SlideShare a Scribd company logo

An approach to containing computer viruses

U
UltraUploader

This document proposes a mechanism for detecting modifications to executable files using encryption. The mechanism works by encrypting executables using a cryptosystem. At runtime, the encrypted executable is decrypted and checked for modifications before being executed. If modifications are detected, the proper authorities are notified. While this mechanism cannot prevent modifications, it can detect them when they occur and limit the potential damage of computer viruses. The mechanism is most effective when all executables are encrypted, but can still provide some protection even if not all files are encrypted.

1 of 11
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
321 An Approach to Containing Computer Viruses * Maria M. Pozzo Terence E. Gray ComputerScienceLqmrrmenr,Unioersity of Cnlifornrn, Los Angeles, Los Angeles, CA 90024, U.S.A. This paper presents a mechanism for containing the spread of computer viruses by detecting at run-time whether or not an executable has been modified since its installation. The detec- tion strategy uses encryption and is held to be better for virus containment than conventional computer security mechanisms which are based on the incorrect assumption that preventing modification of executables by unauthorized users is sufficient. Although this detection mechanism is most effective when all executables in a system are encrypted, a scheme is presented that shows the usefulness of the encryption approach when this is not the case. The detection approach is also better suited for use in untrusted computer systems. The protection of this mechanism in untrusted computing environments is addressed. Keywords: Infection, Integrity, Trojan horse, Computer viruses Terry Gray is Director of the UCLA Distributed Systems Laboratory, and an Adjunct Associate Professor in the UCLA Computer Science Department. He received a BSEE from Northrop University in 1967, and a Ph.D. in Computer Science from UCLA in 1978. Prior to joining the UCLA faculty, Dr. Gray was Manager of Software En- gineering at Ampex Corporation. He has also served on the technical staff of Transaction Technology, Inc. and Bell Laboratories. Current research in- terests include distributed system architecture, computer secur- ity, software engineering, advanced office systems, and the social impact of technology. He is a member of IEEE, ACM, Tau Beta Pi, and Upsilon Pi Epsilon. * This research was supported in part by the NSF Coordinated Experimental Research program under grant NSF/MCS 8121696 and by the IBM Corporation under contract D850915. 0. Introduction The infection property of a malicious computer virus [l] which causes modifications to executables is a concern in computer security. Modifications to executables are much less noticeable than those made to text or data files, and often go unde- tected. Such modifications often cause unex- pected, unauthorized, or malicious side-effects in a computer system. This discussion is primarily con- cerned with the infection property of a malicious computer virus which causes modifications to ex- ecutables. Protecting executables from modification can be accomplished in two general ways: (1) by ren- dering the executable immutable and thus prevent- ing all modifications, or (2) by detecting any changes to the executable prior to its execution, The first method can be accomplished by storing the executable in a read-only storage medium such as a ROM, a read-only directory or a read-only disk. Thus, the protection mechanism is coupled with the system or storage medium employed; its usefulness relies upon the security of the underly- ing system. Even if complete confidence in the security of the operating system is warranted, there is a problem in employing discretionary access controls (DAC) for read-only protection. Current implementations of DAC are fundamentally flawed [2] in that programs executing on a user’s behalf legitimately assume all the user’s access rights. This flaw could allow a computer virus to perform modifications despite read-only protection. The second method (detection) can be accomplished North-Holland Computers 62 Security 6 (1987) 321-331 Maria Pozzo received her MS. degree in Computer Science from the Univer- sity of Connecticut in 1981. She began her work in the area of Computer Security in 1982 while working for the Mitre Corporation. She was a member of the Multics Evaluation team and subsequently worked for Honeywell Information Systems to help achieve a B2 security rating for Multics. She is currently working on her Ph.D. at UCLA pursuing research in computer sect&v. 0167~4048/87/$3.50 0 1987, Elsevier Science Publishers B.V. (North-Holland)
322 M.M. Pozzo, T.E. Gray / Approach to Containing Computer Virusa by encrypting the executable using conventional or public-key cryptography, or by recording a cryptographic checksum, so that any modification can be detected prior to execution. The detection approach links the protection mechanism to the object to be protected rather than the system or storage medium, and thus, its usefulness depends less on the security of the underlying system. Furthermore, modifications to executables can still be detected outside the realm of a particular sys- tem. For example, if encryption is used when transferring executables between sites, modifica- tions can be detected at the destination site. This technique is promising for protecting software dis- tribution. This discussion is concerned with the integrity of executables and provides a generalized mecha- nism for detecting modification of executables and limiting the potential damage of a computer virus. This research was motivated by recent work in the area of computer viruses [l]. Section 1 provides background material on computer viruses and dis- cusses the seriousness of the virus problem. Sec- tion 2 describes the encryption mechanism and proposes one possible implementation. This mech- anism is then discussed by considering its strengths and weaknesses in Section 3. An overview of the current prototype and a discussion of the open issues is presented in the conclusion in Section 4. The issues discussed in this paper are part of an ongoing effort. Our long-range goal is to develop a complementary set of independent mechanisms for protection against computer viruses and other malcious programs. 1. Computer Virus Background A malicious computer virus, like a Trojan Horse i, lures unsuspecting users into executing it by pre- 1 “The Trojan Horse works much like the original wooden statue that the Greeks presented at the walls of Troy - it is an attractive or innocent-looking structure (in this case, a program) that contains a hidden trick, a trick in the form of buried programming code that can give a hacker surrepti- tious entry to the system that unknowingly invites the Trojan Horse within its figurative walls. The Trojan Horse is very simple in theory, but also very effective when it works. The program that is written or modified to be a Trojan Horse is designed to achieve two major goals: first, it tries to look very innocent and tempting to run, and second, it has within itself a few high-security tasks to try [3]. tending to be nothing more than a useful or interesting program [4], while in reality it contains additional functions intended to “. . .gain un- authorized access to the system or to [cause a] . . .malicious side effect” [5]. Programs of this type are particulary insidious because they operate through legitimate access paths. The difference between a computer virus and a traditional Trojan Horse is that a virus “ . . .can ‘infect’ other pro- grams by modifying them to include, a possibly evolved, copy of itself” [l]. The process of infec- tion is depicted in Fig. 1. The victim’s file space contains several “clean” executables to which the victim possesses modify access. The villain creates an executable that per- forms a function designed to entice unsuspecting victims to invoke it. Embedded in the executable is a piece of clandestine code that is a virus. When the program is executed, the hidden viral code is executed in addition to the program’s normal service. The victim, however, only sees the normal service, and therefore, does not detect the pres- ence of malicious activity. The virus program, when executed by the victim, carries the victim’s access rights and, therefore, has modify access to all of the victim’s executables as well as any other programs for which the victim has legitimate mod- ify access. In this case, the virus spreads by di- rectly copying itself to the target executables. Al- ternatively, the virus can spread by replacing the target executables with an executable that con- tains the virus. Furthermore, when any other user with access to the victim’s executables, invokes one of the infected programs, the virus spreads to that user’s executables and so on. In addition to the spread- ing capability, the virus may contain other code, such as a Trojan Horse, intended to cause damage of some kind. The most serious impact of a virus, however, is the rapidity with which it propagates through the system undetected. Worm programs (programs or computations that move around a network gather- ing needed resources and replicating as necessary) propagate with similar speed [6]. This potential widespread security problem is detailed in [l] and the potential damage to both the public and private sector is extreme. Several properties of typical computer systems lead to an environment in which computer viruses can wreak havoc: the need for program sharing
M.M. Pozzo, T.E. Gray / Approach to Containing Computer Viruses 323 / !tVillain 0 RVietim 1. Villain creates b enticing program containing virus Virus 3. Viral program coverlly modifies clean exeartties “clean” exectiables victim has rrodify acozi 4. result b infected execirlabfes ETY AFTER Fig. 1. The process of infection. [5], the difficulty in confining programs *, and the fact that existing discretionary access control (DAC) mechanisms are fundamentally flawed with re- spect to limiting computer virus [2]. Mechanisms exist for limiting the amount of sharing such as the security and integrity policies [8,9], and flow lists or flow distance policies [l]. However, to the extent that these mechanisms permit any sharing, the damage caused by computer viruses cannot be eliminated since their malicious activity is con- ducted via legitimate access paths due to the fundamental flaw in current DAC implementations. 1.1 Scope Not all computer viruses are bad [l]. This discus- sion, however, is primarily concerned with the infection property of a malicious computer virus. Viral infection is caused by modification of execu- tables. For this discussion, modification means directly changing the target executable or sub- stituting the target executable with an executable that has been modified. Lastly, the system admin- istrator discussed here is one or more persons trusted not to compromise the security or integrity ’ A program that cannot retain or leaks any of its proprietary information to a third party is confined [7]. of the system. This research does not address the case of a system administrator or other privileged systems user who has decided to corrupt the sys- tem. 2. Detecting Modification of Executables Using Encryption Both conventional and public-key cryptography [lO,ll] have been used successfully to ensure the integrity of messages. Our solution proposes the use of cryptography to protect the integrity of executables, and thus provide a mechanism to detect viral spread and limit potential viral damage. Fig. 2 depicts the proposed detection mecha- nism. The executable, E, is encrypted by the cryptosystem to produce E’. The run-time en- vironment passes E’ to the cryptosystem where the decryption is performed. The deciphered ex- ecutable is passed back to the run-time environ- ment which will attempt to run the results. If this attempt fails, the executable has been modified since it was encrypted and the proper authorities are modified. Thus, the run-time environment de- tects any modification, whether unintended or due to a viral attack. Note that modification of execu- tables is not prevented; however, since any mod-
324 M.M. Pozzo, 7:E. Gray /Approach to Containing Computer Viruses Jncryption Environment: Cm-Time Environment: Fig. 2. The detection mechanism. ification is detected at run-time (when the virus strikes), potential damage is limited. With respect to the damage that a virus can cause there are two cases to consider (Fig. 3). If all the executables in the system are virus-free and encrypted, attempts to infect an executable by inserting a virus will be detected and, thus, this mechanism completely halts any further viral damage. If a virus exists in an executable prior to its encryption, its presence will not be detected by this mechanism. This type of virus can still spread to other executables but the infection will be detected when the encrypted, infected program is executed. The original virus, however, can still accomplish its hidden function and, in effect, will behave like a traditional Trojan Horse. It should be noted that denial of service does occur since the executables will be destroyed when the infection attempts to spread. The usefulness of this approach is dependent on the type of cryptosystem chosen, particularly the management of the encryption and decryption key(s). There are several advantages to using pub- lic-key cryptography as opposed to conventional cryptography. In a conventional cryptosystem, the keys used for enciphering and deciphering are either the same, or each key can be computed from the other [2,13]. Thus protecting the key(s), not only from modification but also from dis- closure, becomes essential to the protection of the entire mechanism. In a public-key cryptosystem, enciphering and deciphering is accomplished via two keys, a private key and a public key [11,12,14]. In the mechanism described above, the private key is used to encrypt the executable while anyone with knowledge of the public key can decipher it. Protecting the private key from disclosure be- comes the responsibility of the key’s owner and is no longer part of the mechanism itself. Thus, protecting the integrity of the mechanism becomes a matter of protecting the algorithms and the public keys from modification. In a public-key cryptosystem, the private key is bound to a par- ticular individual or group of individuals. This affords the additional advantage of authenticating the identity of the encryptor of an executable which provides additional assurance that the ex- ecutable has not been replaced by an imposter program. This can be accomplished in a conven- tional cryptosystem if the encryptor and decryptor agree in advance on the key(s) to be used, how- ever, the practicality of this approach is questiona- ble. Except for the need for authentication, simply storing characteristic values of executables and protecting these values from modification, would be sufficient to achieve the goal of detecting changes to an executable. One possible implementation of the mechanism described above is to employ a public-key crypto-
M.M. Pozzo, T.E. Gray /Approach to Containing Computer Viruses 325 nitial System Virus-Free: HALT Initial Infected System: EXECUTES HALT Fig. 3. Virus-free vs. infected system. Sign Environment: Run-Time Environment: , ESB I IlZSUltS System-protected ti I public +RT+ keys I I Fig. 4. Signature block mechanism. (RTVM = run-time validation mechanism).
326 M.M. Pozzo, T.E. Gray /Approach to Containing Computer Viruxs system to append an encrypted signature block to the plaintext executable (Fig. 4). The signature block contains the result of applying a strong one-way function (characteristic value or crypto- graphic checksum) to the entire executable plus some additional information such as the identity of the signer and a time stamp. The private key of the signer is used to encrypt the signature block. At run-time, the signature block is deciphered with the associated public key, the characteristic value regenerated and the two values compared. If the two results differ, a modification has occurred and the proper authorities are notified. In this implementation, the system must maintain a list of public keys and protect them from modifica- tion. This implementation affords a large degree of flexibility in determining the set of public keys that will reside on the system-protected public key list (SPKL); these are the only keys that will be recognized by the run-time environment. In ad- dition, since the executable itself is not encrypted, the run-time environment will not attempt to run deciphered code that is garbage. Authentication is a well-known advantage of signature block mecha- nisms [15], further indicating that this implemen- tation is a viable solution. Essential to the correct operation of this mech- anism, is determining the public keys that reside on the SPKL. The system administrator should only allow public keys of individuals and organizations trusted to supply software that does not contain a computer virus. Basically, anyone can sign soft- ware; the issue is who can sign software and also have their public key on the public key list. 3. Strengths and Weaknesses The mechanism described above is most effective if all the executables in the system are encrypted. In reality, however, it may not be feasible to require all executables in the system to be en- crypted or signed. Of particular concern is the software development process which requires many executions during program debugging. Encrypting and deciphering on every test run will significantly lengthen this process. Providing a separate de- velopment environment, although one solution, may not be practical. Another concern is software developed by users for their own use, software not available to the entire system. Since residence in the system-protected public key list is restricted as described in the previous section, it is unlikely that the public key of a normal user will be in the list. This makes execution of personal software impossible. Lastly, the system administrator has the responsibility for ensuring that individuals and organizations who encrypt software for the sys- tem, and also have their associated public key on the system-protected public key list, provide software that does not contain computer viruses and other types of malicious programs such as Trojan horses. Requiring the system administrator to perform this task for all executables on the system may be impractical, depending on the de- gree of protection needed for the type of work performed by the system. Thus, for practical rea- sons, it may be necessary for encrypted and unen- crypted executables to reside on a system simulta- neously. 3.1 The Coexistence of Encrypted and &encrypted Executables One way to allow the coexistence of encrypted and unencrypted executables in a system is via the Risk Management Scheme. This scheme allows administrative classification of software, and per- mits users to specify the classes of software they wish to execute. The classes of software corre- spond to the likelihood that the executable con- tains malicious code such as a computer virus. Unencrypted software might be considered most likely to contain a virus. Thus, a user wishing to be protected from potential malicious activity would only allow execution of low-risk software. This classification, although subjective, serves as a warning mechanism to users, making them aware of the potential risk in executing certain programs. An overview of the Risk Management Scheme is presented here. For a detailed discussion see [16]. The Risk Management Scheme. The Risk Management Scheme has two domains: programs and processes. Programs are assigned “credibility values” (by the system administrator) and processes inherit a “risk level” from their parent process, or ultimately, from the user on whose behalf they are operating. The operating system is responsible for preventing a process at risk-level N from invoking a program whose credibility value is less than N. The system administrator assigns software a
M.M. Porro, T.E. Gray /Approach to Containing Computer Viruses 327 credibility value which identifies the likelihood that the software contains malicious code. In gen- eral, this value is based on the origin of the software. Credibility values range from zero to N, where software with the lowest credibility has the value of zero and software with the highest credi- bility on the system has the highest value. Soft- ware that is formally verified, so that the possibil- ity of it containing malicious code is small, is always assigned the highest value. The number of credibility values is determined by the system administrator and can be one. For example, in an environment where security is of primary concern such as a military installation, a system may be restricted to only verified software. An environ- ment where security is of less concern, is unlikely to have any formally verified software. But, since differences exist in the credibility of the various sources of executables, the system administrator can choose some number of credibility values to reflect the classes of software on the system. Fig. 5 depicts a possible configuration for credibility val- ues. Risk levels specify what classes of software can be executed for a user. They correspond inversely to credibility values. If the user’s risk level is set to the highest credibility value on the system, the risk of damage to that user is the lowest possible. On the other hand, the greatest risk is taken when the user specifies a risk level of zero. When a user logs in, a risk level is established for the session. This risk level can be determined in two ways. The first way is for the user to specify the desired risk level as an argument to the login command (e.g. login Joe-session-risk 3). The second way is to assume the default risk level for that user. Initially, the default risk level of all users is the highest credibility value on the system. The user can reset this default risk level by speci- fying the desired default as an argument to the login command (e.g. login Joe-default _ risk 2). The user need only set this once and it remains in effect until it is explicitly reset by the user. Thus, assuming the default risk level as the risk level for the session requires no explicit action on the user’s part once it is set. Once the risk level for a session is established, any processes that are spawned inherit the risk level of the parent, restricting children to running software of the same credibil- ity value or higher. The only way for a user to override the risk level for a particular session is via the RUN-UNTRUSTED command which takes one executable program as an argument. This program can have a credibility value less than the risk level. The duration of this exception is the execution of the program supplied as an argument. The objec- tive of the “RUN-UNTRUSTED” command is to make execution of high-risk programs explicit, but not too inconvenient. As an example, Fig. 6 shows five possible credi- bility values for software, where the existence of malicious code in software with a value of 5 is unlikely and in software with a value of 0 is most likely. The initial default for the user is the ability to run software with a value of 5 only, unless the user explicitly logs in at a lower risk level or resets the default risk level. If the user chooses to estab- lish a session with a risk level of 3, software with Origin Credibility User’s Risk User Files 0 - Lowest User Contributed S/W 1 S/W from Bulletin Board 2 S/W from System Staff 3 Commercial Application S/W 4 S/W from OS Vendor 5 - Highest 0 - Highest Risk 5 - Lowest Risk Fig. 5. Credibility value and risk level.
328 Credibility VAN2 M.M. Pozzo, T.E. Gray / Approach to Containing Computer Viruses __._~__. __----_ ___-. _ Execution User’s Risk Mode Level 0 RUN-UNTRUSTED 1 RUN-UNTRUSTED 2 RUN-UNTRUSTED 3 normal 4 normal 5 normal RiskLevel= 3 Fig. 6. User’s risk level. values of 0, 1, and 2 cannot be run without using the RUN-UNTRUSTED command. Of course, the user has increased the potential risk of exposure to malicious activity. Once a credibility value has been assigned to software, the information must be conveyed to the run-time environment. This can be accomplished in several ways. The first approach is to store the credibility value as part of the executable, compar- ing the value with the user’s risk level prior to permitting execution. This approach requires that the executable be protected from modification to ensure the integrity of the credibility value. A second approach is to keep a list of all executable software in the system and the associated credibil- ity values. When a user executes a program, the run-time environment searches the list for the program’s credibility value and compares it with the user’s risk level before allowing execution. Such a list must be protected from illicit modifica- tion. This approach may not be practical depend- ing on the time it takes to complete the search. A third approach is to group software of the same credibility value in the same place in secondary storage, and maintain a short, protected list map- ping credibility values to each file group. Software of the same credibility value could be stored in the same directory, in the same filesystem 3, or some other mechanism used to partition software. The 3 In Unix, a filesystem contains a hierarchical structure of directories and files and corresponds to a partition of a disk. Each filesystem is represented internally by a unique number v71. list identifying each partition and the associated credibility value is then short enough to avoid performance problems, but must still be protected from modification by anyone except the system administrator. Fig. 7 shows possible credibility values for software grouped using Unix 4 directo- ries as the partitions. As the number of credibility values is de- termined by the system administration, so is the granularity of the partitions. For example, one system might partition all vendor software into one partition with the same credibility value while another system might have separate partitions for IBM, DEC and AT&T software, each with a different credibility value. If an individual program becomes suspected of containing malicious code, perhaps based on re- ports from other installation, it can be moved to a different directory of appropriate credibility value. However, one disadvantage of associating a credi- bility value with entire directories or filesystems is that the full name of a program may be embedded in other programs or scripts; thus moving a pro- gram to a different directory having the desired credibility level is essentially a name change for that program, and may cause existing scripts to break. This observation argues in favor of assign- ing credibility values to individual programs, even though to do so is more administratively demand- ing. A combined approach that allows easy assign- ment of credibility levels to collections of pro- 4 Unix is a trademark of AT&T Information Systems.
M.M. Pozzo, T.E. Gray /Approach to Containing Computer Viruses 329 Origin Credibility Partition User Files User Contributed S/W Bulletin Board S/W Commercial S/W S/W from System Staff Commercial S/w Verified S/W S/W from OS Vendor 0 -Lowest 1 I 2 3 3 4 5 - Highest lusr lusrlflakey lusrlnet lusrlbin2 hsdlocal lusrlbio /usr/vi?r lbin Fig. 7. Partitioning software of different credibility values. grams, but provides for individual exceptions may be the winning strategy. Encryption Identification. Another major con- cern in allowing unencrypted and encrypted ex- ecutables to coexist in a system is communication with the Run-Time Validation Mechanism (RTVM). There must be a way for the RTVM to know exactly which executables are required by the system ad- ministrator to be encrypted. Furthermore, this in- formation must be trusted to accurately reflect the intention of the system administrator, i.e. it must be tamperproof. There are many ways to represent this “encryption identification”; several are listed below. l Record the information as a protected attribute of the executable. l Keep a system-protected list of all executables that are required by the system administrator to be encrypted. l Group all encrypted and unencrypted software in the same place in secondary storage, and maintain a short, protected list identifying which locations must contain encrypted software. In all cases, however, this information must be protected from illicit modification. For example, if an executable is identified as “must be encrypted” and this information is not protected from modifi- cation, a perpetrator could remove the encryption identification so that it is not validated by the RTVM. Essentially, unless the encryption identifica- tion is protected, the encryption mechanism is useless when unencrypted software is allowed to exist in the system. 3.2 Protecting the Protection Mechanism The protection of the proposed mechanism itself is dependent on the integrity of the operating sys- tem. Protection of the mechanism does not require preventing disclosure of information, only its modification. Critical elements include the public key list (SPKL), and the RTVM. In systems where unencrypted executables are allowed, the encryp- tion identification must also be protected as men- tioned above. If the system is secure, the Trusted Computing Base (TCB) mediates all access between subjects and objects [18]. Routines that manipu- late the public key list and the encryption identifi- cation would be considered privileged operations and part of the TCB. The operation of the RTVM would be considered a trusted operation and also part of the TCB. If the TCB provides multilevel security, additional protection is afforded by the security levels, since in general, a virus cannot spread between levels. 5 If the underlying system is an Untrusted Com- puting Base (UCB), alternative measures must be taken to ensure the integrity of this mechanism. In addition to restricting valid public keys, the fol- lowing issues are of primary concern: 0 Protect the public key list and encryption iden- tification from modification, 0 Protect the routines that manipulate the public key list and the encryption identification from modification; 5 The *-property [S] does not allow write-down to a lower security level.
330 M.M. Porro, T.E. Gray / Approach to Containing Computer Viruses l Limit execution of routines that manipulate the public key list and the encryption identifica- tion; l Protect the Run-Time Validation Mechanism from modification. For a more detailed discussion about protecting this mechanism when the underlying system is an Untrusted Computing Base see [19]. 4. Conclusion 4.1 Open Issues Performance issues are an area yet to be examined but an overall decrease in performance seems likely. This model requires the operating system environment to perform several additional services that will decrease performance. First, the credibil- ity value of the software to be executed must be determined and compared to the risk level of the process executing the software. Secondly, the validation routines must be invoked for all en- crypted software. The performance of the valida- tion routine is dependent on the cryptosystem employed. Regardless of the one that is chosen, performance will be decreased. Another open issue is that of name resolution. In the proposed model, when an executable is encountered with a credibility value lower than the process’s default risk level, resolution is dis- continued even if the entire name has not been examined. It may be possible to allow resolution to continue until an appropriate executable is found or the entire name has been resolved. 4.2 Current Prototype The first prototype was implemented on the Locus distributed operating system [20], which is a net- work-transparent version of the Unix operating system. This prototype implements a framework for the signature mechanism. The primary goal of the implementation was to investigate the feasibil- ity of protecting executables by using a signature block such as the one described. The Risk Mana- gement Scheme was not included in the first im- plementation. A SIGN program was implemented in the initial system. The cryptosystem used, however, was trivial, and unsuitable for a real system. The parti- tions were simulated by using Unix directories. Both the SPKJ_ and the list mapping the partitions into credibility values were assumed to already exist so that routines for manipulating them were not provided. The characteristic function was im- plemented by using the Unix “crypt” function to provide a 4-byte characteristic function. To test this mechanism, a program was written that in- voked the RTVM if an executable resided in one of the “must be encrypted” partitions. If the execu- table was valid (not modified since it had been signed), it was executed. Initial test results showed that modification to a signed executable would be detected in most cases. However, the characteristic function genera- tor must provide a much stronger function than the 4-byte function supplied by the prototype. In general, however, any modifications made to the executable portion of the load module were de- tected. Appending a virus to the signed executable was also detected. 4.3 Future Work The next step is to investigate a more rigorous characteristic function and to find a suitable pub- lic-key cryptosystem. The current simulation sys- tem must be moved to the operating system kernel and tested in real-time. A workstation may prove the best environment for the next level of the prototype. Once a more extensive signature mech- anism is in place, the next step is to implement the Risk Management Scheme. Once the entire model has been implemented, solutions must be found for the assumptions that were made. For example, a means for protecting the operating system kernel when the underlying system is an Untrusted Computing Base must be investigated. Also measurement of performance degradation introduced by the validation step is crucial to determining the overall feasibility of this approach. References [l] Cohen, F.: “Computer Viruses”, Proceedings of the 7th DOD/NBS Computer Security Conference, September 1984, pp. 240-263. [2] Boebert, W.E., and Ferguson, CT.: A Partial Solution to the Discretionary Trojan Horse Problem, Honeywell Secure Technology Center, Minneapolis, MN.
MM. Pozzo, T.E. Gray /Approach to Containing Computer Viruses 331 [3] Landreth, B.: Out of the Inner Circle: A Hacker’s Guide to Computer Security, Microsoft Press, Bellevue, WA, 1985. [4] Anderson, J.P.: Computer Security Technology Planning Study, USAF Electronic Systems Division, Bedford, MA., Oct. 1972, ESD-TR-73-51. [5] Denning, D.E.: CTptography and Data Security, Addison-Wesley Publishing Co., Reading, Ma, 1982. [6] Shoch, J.F., and Hupp, J.A.: The ‘Worm’ Programs - Early Experience with a Distributed Computation”. Com- munications of ACM 25, 3 (March 1982), 172-180. [7] Lampson, B.W.: “A Note on the Confinement Problem”, Communications of the ACM 16 (10): 613-615, Ott, 1973. [8] Bell, D.E., and LaPadula, L.J.: Secure Computer System: Unified Exposition and Mu/tics Interpretation, MITRE Technical Report, MTR-2997, July 1975. [9] Biba, K.J.: Integrity Considerations for Secure Computer Systems, MITRE Technical Report, MTR-3153, June 1975. [lo] Campbell, C.M.: The Design and Specification of Crypto- graphic Capabilities, IEEE Communication Society Mag- azine, Nov. 1978, pp. 273-278. [ll] Diffie, W., and Helhnan, M.E.: Privacy and Authentica- tion: An Introduction to Cryptography, Proceedings of the IEEE, Vol. 67, No. 3, March 1979. [12] Meyer, C.H., Matyas, S.M.: Cryptography: A New Dimen- sion in Computer Data Security, John Wiley & Sons, 1976. [13] Kahn, D.: The Codebreakers, MacMillan, New York, 1972. [14] Shannon, C.E.: “Communication Theory of Secrecy Sys- tems”, BeN System Technical Journal, 28, 1949, pp. 656-715. [15] Kline, C.S., Popek, G.J., Thiel, G., and Walker, B.J.: “Digital Signatures: Principles and Implementations”, Journal of Tele-Communication Networks, Vol. 2, No. 1, 1983, pp. 61-81. [16] Pozzo, M.M., Gray, T.E.: “Managing Exposure to Poten- tially Malicious Programs”, Proceedings of the 9th Na- tional Computer Security Conference, Sept. 1986. [17] Boume, SE.: 7’he UNIX System, International Computer Science Series. Addison-Wesley Publishing Company, 1983. [18] DOD Computer Security Center, “Department of Defense Trusted Computer System Evaluation Criteria”, DOD, CSC-STD-001-83, 1983. [19] Pozzo, M.M., Gray, T.E.: “Computer Virus Containment in Untrusted Computing Environments”, ZFZP/SEC Fourth International Conference and Exhibition on Com- puter Security, December 1986. [20] WaIker, B.J., Popek, G.J., English, R., Kline, C.S., and Thiel, G.: “The Locus Distributed Operating System”, Proceedings of the Ninth ACM Symposium on Operating System Principles, October 1983.

More Related Content

DOCX
Final Project _Smart Utilities
Pasan Alagiyawanna
 
PDF
Ijfls05
ijfls
 
PDF
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
Mrunalini Koritala
 
PPTX
Mitppt
Aarti Prakash
 
PDF
Virus detection based on virus throttle technology
Ahmed Muzammil
 
PDF
Malware Detection Module using Machine Learning Algorithms to Assist in Centr...
IJNSA Journal
 
PDF
A memory symptom based virus detection approach
UltraUploader
 
PPTX
Program security
Prachi Gulihar
 
Final Project _Smart Utilities
Pasan Alagiyawanna
 
Ijfls05
ijfls
 
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
Mrunalini Koritala
 
Mitppt
Aarti Prakash
 
Virus detection based on virus throttle technology
Ahmed Muzammil
 
Malware Detection Module using Machine Learning Algorithms to Assist in Centr...
IJNSA Journal
 
A memory symptom based virus detection approach
UltraUploader
 
Program security
Prachi Gulihar
 

What's hot (20)

PDF
341 346
Editor IJARCET
 
PDF
Remote File Inclusion
Imperva
 
PPTX
Security and ethics
Argie242424
 
PPTX
Program and System Threats
Reddhi Basu
 
PPTX
Malicious software and software security
Prachi Gulihar
 
PPT
Virus and Malicious Code Chapter 5
AfiqEfendy Zaen
 
PDF
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
IJRES Journal
 
PPTX
Malicious software
CAS
 
PDF
A critical look at the regulation of computer viruses
UltraUploader
 
DOC
Wireless network security threats countermeasure
Edie II
 
PDF
A comprehensive study on classification of passive intrusion and extrusion de...
csandit
 
PPT
Computer Virus
bebo
 
PDF
Survey on Computer Worms
rahulmonikasharma
 
PDF
Program security chapter 3
Education
 
PPS
Virus & Computer security threats
Azri Abdin
 
PPTX
Network Security Risk
Dedi Dwianto
 
PPTX
Network security and viruses
Aamlan Saswat Mishra
 
PDF
20111204 intro malware_livshits_lecture02
Computer Science Club
 
PPT
Stuxnet flame
Santosh Khadsare
 
PPT
Computer viruses and antiviruses PPT
Eva Harshita
 
341 346
Editor IJARCET
 
Remote File Inclusion
Imperva
 
Security and ethics
Argie242424
 
Program and System Threats
Reddhi Basu
 
Malicious software and software security
Prachi Gulihar
 
Virus and Malicious Code Chapter 5
AfiqEfendy Zaen
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
IJRES Journal
 
Malicious software
CAS
 
A critical look at the regulation of computer viruses
UltraUploader
 
Wireless network security threats countermeasure
Edie II
 
A comprehensive study on classification of passive intrusion and extrusion de...
csandit
 
Computer Virus
bebo
 
Survey on Computer Worms
rahulmonikasharma
 
Program security chapter 3
Education
 
Virus & Computer security threats
Azri Abdin
 
Network Security Risk
Dedi Dwianto
 
Network security and viruses
Aamlan Saswat Mishra
 
20111204 intro malware_livshits_lecture02
Computer Science Club
 
Stuxnet flame
Santosh Khadsare
 
Computer viruses and antiviruses PPT
Eva Harshita
 
Ad

Similar to An approach to containing computer viruses (20)

PDF
An overview of computer viruses in a research environment
UltraUploader
 
PDF
A fault tolerance approach to computer viruses
UltraUploader
 
PDF
A short course on computer viruses
UltraUploader
 
PDF
A framework for modelling trojans and computer virus infection
UltraUploader
 
PPT
viruses
khadija habib
 
PPT
Computer security
Dhani Ahmad
 
PPT
Presentation24190
KRT395
 
PPTX
Information security and privacy
Joy Chakraborty
 
PPTX
Information security and privacy
Joy Chakraborty
 
PPTX
Viruses and virus countetmeasures
prawinrajanIT
 
PPT
Itc lec 15 Computer security risks
AnzaDar3
 
PDF
Computer Viruses and Malware by John Aycock (auth.) (z-lib.org).pdf
Angelika B.
 
PDF
A model for detecting the existence of unknown computer viruses in real time
UltraUploader
 
PPT
maliciouse code malwere dan bentuk penyebarannya
SYYULIANISKOMMT
 
PPT
Iss lecture 9
Ali Habeeb
 
PPTX
virus
增福 蔡增福
 
PPT
Presentation2
Jeslynn
 
PPTX
Computer virus
dineshrwt911
 
PDF
INT 1010 05-3.pdf
Luis R Castellanos
 
PPTX
Isas
CODERS TECHNOLOGIES
 
An overview of computer viruses in a research environment
UltraUploader
 
A fault tolerance approach to computer viruses
UltraUploader
 
A short course on computer viruses
UltraUploader
 
A framework for modelling trojans and computer virus infection
UltraUploader
 
viruses
khadija habib
 
Computer security
Dhani Ahmad
 
Presentation24190
KRT395
 
Information security and privacy
Joy Chakraborty
 
Information security and privacy
Joy Chakraborty
 
Viruses and virus countetmeasures
prawinrajanIT
 
Itc lec 15 Computer security risks
AnzaDar3
 
Computer Viruses and Malware by John Aycock (auth.) (z-lib.org).pdf
Angelika B.
 
A model for detecting the existence of unknown computer viruses in real time
UltraUploader
 
maliciouse code malwere dan bentuk penyebarannya
SYYULIANISKOMMT
 
Iss lecture 9
Ali Habeeb
 
virus
增福 蔡增福
 
Presentation2
Jeslynn
 
Computer virus
dineshrwt911
 
INT 1010 05-3.pdf
Luis R Castellanos
 
Isas
CODERS TECHNOLOGIES
 
Ad

More from UltraUploader (20)

PDF
1 (1)
UltraUploader
 
DOC
01 intro
UltraUploader
 
DOC
01 le 10 regole dell'hacking
UltraUploader
 
DOC
00 the big guide sz (by dr.to-d)
UltraUploader
 
PDF
[E book ita] php manual
UltraUploader
 
PDF
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
UltraUploader
 
PDF
[Ebook ita - database] access 2000 manuale
UltraUploader
 
DOC
(E book) cracking & hacking tutorial 1000 pagine (ita)
UltraUploader
 
DOC
(Ebook ita - inform - access) guida al database access (doc)
UltraUploader
 
PDF
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
UltraUploader
 
PDF
Broadband network virus detection system based on bypass monitor
UltraUploader
 
PDF
Botnetsand applications
UltraUploader
 
PDF
Bot software spreads, causes new worries
UltraUploader
 
PDF
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
UltraUploader
 
PDF
Blast off!
UltraUploader
 
PDF
Bird binary interpretation using runtime disassembly
UltraUploader
 
PDF
Biologically inspired defenses against computer viruses
UltraUploader
 
PDF
Biological versus computer viruses
UltraUploader
 
PDF
Biological aspects of computer virology
UltraUploader
 
PDF
Biological models of security for virus propagation in computer networks
UltraUploader
 
1 (1)
UltraUploader
 
01 intro
UltraUploader
 
01 le 10 regole dell'hacking
UltraUploader
 
00 the big guide sz (by dr.to-d)
UltraUploader
 
[E book ita] php manual
UltraUploader
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
UltraUploader
 
[Ebook ita - database] access 2000 manuale
UltraUploader
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
UltraUploader
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
UltraUploader
 
Broadband network virus detection system based on bypass monitor
UltraUploader
 
Botnetsand applications
UltraUploader
 
Bot software spreads, causes new worries
UltraUploader
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
UltraUploader
 
Blast off!
UltraUploader
 
Bird binary interpretation using runtime disassembly
UltraUploader
 
Biologically inspired defenses against computer viruses
UltraUploader
 
Biological versus computer viruses
UltraUploader
 
Biological aspects of computer virology
UltraUploader
 
Biological models of security for virus propagation in computer networks
UltraUploader
 

An approach to containing computer viruses

  • 1. 321 An Approach to Containing Computer Viruses * Maria M. Pozzo Terence E. Gray ComputerScienceLqmrrmenr,Unioersity of Cnlifornrn, Los Angeles, Los Angeles, CA 90024, U.S.A. This paper presents a mechanism for containing the spread of computer viruses by detecting at run-time whether or not an executable has been modified since its installation. The detec- tion strategy uses encryption and is held to be better for virus containment than conventional computer security mechanisms which are based on the incorrect assumption that preventing modification of executables by unauthorized users is sufficient. Although this detection mechanism is most effective when all executables in a system are encrypted, a scheme is presented that shows the usefulness of the encryption approach when this is not the case. The detection approach is also better suited for use in untrusted computer systems. The protection of this mechanism in untrusted computing environments is addressed. Keywords: Infection, Integrity, Trojan horse, Computer viruses Terry Gray is Director of the UCLA Distributed Systems Laboratory, and an Adjunct Associate Professor in the UCLA Computer Science Department. He received a BSEE from Northrop University in 1967, and a Ph.D. in Computer Science from UCLA in 1978. Prior to joining the UCLA faculty, Dr. Gray was Manager of Software En- gineering at Ampex Corporation. He has also served on the technical staff of Transaction Technology, Inc. and Bell Laboratories. Current research in- terests include distributed system architecture, computer secur- ity, software engineering, advanced office systems, and the social impact of technology. He is a member of IEEE, ACM, Tau Beta Pi, and Upsilon Pi Epsilon. * This research was supported in part by the NSF Coordinated Experimental Research program under grant NSF/MCS 8121696 and by the IBM Corporation under contract D850915. 0. Introduction The infection property of a malicious computer virus [l] which causes modifications to executables is a concern in computer security. Modifications to executables are much less noticeable than those made to text or data files, and often go unde- tected. Such modifications often cause unex- pected, unauthorized, or malicious side-effects in a computer system. This discussion is primarily con- cerned with the infection property of a malicious computer virus which causes modifications to ex- ecutables. Protecting executables from modification can be accomplished in two general ways: (1) by ren- dering the executable immutable and thus prevent- ing all modifications, or (2) by detecting any changes to the executable prior to its execution, The first method can be accomplished by storing the executable in a read-only storage medium such as a ROM, a read-only directory or a read-only disk. Thus, the protection mechanism is coupled with the system or storage medium employed; its usefulness relies upon the security of the underly- ing system. Even if complete confidence in the security of the operating system is warranted, there is a problem in employing discretionary access controls (DAC) for read-only protection. Current implementations of DAC are fundamentally flawed [2] in that programs executing on a user’s behalf legitimately assume all the user’s access rights. This flaw could allow a computer virus to perform modifications despite read-only protection. The second method (detection) can be accomplished North-Holland Computers 62 Security 6 (1987) 321-331 Maria Pozzo received her MS. degree in Computer Science from the Univer- sity of Connecticut in 1981. She began her work in the area of Computer Security in 1982 while working for the Mitre Corporation. She was a member of the Multics Evaluation team and subsequently worked for Honeywell Information Systems to help achieve a B2 security rating for Multics. She is currently working on her Ph.D. at UCLA pursuing research in computer sect&v. 0167~4048/87/$3.50 0 1987, Elsevier Science Publishers B.V. (North-Holland)
  • 2. 322 M.M. Pozzo, T.E. Gray / Approach to Containing Computer Virusa by encrypting the executable using conventional or public-key cryptography, or by recording a cryptographic checksum, so that any modification can be detected prior to execution. The detection approach links the protection mechanism to the object to be protected rather than the system or storage medium, and thus, its usefulness depends less on the security of the underlying system. Furthermore, modifications to executables can still be detected outside the realm of a particular sys- tem. For example, if encryption is used when transferring executables between sites, modifica- tions can be detected at the destination site. This technique is promising for protecting software dis- tribution. This discussion is concerned with the integrity of executables and provides a generalized mecha- nism for detecting modification of executables and limiting the potential damage of a computer virus. This research was motivated by recent work in the area of computer viruses [l]. Section 1 provides background material on computer viruses and dis- cusses the seriousness of the virus problem. Sec- tion 2 describes the encryption mechanism and proposes one possible implementation. This mech- anism is then discussed by considering its strengths and weaknesses in Section 3. An overview of the current prototype and a discussion of the open issues is presented in the conclusion in Section 4. The issues discussed in this paper are part of an ongoing effort. Our long-range goal is to develop a complementary set of independent mechanisms for protection against computer viruses and other malcious programs. 1. Computer Virus Background A malicious computer virus, like a Trojan Horse i, lures unsuspecting users into executing it by pre- 1 “The Trojan Horse works much like the original wooden statue that the Greeks presented at the walls of Troy - it is an attractive or innocent-looking structure (in this case, a program) that contains a hidden trick, a trick in the form of buried programming code that can give a hacker surrepti- tious entry to the system that unknowingly invites the Trojan Horse within its figurative walls. The Trojan Horse is very simple in theory, but also very effective when it works. The program that is written or modified to be a Trojan Horse is designed to achieve two major goals: first, it tries to look very innocent and tempting to run, and second, it has within itself a few high-security tasks to try [3]. tending to be nothing more than a useful or interesting program [4], while in reality it contains additional functions intended to “. . .gain un- authorized access to the system or to [cause a] . . .malicious side effect” [5]. Programs of this type are particulary insidious because they operate through legitimate access paths. The difference between a computer virus and a traditional Trojan Horse is that a virus “ . . .can ‘infect’ other pro- grams by modifying them to include, a possibly evolved, copy of itself” [l]. The process of infec- tion is depicted in Fig. 1. The victim’s file space contains several “clean” executables to which the victim possesses modify access. The villain creates an executable that per- forms a function designed to entice unsuspecting victims to invoke it. Embedded in the executable is a piece of clandestine code that is a virus. When the program is executed, the hidden viral code is executed in addition to the program’s normal service. The victim, however, only sees the normal service, and therefore, does not detect the pres- ence of malicious activity. The virus program, when executed by the victim, carries the victim’s access rights and, therefore, has modify access to all of the victim’s executables as well as any other programs for which the victim has legitimate mod- ify access. In this case, the virus spreads by di- rectly copying itself to the target executables. Al- ternatively, the virus can spread by replacing the target executables with an executable that con- tains the virus. Furthermore, when any other user with access to the victim’s executables, invokes one of the infected programs, the virus spreads to that user’s executables and so on. In addition to the spread- ing capability, the virus may contain other code, such as a Trojan Horse, intended to cause damage of some kind. The most serious impact of a virus, however, is the rapidity with which it propagates through the system undetected. Worm programs (programs or computations that move around a network gather- ing needed resources and replicating as necessary) propagate with similar speed [6]. This potential widespread security problem is detailed in [l] and the potential damage to both the public and private sector is extreme. Several properties of typical computer systems lead to an environment in which computer viruses can wreak havoc: the need for program sharing
  • 3. M.M. Pozzo, T.E. Gray / Approach to Containing Computer Viruses 323 / !tVillain 0 RVietim 1. Villain creates b enticing program containing virus Virus 3. Viral program coverlly modifies clean exeartties “clean” exectiables victim has rrodify acozi 4. result b infected execirlabfes ETY AFTER Fig. 1. The process of infection. [5], the difficulty in confining programs *, and the fact that existing discretionary access control (DAC) mechanisms are fundamentally flawed with re- spect to limiting computer virus [2]. Mechanisms exist for limiting the amount of sharing such as the security and integrity policies [8,9], and flow lists or flow distance policies [l]. However, to the extent that these mechanisms permit any sharing, the damage caused by computer viruses cannot be eliminated since their malicious activity is con- ducted via legitimate access paths due to the fundamental flaw in current DAC implementations. 1.1 Scope Not all computer viruses are bad [l]. This discus- sion, however, is primarily concerned with the infection property of a malicious computer virus. Viral infection is caused by modification of execu- tables. For this discussion, modification means directly changing the target executable or sub- stituting the target executable with an executable that has been modified. Lastly, the system admin- istrator discussed here is one or more persons trusted not to compromise the security or integrity ’ A program that cannot retain or leaks any of its proprietary information to a third party is confined [7]. of the system. This research does not address the case of a system administrator or other privileged systems user who has decided to corrupt the sys- tem. 2. Detecting Modification of Executables Using Encryption Both conventional and public-key cryptography [lO,ll] have been used successfully to ensure the integrity of messages. Our solution proposes the use of cryptography to protect the integrity of executables, and thus provide a mechanism to detect viral spread and limit potential viral damage. Fig. 2 depicts the proposed detection mecha- nism. The executable, E, is encrypted by the cryptosystem to produce E’. The run-time en- vironment passes E’ to the cryptosystem where the decryption is performed. The deciphered ex- ecutable is passed back to the run-time environ- ment which will attempt to run the results. If this attempt fails, the executable has been modified since it was encrypted and the proper authorities are modified. Thus, the run-time environment de- tects any modification, whether unintended or due to a viral attack. Note that modification of execu- tables is not prevented; however, since any mod-
  • 4. 324 M.M. Pozzo, 7:E. Gray /Approach to Containing Computer Viruses Jncryption Environment: Cm-Time Environment: Fig. 2. The detection mechanism. ification is detected at run-time (when the virus strikes), potential damage is limited. With respect to the damage that a virus can cause there are two cases to consider (Fig. 3). If all the executables in the system are virus-free and encrypted, attempts to infect an executable by inserting a virus will be detected and, thus, this mechanism completely halts any further viral damage. If a virus exists in an executable prior to its encryption, its presence will not be detected by this mechanism. This type of virus can still spread to other executables but the infection will be detected when the encrypted, infected program is executed. The original virus, however, can still accomplish its hidden function and, in effect, will behave like a traditional Trojan Horse. It should be noted that denial of service does occur since the executables will be destroyed when the infection attempts to spread. The usefulness of this approach is dependent on the type of cryptosystem chosen, particularly the management of the encryption and decryption key(s). There are several advantages to using pub- lic-key cryptography as opposed to conventional cryptography. In a conventional cryptosystem, the keys used for enciphering and deciphering are either the same, or each key can be computed from the other [2,13]. Thus protecting the key(s), not only from modification but also from dis- closure, becomes essential to the protection of the entire mechanism. In a public-key cryptosystem, enciphering and deciphering is accomplished via two keys, a private key and a public key [11,12,14]. In the mechanism described above, the private key is used to encrypt the executable while anyone with knowledge of the public key can decipher it. Protecting the private key from disclosure be- comes the responsibility of the key’s owner and is no longer part of the mechanism itself. Thus, protecting the integrity of the mechanism becomes a matter of protecting the algorithms and the public keys from modification. In a public-key cryptosystem, the private key is bound to a par- ticular individual or group of individuals. This affords the additional advantage of authenticating the identity of the encryptor of an executable which provides additional assurance that the ex- ecutable has not been replaced by an imposter program. This can be accomplished in a conven- tional cryptosystem if the encryptor and decryptor agree in advance on the key(s) to be used, how- ever, the practicality of this approach is questiona- ble. Except for the need for authentication, simply storing characteristic values of executables and protecting these values from modification, would be sufficient to achieve the goal of detecting changes to an executable. One possible implementation of the mechanism described above is to employ a public-key crypto-
  • 5. M.M. Pozzo, T.E. Gray /Approach to Containing Computer Viruses 325 nitial System Virus-Free: HALT Initial Infected System: EXECUTES HALT Fig. 3. Virus-free vs. infected system. Sign Environment: Run-Time Environment: , ESB I IlZSUltS System-protected ti I public +RT+ keys I I Fig. 4. Signature block mechanism. (RTVM = run-time validation mechanism).
  • 6. 326 M.M. Pozzo, T.E. Gray /Approach to Containing Computer Viruxs system to append an encrypted signature block to the plaintext executable (Fig. 4). The signature block contains the result of applying a strong one-way function (characteristic value or crypto- graphic checksum) to the entire executable plus some additional information such as the identity of the signer and a time stamp. The private key of the signer is used to encrypt the signature block. At run-time, the signature block is deciphered with the associated public key, the characteristic value regenerated and the two values compared. If the two results differ, a modification has occurred and the proper authorities are notified. In this implementation, the system must maintain a list of public keys and protect them from modifica- tion. This implementation affords a large degree of flexibility in determining the set of public keys that will reside on the system-protected public key list (SPKL); these are the only keys that will be recognized by the run-time environment. In ad- dition, since the executable itself is not encrypted, the run-time environment will not attempt to run deciphered code that is garbage. Authentication is a well-known advantage of signature block mecha- nisms [15], further indicating that this implemen- tation is a viable solution. Essential to the correct operation of this mech- anism, is determining the public keys that reside on the SPKL. The system administrator should only allow public keys of individuals and organizations trusted to supply software that does not contain a computer virus. Basically, anyone can sign soft- ware; the issue is who can sign software and also have their public key on the public key list. 3. Strengths and Weaknesses The mechanism described above is most effective if all the executables in the system are encrypted. In reality, however, it may not be feasible to require all executables in the system to be en- crypted or signed. Of particular concern is the software development process which requires many executions during program debugging. Encrypting and deciphering on every test run will significantly lengthen this process. Providing a separate de- velopment environment, although one solution, may not be practical. Another concern is software developed by users for their own use, software not available to the entire system. Since residence in the system-protected public key list is restricted as described in the previous section, it is unlikely that the public key of a normal user will be in the list. This makes execution of personal software impossible. Lastly, the system administrator has the responsibility for ensuring that individuals and organizations who encrypt software for the sys- tem, and also have their associated public key on the system-protected public key list, provide software that does not contain computer viruses and other types of malicious programs such as Trojan horses. Requiring the system administrator to perform this task for all executables on the system may be impractical, depending on the de- gree of protection needed for the type of work performed by the system. Thus, for practical rea- sons, it may be necessary for encrypted and unen- crypted executables to reside on a system simulta- neously. 3.1 The Coexistence of Encrypted and &encrypted Executables One way to allow the coexistence of encrypted and unencrypted executables in a system is via the Risk Management Scheme. This scheme allows administrative classification of software, and per- mits users to specify the classes of software they wish to execute. The classes of software corre- spond to the likelihood that the executable con- tains malicious code such as a computer virus. Unencrypted software might be considered most likely to contain a virus. Thus, a user wishing to be protected from potential malicious activity would only allow execution of low-risk software. This classification, although subjective, serves as a warning mechanism to users, making them aware of the potential risk in executing certain programs. An overview of the Risk Management Scheme is presented here. For a detailed discussion see [16]. The Risk Management Scheme. The Risk Management Scheme has two domains: programs and processes. Programs are assigned “credibility values” (by the system administrator) and processes inherit a “risk level” from their parent process, or ultimately, from the user on whose behalf they are operating. The operating system is responsible for preventing a process at risk-level N from invoking a program whose credibility value is less than N. The system administrator assigns software a
  • 7. M.M. Porro, T.E. Gray /Approach to Containing Computer Viruses 327 credibility value which identifies the likelihood that the software contains malicious code. In gen- eral, this value is based on the origin of the software. Credibility values range from zero to N, where software with the lowest credibility has the value of zero and software with the highest credi- bility on the system has the highest value. Soft- ware that is formally verified, so that the possibil- ity of it containing malicious code is small, is always assigned the highest value. The number of credibility values is determined by the system administrator and can be one. For example, in an environment where security is of primary concern such as a military installation, a system may be restricted to only verified software. An environ- ment where security is of less concern, is unlikely to have any formally verified software. But, since differences exist in the credibility of the various sources of executables, the system administrator can choose some number of credibility values to reflect the classes of software on the system. Fig. 5 depicts a possible configuration for credibility val- ues. Risk levels specify what classes of software can be executed for a user. They correspond inversely to credibility values. If the user’s risk level is set to the highest credibility value on the system, the risk of damage to that user is the lowest possible. On the other hand, the greatest risk is taken when the user specifies a risk level of zero. When a user logs in, a risk level is established for the session. This risk level can be determined in two ways. The first way is for the user to specify the desired risk level as an argument to the login command (e.g. login Joe-session-risk 3). The second way is to assume the default risk level for that user. Initially, the default risk level of all users is the highest credibility value on the system. The user can reset this default risk level by speci- fying the desired default as an argument to the login command (e.g. login Joe-default _ risk 2). The user need only set this once and it remains in effect until it is explicitly reset by the user. Thus, assuming the default risk level as the risk level for the session requires no explicit action on the user’s part once it is set. Once the risk level for a session is established, any processes that are spawned inherit the risk level of the parent, restricting children to running software of the same credibil- ity value or higher. The only way for a user to override the risk level for a particular session is via the RUN-UNTRUSTED command which takes one executable program as an argument. This program can have a credibility value less than the risk level. The duration of this exception is the execution of the program supplied as an argument. The objec- tive of the “RUN-UNTRUSTED” command is to make execution of high-risk programs explicit, but not too inconvenient. As an example, Fig. 6 shows five possible credi- bility values for software, where the existence of malicious code in software with a value of 5 is unlikely and in software with a value of 0 is most likely. The initial default for the user is the ability to run software with a value of 5 only, unless the user explicitly logs in at a lower risk level or resets the default risk level. If the user chooses to estab- lish a session with a risk level of 3, software with Origin Credibility User’s Risk User Files 0 - Lowest User Contributed S/W 1 S/W from Bulletin Board 2 S/W from System Staff 3 Commercial Application S/W 4 S/W from OS Vendor 5 - Highest 0 - Highest Risk 5 - Lowest Risk Fig. 5. Credibility value and risk level.
  • 8. 328 Credibility VAN2 M.M. Pozzo, T.E. Gray / Approach to Containing Computer Viruses __._~__. __----_ ___-. _ Execution User’s Risk Mode Level 0 RUN-UNTRUSTED 1 RUN-UNTRUSTED 2 RUN-UNTRUSTED 3 normal 4 normal 5 normal RiskLevel= 3 Fig. 6. User’s risk level. values of 0, 1, and 2 cannot be run without using the RUN-UNTRUSTED command. Of course, the user has increased the potential risk of exposure to malicious activity. Once a credibility value has been assigned to software, the information must be conveyed to the run-time environment. This can be accomplished in several ways. The first approach is to store the credibility value as part of the executable, compar- ing the value with the user’s risk level prior to permitting execution. This approach requires that the executable be protected from modification to ensure the integrity of the credibility value. A second approach is to keep a list of all executable software in the system and the associated credibil- ity values. When a user executes a program, the run-time environment searches the list for the program’s credibility value and compares it with the user’s risk level before allowing execution. Such a list must be protected from illicit modifica- tion. This approach may not be practical depend- ing on the time it takes to complete the search. A third approach is to group software of the same credibility value in the same place in secondary storage, and maintain a short, protected list map- ping credibility values to each file group. Software of the same credibility value could be stored in the same directory, in the same filesystem 3, or some other mechanism used to partition software. The 3 In Unix, a filesystem contains a hierarchical structure of directories and files and corresponds to a partition of a disk. Each filesystem is represented internally by a unique number v71. list identifying each partition and the associated credibility value is then short enough to avoid performance problems, but must still be protected from modification by anyone except the system administrator. Fig. 7 shows possible credibility values for software grouped using Unix 4 directo- ries as the partitions. As the number of credibility values is de- termined by the system administration, so is the granularity of the partitions. For example, one system might partition all vendor software into one partition with the same credibility value while another system might have separate partitions for IBM, DEC and AT&T software, each with a different credibility value. If an individual program becomes suspected of containing malicious code, perhaps based on re- ports from other installation, it can be moved to a different directory of appropriate credibility value. However, one disadvantage of associating a credi- bility value with entire directories or filesystems is that the full name of a program may be embedded in other programs or scripts; thus moving a pro- gram to a different directory having the desired credibility level is essentially a name change for that program, and may cause existing scripts to break. This observation argues in favor of assign- ing credibility values to individual programs, even though to do so is more administratively demand- ing. A combined approach that allows easy assign- ment of credibility levels to collections of pro- 4 Unix is a trademark of AT&T Information Systems.
  • 9. M.M. Pozzo, T.E. Gray /Approach to Containing Computer Viruses 329 Origin Credibility Partition User Files User Contributed S/W Bulletin Board S/W Commercial S/W S/W from System Staff Commercial S/w Verified S/W S/W from OS Vendor 0 -Lowest 1 I 2 3 3 4 5 - Highest lusr lusrlflakey lusrlnet lusrlbin2 hsdlocal lusrlbio /usr/vi?r lbin Fig. 7. Partitioning software of different credibility values. grams, but provides for individual exceptions may be the winning strategy. Encryption Identification. Another major con- cern in allowing unencrypted and encrypted ex- ecutables to coexist in a system is communication with the Run-Time Validation Mechanism (RTVM). There must be a way for the RTVM to know exactly which executables are required by the system ad- ministrator to be encrypted. Furthermore, this in- formation must be trusted to accurately reflect the intention of the system administrator, i.e. it must be tamperproof. There are many ways to represent this “encryption identification”; several are listed below. l Record the information as a protected attribute of the executable. l Keep a system-protected list of all executables that are required by the system administrator to be encrypted. l Group all encrypted and unencrypted software in the same place in secondary storage, and maintain a short, protected list identifying which locations must contain encrypted software. In all cases, however, this information must be protected from illicit modification. For example, if an executable is identified as “must be encrypted” and this information is not protected from modifi- cation, a perpetrator could remove the encryption identification so that it is not validated by the RTVM. Essentially, unless the encryption identifica- tion is protected, the encryption mechanism is useless when unencrypted software is allowed to exist in the system. 3.2 Protecting the Protection Mechanism The protection of the proposed mechanism itself is dependent on the integrity of the operating sys- tem. Protection of the mechanism does not require preventing disclosure of information, only its modification. Critical elements include the public key list (SPKL), and the RTVM. In systems where unencrypted executables are allowed, the encryp- tion identification must also be protected as men- tioned above. If the system is secure, the Trusted Computing Base (TCB) mediates all access between subjects and objects [18]. Routines that manipu- late the public key list and the encryption identifi- cation would be considered privileged operations and part of the TCB. The operation of the RTVM would be considered a trusted operation and also part of the TCB. If the TCB provides multilevel security, additional protection is afforded by the security levels, since in general, a virus cannot spread between levels. 5 If the underlying system is an Untrusted Com- puting Base (UCB), alternative measures must be taken to ensure the integrity of this mechanism. In addition to restricting valid public keys, the fol- lowing issues are of primary concern: 0 Protect the public key list and encryption iden- tification from modification, 0 Protect the routines that manipulate the public key list and the encryption identification from modification; 5 The *-property [S] does not allow write-down to a lower security level.
  • 10. 330 M.M. Porro, T.E. Gray / Approach to Containing Computer Viruses l Limit execution of routines that manipulate the public key list and the encryption identifica- tion; l Protect the Run-Time Validation Mechanism from modification. For a more detailed discussion about protecting this mechanism when the underlying system is an Untrusted Computing Base see [19]. 4. Conclusion 4.1 Open Issues Performance issues are an area yet to be examined but an overall decrease in performance seems likely. This model requires the operating system environment to perform several additional services that will decrease performance. First, the credibil- ity value of the software to be executed must be determined and compared to the risk level of the process executing the software. Secondly, the validation routines must be invoked for all en- crypted software. The performance of the valida- tion routine is dependent on the cryptosystem employed. Regardless of the one that is chosen, performance will be decreased. Another open issue is that of name resolution. In the proposed model, when an executable is encountered with a credibility value lower than the process’s default risk level, resolution is dis- continued even if the entire name has not been examined. It may be possible to allow resolution to continue until an appropriate executable is found or the entire name has been resolved. 4.2 Current Prototype The first prototype was implemented on the Locus distributed operating system [20], which is a net- work-transparent version of the Unix operating system. This prototype implements a framework for the signature mechanism. The primary goal of the implementation was to investigate the feasibil- ity of protecting executables by using a signature block such as the one described. The Risk Mana- gement Scheme was not included in the first im- plementation. A SIGN program was implemented in the initial system. The cryptosystem used, however, was trivial, and unsuitable for a real system. The parti- tions were simulated by using Unix directories. Both the SPKJ_ and the list mapping the partitions into credibility values were assumed to already exist so that routines for manipulating them were not provided. The characteristic function was im- plemented by using the Unix “crypt” function to provide a 4-byte characteristic function. To test this mechanism, a program was written that in- voked the RTVM if an executable resided in one of the “must be encrypted” partitions. If the execu- table was valid (not modified since it had been signed), it was executed. Initial test results showed that modification to a signed executable would be detected in most cases. However, the characteristic function genera- tor must provide a much stronger function than the 4-byte function supplied by the prototype. In general, however, any modifications made to the executable portion of the load module were de- tected. Appending a virus to the signed executable was also detected. 4.3 Future Work The next step is to investigate a more rigorous characteristic function and to find a suitable pub- lic-key cryptosystem. The current simulation sys- tem must be moved to the operating system kernel and tested in real-time. A workstation may prove the best environment for the next level of the prototype. Once a more extensive signature mech- anism is in place, the next step is to implement the Risk Management Scheme. Once the entire model has been implemented, solutions must be found for the assumptions that were made. For example, a means for protecting the operating system kernel when the underlying system is an Untrusted Computing Base must be investigated. Also measurement of performance degradation introduced by the validation step is crucial to determining the overall feasibility of this approach. References [l] Cohen, F.: “Computer Viruses”, Proceedings of the 7th DOD/NBS Computer Security Conference, September 1984, pp. 240-263. [2] Boebert, W.E., and Ferguson, CT.: A Partial Solution to the Discretionary Trojan Horse Problem, Honeywell Secure Technology Center, Minneapolis, MN.
  • 11. MM. Pozzo, T.E. Gray /Approach to Containing Computer Viruses 331 [3] Landreth, B.: Out of the Inner Circle: A Hacker’s Guide to Computer Security, Microsoft Press, Bellevue, WA, 1985. [4] Anderson, J.P.: Computer Security Technology Planning Study, USAF Electronic Systems Division, Bedford, MA., Oct. 1972, ESD-TR-73-51. [5] Denning, D.E.: CTptography and Data Security, Addison-Wesley Publishing Co., Reading, Ma, 1982. [6] Shoch, J.F., and Hupp, J.A.: The ‘Worm’ Programs - Early Experience with a Distributed Computation”. Com- munications of ACM 25, 3 (March 1982), 172-180. [7] Lampson, B.W.: “A Note on the Confinement Problem”, Communications of the ACM 16 (10): 613-615, Ott, 1973. [8] Bell, D.E., and LaPadula, L.J.: Secure Computer System: Unified Exposition and Mu/tics Interpretation, MITRE Technical Report, MTR-2997, July 1975. [9] Biba, K.J.: Integrity Considerations for Secure Computer Systems, MITRE Technical Report, MTR-3153, June 1975. [lo] Campbell, C.M.: The Design and Specification of Crypto- graphic Capabilities, IEEE Communication Society Mag- azine, Nov. 1978, pp. 273-278. [ll] Diffie, W., and Helhnan, M.E.: Privacy and Authentica- tion: An Introduction to Cryptography, Proceedings of the IEEE, Vol. 67, No. 3, March 1979. [12] Meyer, C.H., Matyas, S.M.: Cryptography: A New Dimen- sion in Computer Data Security, John Wiley & Sons, 1976. [13] Kahn, D.: The Codebreakers, MacMillan, New York, 1972. [14] Shannon, C.E.: “Communication Theory of Secrecy Sys- tems”, BeN System Technical Journal, 28, 1949, pp. 656-715. [15] Kline, C.S., Popek, G.J., Thiel, G., and Walker, B.J.: “Digital Signatures: Principles and Implementations”, Journal of Tele-Communication Networks, Vol. 2, No. 1, 1983, pp. 61-81. [16] Pozzo, M.M., Gray, T.E.: “Managing Exposure to Poten- tially Malicious Programs”, Proceedings of the 9th Na- tional Computer Security Conference, Sept. 1986. [17] Boume, SE.: 7’he UNIX System, International Computer Science Series. Addison-Wesley Publishing Company, 1983. [18] DOD Computer Security Center, “Department of Defense Trusted Computer System Evaluation Criteria”, DOD, CSC-STD-001-83, 1983. [19] Pozzo, M.M., Gray, T.E.: “Computer Virus Containment in Untrusted Computing Environments”, ZFZP/SEC Fourth International Conference and Exhibition on Com- puter Security, December 1986. [20] WaIker, B.J., Popek, G.J., English, R., Kline, C.S., and Thiel, G.: “The Locus Distributed Operating System”, Proceedings of the Ninth ACM Symposium on Operating System Principles, October 1983.