zanotowane.pldoc.pisz.plpdf.pisz.plefriends.pev.pl
« M E N U » |
»
|
» KtoĹ, kto mĂłwi, Ĺźe nie zna siÄ na sztuce, Ĺşle zna samego siebie. | » Aldiss Brian W. - Na zewnÄ
trz, KSIÄĹťKI, E-book, Aldiss Brian | » Aldiss Brian Wilson - Opowiadania I, e-book, Aldiss Brian | » Aldiss Brian Wilson - Kryptozoik, e-book, Aldiss Brian | » Aldiss Brian W. - Nieobliczalna gwiazda, KSIÄĹťKI, E-book, Aldiss Brian | » Alex Joe - Cicha jak ostatnie tchnienie, e-book, Alex Joe | » Alistair MacLean - Ĺamacz kodĂłw, KSIÄĹťKI, E-book, Alistair MacLean | » Alistair MacLean - Rzeka Ĺmierci, KSIÄĹťKI, E-book, Alistair MacLean | » Aldiss Brian W. - Kamyczki Poety Tu Fu, KSIÄĹťKI, E-book, Aldiss Brian | » Alistair MacLean - Air Force One zaginÄ
Ĺ, KSIÄĹťKI, E-book, Alistair MacLean | » Al-RâzĂŽ's Book of Secrets - The Practical Laboratory in the Medieval Islamic World by Gail Marlow Taylor (2008), Alchemia i spagiryka |
|
|
[ Pobierz caĹoĹÄ w formacie PDF ] AlgebraicSpeciďŹcationofComputerViruses andTheirEnvironments MattWebster ? M.P.Webster@csc.liv.ac.uk DepartmentofComputerScience,UniversityofLiverpool,Liverpool,L697ZF,UK Abstract.ThispaperintroducesanapproachtoformalspeciďŹcationof computervirusesandtheirenvironmentsthroughthedevelopmentofal- gebraicspeciďŹcationsusingGurevichâsAbstractStateMachines(ASMs) andGoguenâsOBJ.DistributedASMsareusedtodevelopamodelof anabstractcomputervirus,whichthroughaprocessofreďŹnementis convertedintomodelsofdierentvirustypes.FurtherreďŹnementhas resultedinanexecutablespeciďŹcation,writtenintheAbstractState MachineLanguage,AsmL.Themodelsstrengthenthethesisthatany algorithmcanbemodelledatanaturalabstractionlevelusinganAb- stractStateMachine.TheASMmodelscombinedwiththeAsmLex- ecutablespeciďŹcationprovideacomplementarytheoreticalandexperi- mentalframeworkforproofsandexperimentsoncomputervirusesand theirenvironments,aswellasausefulmeansofclassiďŹcationofdierent computervirusestypes.Nextwelookatadierentapproachtocomputer virusanalysisusingOBJ,whichisusedtospecifycomputerviruseswrit- teninanadhocprogramminglanguage,SPL.TheOBJspeciďŹcationis showntobeusefulforthedetectionofavirustypethatisparticularly diculttodetectâthemetamorphiccomputervirus(MCV).Finally,the usefulnessofthetwospeciďŹcationsforreasoningaboutcomputerviruses isdiscussedandinthisregardthetwoformalismsarecompared. 1Introduction Computervirusesare(oftenharmful)computerprogramsthatreplicateau- tonomouslythroughcomputerďŹlesystems.Theyaretypicallydesignedtorepli- catewithouttheusersâconsent,andareabletodamagedataorsoftwareon infectedmachines.Ingeneral,computervirusesreplicateusingthelegitimate infrastructureofanoperatingsystem(e.g.diskinput/outputroutines),and consequentlythespreadofcomputervirusesisdiculttopreventabsolutely withoutrestrictingtheoperatingsystem(OS)insomeway. Academicstudyofcomputervirusesbeganin1987,whenCohendeďŹnedan abstractcomputervirusandgaveaproofoftheundecidabilityofcomputervirus detection,provingthattherewouldbenodetection-basedpanaceaforthecom- putervirusproblem[1].Preventingcomputervirusesthroughtheuseofseverely ? WiththankstomysupervisorsGrantMalcolmandAlexeiLisitsa,forshowingme thepowerandbeautyofalgebraicspeciďŹcation. 100 restrictedoperatingsystemsispossible,sincethecomputerviruscanonlywork bymodifyingstoredprogramsinmemorysothattheycontainacopyofthe virus.However,thecomputerarchitecturethatallowsprogramcreationand modiďŹcationisatthecoreoftheďŹexibilityandeciencyofmoderncomputers; forexample,nocompilercouldrunwithoutthecreationandmodiďŹcationof storedprograms.Thus,ďŹndingacureforcomputervirusesbyrestrictingtheir environmentsisimpractical,andreliabledetectionisimpossible.Thereforethe ďŹghttostopillicitcomputervirusesbecomesaquestionofoptimization,i.e., âHowcanwebestprotectourselvesagainstcomputerviruses?âInaddition, tractabilityisaprimaryconcernduetothetrade-obetweeneciencyand thoroughnessofanti-virus(AV)scanners.Withthisandthesustainedprolifera- tionofcomputervirusesinmind,generaltheoriesofcomputervirusesandtheir environmentswouldbeuseful.FormalspeciďŹcationofthebehaviourofdierent virustypescanprovideinsighttodevelopersofanti-virussoftwarebyhighlight- ingthecommonalitybetweendierentcomputerviruses,e.g.byencouragingthe reuseofdetectionanddisinfectionmethods.KnowledgeofwhichspeciďŹcdetails oftheimplementationofcomputersystemsaordsurvivalforvirusescanbede- rivedfromformalmodels,andcanbeusedtorestrictcomputervirusbehaviour throughthedevelopmentofsystemsthatareinherently(andprovably)more secure. Inthispaper,twoseparateapproachestocomputervirusformalisationare presented.In§2AbstractStateMachines[2]areusedtobuildaformalmodel ofanabstractcomputervirus,whichisreďŹnedtoseveralmorespeciďŹcvirus types.AnexecutablespeciďŹcationinAsmL(basedontheASMmodels)isgiven, formingwiththeASMmodelsacomplementarytheoreticalandexperimental test-bedforformalproofsoncomputervirusesandtheirenvironments,aswell asaformalmeansofcomputerviruscategorisation.OBJ[3]isusedin§3to buildaformalframeworkforcomputervirologybasedonorder-sortedequational rewriting.Anadhocsimpleprogramminglanguage(SPL)isusedtoimplement computervirusesandexecutableďŹles,andaformallanguagerepresentationof anoperatingsystemiscreated.In§3.3apromisingnewmeansofdetecting metamorphiccomputervirusesbasedontheOBJspeciďŹcationisdemonstrated. In§4itisshownhowtheseformalalgebraicspeciďŹcationsarereadilyapplicable tocomputervirusdetectiontechnologythroughtheapplicationofthedevelop- mentsmadeinMCVdetectionandcomputervirusclassiďŹcation. 1.1MetamorphicComputerViruses Theundecidabilityofcomputervirusdetectionisoneoftheoldestresultsin theďŹeldofcomputervirology,butanti-virusscannershavetraditionallycom- pensatedforthisbyexploitingaweaknesscommontomanyna¨Ĺvecomputer viruses:constantsyntax.Thestringofbinarydigitscorrespondingtoaparticu- larcomputervirususuallyremainsunchangedfromonegenerationtothenext, asdoestheplacementofthecomputerviruswithintheinfectedexecutableďŹle, e.g.oneparticularvirusmightbeplacedatthestartofanyexecutableitinfects. AVscannerswouldsearchexecutableďŹlesforvirusâsignaturesââstringsofbits 101 thatcorrespondtoaparticularvirusâattheusualsitesofinfectionwithinexe- cutablesďŹles.Thepresenceofasignaturewouldsignalthattheexecutablewas infected,andthatfurtherstepsneededtobetakentodisinfecttheďŹle. Inordertoavoiddetection,thewritersofcomputervirusesbegantodevelop waysofobfuscatingthesuspectviruscode.Oneattemptatthis,thepolymor- phiccomputervirus,whichchangesitssyntactic(binarydigit)representation usingencryption,failstoremainhiddenfromAVscannersonceitsmeansof decryptionhasbeendiscovered.Oncedecrypted,allgenerationsofpolymorphic computerviruseslookalike,andthesignature-basedapproachtodetectioncan beused.Amorepowerfulmeansofdetectionavoidanceisemployedbythemeta- morphiccomputervirus.Eachsuccessivegenerationofametamorphiccomputer virusmodiďŹesthesyntax,butleavesthesemanticsunchanged.Inthiswaythe behaviourofeachsuccessivegenerationisthesame,butthevirusappearsto bedierent.Thus,itbecomesmuchmoredicultforanAVscannertodetect ametamorphiccomputervirususingasignature-basedapproach,anditisnot possibletokeeparecordofallpossiblegenerationsbecausethereareanun- limitednumber 1 .Inthiswaythemetamorphiccomputercansuccessfullyavoid detection[4]. ThisproblemisnotconďŹnedtoaparticularprogramminglanguage.Within anyTuring-completeprogramminglanguagethereissomeredundancy,thatis, themappingfromsyntaxtosemanticsismany-to-one 2 .Thisredundancyal- lowsthemetamorphiccomputervirustoavoiddetection(bysignature-based methods)throughautomatedsyntacticvariantgenerationatrun-time. 1.2RelatedWork Agoodintroductiontotheoreticalcomputervirologyandtheformalisationof computervirusescanbefoundinearlyworkbyCohen[1,5]andAdleman[6]. FurthertoCohenâsworkontheundecidabilityofcomputervirusdetection, Spinellishasrecentlydemonstrated[7]thatreliableidentiďŹcationofaknown virusisnp-complete,andThimblebyetal[8]havedevelopedaformalismto describetrojansandcomputervirusinfection.Additionally,Lakhotia&Mo- hammed[9]havestudiedanapproachbasedonimposingorderonhigh-level languagestatementsinordertoreducethenumberofsyntacticvariantsand thereforeaidMCVdetection. 1 Programsizeis(theoretically)unlimited,soaninďŹnitenumberofvariantsonasingle metamorphiccomputervirusispossiblethroughtheintroductionofâjunkcodeâ thatdoesnotalterthestateofthemachine,butneverthelesshasasyntactical representation.Agoodexamplewouldbethe NOP instructionin68000assembly language,whichdoesnotalterthestateatalluponitsexecution. 2 SupposethatthereisaTuring-completeprogramminglanguageforwhichthereisa one-to-onemappingfromsyntaxtosemantics.Ifsuchalanguageexisted,itwouldbe possibletoprovetheequivalenceofanytwoprograms p 1 and p 2 bytranslationinto thislanguage.Sinceprogramequivalenceisanundecidableproblem,therecanbeno suchlanguage.(Thisproofassumesthatifsuchalanguageexistedthentranslation intothelanguagewouldbepossible.) 102 2TheASMApproach AbstractStateMachines(formerlyknownasEvolvingAlgebras)areaformal approachtoalgebraicspeciďŹcationofsoftwaresystems,whereeachstepofan algorithmistreatedasaboundednumberofchangestoanalgebra,andthe wholealgorithmcanbedescribedusingaďŹnitenumberofsimpletransition rules.TheASMthesisstatesthatanyalgorithmcanbemodelledatanatural abstractionlevelusinganASM[2]. Algebraically,anAbstractStateMachineisdeďŹnedasfollows.LetAbean AbstractStateMachine.Thevocabulary(orsignature)ofAisaďŹnitesetof functions,eachofaďŹxedarity.TheuniversesofAarethesetsonwhichthe functionsofAact,e.g.anASMthataddstwointegerswillrequirethesetofall integersasoneofitsuniverses.ThestateofAconsistsofanon-emptysetX(the superuniverseofA),togetherwithinterpretationsofeveryfunctionnameinthe signature.ThesuperuniverseofAdoesnotchange,buttheinterpretationsofthe functionnamesmay.Thesuperuniversecontainsdistinctelementstrue,false, undefthatletushaveBooleantests,andpartialfunctions(e.g.f(a)=undef). WhilstthestructureaboveisusedtodeďŹnethefunctionsusedandthesort setsofanASMspeciďŹcation,theyaregluedtogethertoformacompletespeci- ďŹcationusingrules[2].Theupdaterule(variableupdates),theconditionalrule (conditionalstatementexecution)andtheblockrule(parallelstatementexecu- tion)areproventobesucienttospecifyallsequentialalgorithms[10]. 2.1DistributedASMs DistributedASMs(DASMs)areanextensiontotheASMformalismforspeciďŹ- cationofmulti-agentcomputations[2].InthispaperDASMsareusedtomodel thebehaviourofthecomputervirusâenvironmentâtheoperatingsystem.A setModulesrepresentstheprogramsstoredintheďŹlestorereadytoberun.A setAgentsrepresentsprocessesinmemory,whichrunaparticularmodule(pro- gram).Agentsruninparallelwithoneanother.Theuserismodelledusinga (non-deterministic)externalfunctionthatrunsprogramsrandomlybyassigning modulestonewagents.Thiscouldbeimplementedeitherbyactualuserinput, ormorelikely,byafunctionthatnon-deterministicallyselectsexecutableďŹles toberun.WhenaparticularagenthasreachedďŹxpoint,thatis,whenithas ceasedtoupdatethestore,itisconsideredtohaveďŹnisheditsexecutionrun andterminated.TheoperatingsystemissimplythedistributedASMitself.The agentsrunmodules,andrunconcurrentlywithoneanother. 2.2AnAbstractComputerVirus AnASMfortheabstractcomputervirus,whichisdesignedtoencompassthe entireclassofcomputerviruses,isasfollows. Superuniverse,S AV =Agents[Modules[Rules[Boolean[{undef},where AgentsisthesetofagentsthatarerunbythedistributedASM;Modulesisthe setofmodules;andRulesisthesetofwell-formedrulesforASMs. 103 Vocabulary, AV ThefunctionsinthevocabularyaredeďŹnedasfollows. âInfected:Modules!Boolean.Returnstrueiamodulehasbeeninfected withtheviralrule.Returnsfalseotherwise. âInfect:ModulesĂRules!P(Modules).Infectionbyacomputervirusis amodiďŹcationtothesetModulesinthespeciďŹcation,sothatthesetof ASMrulescorrespondingtothevirusm v isexecutedby(atleast)onemore modulethanwaspreviouslythecase.m v isreturnedbyThisProgram,and addedtosomem2ModulesbyInfect. âThisProgram:!Rules.Returnstheviralrule.Thismodelsaâreal-lifeâ functionthatcananalytically(orotherwise)generatetheviralcodeinthe module,andreturnit.Apossibleimplementationofthiswouldbetodelimit theviralcodewithinaninfectedprogramusingsomesequenceofbits(e.g. fromanassemblylanguageperspective,anumberof NOP sstrungtogether), whichtheviruscanlaterusetoderiveitsowncodewhenitcomestocopying itforinfection. âState:!{Done}[{undef}.Usedtoenforcesequentiality;initialvalueis undef. RulesThesetofrulescorrespondingtotheabstractvirusisasfollows.The ASMblockrulespeciďŹesthatanygivenblockofstatementswillexecutein parallel,thereforeanylistofruleswillexecuteinparallelunlesssequentiality isenforcedusingguards.Sincethefollowingruleshouldexecuteonlyonceper executionofthemoduleinwhichitresides,weensurethisthroughtheuseof thenullaryfunctionState,whichissettoDoneonceasingleinfectionhastaken place. AbstractVirus=ifnot(State=Done)then chooseminModulessatisfyingnot(Infected(m)) Modules:=Infect(m,ThisProgram) Infected(m):=true State:=Done endchoose endif TheviralruleabovecopiesitselftoothermodulesinthedistributedASM. WhenthemodiďŹed(infected)modulesarerun,theviralmoduleďŹndsevenmore modulestoinfect. SpeciďŹcationofcomputervirusesisanewapplicationofASMs,andassuch hasstrengthenedtheASMthesisthatanyalgorithmcanbemodelledatanatural levelofabstractionbyanAbstractStateMachine[2]. ThroughaprocessofreďŹnementitisstraightforwardtospecifymorespeciďŹc virustypesbasedon,andconformingto,thedescriptionoftheabstractvirus.
[ Pobierz caĹoĹÄ w formacie PDF ] zanotowane.pldoc.pisz.plpdf.pisz.plhot-wife.htw.pl
|
|
Cytat |
Dobry przykĹad - poĹowa kazania. Adalberg I ty, Brutusie, przeciwko mnie?! (Et tu, Brute, contra me?! ) Cezar (Caius Iulius Caesar, ok. 101 - 44 p. n. e) Do polowania na pchĹy i mÄĹźa nie trzeba mieÄ karty myĹliwskiej. Zygmunt Fijas W ciepĹym klimacie najĹatwiej wyrastajÄ
zimni dranie. Gdybym tylko wiedziaĹ, powinienem byĹ zostaÄ zegarmistrzem. - Albert Einstein (1879-1955) komentujÄ
c swojÄ
rolÄ w skonstruowaniu bomby atomowej
|
|