|
zanotowane.pldoc.pisz.plpdf.pisz.plefriends.pev.pl
| « M E N U » |
»
|
| » KtoĹ, kto mĂłwi, Ĺźe nie zna siÄ na sztuce, Ĺşle zna samego siebie. | | » Aldiss Brian W. - Na zewnÄ
trz, KSIÄĹťKI, E-book, Aldiss Brian | | » Aldiss Brian Wilson - Opowiadania I, e-book, Aldiss Brian | | » Aldiss Brian Wilson - Kryptozoik, e-book, Aldiss Brian | | » Aldiss Brian W. - Nieobliczalna gwiazda, KSIÄĹťKI, E-book, Aldiss Brian | | » Alex Joe - Cicha jak ostatnie tchnienie, e-book, Alex Joe | | » Alistair MacLean - Ĺamacz kodĂłw, KSIÄĹťKI, E-book, Alistair MacLean | | » Alistair MacLean - Rzeka Ĺmierci, KSIÄĹťKI, E-book, Alistair MacLean | | » Aldiss Brian W. - Kamyczki Poety Tu Fu, KSIÄĹťKI, E-book, Aldiss Brian | | » Alistair MacLean - Air Force One zaginÄ
Ĺ, KSIÄĹťKI, E-book, Alistair MacLean | | » Al-RâzĂŽ's Book of Secrets - The Practical Laboratory in the Medieval Islamic World by Gail Marlow Taylor (2008), Alchemia i spagiryka |
|
|
|
[ Pobierz caĹoĹÄ w formacie PDF ]
AlgebraicSpeciďŹcationofComputerViruses
andTheirEnvironments
MattWebster
?
M.P.Webster@csc.liv.ac.uk
DepartmentofComputerScience,UniversityofLiverpool,Liverpool,L697ZF,UK
Abstract.ThispaperintroducesanapproachtoformalspeciďŹcationof
computervirusesandtheirenvironmentsthroughthedevelopmentofal-
gebraicspeciďŹcationsusingGurevichâsAbstractStateMachines(ASMs)
andGoguenâsOBJ.DistributedASMsareusedtodevelopamodelof
anabstractcomputervirus,whichthroughaprocessofreďŹnementis
convertedintomodelsofdierentvirustypes.FurtherreďŹnementhas
resultedinanexecutablespeciďŹcation,writtenintheAbstractState
MachineLanguage,AsmL.Themodelsstrengthenthethesisthatany
algorithmcanbemodelledatanaturalabstractionlevelusinganAb-
stractStateMachine.TheASMmodelscombinedwiththeAsmLex-
ecutablespeciďŹcationprovideacomplementarytheoreticalandexperi-
mentalframeworkforproofsandexperimentsoncomputervirusesand
theirenvironments,aswellasausefulmeansofclassiďŹcationofdierent
computervirusestypes.Nextwelookatadierentapproachtocomputer
virusanalysisusingOBJ,whichisusedtospecifycomputerviruseswrit-
teninanadhocprogramminglanguage,SPL.TheOBJspeciďŹcationis
showntobeusefulforthedetectionofavirustypethatisparticularly
diculttodetectâthemetamorphiccomputervirus(MCV).Finally,the
usefulnessofthetwospeciďŹcationsforreasoningaboutcomputerviruses
isdiscussedandinthisregardthetwoformalismsarecompared.
1Introduction
Computervirusesare(oftenharmful)computerprogramsthatreplicateau-
tonomouslythroughcomputerďŹlesystems.Theyaretypicallydesignedtorepli-
catewithouttheusersâconsent,andareabletodamagedataorsoftwareon
infectedmachines.Ingeneral,computervirusesreplicateusingthelegitimate
infrastructureofanoperatingsystem(e.g.diskinput/outputroutines),and
consequentlythespreadofcomputervirusesisdiculttopreventabsolutely
withoutrestrictingtheoperatingsystem(OS)insomeway.
Academicstudyofcomputervirusesbeganin1987,whenCohendeďŹnedan
abstractcomputervirusandgaveaproofoftheundecidabilityofcomputervirus
detection,provingthattherewouldbenodetection-basedpanaceaforthecom-
putervirusproblem[1].Preventingcomputervirusesthroughtheuseofseverely
?
WiththankstomysupervisorsGrantMalcolmandAlexeiLisitsa,forshowingme
thepowerandbeautyofalgebraicspeciďŹcation.
100
restrictedoperatingsystemsispossible,sincethecomputerviruscanonlywork
bymodifyingstoredprogramsinmemorysothattheycontainacopyofthe
virus.However,thecomputerarchitecturethatallowsprogramcreationand
modiďŹcationisatthecoreoftheďŹexibilityandeciencyofmoderncomputers;
forexample,nocompilercouldrunwithoutthecreationandmodiďŹcationof
storedprograms.Thus,ďŹndingacureforcomputervirusesbyrestrictingtheir
environmentsisimpractical,andreliabledetectionisimpossible.Thereforethe
ďŹghttostopillicitcomputervirusesbecomesaquestionofoptimization,i.e.,
âHowcanwebestprotectourselvesagainstcomputerviruses?âInaddition,
tractabilityisaprimaryconcernduetothetrade-obetweeneciencyand
thoroughnessofanti-virus(AV)scanners.Withthisandthesustainedprolifera-
tionofcomputervirusesinmind,generaltheoriesofcomputervirusesandtheir
environmentswouldbeuseful.FormalspeciďŹcationofthebehaviourofdierent
virustypescanprovideinsighttodevelopersofanti-virussoftwarebyhighlight-
ingthecommonalitybetweendierentcomputerviruses,e.g.byencouragingthe
reuseofdetectionanddisinfectionmethods.KnowledgeofwhichspeciďŹcdetails
oftheimplementationofcomputersystemsaordsurvivalforvirusescanbede-
rivedfromformalmodels,andcanbeusedtorestrictcomputervirusbehaviour
throughthedevelopmentofsystemsthatareinherently(andprovably)more
secure.
Inthispaper,twoseparateapproachestocomputervirusformalisationare
presented.In§2AbstractStateMachines[2]areusedtobuildaformalmodel
ofanabstractcomputervirus,whichisreďŹnedtoseveralmorespeciďŹcvirus
types.AnexecutablespeciďŹcationinAsmL(basedontheASMmodels)isgiven,
formingwiththeASMmodelsacomplementarytheoreticalandexperimental
test-bedforformalproofsoncomputervirusesandtheirenvironments,aswell
asaformalmeansofcomputerviruscategorisation.OBJ[3]isusedin§3to
buildaformalframeworkforcomputervirologybasedonorder-sortedequational
rewriting.Anadhocsimpleprogramminglanguage(SPL)isusedtoimplement
computervirusesandexecutableďŹles,andaformallanguagerepresentationof
anoperatingsystemiscreated.In§3.3apromisingnewmeansofdetecting
metamorphiccomputervirusesbasedontheOBJspeciďŹcationisdemonstrated.
In§4itisshownhowtheseformalalgebraicspeciďŹcationsarereadilyapplicable
tocomputervirusdetectiontechnologythroughtheapplicationofthedevelop-
mentsmadeinMCVdetectionandcomputervirusclassiďŹcation.
1.1MetamorphicComputerViruses
Theundecidabilityofcomputervirusdetectionisoneoftheoldestresultsin
theďŹeldofcomputervirology,butanti-virusscannershavetraditionallycom-
pensatedforthisbyexploitingaweaknesscommontomanyna¨Ĺvecomputer
viruses:constantsyntax.Thestringofbinarydigitscorrespondingtoaparticu-
larcomputervirususuallyremainsunchangedfromonegenerationtothenext,
asdoestheplacementofthecomputerviruswithintheinfectedexecutableďŹle,
e.g.oneparticularvirusmightbeplacedatthestartofanyexecutableitinfects.
AVscannerswouldsearchexecutableďŹlesforvirusâsignaturesââstringsofbits
101
thatcorrespondtoaparticularvirusâattheusualsitesofinfectionwithinexe-
cutablesďŹles.Thepresenceofasignaturewouldsignalthattheexecutablewas
infected,andthatfurtherstepsneededtobetakentodisinfecttheďŹle.
Inordertoavoiddetection,thewritersofcomputervirusesbegantodevelop
waysofobfuscatingthesuspectviruscode.Oneattemptatthis,thepolymor-
phiccomputervirus,whichchangesitssyntactic(binarydigit)representation
usingencryption,failstoremainhiddenfromAVscannersonceitsmeansof
decryptionhasbeendiscovered.Oncedecrypted,allgenerationsofpolymorphic
computerviruseslookalike,andthesignature-basedapproachtodetectioncan
beused.Amorepowerfulmeansofdetectionavoidanceisemployedbythemeta-
morphiccomputervirus.Eachsuccessivegenerationofametamorphiccomputer
virusmodiďŹesthesyntax,butleavesthesemanticsunchanged.Inthiswaythe
behaviourofeachsuccessivegenerationisthesame,butthevirusappearsto
bedierent.Thus,itbecomesmuchmoredicultforanAVscannertodetect
ametamorphiccomputervirususingasignature-basedapproach,anditisnot
possibletokeeparecordofallpossiblegenerationsbecausethereareanun-
limitednumber
1
.Inthiswaythemetamorphiccomputercansuccessfullyavoid
detection[4].
ThisproblemisnotconďŹnedtoaparticularprogramminglanguage.Within
anyTuring-completeprogramminglanguagethereissomeredundancy,thatis,
themappingfromsyntaxtosemanticsismany-to-one
2
.Thisredundancyal-
lowsthemetamorphiccomputervirustoavoiddetection(bysignature-based
methods)throughautomatedsyntacticvariantgenerationatrun-time.
1.2RelatedWork
Agoodintroductiontotheoreticalcomputervirologyandtheformalisationof
computervirusescanbefoundinearlyworkbyCohen[1,5]andAdleman[6].
FurthertoCohenâsworkontheundecidabilityofcomputervirusdetection,
Spinellishasrecentlydemonstrated[7]thatreliableidentiďŹcationofaknown
virusisnp-complete,andThimblebyetal[8]havedevelopedaformalismto
describetrojansandcomputervirusinfection.Additionally,Lakhotia&Mo-
hammed[9]havestudiedanapproachbasedonimposingorderonhigh-level
languagestatementsinordertoreducethenumberofsyntacticvariantsand
thereforeaidMCVdetection.
1
Programsizeis(theoretically)unlimited,soaninďŹnitenumberofvariantsonasingle
metamorphiccomputervirusispossiblethroughtheintroductionofâjunkcodeâ
thatdoesnotalterthestateofthemachine,butneverthelesshasasyntactical
representation.Agoodexamplewouldbethe
NOP
instructionin68000assembly
language,whichdoesnotalterthestateatalluponitsexecution.
2
SupposethatthereisaTuring-completeprogramminglanguageforwhichthereisa
one-to-onemappingfromsyntaxtosemantics.Ifsuchalanguageexisted,itwouldbe
possibletoprovetheequivalenceofanytwoprograms
p
1
and
p
2
bytranslationinto
thislanguage.Sinceprogramequivalenceisanundecidableproblem,therecanbeno
suchlanguage.(Thisproofassumesthatifsuchalanguageexistedthentranslation
intothelanguagewouldbepossible.)
102
2TheASMApproach
AbstractStateMachines(formerlyknownasEvolvingAlgebras)areaformal
approachtoalgebraicspeciďŹcationofsoftwaresystems,whereeachstepofan
algorithmistreatedasaboundednumberofchangestoanalgebra,andthe
wholealgorithmcanbedescribedusingaďŹnitenumberofsimpletransition
rules.TheASMthesisstatesthatanyalgorithmcanbemodelledatanatural
abstractionlevelusinganASM[2].
Algebraically,anAbstractStateMachineisdeďŹnedasfollows.LetAbean
AbstractStateMachine.Thevocabulary(orsignature)ofAisaďŹnitesetof
functions,eachofaďŹxedarity.TheuniversesofAarethesetsonwhichthe
functionsofAact,e.g.anASMthataddstwointegerswillrequirethesetofall
integersasoneofitsuniverses.ThestateofAconsistsofanon-emptysetX(the
superuniverseofA),togetherwithinterpretationsofeveryfunctionnameinthe
signature.ThesuperuniverseofAdoesnotchange,buttheinterpretationsofthe
functionnamesmay.Thesuperuniversecontainsdistinctelementstrue,false,
undefthatletushaveBooleantests,andpartialfunctions(e.g.f(a)=undef).
WhilstthestructureaboveisusedtodeďŹnethefunctionsusedandthesort
setsofanASMspeciďŹcation,theyaregluedtogethertoformacompletespeci-
ďŹcationusingrules[2].Theupdaterule(variableupdates),theconditionalrule
(conditionalstatementexecution)andtheblockrule(parallelstatementexecu-
tion)areproventobesucienttospecifyallsequentialalgorithms[10].
2.1DistributedASMs
DistributedASMs(DASMs)areanextensiontotheASMformalismforspeciďŹ-
cationofmulti-agentcomputations[2].InthispaperDASMsareusedtomodel
thebehaviourofthecomputervirusâenvironmentâtheoperatingsystem.A
setModulesrepresentstheprogramsstoredintheďŹlestorereadytoberun.A
setAgentsrepresentsprocessesinmemory,whichrunaparticularmodule(pro-
gram).Agentsruninparallelwithoneanother.Theuserismodelledusinga
(non-deterministic)externalfunctionthatrunsprogramsrandomlybyassigning
modulestonewagents.Thiscouldbeimplementedeitherbyactualuserinput,
ormorelikely,byafunctionthatnon-deterministicallyselectsexecutableďŹles
toberun.WhenaparticularagenthasreachedďŹxpoint,thatis,whenithas
ceasedtoupdatethestore,itisconsideredtohaveďŹnisheditsexecutionrun
andterminated.TheoperatingsystemissimplythedistributedASMitself.The
agentsrunmodules,andrunconcurrentlywithoneanother.
2.2AnAbstractComputerVirus
AnASMfortheabstractcomputervirus,whichisdesignedtoencompassthe
entireclassofcomputerviruses,isasfollows.
Superuniverse,S
AV
=Agents[Modules[Rules[Boolean[{undef},where
AgentsisthesetofagentsthatarerunbythedistributedASM;Modulesisthe
setofmodules;andRulesisthesetofwell-formedrulesforASMs.
103
Vocabulary,
AV
ThefunctionsinthevocabularyaredeďŹnedasfollows.
âInfected:Modules!Boolean.Returnstrueiamodulehasbeeninfected
withtheviralrule.Returnsfalseotherwise.
âInfect:ModulesĂRules!P(Modules).Infectionbyacomputervirusis
amodiďŹcationtothesetModulesinthespeciďŹcation,sothatthesetof
ASMrulescorrespondingtothevirusm
v
isexecutedby(atleast)onemore
modulethanwaspreviouslythecase.m
v
isreturnedbyThisProgram,and
addedtosomem2ModulesbyInfect.
âThisProgram:!Rules.Returnstheviralrule.Thismodelsaâreal-lifeâ
functionthatcananalytically(orotherwise)generatetheviralcodeinthe
module,andreturnit.Apossibleimplementationofthiswouldbetodelimit
theviralcodewithinaninfectedprogramusingsomesequenceofbits(e.g.
fromanassemblylanguageperspective,anumberof
NOP
sstrungtogether),
whichtheviruscanlaterusetoderiveitsowncodewhenitcomestocopying
itforinfection.
âState:!{Done}[{undef}.Usedtoenforcesequentiality;initialvalueis
undef.
RulesThesetofrulescorrespondingtotheabstractvirusisasfollows.The
ASMblockrulespeciďŹesthatanygivenblockofstatementswillexecutein
parallel,thereforeanylistofruleswillexecuteinparallelunlesssequentiality
isenforcedusingguards.Sincethefollowingruleshouldexecuteonlyonceper
executionofthemoduleinwhichitresides,weensurethisthroughtheuseof
thenullaryfunctionState,whichissettoDoneonceasingleinfectionhastaken
place.
AbstractVirus=ifnot(State=Done)then
chooseminModulessatisfyingnot(Infected(m))
Modules:=Infect(m,ThisProgram)
Infected(m):=true
State:=Done
endchoose
endif
TheviralruleabovecopiesitselftoothermodulesinthedistributedASM.
WhenthemodiďŹed(infected)modulesarerun,theviralmoduleďŹndsevenmore
modulestoinfect.
SpeciďŹcationofcomputervirusesisanewapplicationofASMs,andassuch
hasstrengthenedtheASMthesisthatanyalgorithmcanbemodelledatanatural
levelofabstractionbyanAbstractStateMachine[2].
ThroughaprocessofreďŹnementitisstraightforwardtospecifymorespeciďŹc
virustypesbasedon,andconformingto,thedescriptionoftheabstractvirus.
[ Pobierz caĹoĹÄ w formacie PDF ]
zanotowane.pldoc.pisz.plpdf.pisz.plhot-wife.htw.pl
|
|
| Cytat |
Dobry przykĹad - poĹowa kazania. Adalberg
I ty, Brutusie, przeciwko mnie?! (Et tu, Brute, contra me?! ) Cezar (Caius Iulius Caesar, ok. 101 - 44 p. n. e)
Do polowania na pchĹy i mÄĹźa nie trzeba mieÄ karty myĹliwskiej. Zygmunt Fijas
W ciepĹym klimacie najĹatwiej wyrastajÄ
zimni dranie.
Gdybym tylko wiedziaĹ, powinienem byĹ zostaÄ zegarmistrzem. - Albert Einstein (1879-1955) komentujÄ
c swojÄ
rolÄ w skonstruowaniu bomby atomowej
|
|
