Computer Viruses -Theory and Experiments Dr. Frederick B. Cohen DOD/NBS 7 th Conference on Computer Security Copyright©,1984,Fred Cohen Presented by Swetha

Outline A Computer Virus Prevention of Computer Viruses Cure of Computer Viruses Conclusions Question

A Computer Virus “We define ‘virus’ as a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself.” With the infection property,a virus can spread throughout a computer system or network. Every program that gets infected may also act as a virus and thus the infection grows.

A Simple Virus “V” The following is a pseudo-program that shows how a virus can be written. program virus:= { ; subroutine infect_executable := { loop: file =get_random_executable_file; if first_line_of_file = then goto loop; prepend virus to file; } subroutine do_damage:= { whatever damage is to be done } subroutine trigger_pulled:= { return true if some condition holds } main_program:= { infect _executable; if trigger_pulled then do_damage; goto next;} next: }

r The key property of a virus is its ability to infect other programs,thus reaching the transitive closure of sharing between user. P1 owned by U1 is initially infected. When P1 is run by U2,P2 is infected. When P2 is run by U3,P3 is infected. P1 (U1) [v] P2 (U2) P3 (U3) P1 (U1) [v] P2 (U2) [v] P3 (U3) P1 (U1) [v] P2 (U2) [v] P3 (U3) [v]

q A virus need not be used for evil purposes. q A compression virus could be written to find uninfected executables,compress them upon the user’s permission and prepend itself to them. q Such a virus can save over 50% of the space taken up by the executable files in an average system. q Since it has the infection property,it is still a virus. A sample compression virus could be written as :

program compression_virus:= { ; subroutine infect_executable:= { loop: file = get_random_executable_file; if first_line_of_file = then goto loop; compress file; prepend compression_virus to file; } main_program:= { if ask_permission then infect_executable; uncompress the_rest_of_this_file into tmpfile; run tmpfile; }

Prevention of Computer Viruses Basic Limitations Sharing,transitivity of information flow and generality of interpretation allow a virus to spread to the transitive closure of information flow starting at any given source.

Basic Limitations (Continued...) Infection by Technical Defenses In sharing, virus can spread through By no sharing i.e by Isolationism the interpretation of shared information. In transitivity of information flow By restriction on the transitivity of information flow. In generality of interpretation,information By fixed first order functionality is interpreted as a program by its recipient, system,a system in which no program that interpretation can result in infection. can be altered and information cannot be used to make decisions --cannot be infected. ABC

Partition Models Two limits on the paths of information flow can be distinguished, those that partition users into closed proper subsets under transitivity, and those that don’t. Flow restrictions that result in closed subsets can be viewed as partitions of a system into isolated subsystems. These limit each infection to one partition. This is a viable means of preventing complete viral takeover at the expense of limited isolationism. The Biba integrity model and Bell-LaPadula security model are examples of a policy that can be used to partition systems into closed subsets under transitivity.

Partition Models(Continued…) B-L Model Biba Model + = B-L Model Biba Model Combining Secrecy with Integrity results in a isolationism High ….. Low No Read Read/Write NoWrite Read/Write No Read Read/Write NoWrite Read/Write No Read No Access Read/Write No Access

Flow Models In policies that don’t partition systems into closed proper subsets under transitivity, it is possible to limit the extent over which a virus can spread. The ‘flow distance’ policy implements a distance metric by keeping track of the distance (number of sharings) over which data has flowed. The rules are: D(output) = max(D(input)) D(shared input) = 1+D(unshared input) -Protection is provided by enforcing a threshold above which information becomes unusable.

Flow Models (Continued…) If the threshold is set at 1 and each user (A-E) able to communicate with only the 2 nearest neighbors. A B C D E | X |--- | 1 |---| 0 |---| 1 |---|X | A Distance metric with a Threshold of 1

Cure of Computer Viruses Prevention of computer viruses may be infeasible if widespread sharing is desired. Cure of computer viruses -- by detection and removal of computer virus.

Detection of Viruses program contradictory-virus:= {….. main-program:= { if ~D(contradictory-virus)then { infect-executable; if trigger-pulled then do-damage; } goto next; } The hypothetical decision procedure D is self contradictory, and precise determination of a virus by its appearance is undecidable.

Detection of Viruses (Continued…) Protection from Virus V “PV” program new_run_command : = { file = name_of_program_to_be_executed; if first_line_of_file = then { print “the program has a virus”; exit;} otherwise run file; } “ In general,precise removal depends on precise detection,because without precise detection,it is impossible to know precisely whether or not to remove an object.”

Conclusion Absolute protection is attained by absolute isolationism.But this is unacceptable solution. Precise detection is undecidable,however some methods may be used to limit undetected spreading. Several undecidable problems have been identified with respect to viruses and countermeasures. To be perfectly secure against viral attacks,a system must protect against incoming information flow.

Question In general what strategic plans do you suggest for virus defenses?