Formalization of malware through process calculi

Since the seminal work of F. Cohen in the eighties, abstract virology has seen the appearance of successive viral models, all based on Turing-equivalent formalisms. But when considering recent malware such as rootkits or k-ary codes, these viral models only partially cover these evolved threats. The problem is that Turing-equivalent models do not support interactive computations. New models have thus appeared, offering support for these evolved malware, but losing the unified approach along the way. This article provides a basis for a unified malware model founded on process algebras and in particular the Join-Calculus. In terms of expressiveness, the new model supports the fundamental definitions based on self-replication and adds support for interactions, concurrency and non-termination, which allows the definition of more complex behaviors. Evolved malware such as rootkits can now be thoroughly modeled. In terms of detection and prevention, the fundamental results of undecidability and isolation still hold. However, the process-based model has made it possible to establish new results: identification of fragments of the Join-Calculus in which malware detection becomes decidable, a formal definition of the non-infection property, and approximate solutions to restrict malware propagation.
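To make the abstract's three claims concrete (self-replication expressed as a reaction rule, detection decidable on a restricted fragment, and isolation as a way to enforce non-infection), here is a small added illustration in Python. It is not the paper's formalization and not code from its authors: it uses the chemical-abstract-machine reading of the join-calculus, in which a join definition consumes a multiset of pending messages and produces another. The message names (`mal`, `clean`, `infected`, `link`), the two rules, and the "bounded fragment" (only states with at most `bound` messages are explored, which makes the reachability question a finite search) are all assumptions made for this example.

```python
from collections import Counter, deque

# A process state is a multiset of pending messages (CHAM-style view of the
# join-calculus). A join definition J |> P is modelled as a pair of multisets:
# the messages it consumes (J) and the messages it produces (P).
# Assumed message names for this example:
#   mal      - a malware process waiting on its channel
#   clean    - an uninfected host
#   infected - a host that has been infected (the marker we want to avoid)
#   link     - a communication link the malware needs to reach a host
RULES = {
    # mal | link | clean  |>  mal | mal | link | infected
    # Self-replication: infecting a host leaves a second copy of mal behind.
    "infect": (Counter({"mal": 1, "link": 1, "clean": 1}),
               Counter({"mal": 2, "link": 1, "infected": 1})),
    # infected |> clean   (the host is repaired, but the replicas remain)
    "repair": (Counter({"infected": 1}), Counter({"clean": 1})),
}


def step(state, rule):
    """Apply one join definition to a state, or return None if it cannot fire."""
    consumed, produced = rule
    if any(state[m] < n for m, n in consumed.items()):
        return None
    nxt = Counter(state)
    nxt.subtract(consumed)
    nxt.update(produced)
    return +nxt  # unary plus drops entries whose count fell to zero


def freeze(state):
    """Hashable key for a multiset state."""
    return tuple(sorted(state.items()))


def find_infection(initial, rules, bound, marker="infected"):
    """Breadth-first search over the bounded fragment (states holding at most
    `bound` messages). Returns the list of rule names leading to a state that
    contains `marker`, or None if no such state is reachable in the fragment.
    Because the fragment is finite, the search always terminates, which is the
    sense in which detection is decidable here."""
    start = +Counter(initial)
    parent = {freeze(start): None}  # state key -> (previous key, rule name)
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s[marker] > 0:
            trace, k = [], freeze(s)
            while parent[k] is not None:
                k, name = parent[k]
                trace.append(name)
            return list(reversed(trace))
        for name, rule in rules.items():
            n = step(s, rule)
            if n is None or sum(n.values()) > bound:
                continue
            k = freeze(n)
            if k not in parent:
                parent[k] = (freeze(s), name)
                queue.append(n)
    return None


def is_non_infecting(initial, rules, bound):
    """Non-infection property on the bounded fragment: no reachable state
    contains an infected host."""
    return find_infection(initial, rules, bound) is None


if __name__ == "__main__":
    # Constructed sample configurations.
    connected = {"mal": 1, "link": 1, "clean": 2}
    isolated = {"mal": 1, "clean": 2}  # same malware, but no link: isolation
    print("connected:", find_infection(connected, RULES, bound=8))
    print("isolated non-infecting:", is_non_infecting(isolated, RULES, bound=8))
```

Running the block shows that the connected configuration reaches an infected host through a single `infect` reaction, whereas removing the `link` message (the isolation result the abstract refers to) makes the same malware non-infecting on the explored fragment. Raising `bound` enlarges the fragment but keeps the search finite; lifting the bound altogether is where the general undecidability result applies.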
