A short overview of advances in computer virology

Size: px

Start display at page:

Download "A short overview of advances in computer virology"

Theodora Paul
7 years ago
Views:

1 A short overview of advances in computer virology LRI/LIMSI Doctoral Seminar Series Hai Nguyen Van Laboratoire de Recherche en Informatique Université Paris-Sud 29 janvier 2015 A short overview of advances in computer virology 1/13

2 Introduction What is a computer virus? Computer Invaders: The 25 Most Infamous PC Viruses of All Time, F-Secure A short overview of advances in computer virology 2/13

3 Introduction What is a computer virus? Two points of view 1 software engineer : some malicious program that copies itself 2 mathematician : self-reproductive TM or some fix point of a malicious reproductive behavior equation Which one appeared first? A short overview of advances in computer virology 3/13

4 Introduction Some history 1948 von Neumann introduces self-reproducing automata 1984 Cohen defines a virus as a self-reproducing program 1986 Brain infects the ARPANET 1990 Adleman splits the definition : injuring, infecting, imitating A short overview of advances in computer virology 4/13

5 Some theoretical framework Turing machines Introduced in 1936 by Alan Turing, a Turing machine can simulate any computer algorithm [Church-Turing-de Bruijn thesis] Informatique théorique, Julien Marcil A short overview of advances in computer virology 5/13

6 Some theoretical framework Viral Turing machines definition given by [Cohen, 1986] Definition.... v... j... v... j q i... q k.... q n. q n q 1 q 0 q 1 q 0 Question. Does v necessary syntactically equal to v? A short overview of advances in computer virology 6/13

7 Some theoretical framework Viral Turing machines definition given by [Cohen, 1986] Definition.... v... j... v... j q i... q k.... q n. q n q 1 q 0 q 1 q 0 Question. Does v necessary syntactically equal to v? NO! polymorphism [Szor, 2005] A short overview of advances in computer virology 6/13

8 Some theoretical framework Viral µ-recursive functions [Bonfante et al., 2006] Definition. Let B be a µ-recursive function. A program (i.e. µ-recursive function) v is viral w.r.t. B iff for all program p and data x, execute v (p, x) = execute B(v,p) (x) A short overview of advances in computer virology 7/13

9 Some theoretical framework Viral µ-recursive functions [Bonfante et al., 2006] Definition. Let B be a µ-recursive function. A program (i.e. µ-recursive function) v is viral w.r.t. B iff for all program p and data x, execute v (p, x) = execute B(v,p) (x) This equations models the propagation behavior B over a virus v. The virus v exists by Kleene recursion theorem! A short overview of advances in computer virology 7/13

10 Some theoretical framework Analyzing and detecting viruses Problem. Can all viruses be detected? A short overview of advances in computer virology 8/13

11 Some theoretical framework Analyzing and detecting viruses Problem. Can all viruses be detected? NO! [Cohen, 1986] Theorem (undecidability of viral detection) [Cohen, 1986] Deciding whether a program v is viral is not possible. Theorem (undecidability of viral evolutivity) [Filiol, 2009] Deciding whether a program v duplicates itself into a semantically equivalent form v is not possible. A short overview of advances in computer virology 8/13

12 Virus detection in practice Analyzing and detecting viruses in pratice! In practice, analysis techniques are divided as follows static detection with syntactic signatures with semantic signatures probabilistic models dynamic detection (human) comprehension A short overview of advances in computer virology 9/13

13 Virus detection in practice Industrial examples of viral syntactic signatures Virus 1 : Boot/Stoned Signature 1 (string matching) BE B D1 41 9C A short overview of advances in computer virology 10/13

14 Virus detection in practice Industrial examples of viral syntactic signatures Virus 1 : Boot/Stoned Virus 2 : W95/Regswap (polymorphic) Signature 1 (string matching) BE B D1 41 9C Signature 2 (regular expressions)? A short overview of advances in computer virology 10/13

Virus detection in practice Industrial examples of viral syntactic signatures Virus 1 : Boot/Stoned Virus 2 : W95/Regswap (polymorphic) Signature 1 (string

15 Virus detection in practice Industrial examples of viral syntactic signatures Virus 1 : Boot/Stoned Virus 2 : W95/Regswap (polymorphic) Signature 1 (string matching) BE B D1 41 9C Signature 2 (regular expressions)???? B???? 0C... A short overview of advances in computer virology 10/13

16 Virus detection in practice Syntactic signatures are not enough Viruses are programmed to protect themselves from being detected and/or understood. Classification. [Nguyen Van, 2013] A short overview of advances in computer virology 11/13

17 Virus detection in practice Semantic approaches : model-checking with PoMMaDe The viral signature is encoded as a logic formula against what a formal model of a program is checked [Song et al., 2012]. Example : Signature of W32.Netsky@mm filename EF( call( GetModuleFileNameA) 0.filename.Γ EF ( call( CopyFileA) filename.γ )) A short overview of advances in computer virology 12/13

18 Virus detection in practice Conclusion Two main points of view of viral programs 1 software engineer : program that copies itself somewhere else 2 mathematician : fix point of µ-recursive functions A short overview of advances in computer virology 13/13

19 Virus detection in practice Conclusion Two main points of view of viral programs 1 software engineer : program that copies itself somewhere else 2 mathematician : fix point of µ-recursive functions Two approaches for static detection of viruses 1 syntactic : cost-effective, high false positive rate 2 semantic : cost-expensive, low false positive rate A short overview of advances in computer virology 13/13

20 Virus detection in practice Conclusion Two main points of view of viral programs 1 software engineer : program that copies itself somewhere else 2 mathematician : fix point of µ-recursive functions Two approaches for static detection of viruses 1 syntactic : cost-effective, high false positive rate 2 semantic : cost-expensive, low false positive rate Are industrial antivirus software enough? NO! 82 percent of all malware it detects stays active for one hour [Z. Bu, FireEye, 2013] traditional antivirus detects a mere 45 percent of all attacks [B. Dye, Symantec, 2014] A short overview of advances in computer virology 13/13

Formal Model Proposal for (Malware) Program Stealth

Formal Model Proposal for (Malware) Program Stealth Eric Filiol efiliol@esat.terre.defense.gouv.fr Army Signals Academy Cryptology and Virology Lab Rennes Virus Bulletin 2007 Plan Introduction 1 Introduction