alive00.txt - Alive, Volume I, Issue 0



     /~~~~~~\    ***********                        ***********

  ~\(  * *   )/~ ***********                        *********** 

    ( \___/  )   ***     ***                        ***

     \______/    *********** ***          ***   *** *******  

    @/       \@  ***     *** ***          ***   *** ***

                 ***     *** ***          ***   *** ***********

                 ***     *** ***           *** ***  ***********  |\__/|

                             ******** ***   *****               /      \ 

                             ******** ***    ***             ~\(  0 0   )/~

                                      ***                      ( /---\  )

                                      ***                       \______/ 

                                      ***                      @/      \@ 

                                      ***                                  



                                

                                                                           

                                        

       ==============================================================

       

         March, 1994.                           Volume I, Issue 0



       ==============================================================



                                CONTENTS:                                  





   1. "ALIVE" next host to you (a word of introduction)                 

   2. Results of Contest for the Best Virus Definition in technical

      categories

   3. Puzzle - is this piece of (pseudo)code a sign of "life" ?

   4. A comment on Cohen's theorem about undecidability of viral detection

      ..................................Dr Franz X. Steinparz







       %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

       %                                                               %

       %  ALIVE, Copyright 1994. By Suzana Stojakovic-Celustka         %

       %  This magazine may be archived and reproduced without charge  %

       %  throughout Cyberspace under the condition that it is left    %

       %  in its entirety. Send submissions, comments, etc. to         %

       %  celust@cslab.felk.cvut.cz and subscription requests to       %

       %  mxserver@ubik.demon.co.uk                                    %

       %                                                               %

       %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%





*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*



1. "ALIVE" next host to you (a word of introduction)

====================================================



Dear Readers!



I guess you are already impatient to find out what "Alive" is. Calm down till

I tell you something about its history.



So, once upon a time...actually about a year ago I started a long search for

the best definition of a computer virus. Surprisingly, it wasn't an easy

task. Discussions on Virus-L and some private discussions didn't bring any

satisfying results. I even started the Contest for the Best Virus Definition

in despair. Well, the prizes were rather symbolic and probably it caused a

low response. Never mind. All those attempts to answer the question : "What

is a computer virus ?" only opened new questions. It appeared that computer

viruses could be considered as members of a big family of so called

"artificial life". Naturally, new questions were: "What is artificial life?",

then "How to define a life?", etc.



This magazine is one more try to find answers to some questions. The search

for the best definition of computer virus will be continued. It is a general

opinion that computer viruses are inherently malicious software. The

possibility of viruses to be beneficial will be (hopefully) discussed here.

However, protection against malicious viruses will not be neglected. This

magazine will try to introduce new ways of protection, e.g. "immune systems".

The question "What can be 'alive' in a computer environment ?" will be

repeated in all possible variations as long as wish to find answers exists.

The examples or descriptions of "liveware" will be presented here as soon as

they appear. Probably some new topics will arise as "Alive" progresses. And,

of course, I expect a lot of fun for both readers and contributors.



About this issue:

-----------------



This is 0th issue or beta version of "Alive". It means - feel free to

criticise every detail in it (in a civilized and constructive way, of

course).



The first topic is presentation of results from Contest for the Best Virus

Definition in technical categories. The Contest was announced in April last

year on Virus-L. Originally it had 8 categories: 1. Technical definition in

plain language, 2. Technical definition - mathematical, 3. Legislative

definition, 4. Ethical definition, 5. Philosophical definition, 6. Poetical

definition, 7. Funny definition and 8. Other definitions. The response was

significant only in the first two categories and (surprisingly) in the

poetical one.The jury for technical categories worked hard and the results

of its voting are presented here. Regretfully, it will not be possible to

publish many of the valuable comments that members of the jury gave during

their work. I wish to thank the members of the jury again for their efforts

and to all contributors to the Contest for their contributions.



The second topic is a kind of puzzle. It concerns one of the standard

distributed algorithms which could be possibly considered as a sign of

"life". The readers are asked to help to find a solution.



The third contribution is an article which is rewritten here without

permission from something which looks like a copy of an internal document

from Johannes Kepler University, Linz. I hope that one day I will find the

author's address and that he will have nothing against publishing his article

in "Alive". The article has a very interesting conclusion and I am not going

to tell you anything in advance. Just read it!





About contributions and subscriptions:

--------------------------------------



Preferred form of contributions are short articles or previews. Comments on

contributions will be deeply appreciated, but will be published only if they

have a convenient form. This is -not- a place for polemics or blames, so

please don't send your comments if you have nothing constructive to say. The

preferred form of code examples is pseudo-code. The code of existing viruses

which somebody could consider beneficial will not be published here. Send

your contributions and comments to celust@cslab.felk.cvut.cz



Subscriptions requests should be sent to mxserver@ubik.demon.co.uk





Ftp sites:

----------



The magazine will be available for anonymous ftp from following sites:



ftp.informatik.uni-hamburg.de in /pub/virus/texts/alive

ftp.demon.co.uk in /pub/antivirus/journal/alive



Any offer from other sites will be appreciated.



About editor:

-------------



The editor is currently a Ph.D student on Computer Department, Faculty of

Electrical Engineering, Czech Technical University in Prague. Is working on

her Ph.D thesis and hoping that "Alive" will bring a lot of useful material

and a lot of fun.





So, dear readers, enjoy the reading and make your copy of "Alive" really

alive: SPREAD IT WIDELY!



*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*



          "Life is all memory, except for the one present moment

           that goes by so quick you can hardly catch it going."



                        - Tennessee Williams -



*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*





2. The results of the Contest for the Best Virus Definition in technical

========================================================================

   categories

==============



The members of jury for the first two categories from Contest for the Best

Virus Definition (1. Technical definition in plain language, 2. Mathematical

technical definition) were:

 

1. Vesselin Bontchev, VTC Hamburg, Germany

   e-mail bontchev@informatik.uni-hamburg.de



2. Anthony Naggs, consultant, UK

   e-mail amn@ubik.demon.co.uk



3. Yaron Goland, U.C.L.A, USA

   e-mail ygoland@SEAS.UCLA.EDU



4. Roberto Reymond, IBM C.E.R.T., Italy

   e-mail rreymond@vnet.IBM.COM



The guidelines were:

--------------------



1. Technical definition (in plain language - preferably English)



- The definition should be concise, without reference to the user's state

of mind and free of value judgements, e.g. "good", "bad", "beneficial".

The definition should be unambiguous, and include a statement of the

environment to which it applies, (e.g. the operating system).



2. Technical definition (mathematical)



- The meaning of every symbol in mathematical formula(s) should be clearly

explained.



The jury used the following evaluation scale:

---------------------------------------------



1 - useless

2 - has serious problems

3 - must be improved

4 - good enough

5 - very good

6 - excellent





Results in category 1.: Technical definition in plain language

----------------------------------------------------------------------------



1. Author: William Walker  Submitted by: author  Source: Contest posting



[            ENGLISH LANGUAGE DEFINITION OF A COMPUTER VIRUS



     A "COMPUTER VIRUS" is a sequence (or set of sequences) of symbols 

     which, when executed or interpreted under certain conditions or in 

     certain environments, will make a possibly altered, functionally 

     similar copy of this sequence (or set of sequences) and will place 

     this copy where it will intercept execution or interpretation at a 

     later time under certain conditions.  This is called "REPLICATION," 

     and the copy retains AT LEAST the capability to recursively 

     replicate further.  A virus may also have an additional function (or 

     functions) not related to replication, sometimes called a "payload," 

     but this is NOT necessary for something to be a virus.  ]



Comments on the above definition:



1.   This definition is not tied to any specific machine or operating 

system.  The phrase "sequence of symbols" is used rather than "sequence 

of instructions" or "program" to help keep the definition as generic as 

possible.



2.   A computer virus may not be restricted to a single sequence of 

symbols, but may consist of two or more sequences that individually do 

not constitute a virus, but working together satisfy the criteria of 

being a virus.



3.   The phrase "intercept execution or interpretation" refers to the 

fact that a computer virus must somehow be placed on a host machine where 

it will be executed or interpreted in order to survive.  This is done by 

forcing the host machine to execute or interpret the virus before, 

during, after, or instead of some other sequence of symbols on that 

system; in other words, "intercept execution or interpretation." 



4.   "Replication" (or "spreading"), as defined above, is the key point 

in defining a computer virus.  A sequence of symbols which does not 

replicate cannot be a virus.  Likewise, every virus must replicate, or it 

is not a virus.  On the other hand, the inclusion of a "payload" 

is not essential for something to be a computer virus.  



Jury's decision : 4 (good enough)



-----------------------------------------------------------------------------



2. Author : Vesselin Bontchev  Submitted by : Suzana Stojakovic-Celustka

   Source : e-mail conversation



[ A computer virus is a sequence of symbols, which, when interpreted by

computer, attaches itself to other computer interpretable symbol

sequences in such a way that they become able to recursively spread

the (possibly modified) initial sequence further. ]



Additional explanations of used terms:



"Infection" is the process of attaching a computer virus to other computer

interpretable symbol sequences.

"Attaching" means that the interpretation of the infected symbol sequences

causes the interpretation of (possibly part of) the computer virus.

"Interpretable" is anything that a computer can interpret.

"Able to spread recursively" means when a virus infects an executable object,

this object is able to spread virus to another object, which in turn is able

to cause the infection of another object and so on.



Jury's decision : 3 (must be improved)



--------------------------------------------------------------------------



3. Author: Fred Cohen  Submitted by: Suzana Stojakovic-Celustka 

   Source: Article "Computational Aspects of Computer Viruses", Computers &

           Security, 8 (1989.), pp 325-344



[ We informally define a "computer virus" as a program that can "infect"

other programs by modifying them to include a, possibly evolved, copy of

itself. With the infection property, a virus can spread throughout a computer

system or network using the authorizations of every user using it to infect

their programs. Every program that gets infected may also act as a virus and

thus the infection spreads. ]



Jury's decision : 3 (must be improved)



-----------------------------------------------------------------------------



4. Author: Greg Hale  Submitted by: author  Source: Contest posting



[ For a program to qualify as computer virus, the program must meet two

qualifications:

1. The virus must replicate itself and all subsequent reproductions

(exempting unsuccessful infections) must be able to replicate.

2. The virus must execute by replacing or redirecting the user's

request for the computer to start the normal operating system or

execute a familiar program. ]



Jury's decision : 3 (must be improved)



-----------------------------------------------------------------------------



5. Author: Roberto Reymond  Submitted by: author  Source : Contest posting



[ A set of instructions that, once executed or interpreted, gains the control

of the environment.

That done, those instructions will, in specific circumstances, make at least

one copy of the initial set, identical or modified, placing it/them somewhere

in the environment, with the intention that, if and when executed or

interpreted, it/they will repeat at least one time the above cycle. ]



Additional explanation of terms:



Environment: it means the whole system, that is the combination of all the

             hardware (fixed and removable) and the software presents at the

             moment of the virus actions.



Jury's decision : 3 (must be improved)



-----------------------------------------------------------------------------



6. Author : Fred Cohen   Submitted by : author  Source : Contest posting



[ A program that reproduces.]



Jury's decision : 2 (has serious problems)



-----------------------------------------------------------------------------



Results in category 2. : Mathematical technical definition



-----------------------------------------------------------------------------



1. Author: Fred Cohen  Submitted by: Vesselin Bontchev  Source: Short article

   "Formal Definition" written by Vesselin Bontchev, based on private      

    discussion with the author



   (The contribution is not presented here, because of mathematical symbols).



As in this category were no other contributions, this one was considered as

a winner without jury's voting.





Editor's note:

--------------



Either the jury was too severe or plain language is not suitable to define

computer virus properly. The winning definition is evaluated as "good enough"

only. The others must be improved. However, it seems that the key point in

defining a computer virus is a "replication" (as stated by W. Walker).

Personally, I found comment 2. in W. Walker's definition very interesting for

possible future development of computer viruses.





***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***





                      "A virus is a virus!"



- Nobel laureate Andre Lwoff's answer on the question "What is a virus?"

  (1959.) -





***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***





3. Puzzle - is this piece of pseudo(code) a sign of "life" ?

=============================================================



I was wondering if Misra's algorithm for regenerating token in logical 

ring could be considered as a sign of "life". Help me to solve this puzzle!



Some explanations:

------------------



Distributed algorithm - it has two basic elements: the processes that      

                        receive, manipulate, transform and output data and 

                        the links along which these data flow and which form 

                        a network having both structural and dynamic       

                        properties.



Ring - each process is aware of its two immediate neighbours, called for the

       convenience the left and right neighbour respectively.



Token - special message which the processes hand from one to another around

        the ring.





The method uses two tokens, each of which serves to detect the possible 

loss of the other, by this means: a token T1 arriving at the process Pi 

can guarantee that the other token T2 has been lost - and can therefore 

regenerate it - if neither it nor Pi has encountered T2 since T1's last 

passage through Pi.



The loss of a token is detected by the other in one passage round the 

ring; and the algorithm works only when one token having been lost, the 

other makes a complete turn round the ring without itself being lost.





The algorithm:

--------------



Let us call the tokens Ping and Pong, and with these associate numbers 

NPing and NPong, equal in absolute value but opposite in sign, that record 

the number of times the tokens have met; these numbers are therefore 

related by the constraint:



NPing + NPong = 0



Initially the two tokens are both in an arbitrarily chosen process and the 

values are:



NPing = 1, NPong = -1



Each process Pi carries an integer variable Mi, initialized to 0, that 

records the number, NPing or NPong, associated with the token that last 

passed through Pi. The behaviour of Pi is as follows:



when received Ping(NPing) do

 if M = NPing                  {Pong is lost, regenerate it}

 then

   begin

     NPing:=NPing + 1;

     NPong:=-NPing

   end

 else  

   M:=NPing

   

when received Pong(NPong) do

 if M = NPong                  {Ping is lost, regenerate it}

 then

   begin

     NPong:=NPong - 1;

     NPing:=-NPong

   end

 else

   M:=Npong

   

when meeting (Ping, Pong) do    {Meeting Ping and Pong}

 begin

   NPing:=NPing + 1;

   NPong:=NPong - 1

 end

 

In practical realization of algorithm numbers NPing and NPong should be 

limited by modulo P where P > or = N+1 (number of processes in logical ring 

+ 1).



Literature:

-----------



1. Janacek J., Distributed systems, 1993., Vydavatelstvi CVUT, (in Czech)

2. Raynal M., Distributed Algorithms and Protocols, 1988., John Wiley & Sons





Editor's hypothesis:

--------------------



Consider that each process itself is "alive" by consuming, transforming and

extracting data as a "food". Then regeneration of token(s) is necessary for

its "life-time" and above algorithm is vital to keep a process "alive". Here

we have the following signs of "life": "metabolism", ability to produce new

"living" entities (tokens which help in their reproduction themselves) and

ability to communicate with "neighbours". 





/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=



                Ikite iru                      Simply alive 

                bakari zo ware to              me -

                keshi no hana                  and poppy-flower    



                                 - Issa -



/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=



4. Article:

===========





                     A COMMENT ON COHEN'S THEOREM ABOUT

                      UNDECIDABILITY OF VIRAL DETECTION



                            Dr Franz X. Steinparz

                      Johannes Kepler University, Linz

                               October, 1991.





Abstract:



This paper shows that Cohen's Theorem, stating the undecidability of viral

detection does not hold. It is shown that each algorithm discerning a virus

from other program by examining its code must be a virus itself.



Keywords: computer viruses



Introduction:



In [2] Cohen introduces Computer Viruses and summarizes some work he did on

this topic. Aside other results of his work, he gives a rather informal

definition of Computer Viruses and the proof of his well known theorem

stating that a program discerning a virus from any other program by examining

its appearance is infeasible. In [1] Burger expressed his doubt about this

theorem. However, to our knowledge, no fault in Cohen's proof has been

published, and in discussions about viruses, the theorem is widely ( [3],

[4], [5] and others) referred to.



Cohen's Theorem:



In Section 2 of [2] Cohen defines:



"..a computer virus as a program that can 'infect' other programs by

modifying them to include a possibly evolved copy of itself."



In Section 4.1. of [2] Cohen states the undecidability of viral detection.

His proof follows a well known proof technique. He argues:



"In order to determine that a given program 'P' is a virus, it must be

determined that P infects other programs. This is undecidable since P could

invoke any proposed decision procedure 'D' and infect other programs if and

only if D determines that P is not a virus. We conclude that a program that

precisely discerns a virus from any other program by examining its appearance

is infeasible. In the following ... program ..., we use the hypothetical

decision procedure D which returns "true" if its argument is a virus to

exemplify the undecidability of viral detection.

....., we have assured that, if the decision procedure D determines (the

following program contradictory-virus) CV to be a virus, CV will not infect

other programs and thus will not act as a virus. If D determines that CV is

not a virus, CV will infect other programs and thus be a virus. Therefore,

the hypothetical decision procedure D is self contradictory, and precise

determination of a virus by its appearance is undecidable.



program contradictory-virus :=

{....

main-program :=

  {if D(contradictory-virus) then

      {infect-executable;

       if trigger-pulled then

            do-damage;



       }

    goto next;

    }



}



Fig..Contradiction of decidability of a virus.."





Discussion:



First, we notice an inaccuracy in Cohen's paper in defining a virus as a

program, which -can- infect other programs and using this term in his proof

for a program which actually -does- it. However, this inaccuracy can be

corrected by adjusting the definition.



But even if we adjust the definition, the proof in its generality is wrong:

It is based on the implicit assumption that the decision procedure D is not

a virus itself.



Suppose the decision procedure D is a virus itself. Then contradictory-virus

infects an executable by calling D and consequently is a virus too. Now D,

when deciding that contradictory-virus is a virus, gives a correct result

even if contradictory-virus, based on D's decision does not execute its own

viral code.



However, under the restriction, that only non-virus decision procedures are

permitted, Cohen's proof holds. Consequently, each decision procedure D must

be a virus.



References:



[1] R. Burger: Das Grosse Computer-Viren Buch, ISBN 3-89011-200-5, DATA    

               BECKER, Duesseldorf, 1987.



[2] F. Cohen: Computer Viruses Theory and Experiments, Computers & Security 

              6 (1987) pp 22-35, North-Holland, 1987.



[3] G. Futschek: Computerviren fuer LOGO Programme Bauanleitung,           

                 Wirkungsweise und Abwehrmechanismen, interner Bericht,    

                 Technische Universitat Wien, 1988.



[4] F. Hoffmeister: Sicherheitsrisken durch Computerviren - erste          

                    Losungansatze, Bericht Nr. 232 der Abteilung Informatik 

                    der Universitat Dortmund, Dortmund, 1987.



[5] C.A. Neumann: Computerviren und verwandte Anomalien, GI Symposium "PC's 

                  in kleineren und mittleren Unternehmungen", Leipzig 17-19 

                  September 1991., Tagungsbad der Fachgruppe 2.0.1. Personal 

                  Computing der GI, 1991.









(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**



                        The Virus Syllogism:



                  Computers are made to run programs.

                Computer viruses are computer programs.

         Therefore, computers are made to run computer viruses.



                        - Peter S. Tippett -



(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**



                                                                   









              ____________________________________________________ 

             /                /    |                              |

            /         |\__/| /     |      THAT'S ALL FOLKS !!     |

       /~~~~~~\      /      \      |  NEW "ALIVE" IS COMING NEXT  |

    ~\(  * *   )/~~\(  0 0   )/~   |      HOST TO YOU SOON !!     | 

      (   O    )    (   O    )     |______________________________|

       \______/      \______/                        

      @/       \@   @/      \@







.