Malicious Software and Security Programming Lecture 4

1
Malicious Software and Security Programming
Lecture 4

• In this lecture we will look at some basic theory
  that relates to computer viruses
• 1. Fred Cohens definition of a virus and some
  theoretical and experimental results
• 2. Len Adlemans formulation of the notion of a
  virus

2
Informal Definition

• Fred Cohen and Len Adleman were the first to
  define the concept of a computer virus
• informally Cohen defined a virus as a program
  (sequence of symbols) that when executed can
  modify other programs (sequences of symbols) to
  include a possibly evolved copy of itself
• evolved copy means alternate symbol sequences
  that have the same action

3
Formal definition

• formal definition of a virus includes a lot of
  computability theory in order to understand it
• however the basic notion of the formal definition
  is built around the concept of a viral set
• a viral set is a set of viruses
• a virus v is a sequence of symbols that when
  executed as an algorithm causes some element
  (virus) of the viral set v (v may be identical
  to v) to be written out somewhere else in the
  execution machine (i.e. not in space occupied by
  virus v) in all of the histories (sequences of
  states) of the machine following the execution of
  v

4

• classic virus forms a singleton viral set i.e.
  a set of one virus which exactly reproduces
  itself after execution
• they are the set of all viruses that can be
  produced

5
Transitivity

• A relationship is transitive if A is related to B
  and B is related to C then A is related to C.
• So for example lt is a transitive relation AltB
  BltC, then AltC
• Information flow between users in a typical
  computer system is also transitive, if
  information can flow from A to B and information
  can flow from B to C then information can flow
  from A to C
• Information flow can include information in the
  form of computer programs

6

• There is no distinction between information that
  is used as data and information that is used as a
  program
• This transitive relationship is essential to
  virus propagation
• There are 2 necessary conditions that a computer
  system must have that permits the spread of
  viruses
• Modification of symbol sequences (as files of
  data or programs)
• Sharing of information between users within the
  system between users includes here the action
  of programs that run on the users behalf all
  users share use of a variety of systems programs

7

• With these 2 conditions once a virus is runs, the
  modification condition permits other programs to
  be infected and the sharing condition allows the
  virus to propagate transitively through the
  system
• Propagation will continue until the virus has
  spread to the transitive closure of the system,
  starting from any source in the system
• Transitive closure is simply the set of all
  elements that can be reached by one or more
  stages/steps of a given type of operation

8

• Thus 2 extreme forms of protection against
  computer viruses are systems that do not permit
  modification of files and systems which do not
  permit the sharing of information between users
  and their programs complete isolation
• Neither ideal mechanism is practicable

9

• The sharing and transitivity property that
  results from it, is the property that allows
  viruses to propagate in systems that otherwise
  appear to be highly secure e.g. a modern
  multi-user operating system environment in which
  ordinary users have highly restricted access
  rights to most of the machine and disk i.e. they
  are generally restricted to access and control of
  their own data, etc.
• However there is usually some limited sharing
  between users on such systems

10

• Also some users are more trusted than others and
  have greater access rights over the system
• Typical infection routes into a system that
  appears highly secure starts with infection
  existing in the least secure part of the system
  and slowly moving up the trust and security
  hierarchy in stages

11

• So for example someone logs onto a mainframe
  system as a guest login and leaves in the guest
  directory an interesting looking executable. Some
  low security level user on the system runs that
  executable infecting files in the guest login
  area and in their own area. A colleague of that
  user in turn uses some code supplied by that user
  (now infected) and so on, eventually someone with
  greater security privileges might run some code
  which they have been given from some source that
  they trust and so more secure systems become
  compromised

12

• So the system administrator who would never
  consider running an executable from the guest
  login directory or from a low security level user
  may end up allowing a virus total access to the
  system because the administrator runs code from
  sources that are deemed trustworthy, they in turn
  may have run code from sources which they deem
  trustworthy (but note the administrator might
  not), etc.

13
Experiments

• Cohen conducted some experiments on operating
  systems that had typical multi-user OS security
  systems in place.
• The results were frightening
• In one system the virus achieved root access
  privileges i.e. was running as part of a program
  that ran as root in a fastest time of only 5
  minutes, and average time of 30 minutes and a
  slowest time of 1 hour!!!

14

• On a different system (one designed explicitly to
  be used in environments where security was
  essential) it took an average of 30 minutes, but
  the maximum was 48 hours
• As typical of the response of system security
  administrators to such experiments, Cohen was not
  allowed to conduct further experiments on any
  systems (because no one wanted the security holes
  to be exposed to view) - of course this still
  left the security holes still in place rather
  than finding them and doing something about it!

15
Bell-LaPadula

• Remember Bell-LaPadula security model for highly
  secure systems that was explicitly designed to
  ensure information is kept secure. Effectively
  information can only move up or sideways between
  security levels and never downwards. Well the
  property of allowing information to move upwards
  in the security levels is all that is required to
  permit viruses to move up security levels until
  they execute as part of programs that have the
  highest security clearance on the system

16

• All you need then is the virus to be written to
  use an appropriate covert channel to signal
  information (and what is to stop it since it is
  running with the highest clearance possible)

17
Decidability of virus identification

• Basic theoretical results
• In general terms it is impossible to write a
  program that can guarantee to detect all computer
  viruses
• Consider the following pseudo code
• Program CV
• If not Check_Virus(CV) then
• infect-executable

18

• Assume Check_virus() is code that checks to
  verify whether its parameter file is a virus or
  not
• Now if Check_virus is asked to check the code for
  CV (which includes the code for Check-virus as
  well) what we find is that if Check_Virus was to
  find CV was not a virus then CV would infect an
  executable (and would be a virus because it would
  always infect the executable), whereas if
  Check_Virus was to find that CV was a virus it
  would simply terminate
• Whatever Check_virus concludes, it is always wrong

19

• A similar related result is that if you have some
  form of mutating or evolving virus, it is
  impossible for a program in general to determine
  whether a mutated version of a virus is actually
  still a virus (after the mutation)

20
Adlemans formulation of a virus

• unit of analysis is not the virus itself but the
  infected program
• for every program there is an infected form of
  that program i.e. a virus formally defines a
  mapping from programs to infected forms of
  those programs
• the infected programs have 3 behaviours
• injure ignore original task and carry out some
  other function
• infect infect some target programs
• imitate carry out original task

21

• Adleman identified a number of principal types of
  virus although we tend to characterise them
  with different names these days
• a virus could be characterised as contagious
  (within a given environment H/W and O/S
  platform, etc,) if it infected other programs
• a virus could be characterised as pathogenic if
  it carried out injury
• there were therefore 4 principal types of virus

22

• 1. if with respect to some virus an infected
  program is benignant then the infected program
  is not contagious and not pathogenic - it
  computes the same function as its uninfected
  predecessor
• 2. if with respect to some virus an infected
  program is a Trojan horse then infected program
  is not contagious, but is pathogenic it does
  not infect other programs but can only imitate
  and injure

23

• 3. if with respect to some virus an infected
  program is a carrier then infected program is
  contagious but not pathogenic it does infect
  other programs or imitate but does not cause
  injury
• 4. if with respect to some virus an infected
  program is virulent then infected program is
  contagious and pathogenic it infects other
  programs and causes injury