Malicious Software and Security Programming Lecture 4 - PowerPoint PPT Presentation

1
Malicious Software and Security Programming
Lecture 4
  • In this lecture we will look at some basic theory
    that relates to computer viruses
  • 1. Fred Cohen's definition of a virus and some
    theoretical and experimental results
  • 2. Len Adleman's formulation of the notion of a
    virus

2
Informal Definition
  • Fred Cohen and Len Adleman were the first to
    define the concept of a computer virus
  • informally, Cohen defined a virus as a program
    (sequence of symbols) that, when executed, can
    modify other programs (sequences of symbols) to
    include a possibly evolved copy of itself
  • an "evolved copy" means an alternative symbol
    sequence that has the same action

3
Formal definition
  • the formal definition of a virus requires a good
    deal of computability theory to understand
  • however, the basic notion of the formal definition
    is built around the concept of a viral set
  • a viral set is a set of viruses
  • a virus v is a sequence of symbols that, when
    executed as an algorithm, causes some element v'
    (a virus) of the viral set V (v' may be identical
    to v) to be written out somewhere else in the
    execution machine (i.e. not in the space occupied
    by virus v) in all of the histories (sequences of
    states) of the machine following the execution of
    v

4
  • a classic virus forms a singleton viral set, i.e.
    a set of one virus which exactly reproduces
    itself after execution
  • in the general case the viral set is the set of
    all (evolved) viruses that its members can produce

5
Transitivity
  • A relation is transitive if, whenever A is related
    to B and B is related to C, then A is related to C.
  • So for example < is a transitive relation: if A<B
    and B<C, then A<C
  • Information flow between users in a typical
    computer system is also transitive: if
    information can flow from A to B and information
    can flow from B to C then information can flow
    from A to C
  • Information flow can include information in the
    form of computer programs

6
  • There is no distinction between information that
    is used as data and information that is used as a
    program
  • This transitive relationship is essential to
    virus propagation
  • There are 2 necessary conditions that a computer
    system must have that permit the spread of
    viruses:
  • Modification of symbol sequences (as files of
    data or programs)
  • Sharing of information between users within the
    system. "Between users" includes here the action
    of programs that run on the users' behalf; all
    users share use of a variety of system programs

7
  • With these 2 conditions, once a virus runs, the
    modification condition permits other programs to
    be infected and the sharing condition allows the
    virus to propagate transitively through the
    system
  • Propagation will continue until the virus has
    spread to the transitive closure of the system,
    starting from any source in the system
  • Transitive closure is simply the set of all
    elements that can be reached by one or more
    stages/steps of a given type of operation

8
  • Thus the 2 extreme forms of protection against
    computer viruses are systems that do not permit
    modification of files and systems which do not
    permit the sharing of information between users
    and their programs, i.e. complete isolation
  • Neither ideal mechanism is practicable

9
  • Sharing, and the transitivity property that
    results from it, is the property that allows
    viruses to propagate in systems that otherwise
    appear to be highly secure, e.g. a modern
    multi-user operating system environment in which
    ordinary users have highly restricted access
    rights to most of the machine and disk, i.e. they
    are generally restricted to access and control of
    their own data, etc.
  • However, there is usually some limited sharing
    between users on such systems

10
  • Also some users are more trusted than others and
    have greater access rights over the system
  • Typical infection routes into a system that
    appears highly secure start with an infection
    existing in the least secure part of the system
    and slowly moving up the trust and security
    hierarchy in stages

11
  • So for example someone logs onto a mainframe
    system using a guest login and leaves in the guest
    directory an interesting-looking executable. Some
    low-security-level user on the system runs that
    executable, infecting files in the guest login
    area and in their own area. A colleague of that
    user in turn uses some code supplied by that user
    (now infected), and so on; eventually someone with
    greater security privileges might run some code
    which they have been given from a source that
    they trust, and so more secure systems become
    compromised

12
  • So the system administrator, who would never
    consider running an executable from the guest
    login directory or from a low-security-level user,
    may end up allowing a virus total access to the
    system because the administrator runs code from
    sources that are deemed trustworthy, who in turn
    may have run code from sources which they deem
    trustworthy (but note that the administrator might
    not), etc.
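
The transitive-closure idea from slide 7 and the guest-to-administrator chain of slides 11 and 12, as an added Python model (this is illustrative code written for this transcript, not anything from the lecture). The sharing graph, the user names and the "modifiable" set are constructed: an edge a -> b means b runs code supplied by a, so information (including programs) can flow from a to b. Cohen's two conditions appear as the two inputs to `spread`: sharing edges, and the set of users whose files may be modified.

```python
from collections import deque

# Constructed sharing graph.  The admin never runs anything from guest
# directly, but each hop trusts the previous one, and trust is not
# transitive while information flow is.
SHARING = {
    "guest": {"lowuser"},
    "lowuser": {"colleague"},
    "colleague": {"devlead"},
    "devlead": {"admin"},
    "admin": set(),
}

def transitive_closure(graph, source):
    """All nodes reachable from source by one or more sharing steps."""
    reached, frontier = set(), deque([source])
    while frontier:
        node = frontier.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in reached:
                reached.add(nxt)
                frontier.append(nxt)
    return reached

def spread(graph, source, modifiable):
    """Cohen's two conditions applied together.

    A virus already running as `source` takes hold on a neighbour only if
    that neighbour's files can be modified, and spreads onward only from
    nodes it has taken hold on.  `modifiable` is the set of users whose
    files may be written; the result is the set of infected users."""
    infected, frontier = set(), deque([source])
    while frontier:
        node = frontier.popleft()
        for nxt in graph.get(node, ()):
            if nxt in modifiable and nxt not in infected:
                infected.add(nxt)
                frontier.append(nxt)
    return infected

def without_sharing(graph, frm, to):
    """Copy of graph with one sharing edge removed (partial isolation)."""
    g = {k: set(v) for k, v in graph.items()}
    g[frm].discard(to)
    return g

if __name__ == "__main__":
    everyone = set(SHARING)
    print("reachable from guest:", sorted(transitive_closure(SHARING, "guest")))
    print("devlead no longer shares with admin:",
          sorted(spread(without_sharing(SHARING, "devlead", "admin"), "guest", everyone)))
    print("no files modifiable anywhere:", sorted(spread(SHARING, "guest", set())))
```

Running the module shows the two extreme defences from slide 8 as the two degenerate inputs: an empty `modifiable` set (no modification) or a graph with the sharing edges removed (isolation) both leave the admin unreached, while the unmodified graph reaches the admin from the guest login even though there is no direct guest -> admin edge.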

13
Experiments
  • Cohen conducted some experiments on operating
    systems that had typical multi-user OS security
    systems in place.
  • The results were frightening
  • In one system the virus achieved root access
    privileges, i.e. was running as part of a program
    that ran as root, with a fastest time of only 5
    minutes, an average time of 30 minutes and a
    slowest time of 1 hour!

14
  • On a different system (one designed explicitly to
    be used in environments where security was
    essential) it took an average of 30 minutes, but
    the maximum was 48 hours
  • As is typical of the response of system security
    administrators to such experiments, Cohen was not
    allowed to conduct further experiments on any
    systems (because no one wanted the security holes
    to be exposed to view) - of course this left the
    security holes in place rather than finding them
    and doing something about them!

15
Bell-LaPadula
  • Remember the Bell-LaPadula security model for
    highly secure systems, which was explicitly
    designed to ensure information is kept secure.
    Effectively, information can only move up or
    sideways between security levels and never
    downwards. Well, the property of allowing
    information to move upwards in the security levels
    is all that is required to permit viruses to move
    up security levels until they execute as part of
    programs that have the highest security clearance
    on the system

16
  • All that is then needed is for the virus to be
    written to use an appropriate covert channel to
    signal information (and what is to stop it, since
    it is running with the highest clearance possible)
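
The point of slides 15 and 16, as an added Python check (written for this transcript, not part of the lecture): a minimal Bell-LaPadula decision function with levels only (no categories or compartments, which the real model has), and a walk up the lattice showing that its two mandatory rules never refuse a write that carries a virus one level higher. The level names are constructed.

```python
# Constructed four-level lattice, lowest first.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def blp_allows(subject_level, object_level, op):
    """Mandatory access decision for a subject acting on an object.

    simple security property: read only at or below the subject's level
    (no read up).  *-property: write only at or above the subject's level
    (no write down).  Infecting a program is a write to that program, so
    the *-property is the rule that matters for propagation."""
    if op == "read":
        return RANK[object_level] <= RANK[subject_level]
    if op == "write":
        return RANK[object_level] >= RANK[subject_level]
    raise ValueError(f"unknown operation {op!r}")

def upward_infection_steps(start_level):
    """The chain of one-level-up writes that BLP permits, starting from a
    program running at start_level.  Each (frm, to) pair models an infected
    program at level frm writing a copy of itself into a program at level
    to; the chain stops at the first write the model would refuse."""
    steps = []
    current = start_level
    for higher in LEVELS[RANK[start_level] + 1:]:
        if not blp_allows(current, higher, "write"):
            break
        steps.append((current, higher))
        current = higher
    return steps

def reaches_top(start_level):
    """True when the permitted chain of writes ends at the highest level."""
    if start_level == LEVELS[-1]:
        return True
    steps = upward_infection_steps(start_level)
    return bool(steps) and steps[-1][1] == LEVELS[-1]

if __name__ == "__main__":
    for step in upward_infection_steps("unclassified"):
        print("permitted write:", *step)
    print("reaches top_secret:", reaches_top("unclassified"))
    print("write down allowed:", blp_allows("top_secret", "unclassified", "write"))
```

The downward write is the only one the model refuses, which is exactly the direction a virus does not need; the model is doing what it was designed to do (protecting confidentiality), and integrity of the higher-level programs is simply outside its remit.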

17
Decidability of virus identification
  • Basic theoretical results
  • In general terms it is impossible to write a
    program that can guarantee to detect all computer
    viruses
  • Consider the following pseudo code:
      Program CV
        If not Check_Virus(CV) then
          infect-executable

18
  • Assume Check_Virus() is code that checks to
    verify whether its parameter file is a virus or
    not
  • Now if Check_Virus is asked to check the code for
    CV (which includes the code for Check_Virus as
    well), what we find is that if Check_Virus were to
    find that CV was not a virus then CV would infect an
    executable (and so would be a virus, because it
    would always infect the executable), whereas if
    Check_Virus were to find that CV was a virus, CV
    would simply terminate (and so would not be one)
  • Whatever Check_Virus concludes, it is always wrong
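
The CV pseudo code from slide 17 and the argument above, as an added Python illustration (constructed for this transcript, not the lecture's code). A "program" here is a Python callable, `Check_Virus` is any callable the caller supplies, and "infect-executable" only increments a counter, so the contradiction can be observed without touching anything on disk. The three detectors at the end are constructed stand-ins; the construction `make_cv` works for whatever detector is passed in, which is the substance of the argument.

```python
def make_cv(check_virus):
    """Build the contradictory program CV for a given detector.

    CV asks check_virus about its own code and then does the opposite of
    whatever the detector predicts, exactly as in the slide's pseudo code."""
    state = {"infections": 0}

    def cv():
        if not check_virus(cv):          # If not Check_Virus(CV) then
            state["infections"] += 1     #     infect-executable
        return state["infections"]

    cv.state = state
    return cv

def detector_is_wrong_on_cv(check_virus):
    """True when check_virus misclassifies the CV built around it."""
    cv = make_cv(check_virus)
    verdict = check_virus(cv)            # what the detector claims about CV
    cv()                                 # run CV once and watch what it does
    actually_infects = cv.state["infections"] > 0
    return verdict != actually_infects

# Constructed detectors: two constant answers and a "signature scanner"
# that looks for the string constant used by the infect branch.
def says_always_virus(program):
    return True

def says_never_virus(program):
    return False

def signature_scanner(program):
    return "infections" in program.__code__.co_consts

if __name__ == "__main__":
    for detector in (says_always_virus, says_never_virus, signature_scanner):
        print(detector.__name__, "wrong on its CV:", detector_is_wrong_on_cv(detector))
```

The signature scanner is the interesting case: it really does recognise the infect branch, says "virus", and is wrong precisely because CV believes it and stays quiet. Real scanners sidestep the diagonal argument by not promising to be correct on every program, which is why the slide's claim is about a guarantee, not about the usefulness of detection in practice.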

19
  • A similar related result is that if you have some
    form of mutating or evolving virus, it is
    impossible for a program in general to determine
    whether a mutated version of a virus is actually
    still a virus (after the mutation)

20
Adleman's formulation of a virus
  • the unit of analysis is not the virus itself but
    the infected program
  • for every program there is an infected form of
    that program, i.e. a virus formally defines a
    mapping from programs to infected forms of
    those programs
  • the infected programs have 3 behaviours:
  • injure: ignore the original task and carry out
    some other function
  • infect: infect some target programs
  • imitate: carry out the original task

21
  • Adleman identified a number of principal types of
    virus, although we tend to characterise them
    with different names these days
  • a virus could be characterised as contagious
    (within a given environment: H/W and O/S
    platform, etc.) if it infected other programs
  • a virus could be characterised as pathogenic if
    it carried out injury
  • there were therefore 4 principal types of virus

22
  • 1. if with respect to some virus an infected
    program is benignant then the infected program
    is not contagious and not pathogenic - it
    computes the same function as its uninfected
    predecessor
  • 2. if with respect to some virus an infected
    program is a Trojan horse then the infected program
    is not contagious but is pathogenic - it does
    not infect other programs but can only imitate
    and injure

23
  • 3. if with respect to some virus an infected
    program is a carrier then the infected program is
    contagious but not pathogenic - it does infect
    other programs or imitate but does not cause
    injury
  • 4. if with respect to some virus an infected
    program is virulent then the infected program is
    contagious and pathogenic - it infects other
    programs and causes injury