Computer Viruses Theory and Experiments - PowerPoint PPT Presentation

Computer viruses theory and experiments l.jpg
Download
1 / 19

Computer Viruses Theory and Experiments By Dr. Frederick B. Cohen Presented by Jose Andre Morales Background Originally written in 1984 Published in Computers and Security, Vol. 6, pp. 22-35 Appeared in DOD/NBS 7 th Conference on Computer Security

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Computer Viruses Theory and Experiments

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Computer viruses theory and experiments l.jpg

Computer Viruses Theory and Experiments

By

Dr. Frederick B. Cohen

Presented by

Jose Andre Morales


Background l.jpg

Background

  • Originally written in 1984

  • Published in Computers and Security, Vol. 6, pp. 22-35

  • Appeared in DOD/NBS 7th Conference on Computer Security

  • Considered the foundation of computer virus research


Highlights l.jpg

Highlights

  • Coined the phrase “Computer Virus”

  • Gave a definition for a computer virus

  • Showed multiple aspects of dealing with viruses are not decidable

  • Presented many fundamental properties of computer viruses


Computer virus defined l.jpg

Computer Virus Defined

A computer virus is defined as:

A program that can infect other programs by modifying them to include a possibly evolved copy of itself

Key Property: the ability to infect other programs.


An example l.jpg

An Example

  • We have a file sharing system

  • User A has program P1 that is infected by a virus

  • User B runs P1 from the file sharing system and P1 infects B’s program P2

  • User C runs P2 from the same file sharing system and P2 infects C’s program P3

  • Virus spreads from program to program and user to user


Deeper description of a virus l.jpg

Deeper Description of a Virus

  • A computer virus can be viewed as sequences of symbols in the memory of a machine in some form

  • Ex. main memory, registers, disk, tape, etc…

  • One of those sequences of symbols (v) is an element of a viral set (V) if

    • when interpreted by the machine it causes some other element of the viral set or itself (v’) to appear somewhere else in the system at a later point in time


Formal definition of language v l.jpg

Formal Definition of Language V

M V (M,V) V 

[V  I*] and [MM] and vV H t, j  N

[[Pt = j] and [t = 0] and (t,j,…, t,j+|v|-1) = v] 

v’V, t’, t’’, j  N and t’ > t

[[j’ + |v’|)  j] or [(j + |v|)  j’]] and

[((t’,j’,…, t’,j’+|v’|-1) = v’] and

[t’’[t < t’’ < t’] and [Pt’’  {j’,…j’ + |v’| -1}]]


Description of formal definition l.jpg

Description of Formal Definition

  • For all M and V, the pair (M,V)  Vif and only if

  • V is a set of TM sequences and M is a TM where

  • M’s tape head is at a cell j at time t and the tape cells starting at j hold the virus v

  • At a time t’ > t tape cells starting at cell j’, far enough away from v hold the virus v’ such that

  • At time t < t’’ < t’, v’ is written by M to tape cells starting at j’


Detection of a virus l.jpg

Detection of a Virus

  • P is a virus if it is determined that P infects other programs

  • This is not a decidable problem

  • P can infect if and only if a detection process D finds P to be non-viral

  • Thus finding a virus by appearance may be infeasible


Detection of a virus 2 l.jpg

Detection of a Virus 2

An example

program contradictory-virus:=

{...

main-program:=

{if ~D(contradictory-virus) then

{infect-executable;

if trigger-pulled then do-damage; }

goto next; } }

The virus CV will only infect if the detector D returns

False, if D returns True no infection takes place.


Detection of a virus 3 l.jpg

Detection of a Virus 3

  • If D returns true then the virus CV will not act like a virus

  • If D returns false then the virus CV will act as one.

  • Clearly detector D is self contradictory


Formal proof 1 l.jpg

Formal Proof 1

Can a Turing Machine be created that can

determine in a finite amount of time

If a set of sequences of symbols V for a given

Turing Machine M is a virus.

Cohen showed that it is not decidable whether or not

(M,V) V

This is done via a reduction from Atm


Formal proof 2 l.jpg

Formal Proof 2

  • A Turing Machine M’ that decides if (M,V) V

  • On input <M,V>

  • Run M on V

  • If M accepts V then accept  (M,V)V

  • If M rejects V then reject  (M,V)notV

  • (M,V) Vif and only if

  • M accepts and halts on V

  • Thus we have Atm≤ V

  • Since Atm is not decidable then V is also not decidable.

  • QED


Removal of a virus 1 l.jpg

Removal of a Virus 1

  • Removal of a virus depends on detection

  • Detection is not decidable

  • the removal of a virus is not absolutely guaranteed

  • Therefore not all viruses can be precisely detected and removed from a given computer system.


Removal of a virus 2 l.jpg

Removal of a Virus 2

  • If a more liberal detection method is used then detection and removal is possible

  • But at the expense of producing false positives and false negatives.

  • Ex. Erase all files created after a specific date from the system.


Cohen s not decidable detection problems l.jpg

Cohen’s Not Decidable Detection Problems

  • Detection of a virus by its appearance and behavior

  • Detection of an evolution of a known virus

  • Detection of a triggering mechanism by its appearance and behavior

  • Detection of an evolution of a known triggering mechanism

  • Detection of a virus detector by its appearance and behavior

  • Detection of an evolution of a known viral detector


Cohen s conclusions l.jpg

Cohen’s Conclusions

  • Precise viral detection is not decidable

  • Multiple detection problems dealing with virus are not decidable

  • Viral removal is not always guaranteed because it is dependent on detection


Slide19 l.jpg

Questions?

sawaal

soru

問題

¿Preguntas?


  • Login