short, the barn door was wide open.

     Motorola quite properly reported this problem to Xerox via an
     official `level 1 SIDR' (a bug report with an intended urgency of
     `needs to be fixed yesterday').  Because the text of each SIDR
     was entered into a database that could be viewed by quite a
     number of people, Motorola followed the approved procedure: they
     simply reported the problem as `Security SIDR', and attached all
     of the necessary documentation, ways-to-reproduce, etc.

     The CP-V people at Xerox sat on their thumbs; they either didn't
     realize the severity of the problem, or didn't assign the
necessary
     operating-system-staff resources to develop and distribute an
     official patch.

     Months passed.  The Motorola guys pestered their Xerox
     field-support rep, to no avail.  Finally they decided to take
     direct action, to demonstrate to Xerox management just how easily
     the system could be cracked and just how thoroughly the security
     safeguards could be subverted.

     They dug around in the operating-system listings and devised a
     thoroughly devilish set of patches.  These patches were then
     incorporated into a pair of programs called `Robin Hood' and
     `Friar Tuck'.  Robin Hood and Friar Tuck were designed to run as
     `ghost jobs' (daemons, in UNIX terminology); they would use the
     existing loophole to subvert system security, install the
     necessary patches, and then keep an eye on one another's statuses
     in order to keep the system operator (in effect, the superuser)
     from aborting them.

     One fine day, the system operator on the main CP-V software
     development system in El Segundo was surprised by a number of
     unusual phenomena.  These included the following:


        * Tape drives would rewind and dismount their tapes in the
          middle of a job.
        * Disk drives would seek back and forth so rapidly that they
          would attempt to walk across the floor (see {walking
          drives}).
        * The card-punch output device would occasionally start up of
          itself and punch a {lace card}.  These would usually jam in
          the punch.
        * The console would print snide and insulting messages from
          Robin Hood to Friar Tuck, or vice versa.
        * The Xerox card reader had two output stackers; it could be
          instructed to stack into A, stack into B, or stack into A
          (unless a card was unreadable, in which case the bad card
          was placed into stacker B).  One of the patches installed by
          the ghosts added some code to the card-reader
          driver... after reading a card, it would flip over to the
          opposite stacker.  As a result, card decks would divide
          themselves in half when they were read, leaving the operator
          to recollate them manually.

     Naturally, the operator called in the operating-system
     developers.  They found the bandit ghost jobs running, and X'ed
     them... and were once again surprised.  When Robin Hood was X'ed,
     the following sequence of events took place:

          !X id1

          id1: Friar Tuck... I am under attack!  Pray save me!
          id1: Off (aborted)

          id2: Fear not, friend Robin!  I shall rout the Sheriff
               of Nottingham's men!

          id1: Thank you, my good fellow!

     Each ghost-job would detect the fact that the other had been
     killed, and would start a new copy of the recently slain program
     within a few milliseconds.  The only way to kill both ghosts was
     to kill them simultaneously (very difficult) or to deliberately
     crash the system.

     Finally, the system programmers did the latter --- only to find
     that the bandits appeared once again when the system rebooted!
     It turned out that these two programs had patched the boot-time
     OS image (the kernel file, in UNIX terms) and had added
     themselves to the list of programs that were to be started at
     boot time.

     The Robin Hood and Friar Tuck ghosts were finally eradicated when
     the system staff rebooted the system from a clean boot-tape and
     reinstalled the monitor.  Not long thereafter, Xerox released a
     patch for this problem.

     It is alleged that Xerox filed a complaint with Motorola's
     management about the merry-prankster actions of the two employees
     in question.  It is not recorded that any serious disciplinary
     action was taken against either of them.

-- 
If this was helpful, <http://svcs.affero.net/rm.php?r=cbbrowne> rate me
http://www.ntlug.org/~cbbrowne/lisp.html
JOHN CAGE (strapped to table): Do you really expect me to conduct this
 antiquated tonal system?  
LEONARD BERNSTEIN: No, Mr. Cage, I expect  you to die!
[With apologies to music and James Bond fans the world over...]