Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: RWALLACE@vax1.tcd.ie
Newsgroups: comp.virus
Subject: Re: Virus Modeling
Message-ID: <0007.9002011922.AA24486@ge.sei.cmu.edu>
Date: 31 Jan 90 23:07:00 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

Opitz@DOCKMASTER.ARPA writes:

> A co-worker of mine wrote:
> One way to characterize a Trojan Horse or a virus is to build
> mathematical, abstract models of them. Such a model may be an
> n-tuple of interrelated subjects, objects, and operations.
> Thereafter, abstracted audit data and host machine
> characteristics can be organized to find if all the components of
> such an n-tuple are present.
>
> My assignment was to help with the research in attempting to come up
> with such a model. Now, from what I have been reading on the Virus
> forum, I am wondering if this task is even possible.
> ...
> Is it possible to come up with such a model? Is it possible to list
> ALL of the characteristics of a virus? If so, what might these
> characteristics be? If not, why not?
>
> David T. Opitz - NSCS

I would estimate that such a program would be only slightly easier than a
program to pass the Turing test. As someone pointed out, a real computer
isn't a finite state machine because it includes the person operating it
(well, the whole universe has a finite number of states, but we're getting
way beyond anything of practical use). Therefore there is no universal
algorithm for detecting viruses a priori.

How about a non-universal algorithm that will detect a virus, say, 95% of
the time? I don't think that's possible either. Consider possible
countermeasures: The virus inspects a component of the operating system or
hardware (e.g. checks if files of certain names are present, the files in
question being essential components of the operating system), and uses the
result to generate a 32-bit number which it then uses to decrypt a chunk
of data which contains the infector code. It then executes the infector
code. Even a brute-force inspect-all-possible-execution-paths approach
won't work here because infection depends on things outside the program
itself .. unless you're going to simulate the suspect program in a
simulation of an entire machine, which isn't very practical.

Consider: even a good human hacker would have great difficulty finding a
cunningly-hidden virus in a big program. You're going to need something
pretty close to true AI.

"To summarize the summary of the summary: people are a problem"
Russell Wallace, Trinity College, Dublin
VMS: rwallace@vax1.tcd.ie
UNIX: rwallace@unix1.tcd.ie
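The countermeasure Wallace sketches (probe the host for the presence of certain files, turn the result into a 32-bit number, use that number to decrypt the real payload) is what later literature calls environmental keying. The following is an added illustration written for this page, not code from the post or its author, with a harmless text string standing in for the "infector code". The probed filenames, the hash-based key derivation, the XOR keystream and the temporary directories that stand in for a host filesystem are all assumptions made for the demo; the post specifies none of them.

```python
"""Environmental keying demo: a payload that decrypts correctly only on a
host whose filesystem looks the way the author expected.

Added example for the comp.virus thread above; not the author's code.
The payload is a benign marker string, not executable code.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumption: names of "essential OS components" the stub probes for.
PROBE_NAMES = ("COMMAND.COM", "IO.SYS", "MSDOS.SYS", "CONFIG.SYS")

# Constructed stand-in for the "infector code": a recognisable marker a
# signature scanner would look for in the clear.
MARKER = b"DEMO-STUB"
PAYLOAD = MARKER + b": the infector would run here (benign demo text)"


def environment_key(root: Path, names=PROBE_NAMES) -> int:
    """Derive a 32-bit key from which probed files exist under `root`.

    The key is never stored in the program; it exists only on a host that
    has exactly the expected mix of present/absent files.
    """
    presence = "".join("1" if (root / n).exists() else "0" for n in names)
    digest = hashlib.sha256(presence.encode()).digest()
    return int.from_bytes(digest[:4], "big")


def keystream(key: int, length: int) -> bytes:
    """Expand the 32-bit key into `length` bytes (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, key: int) -> bytes:
    """Encrypt the payload so that only a host producing `key` can read it."""
    return bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))


def unseal(blob: bytes, key: int) -> bytes:
    """XOR is symmetric, so unsealing is the same operation."""
    return seal(blob, key)


def run_if_host_matches(root: Path, blob: bytes):
    """Simulate the stub: decrypt with the local environment's key and only
    'execute' (here: return) the payload if it decrypted to something
    recognisable. Returns None on a host that does not match."""
    plain = unseal(blob, environment_key(root))
    return plain if plain.startswith(MARKER) else None


def make_host(present_names) -> Path:
    """Constructed host filesystem: a temp dir with the given files present."""
    root = Path(tempfile.mkdtemp(prefix="envkey-host-"))
    for name in present_names:
        (root / name).write_text("")
    return root


def demo() -> dict:
    """Build two hosts, seal the payload for the first, try both.

    Returns what a scanner would see statically and what each host yields.
    """
    target = make_host(PROBE_NAMES)              # all four files present
    other = make_host(("COMMAND.COM",))          # a different host
    try:
        blob = seal(PAYLOAD, environment_key(target))
        return {
            "marker_visible_statically": MARKER in blob,
            "on_target": run_if_host_matches(target, blob),
            "on_other": run_if_host_matches(other, blob),
        }
    finally:
        shutil.rmtree(target, ignore_errors=True)
        shutil.rmtree(other, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two practical caveats the post does not spell out. First, the sealed blob carries no signature to match and no key to recover, which is exactly why inspecting the program alone tells an analyst nothing; only emulating the probes against a plausible host (the "simulation of an entire machine" the post dismisses) reveals the payload. Second, the strength of the scheme is not the 32-bit key, which is brute-forceable on modern hardware if the analyst knows what plaintext to look for, but the analyst's ignorance of which host properties are probed: a presence bitmap over n known filenames has only 2^n possible keys, so once the probes are identified the key space collapses.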