SlideShare a Scribd company logo

Asm based modelling of self-replicating programs

U
UltraUploader
1 of 4
Download to read offline
ASM-based Modelling of Self-Replicating Programs Computer Science Technical Report ULCS-05-005 Presented at the 11th International Workshop on Abstract State Machines (ASM 2004) Matt Webster M.P.Webster@csc.liv.ac.uk Department of Computer Science, University of Liverpool, Liverpool L69 7ZF, UK Abstract. Self-replicating programs are a class of algorithms it seems has not yet been modelled using the Abstract State Machine (ASM) for- malism. In this paper an attempt at modelling the sub-class of computer viruses is shown. Implicit in modelling a computer virus is modelling the environment it needs to survive, and this also is detailed. Finally, an account of the experience of implementing these models in AsmL, the Abstract State Machine Language from Microsoft Research, is given. 1 Introduction The class of self-replicating programs includes viruses and worms, and was described in detail in [1]. Viruses are the focus for this project, and were defined formally by Cohen [2]: We define a computer ’virus’ as a program that can ’infect’ other programs by modifying them to include a possibly evolved copy of itself. With the infection property, a virus can spread through- out a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows. 2 Modelling an Operating System An operating system has been modelled using a distributed ASM. Dis- tributed ASMs are described in the Lipari guide [3]. In the model, mod- ules represent the programs stored in the filestore ready to be run. Agents represent processes in memory, which run a particular module (program). Agents run in parallel with one another. The user is modelled using a (non-deterministic) external function that runs programs randomly by assigning modules to new agents. This could be implemented either by I thank my Honours project supervisor, Alexei Lisitsa, for suggesting I submit this paper to ASM 2004.
actual user input, or more likely, by a function that non-deterministically selects executable files to be run. When a particular agent has reached fixpoint, that is, when it has ceased to update the store, it is considered to have finished its execution run and terminated. The operating system is simply the distributed ASM itself. The agents run modules, and run concurrently with one another. We shall see that ASM rules are versatile enough to simulate system calls, e.g. reading and writing files, which are vital for the viral infection process. 3 A Viral Module We use the following universes: – Agents - the set of agents that are run by the distributed ASM. – Modules - the set of modules. Each agent runs a module. Each module is a set of rules (a single-agent program), and is similar to a non-distributed ASM. – Rules - the set of well-formed rules for ASMs. We use the following vocabulary: – Infected : Modules → Boolean. Returns true if a module has been infected with the viral rule. – addRuleToModule : Modules × Rules → Rules, where Rules is the set of well-formed rules. Since a module is just an ASM program, and an ASM program is just a rule composed of other rules, we can assign the rule returned by this function to a module name to model the addition of a rule to a module. We could define this function set theoretically as: addRuleToModule(m, r) = RulesOf(m) ∪ {r}, where RulesOf(m) refers to the set of rules corresponding to the module m. – thisProgram :→ Rules. Returns the viral rule. This models a “real- life” function that can analytically (or otherwise) identify the viral code in the module, and return it. A possible implementation of this would be to delimit the viral code within an infected program using some sequence of bits (e.g. from an assembly language perspective, a number of NOP1 s strung together), which the virus can later use to derive its own code when it comes to copying it for infection. The viral module looks like this: ProgramV iral = choose m in Modules satisfying not( Infected(m) ) m := addRuleToModule( m, thisProgram ) Infected(m) := true endchoose The viral rule above copies itself to other modules in the distributed ASM. When the modified (infected) modules are run, or when new agents run the modified modules, the viral module finds even more modules to infect. 1 NOP is a 68000 assembly language mnemonic, and stands for “No operation”.
4 Implementation using AsmL 4.1 Modelling the Virus’s Environment The object-oriented features of AsmL [4] were most useful during imple- mentation of the model of the computer virus and its environment. The environment was based on the von Neumann computer architecture, and consisted of three classes, Storage, OS and User. It was the intention that the user must only interact with the store via the operating system (OS), although an executable program (e.g. a virus) could interact with the store directly. Storage encapsulates the file store and some low-level operating system methods, e.g. Add(...) and Remove(...) for adding and removing files from the filespace. OS encapsulates user-level operating system methods. The User class models the user, and contains methods for populating the file space with executables, installing the first instance of the virus, and running random programs. The latter method models the external function mentioned earlier, and chooses filenames (which are modelled as integers and stored in a set instance variable within the Storage class) non-deterministically, then uses a method from the OS class to run them: choose f in filenames os1.Run( f ) 4.2 Modelling Executable Files One of the biggest challenges in designing a simulated file system was to be able to have an AsmL set of the various types of executable file (e.g. “Hello world” executable, virus etc.). Ideally, the virtual store consists of such a set, in this case an instance variable within the Storage class. It would be possible to implement such a set by enumerating the desired types during set declaration, e.g. var s as Set of Executable or Virus However this leads to later incompatibility if a new virus class needs to be added to the simulation. (All sets and methods declarations using the disjunctive type must be updated.) The problem was eventually solved by creating an interface to give classes executable status: interface File public abstract Program() Any class that implements File must provide a definition for the abstract method, Program(). In this way, a Set of File can be constructed, and the Program() method can be called on any object in that set, regardless of the object class. Taken within the context of the simulation, the File interface is analogous to the flag an operating system sets for a given file in order to give it executable status. Indeed, within the simulation any file wanting to become executable must implement the File interface.
4.3 Modelling Viral Behaviour The Storage class has an instance variable, FAT, that models the file allo- cation table of the simulated store. FAT is a set of Integer × Seq of File tuples, and associates filenames (integers) with sequences of objects that implement the File interface (Seq of File). When a user selects a file- name to be run by the operating system, the operating system retrieves the sequence of File objects corresponding to the filename given using the FAT instance variable. Then, the operating system (through a low-level method in the Storage class) executes each File object in the sequence in turn, by invoking its Program() method. The code looks something like this: foreach i in seqToRun i.Program() When the viral Program() method is executed, it searches for an unin- fected file. If one is found, a new instance of the virus class is created, and the constructor modifies the file allocation table (FAT instance variable in the Storage class) so that the sequence of File objects corresponding to the filename being infected now includes a virus object (the virus ob- ject refers to itself using the AsmL keyword me). From now on, each time that particular file is executed by the user, the virus object will execute also. The executable has been infected. References 1. Cohen, F.B.: It’s Alive! The New Breed of Living Computer Pro- grams. John Wiley & Sons (1994) ISBN 0471008605. 2. Cohen, F.: Computer viruses – theory and experiments. Computers and Security 6 (1987) 22–35 3. Gurevich, Y.: Evolving algebras 1993: Lipari guide. In B¨orger, E., ed.: Specification and Validation Methods. Oxford University Press (1995) 9–36 4. Microsoft Research: The Abstract State Machine Language. (http:// research.microsoft.com/foundations/AsmL/) Accessed 18th April 2005.

Recommended

[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
Prajwal Panchmahalkar
 
Metapwn
MetapwnMetapwn
Metapwn
n|u - The Open Security Community
 
Vector nti course
Vector nti courseVector nti course
Vector nti course
xiekezz
 
Anti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documentsAnti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documents
UltraUploader
 
Artificial immune system against viral attack
Artificial immune system against viral attackArtificial immune system against viral attack
Artificial immune system against viral attack
UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
UltraUploader
 
Automatically generating signatures for polymorphic worms
Automatically generating signatures for polymorphic wormsAutomatically generating signatures for polymorphic worms
Automatically generating signatures for polymorphic worms
UltraUploader
 
Anomalous payload based worm detection and signature generation
Anomalous payload based worm detection and signature generationAnomalous payload based worm detection and signature generation
Anomalous payload based worm detection and signature generation
UltraUploader
 

Recommended

[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
Prajwal Panchmahalkar
 
Metapwn
MetapwnMetapwn
Metapwn
n|u - The Open Security Community
 
Vector nti course
Vector nti courseVector nti course
Vector nti course
xiekezz
 
Anti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documentsAnti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documents
UltraUploader
 
Artificial immune system against viral attack
Artificial immune system against viral attackArtificial immune system against viral attack
Artificial immune system against viral attack
UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
UltraUploader
 
Automatically generating signatures for polymorphic worms
Automatically generating signatures for polymorphic wormsAutomatically generating signatures for polymorphic worms
Automatically generating signatures for polymorphic worms
UltraUploader
 
Anomalous payload based worm detection and signature generation
Anomalous payload based worm detection and signature generationAnomalous payload based worm detection and signature generation
Anomalous payload based worm detection and signature generation
UltraUploader
 
A bypass of cohen's impossibility result
A bypass of cohen's impossibility resultA bypass of cohen's impossibility result
A bypass of cohen's impossibility result
UltraUploader
 
Architecture of a morphological malware detector
Architecture of a morphological malware detectorArchitecture of a morphological malware detector
Architecture of a morphological malware detector
UltraUploader
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
UltraUploader
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
UltraUploader
 
An undetectable computer virus
An undetectable computer virusAn undetectable computer virus
An undetectable computer virus
UltraUploader
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
UltraUploader
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
UltraUploader
 
Bad transfer
Bad transferBad transfer
Bad transfer
UltraUploader
 
Attack of the killer virus!
Attack of the killer virus!Attack of the killer virus!
Attack of the killer virus!
UltraUploader
 
Automatic comparison of malware
Automatic comparison of malwareAutomatic comparison of malware
Automatic comparison of malware
UltraUploader
 
Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...
UltraUploader
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
UltraUploader
 
Applications of immune system computing
Applications of immune system computingApplications of immune system computing
Applications of immune system computing
UltraUploader
 
Metasploit
MetasploitMetasploit
Metasploit
Institute of Information Security (IIS)
 
Metasploit
MetasploitMetasploit
Metasploit
penetration Tester
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
Java programming basics
Java programming basicsJava programming basics
Java programming basics
Hamid Ghorbani
 
Experimentos lab
Experimentos labExperimentos lab
Experimentos lab
George Madson Dias Santos
 
JVM
JVMJVM
JVM
Prity Bhudolia
 
Metasploit - Basic and Android Demo
Metasploit - Basic and Android DemoMetasploit - Basic and Android Demo
Metasploit - Basic and Android Demo
Arpit Agarwal
 
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
Jason Papapanagiotakis
 
Infections as Abstract Symbolic Finite Automata: Formal Model and Applications
Infections as Abstract Symbolic Finite Automata: Formal Model and ApplicationsInfections as Abstract Symbolic Finite Automata: Formal Model and Applications
Infections as Abstract Symbolic Finite Automata: Formal Model and Applications
FACE
 

More Related Content

Viewers also liked

A bypass of cohen's impossibility result
A bypass of cohen's impossibility resultA bypass of cohen's impossibility result
A bypass of cohen's impossibility result
UltraUploader
 
Architecture of a morphological malware detector
Architecture of a morphological malware detectorArchitecture of a morphological malware detector
Architecture of a morphological malware detector
UltraUploader
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
UltraUploader
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
UltraUploader
 
An undetectable computer virus
An undetectable computer virusAn undetectable computer virus
An undetectable computer virus
UltraUploader
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
UltraUploader
 
Attack of the killer virus!
Attack of the killer virus!Attack of the killer virus!
Attack of the killer virus!
UltraUploader
 
Automatic comparison of malware
Automatic comparison of malwareAutomatic comparison of malware
Automatic comparison of malware
UltraUploader
 
Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...
UltraUploader
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
UltraUploader
 
Applications of immune system computing
Applications of immune system computingApplications of immune system computing
Applications of immune system computing
UltraUploader
 

Viewers also liked (13)

A bypass of cohen's impossibility result
A bypass of cohen's impossibility resultA bypass of cohen's impossibility result
A bypass of cohen's impossibility result
 
Architecture of a morphological malware detector
Architecture of a morphological malware detectorArchitecture of a morphological malware detector
Architecture of a morphological malware detector
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
 
An undetectable computer virus
An undetectable computer virusAn undetectable computer virus
An undetectable computer virus
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
 
Bad transfer
Bad transferBad transfer
Bad transfer
 
Attack of the killer virus!
Attack of the killer virus!Attack of the killer virus!
Attack of the killer virus!
 
Automatic comparison of malware
Automatic comparison of malwareAutomatic comparison of malware
Automatic comparison of malware
 
Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
Applications of immune system computing
Applications of immune system computingApplications of immune system computing
Applications of immune system computing
 

Similar to Asm based modelling of self-replicating programs

Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
Jason Papapanagiotakis
 
Automatic reverse engineering of malware emulators
Automatic reverse engineering of malware emulatorsAutomatic reverse engineering of malware emulators
Automatic reverse engineering of malware emulators
UltraUploader
 
Algebraic specification of computer viruses and their environments
Algebraic specification of computer viruses and their environmentsAlgebraic specification of computer viruses and their environments
Algebraic specification of computer viruses and their environments
UltraUploader
 
Security Applications For Emulation
Security Applications For EmulationSecurity Applications For Emulation
Security Applications For Emulation
Silvio Cesare
 
A network worm vaccine architecture
A network worm vaccine architectureA network worm vaccine architecture
A network worm vaccine architecture
UltraUploader
 
Agent based modeling-presentation
Agent based modeling-presentationAgent based modeling-presentation
Agent based modeling-presentation
Adam Getchell
 
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEMAPPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
ijcsit
 

Similar to Asm based modelling of self-replicating programs (20)

Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit
MetasploitMetasploit
Metasploit
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Java programming basics
Java programming basicsJava programming basics
Java programming basics
 
Experimentos lab
Experimentos labExperimentos lab
Experimentos lab
 
JVM
JVMJVM
JVM
 
Metasploit - Basic and Android Demo
Metasploit - Basic and Android DemoMetasploit - Basic and Android Demo
Metasploit - Basic and Android Demo
 
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
 
Infections as Abstract Symbolic Finite Automata: Formal Model and Applications
Infections as Abstract Symbolic Finite Automata: Formal Model and ApplicationsInfections as Abstract Symbolic Finite Automata: Formal Model and Applications
Infections as Abstract Symbolic Finite Automata: Formal Model and Applications
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
 
proposal
proposalproposal
proposal
 
Roboconf Detailed Presentation
Roboconf Detailed PresentationRoboconf Detailed Presentation
Roboconf Detailed Presentation
 
Automatic reverse engineering of malware emulators
Automatic reverse engineering of malware emulatorsAutomatic reverse engineering of malware emulators
Automatic reverse engineering of malware emulators
 
Algebraic specification of computer viruses and their environments
Algebraic specification of computer viruses and their environmentsAlgebraic specification of computer viruses and their environments
Algebraic specification of computer viruses and their environments
 
Security Applications For Emulation
Security Applications For EmulationSecurity Applications For Emulation
Security Applications For Emulation
 
A network worm vaccine architecture
A network worm vaccine architectureA network worm vaccine architecture
A network worm vaccine architecture
 
Vb.net iv
Vb.net ivVb.net iv
Vb.net iv
 
A holistic Control Flow Integrity
A holistic Control Flow IntegrityA holistic Control Flow Integrity
A holistic Control Flow Integrity
 
Agent based modeling-presentation
Agent based modeling-presentationAgent based modeling-presentation
Agent based modeling-presentation
 
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEMAPPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM
 

More from UltraUploader

01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
UltraUploader
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
UltraUploader
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
UltraUploader
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
UltraUploader
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
UltraUploader
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
UltraUploader
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
UltraUploader
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
UltraUploader
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
UltraUploader
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
UltraUploader
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
UltraUploader
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
UltraUploader
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
UltraUploader
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
UltraUploader
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
UltraUploader
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signals
UltraUploader
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
UltraUploader
 

More from UltraUploader (20)

1 (1)
1 (1)1 (1)
1 (1)
 
01 intro
01 intro01 intro
01 intro
 
01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
Blast off!
Blast off!Blast off!
Blast off!
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signals
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
 

Asm based modelling of self-replicating programs

  • 1. ASM-based Modelling of Self-Replicating Programs Computer Science Technical Report ULCS-05-005 Presented at the 11th International Workshop on Abstract State Machines (ASM 2004) Matt Webster M.P.Webster@csc.liv.ac.uk Department of Computer Science, University of Liverpool, Liverpool L69 7ZF, UK Abstract. Self-replicating programs are a class of algorithms it seems has not yet been modelled using the Abstract State Machine (ASM) for- malism. In this paper an attempt at modelling the sub-class of computer viruses is shown. Implicit in modelling a computer virus is modelling the environment it needs to survive, and this also is detailed. Finally, an account of the experience of implementing these models in AsmL, the Abstract State Machine Language from Microsoft Research, is given. 1 Introduction The class of self-replicating programs includes viruses and worms, and was described in detail in [1]. Viruses are the focus for this project, and were defined formally by Cohen [2]: We define a computer ’virus’ as a program that can ’infect’ other programs by modifying them to include a possibly evolved copy of itself. With the infection property, a virus can spread through- out a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows. 2 Modelling an Operating System An operating system has been modelled using a distributed ASM. Dis- tributed ASMs are described in the Lipari guide [3]. In the model, mod- ules represent the programs stored in the filestore ready to be run. Agents represent processes in memory, which run a particular module (program). Agents run in parallel with one another. The user is modelled using a (non-deterministic) external function that runs programs randomly by assigning modules to new agents. This could be implemented either by I thank my Honours project supervisor, Alexei Lisitsa, for suggesting I submit this paper to ASM 2004.
  • 2. actual user input, or more likely, by a function that non-deterministically selects executable files to be run. When a particular agent has reached fixpoint, that is, when it has ceased to update the store, it is considered to have finished its execution run and terminated. The operating system is simply the distributed ASM itself. The agents run modules, and run concurrently with one another. We shall see that ASM rules are versatile enough to simulate system calls, e.g. reading and writing files, which are vital for the viral infection process. 3 A Viral Module We use the following universes: – Agents - the set of agents that are run by the distributed ASM. – Modules - the set of modules. Each agent runs a module. Each module is a set of rules (a single-agent program), and is similar to a non-distributed ASM. – Rules - the set of well-formed rules for ASMs. We use the following vocabulary: – Infected : Modules → Boolean. Returns true if a module has been infected with the viral rule. – addRuleToModule : Modules × Rules → Rules, where Rules is the set of well-formed rules. Since a module is just an ASM program, and an ASM program is just a rule composed of other rules, we can assign the rule returned by this function to a module name to model the addition of a rule to a module. We could define this function set theoretically as: addRuleToModule(m, r) = RulesOf(m) ∪ {r}, where RulesOf(m) refers to the set of rules corresponding to the module m. – thisProgram :→ Rules. Returns the viral rule. This models a “real- life” function that can analytically (or otherwise) identify the viral code in the module, and return it. A possible implementation of this would be to delimit the viral code within an infected program using some sequence of bits (e.g. from an assembly language perspective, a number of NOP1 s strung together), which the virus can later use to derive its own code when it comes to copying it for infection. The viral module looks like this: ProgramV iral = choose m in Modules satisfying not( Infected(m) ) m := addRuleToModule( m, thisProgram ) Infected(m) := true endchoose The viral rule above copies itself to other modules in the distributed ASM. When the modified (infected) modules are run, or when new agents run the modified modules, the viral module finds even more modules to infect. 1 NOP is a 68000 assembly language mnemonic, and stands for “No operation”.
  • 3. 4 Implementation using AsmL 4.1 Modelling the Virus’s Environment The object-oriented features of AsmL [4] were most useful during imple- mentation of the model of the computer virus and its environment. The environment was based on the von Neumann computer architecture, and consisted of three classes, Storage, OS and User. It was the intention that the user must only interact with the store via the operating system (OS), although an executable program (e.g. a virus) could interact with the store directly. Storage encapsulates the file store and some low-level operating system methods, e.g. Add(...) and Remove(...) for adding and removing files from the filespace. OS encapsulates user-level operating system methods. The User class models the user, and contains methods for populating the file space with executables, installing the first instance of the virus, and running random programs. The latter method models the external function mentioned earlier, and chooses filenames (which are modelled as integers and stored in a set instance variable within the Storage class) non-deterministically, then uses a method from the OS class to run them: choose f in filenames os1.Run( f ) 4.2 Modelling Executable Files One of the biggest challenges in designing a simulated file system was to be able to have an AsmL set of the various types of executable file (e.g. “Hello world” executable, virus etc.). Ideally, the virtual store consists of such a set, in this case an instance variable within the Storage class. It would be possible to implement such a set by enumerating the desired types during set declaration, e.g. var s as Set of Executable or Virus However this leads to later incompatibility if a new virus class needs to be added to the simulation. (All sets and methods declarations using the disjunctive type must be updated.) The problem was eventually solved by creating an interface to give classes executable status: interface File public abstract Program() Any class that implements File must provide a definition for the abstract method, Program(). In this way, a Set of File can be constructed, and the Program() method can be called on any object in that set, regardless of the object class. Taken within the context of the simulation, the File interface is analogous to the flag an operating system sets for a given file in order to give it executable status. Indeed, within the simulation any file wanting to become executable must implement the File interface.
  • 4. 4.3 Modelling Viral Behaviour The Storage class has an instance variable, FAT, that models the file allo- cation table of the simulated store. FAT is a set of Integer × Seq of File tuples, and associates filenames (integers) with sequences of objects that implement the File interface (Seq of File). When a user selects a file- name to be run by the operating system, the operating system retrieves the sequence of File objects corresponding to the filename given using the FAT instance variable. Then, the operating system (through a low-level method in the Storage class) executes each File object in the sequence in turn, by invoking its Program() method. The code looks something like this: foreach i in seqToRun i.Program() When the viral Program() method is executed, it searches for an unin- fected file. If one is found, a new instance of the virus class is created, and the constructor modifies the file allocation table (FAT instance variable in the Storage class) so that the sequence of File objects corresponding to the filename being infected now includes a virus object (the virus ob- ject refers to itself using the AsmL keyword me). From now on, each time that particular file is executed by the user, the virus object will execute also. The executable has been infected. References 1. Cohen, F.B.: It’s Alive! The New Breed of Living Computer Pro- grams. John Wiley & Sons (1994) ISBN 0471008605. 2. Cohen, F.: Computer viruses – theory and experiments. Computers and Security 6 (1987) 22–35 3. Gurevich, Y.: Evolving algebras 1993: Lipari guide. In B¨orger, E., ed.: Specification and Validation Methods. Oxford University Press (1995) 9–36 4. Microsoft Research: The Abstract State Machine Language. (http:// research.microsoft.com/foundations/AsmL/) Accessed 18th April 2005.