CRYPTOLOGIC QUARTERLY
TOP SECRET
Approved for Release by NSA on 02-28-2008, FOIA Case # 51821

Computer Virus Infections: Is NSA Vulnerable?

[author withheld: (b)(3)-P.L. 86-36]

This paper is concerned with computer viruses, a potentially dangerous attack on computer systems. The virus is a special case of the trojan horse problem, distinguished [...] programs.

INTRODUCTION

What is a computer virus? A computer virus is a self-propagating trojan horse.[1] A computer virus has three main parts: a mission component, a trigger mechanism, and a self-propagation component. The mission component is the executor of the deed the virus is designed to accomplish, e.g., erasure of all data on a computer system. The mission component lies dormant until activated by the trigger mechanism. The trigger mechanism tests one or more aspects of the system state, such as the current date, to determine whether to activate the mission component. For example, a possible virus may be of the form:

    if today's date is 10/01/85
    then erase all accessible data on the computer system
    otherwise propagate self

Indeed, an actual simple virus is not much longer or more complicated than this. The third part of the virus, the self-propagation component, allows the virus to quickly spread to other programs to which the virus is not already attached. I call this the process of viral infection.

[1] A trojan horse, in the most general sense, is a computer program which, in addition to performing a desired function, causes a malicious side effect when run by an unsuspecting user. Even though the trojan horse problem is widely recognized, trojan horse identification is difficult.

[withheld: (b)(1), (b)(3)-P.L. 86-36]

DISCUSSION

The question of whether or not an algorithm exists to decide whether a program is infected with a virus appears to be unresolved. Discussions with [withheld] and a number of colleagues within [withheld] have indicated that a formalization of the meaning of "infected" is required in order to make any rigorous statements about viruses. A theory of viral infection is required to characterize properties associated with viruses and, ultimately, to prove whether or not a decision algorithm exists.

Based on Rice's Theorem,[2] it is the author's intuition that a decision algorithm to determine whether or not a program is infected does not exist. In fact, even if it is proved that such an algorithm exists, there is no guarantee that the actual algorithm can be found. If the algorithm does not exist or cannot be found, it would not mean that the problem is hopeless. It would mean only that a general solution is not open to mathematically rigorous proof. This result would leave two approaches: (1) restrict the computer system specification so that a general solution is not required, or (2) solve the problem heuristically, acknowledging that the solution is not rigorously complete. The second method seems to provide the cheapest and easiest approach without drastically changing the operational environment.

The thrust of the recommended actions proposed in this paper is to provide mechanisms to make the virus attack more difficult and expensive to a penetrator. This method is known as increasing the work factor, the amount of resources the attacker must expend to accomplish a successful penetration. The cost is measured in terms of both time and money. If the time required to mount a virus attack against a given system exceeds the life of the system, then the system is effectively secure. Similarly, if the cost is made high enough, the attacker will divert his resources to a more fruitful target. In either case an effective solution is reached.

[2] Rice's Theorem states that any nontrivial property of the recursively enumerable sets is undecidable. A property is trivial if it is either true of all members in the set or of no members in the set. Since the set of all possible algorithms is a recursively enumerable set, it would seem to follow that the nontrivial property of being infected would be undecidable. For further reading on Rice's Theorem see Hopcroft, cited in the bibliography.

Attack Classes

The three major types of computer attacks are compromise, spoofing, and denial of service. They are discussed in detail in the following paragraphs.

a. Compromise - [withheld: (b)(1), (b)(3)-P.L. 86-36]

b. Spoofing - the unauthorized alteration of classified data. [withheld: (b)(1), (b)(3)-P.L. 86-36]

Paradoxically, the type of program in which the virus lies can tell much about the system. Using a biological analogy, a human who finds himself in an alien environment knows a great deal about that environment by virtue of the fact that he is alive, e.g., there is enough oxygen to breathe, the ambient temperature is within the human-tolerable range, etc. By the same token, a C language program, for example, knows with a high degree of certainty that it will be running in a UNIX-type environment. If the host program in which a virus hides will not run in a given computer system, there is no reason to ever import that program. If it is imported, it will not execute and presents no direct threat to the computer system.

The following two scenarios exemplify the spoofing attack. The scenarios are not intended to be of sufficient detail to be beyond criticism, but to give a flavor for attacks that might be possible.

[withheld: (b)(1), (b)(3)-P.L. 86-36]

c. Denial of Service - the unauthorized use of system resources to the exclusion of authorized users. Examples of denial-of-service attacks include unfair CPU utilization or excessive disk storage space usage by a user or process to a degree that negatively impacts the other users on the system. More concretely, if a user gets control of the CPU scheduling process, the computer can be directed to execute only his process to the exclusion of all others.

At first glance the infection process itself may seem to represent a denial-of-service attack. To a small extent this is true; however, a viable infection must conceal itself by minimizing the time required to accomplish the infection process before executing the legitimate program. Specifically, the infection time required must be small compared to the time required to execute the legitimate program, so that the user does not notice the delay. Indeed, once all of the programs have been infected, a process which can occur exponentially fast, the infection process consumes no more system resources until its mission component is activated.

The denial-of-service attack is similar to the spoofing attack but uses more brute force. Instead of providing false information during times of crisis, programs are instructed to bring the system to a halt.

[withheld: (b)(1), (b)(3)-P.L. 86-36]

The threat of computer virus attack is very real. Fred Cohen's preliminary investigations, reported in the paper cited in the bibliography, involving the actual production of working viruses on systems which included the Univac 1108, TOPS-20, VM/370, and VMS, demonstrate viral production times ranging from 6 to 30 hours. The average time to acquisition of full system privileges, giving the virus unchallenged access to any data on the computer system, was 30 minutes after virus introduction to the targeted computer.

Virus Uniqueness

What makes the computer virus problem different from the more general trojan horse problem? The difference is analogous to the difference between having one traitorous soldier in your ranks versus an infectious disease which converts your soldiers to enemy soldiers. The effect of one bad soldier is usually limited to his own group. The effect of the infectious disease is likely to be the loss of the entire war.

Current computer security research suggests that good security is accomplished by the separation of the computer system into small, isolated groups of related programs. Should a problem occur, this limits the damage to within that group. This is analogous to the bulkhead separation of compartments in ships and submarines to prevent uncontrolled flooding from a single leak. The virus and the trojan horse in any given partition are indistinguishable in terms of the amount of damage they can cause. The difference is in the ability of the infections to escape the partition. The trojan horse is active only within the partition. The virus, on the other hand, has the potential to spread itself to other partitions as well.

The virus quickly infects virtually all programs in the partition. The process is very simple and very fast. When the original infected program is run, it first finds an executable file, appends a copy of itself to the file, executes its mission component if the triggering event has occurred, and then executes the program body of the host program. When a program runs in the user's space it runs with the same access as the user himself. The algorithm for infection requires only reads, writes, and file renaming. For example, the algorithm could be to copy the virus part to a temporary file, append the reloaded executable program code to the virus code, delete the old program version, and then rename the temporary file to the name of the old program. At this point there would be two infected programs: the original and the program the virus infected. The accesses required for these operations are almost universally allowed to the owner of the files and hence are available to the virus when run in the user's space. The collection of programs to which a virus has the required access to propagate when executed by a given user will be called a partition. Execution of either of the two infected programs can infect other programs in the partition. Given that programs in the partition are run with some regularity, the number of infected programs increases geometrically until all programs are infected.

Furthermore, information flows must also occasionally take place across partitions by operational necessity. When upgrading system software facilities, software systems such as data base managers or editors developed on other computers must be loaded on the computer system. Programs often need to be copied from one partition to another in order to share the benefits of a program developed by users on the system. Since all programs within the virus-infected partition are potentially infected, the probability of transmission of the virus is greatly increased.

With the infectiousness of viruses established, I turn to the question of virulence. Even though the potential damage within a partition is equivalent between the virus and the trojan horse, the reliability and ease with which the damage can be done is greatly increased in the case of a virus. Given a fairly large number of programs within a partition, a virus infection obviously has many more traitorous agents doing its bidding. This could mean either a large number of agents (programs) attempting the exact same subversive task, or possibly cooperating in subtle ways to accomplish a larger integrated task. The first case yields a high reliability of task success by simple redundancy. The second case is much more theoretical and sophisticated, but provides the potential for more subtle tasks to be achieved.

The infectiousness and virulence unique to a virus arise from its ability to propagate itself. Solutions should address this particular feature in order to demote the virus to a trojan horse, subject to the corresponding protection mechanisms, inadequate as they may be. Specific solutions are offered later in the paper.

Specific Vulnerabilities

[withheld: (b)(1), (b)(3)-P.L. 86-36]

SOLUTIONS

The nature of the virus problem requires the simultaneous pursuit of several different solutions. First, both long- and short-term solutions should be sought. Immediate stopgap countermeasures should be taken to minimize the risk from this threat. Furthermore, some long-term fundamental research is required to investigate the offensive potential of, and defensive mechanisms for, sophisticated viral attacks.

Before recommending specific solutions I must preface my remarks with some cautions. Persons using the computers should carefully evaluate these suggestions, along with any others made as a result of the virus problem, in terms of operational impact. Knee-jerk reactions can cause more problems than they solve. Perfect computer security can be achieved by hermetically sealing all computers, but they could then do no useful work. Clumsy, complicated procedures and policies are more likely to be ignored than followed. The cost and benefit of each suggestion should be compared and properly weighed, and in turn compared to the risk. I suggest that formal techniques of risk analysis be applied to the problem to establish a procedure for measuring this trade-off.

Considering the above-mentioned specific vulnerabilities, the steps towards preventing trojan horse importation are as follows:

[withheld: (b)(1), (b)(3)-P.L. 86-36]

Virus-specific Countermeasures

[withheld: (b)(1), (b)(3)-P.L. 86-36]

Operational Ramifications

This section may be more appropriately labeled "What does this all mean to me?" This paper should have an immediate effect on operation as well as [text withheld or illegible: (b)(1), (b)(3)-P.L. 86-36].

This paper is essentially a call to arms for all computer systems research and support groups to focus attention on this very real problem. The solutions proposed are in various stages of development. Each should be analyzed, implemented, and tested. New ideas should be generated. More resources should be dedicated to the problem to find viable solutions for both the long and short term.

Implications to Computer Security Criteria

All right then, how about adding Biba's integrity extensions[3] to the mandatory model requirements in the Criteria? The addition of integrity levels to the mandatory access control mechanisms is certainly a step in the right direction. This additional control, however, is not a panacea; in fact it is only another measure to increase the work factor of viral penetrations.

The integrity dual model suggests the segregation of all of the programs on a computer system based on the degree of trust that the program does exactly what it is designed to accomplish and nothing more. For example, if the designing software engineers were all Top Secret cleared, the software was formally specified and verified correct, and a large panel of experts reviewed the final code, such a program might be placed in the class of high integrity programs. Conversely, if a program's origin is no longer known and the source code is not available for inspection, then such a program might be placed in the low integrity class of programs. All programs would be labeled as to which class they belong. Now, if the system prevents all low integrity programs from accessing any high integrity programs, then there is some measure of protection against the spread of viral infection from lower integrity levels to higher integrity levels.

[3] Biba suggested the addition of the integrity dual of simple security and the *-property proposed by Bell and LaPadula. In sum, the model requires (1) no writing up in integrity (simple integrity) and (2) no reading down in integrity (integrity *-property). Note that here read and execute may be considered equivalent accesses.

The establishment of a hierarchy of integrity levels requires some way of determining the relative degree of reliability. With respect to the virus problem, this corresponds to determining the probability of an algorithm being infected, or its susceptibility to infection. The method of such a determination is unclear and may itself be unreliable. If the method were implemented as an algorithm on the computer system, it too would be susceptible to the very same viral attacks as the other programs. There is no way of guaranteeing that the routines labeled as highest integrity are not infected if a decision algorithm to detect viruses does not exist or cannot be found. Infection of the highest integrity routines could then eventually lead to a system-wide infection. This would make the whole integrity structure useless and could give a false sense of assurance. Therefore, the addition of integrity levels into mandatory access control can only be a part of an integrated strategy to combat the virus attack.

CONCLUSION

[withheld: (b)(1), (b)(3)-P.L. 86-36]

How to increase work factors to the extent of making this attack infeasible is a matter for more research. I suspect the solution will be heuristic in nature, and the final protection system will probably come to resemble the human immunological system in approach. In general, I believe pattern recognition and artificial intelligence will play a key role in long-term research into this problem.

BIBLIOGRAPHY

Bell, D. E., and L. J. LaPadula. Secure Computer Systems: Unified Exposition and Multics Interpretation. MTR-2997 Rev. 1, MITRE Corporation, Bedford, Massachusetts, March 1976.

Biba, K. J. Integrity Considerations for Secure Computer Systems. ESD-TR-76-372, Electronic Systems Division, AFSC, Hanscom AFB, Bedford, Massachusetts, April 1977.

Cohen, Fred. "Computer Viruses: Theory and Experiments." 7th DOD/NBS Computer Security Conference Proceedings, 1984.

Department of Defense Trusted Computer System Evaluation Criteria. DOD Computer Security Center, Fort Meade, Maryland, 15 August 1983.

Hopcroft, John E., and Jeffrey Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 1979, pp. 177-213.