/~~~~~~\ *********** ***********
~\( * * )/~ *********** ***********
( \___/ ) *** *** ***
\______/ *********** *** *** *** *******
@/ \@ *** *** *** *** *** ***
*** *** *** *** *** ***********
*** *** *** *** *** *********** |\__/|
******** *** ***** / \
******** *** *** ~\( 0 0 )/~
*** ( /---\ )
*** \______/
*** @/ \@
***
==============================================================
March, 1994. Volume I, Issue 0
==============================================================
CONTENTS:
1. "ALIVE" next host to you (a word of introduction)
2. Results of Contest for the Best Virus Definition in technical
categories
3. Puzzle - is this piece of (pseudo)code a sign of "life" ?
4. A comment on Cohen's theorem about undecidability of viral detection
..................................Dr Franz X. Steinparz
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% ALIVE, Copyright 1994. By Suzana Stojakovic-Celustka %
% This magazine may be archived and reproduced without charge %
% throughout Cyberspace under the condition that it is left %
% in its entirety. Send submissions, comments, etc. to %
% celust@cslab.felk.cvut.cz and subscription requests to %
% mxserver@ubik.demon.co.uk %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*
1. "ALIVE" next host to you (a word of introduction)
====================================================
Dear Readers!
I guess you are already impatient to find out what "Alive" is. Calm down till
I tell you something about its history.
So, once upon a time...actually about a year ago I started a long search for
the best definition of a computer virus. Surprisingly, it wasn't an easy
task. Discussions on Virus-L and some private discussions didn't bring any
satisfying results. I even started the Contest for the Best Virus Definition
in despair. Well, the prizes were rather symbolic and probably it caused a
low response. Never mind. All those attempts to answer the question : "What
is a computer virus ?" only opened new questions. It appeared that computer
viruses could be considered as members of a big family of so called
"artificial life". Naturally, new questions were: "What is artificial life?",
then "How to define a life?", etc.
This magazine is one more try to find answers to some questions. The search
for the best definition of computer virus will be continued. It is a general
opinion that computer viruses are inherently malicious software. The
possibility of viruses to be beneficial will be (hopefully) discussed here.
However, protection against malicious viruses will not be neglected. This
magazine will try to introduce new ways of protection, e.g. "immune systems".
The question "What can be 'alive' in a computer environment ?" will be
repeated in all possible variations as long as wish to find answers exists.
The examples or descriptions of "liveware" will be presented here as soon as
they appear. Probably some new topics will arise as "Alive" progresses. And,
of course, I expect a lot of fun for both readers and contributors.
About this issue:
-----------------
This is 0th issue or beta version of "Alive". It means - feel free to
criticise every detail in it (in a civilized and constructive way, of
course).
The first topic is presentation of results from Contest for the Best Virus
Definition in technical categories. The Contest was announced in April last
year on Virus-L. Originally it had 8 categories: 1. Technical definition in
plain language, 2. Technical definition - mathematical, 3. Legislative
definition, 4. Ethical definition, 5. Philosophical definition, 6. Poetical
definition, 7. Funny definition and 8. Other definitions. The response was
significant only in the first two categories and (surprisingly) in the
poetical one.The jury for technical categories worked hard and the results
of its voting are presented here. Regretfully, it will not be possible to
publish many of the valuable comments that members of the jury gave during
their work. I wish to thank the members of the jury again for their efforts
and to all contributors to the Contest for their contributions.
The second topic is a kind of puzzle. It concerns one of the standard
distributed algorithms which could be possibly considered as a sign of
"life". The readers are asked to help to find a solution.
The third contribution is an article which is rewritten here without
permission from something which looks like a copy of an internal document
from Johannes Kepler University, Linz. I hope that one day I will find the
author's address and that he will have nothing against publishing his article
in "Alive". The article has a very interesting conclusion and I am not going
to tell you anything in advance. Just read it!
About contributions and subscriptions:
--------------------------------------
Preferred form of contributions are short articles or previews. Comments on
contributions will be deeply appreciated, but will be published only if they
have a convenient form. This is -not- a place for polemics or blames, so
please don't send your comments if you have nothing constructive to say. The
preferred form of code examples is pseudo-code. The code of existing viruses
which somebody could consider beneficial will not be published here. Send
your contributions and comments to celust@cslab.felk.cvut.cz
Subscriptions requests should be sent to mxserver@ubik.demon.co.uk
Ftp sites:
----------
The magazine will be available for anonymous ftp from following sites:
ftp.informatik.uni-hamburg.de in /pub/virus/texts/alive
ftp.demon.co.uk in /pub/antivirus/journal/alive
Any offer from other sites will be appreciated.
About editor:
-------------
The editor is currently a Ph.D student on Computer Department, Faculty of
Electrical Engineering, Czech Technical University in Prague. Is working on
her Ph.D thesis and hoping that "Alive" will bring a lot of useful material
and a lot of fun.
So, dear readers, enjoy the reading and make your copy of "Alive" really
alive: SPREAD IT WIDELY!
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*
"Life is all memory, except for the one present moment
that goes by so quick you can hardly catch it going."
- Tennessee Williams -
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*
2. The results of the Contest for the Best Virus Definition in technical
========================================================================
categories
==============
The members of jury for the first two categories from Contest for the Best
Virus Definition (1. Technical definition in plain language, 2. Mathematical
technical definition) were:
1. Vesselin Bontchev, VTC Hamburg, Germany
e-mail bontchev@informatik.uni-hamburg.de
2. Anthony Naggs, consultant, UK
e-mail amn@ubik.demon.co.uk
3. Yaron Goland, U.C.L.A, USA
e-mail ygoland@SEAS.UCLA.EDU
4. Roberto Reymond, IBM C.E.R.T., Italy
e-mail rreymond@vnet.IBM.COM
The guidelines were:
--------------------
1. Technical definition (in plain language - preferably English)
- The definition should be concise, without reference to the user's state
of mind and free of value judgements, e.g. "good", "bad", "beneficial".
The definition should be unambiguous, and include a statement of the
environment to which it applies, (e.g. the operating system).
2. Technical definition (mathematical)
- The meaning of every symbol in mathematical formula(s) should be clearly
explained.
The jury used the following evaluation scale:
---------------------------------------------
1 - useless
2 - has serious problems
3 - must be improved
4 - good enough
5 - very good
6 - excellent
Results in category 1.: Technical definition in plain language
----------------------------------------------------------------------------
1. Author: William Walker Submitted by: author Source: Contest posting
[ ENGLISH LANGUAGE DEFINITION OF A COMPUTER VIRUS
A "COMPUTER VIRUS" is a sequence (or set of sequences) of symbols
which, when executed or interpreted under certain conditions or in
certain environments, will make a possibly altered, functionally
similar copy of this sequence (or set of sequences) and will place
this copy where it will intercept execution or interpretation at a
later time under certain conditions. This is called "REPLICATION,"
and the copy retains AT LEAST the capability to recursively
replicate further. A virus may also have an additional function (or
functions) not related to replication, sometimes called a "payload,"
but this is NOT necessary for something to be a virus. ]
Comments on the above definition:
1. This definition is not tied to any specific machine or operating
system. The phrase "sequence of symbols" is used rather than "sequence
of instructions" or "program" to help keep the definition as generic as
possible.
2. A computer virus may not be restricted to a single sequence of
symbols, but may consist of two or more sequences that individually do
not constitute a virus, but working together satisfy the criteria of
being a virus.
3. The phrase "intercept execution or interpretation" refers to the
fact that a computer virus must somehow be placed on a host machine where
it will be executed or interpreted in order to survive. This is done by
forcing the host machine to execute or interpret the virus before,
during, after, or instead of some other sequence of symbols on that
system; in other words, "intercept execution or interpretation."
4. "Replication" (or "spreading"), as defined above, is the key point
in defining a computer virus. A sequence of symbols which does not
replicate cannot be a virus. Likewise, every virus must replicate, or it
is not a virus. On the other hand, the inclusion of a "payload"
is not essential for something to be a computer virus.
Jury's decision : 4 (good enough)
-----------------------------------------------------------------------------
2. Author : Vesselin Bontchev Submitted by : Suzana Stojakovic-Celustka
Source : e-mail conversation
[ A computer virus is a sequence of symbols, which, when interpreted by
computer, attaches itself to other computer interpretable symbol
sequences in such a way that they become able to recursively spread
the (possibly modified) initial sequence further. ]
Additional explanations of used terms:
"Infection" is the process of attaching a computer virus to other computer
interpretable symbol sequences.
"Attaching" means that the interpretation of the infected symbol sequences
causes the interpretation of (possibly part of) the computer virus.
"Interpretable" is anything that a computer can interpret.
"Able to spread recursively" means when a virus infects an executable object,
this object is able to spread virus to another object, which in turn is able
to cause the infection of another object and so on.
Jury's decision : 3 (must be improved)
--------------------------------------------------------------------------
3. Author: Fred Cohen Submitted by: Suzana Stojakovic-Celustka
Source: Article "Computational Aspects of Computer Viruses", Computers &
Security, 8 (1989.), pp 325-344
[ We informally define a "computer virus" as a program that can "infect"
other programs by modifying them to include a, possibly evolved, copy of
itself. With the infection property, a virus can spread throughout a computer
system or network using the authorizations of every user using it to infect
their programs. Every program that gets infected may also act as a virus and
thus the infection spreads. ]
Jury's decision : 3 (must be improved)
-----------------------------------------------------------------------------
4. Author: Greg Hale Submitted by: author Source: Contest posting
[ For a program to qualify as computer virus, the program must meet two
qualifications:
1. The virus must replicate itself and all subsequent reproductions
(exempting unsuccessful infections) must be able to replicate.
2. The virus must execute by replacing or redirecting the user's
request for the computer to start the normal operating system or
execute a familiar program. ]
Jury's decision : 3 (must be improved)
-----------------------------------------------------------------------------
5. Author: Roberto Reymond Submitted by: author Source : Contest posting
[ A set of instructions that, once executed or interpreted, gains the control
of the environment.
That done, those instructions will, in specific circumstances, make at least
one copy of the initial set, identical or modified, placing it/them somewhere
in the environment, with the intention that, if and when executed or
interpreted, it/they will repeat at least one time the above cycle. ]
Additional explanation of terms:
Environment: it means the whole system, that is the combination of all the
hardware (fixed and removable) and the software presents at the
moment of the virus actions.
Jury's decision : 3 (must be improved)
-----------------------------------------------------------------------------
6. Author : Fred Cohen Submitted by : author Source : Contest posting
[ A program that reproduces.]
Jury's decision : 2 (has serious problems)
-----------------------------------------------------------------------------
Results in category 2. : Mathematical technical definition
-----------------------------------------------------------------------------
1. Author: Fred Cohen Submitted by: Vesselin Bontchev Source: Short article
"Formal Definition" written by Vesselin Bontchev, based on private
discussion with the author
(The contribution is not presented here, because of mathematical symbols).
As in this category were no other contributions, this one was considered as
a winner without jury's voting.
Editor's note:
--------------
Either the jury was too severe or plain language is not suitable to define
computer virus properly. The winning definition is evaluated as "good enough"
only. The others must be improved. However, it seems that the key point in
defining a computer virus is a "replication" (as stated by W. Walker).
Personally, I found comment 2. in W. Walker's definition very interesting for
possible future development of computer viruses.
***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***
"A virus is a virus!"
- Nobel laureate Andre Lwoff's answer on the question "What is a virus?"
(1959.) -
***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***
3. Puzzle - is this piece of pseudo(code) a sign of "life" ?
=============================================================
I was wondering if Misra's algorithm for regenerating token in logical
ring could be considered as a sign of "life". Help me to solve this puzzle!
Some explanations:
------------------
Distributed algorithm - it has two basic elements: the processes that
receive, manipulate, transform and output data and
the links along which these data flow and which form
a network having both structural and dynamic
properties.
Ring - each process is aware of its two immediate neighbours, called for the
convenience the left and right neighbour respectively.
Token - special message which the processes hand from one to another around
the ring.
The method uses two tokens, each of which serves to detect the possible
loss of the other, by this means: a token T1 arriving at the process Pi
can guarantee that the other token T2 has been lost - and can therefore
regenerate it - if neither it nor Pi has encountered T2 since T1's last
passage through Pi.
The loss of a token is detected by the other in one passage round the
ring; and the algorithm works only when one token having been lost, the
other makes a complete turn round the ring without itself being lost.
The algorithm:
--------------
Let us call the tokens Ping and Pong, and with these associate numbers
NPing and NPong, equal in absolute value but opposite in sign, that record
the number of times the tokens have met; these numbers are therefore
related by the constraint:
NPing + NPong = 0
Initially the two tokens are both in an arbitrarily chosen process and the
values are:
NPing = 1, NPong = -1
Each process Pi carries an integer variable Mi, initialized to 0, that
records the number, NPing or NPong, associated with the token that last
passed through Pi. The behaviour of Pi is as follows:
when received Ping(NPing) do
if M = NPing {Pong is lost, regenerate it}
then
begin
NPing:=NPing + 1;
NPong:=-NPing
end
else
M:=NPing
when received Pong(NPong) do
if M = NPong {Ping is lost, regenerate it}
then
begin
NPong:=NPong - 1;
NPing:=-NPong
end
else
M:=Npong
when meeting (Ping, Pong) do {Meeting Ping and Pong}
begin
NPing:=NPing + 1;
NPong:=NPong - 1
end
In practical realization of algorithm numbers NPing and NPong should be
limited by modulo P where P > or = N+1 (number of processes in logical ring
+ 1).
Literature:
-----------
1. Janacek J., Distributed systems, 1993., Vydavatelstvi CVUT, (in Czech)
2. Raynal M., Distributed Algorithms and Protocols, 1988., John Wiley & Sons
Editor's hypothesis:
--------------------
Consider that each process itself is "alive" by consuming, transforming and
extracting data as a "food". Then regeneration of token(s) is necessary for
its "life-time" and above algorithm is vital to keep a process "alive". Here
we have the following signs of "life": "metabolism", ability to produce new
"living" entities (tokens which help in their reproduction themselves) and
ability to communicate with "neighbours".
/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=
Ikite iru Simply alive
bakari zo ware to me -
keshi no hana and poppy-flower
- Issa -
/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=
4. Article:
===========
A COMMENT ON COHEN'S THEOREM ABOUT
UNDECIDABILITY OF VIRAL DETECTION
Dr Franz X. Steinparz
Johannes Kepler University, Linz
October, 1991.
Abstract:
This paper shows that Cohen's Theorem, stating the undecidability of viral
detection does not hold. It is shown that each algorithm discerning a virus
from other program by examining its code must be a virus itself.
Keywords: computer viruses
Introduction:
In [2] Cohen introduces Computer Viruses and summarizes some work he did on
this topic. Aside other results of his work, he gives a rather informal
definition of Computer Viruses and the proof of his well known theorem
stating that a program discerning a virus from any other program by examining
its appearance is infeasible. In [1] Burger expressed his doubt about this
theorem. However, to our knowledge, no fault in Cohen's proof has been
published, and in discussions about viruses, the theorem is widely ( [3],
[4], [5] and others) referred to.
Cohen's Theorem:
In Section 2 of [2] Cohen defines:
"..a computer virus as a program that can 'infect' other programs by
modifying them to include a possibly evolved copy of itself."
In Section 4.1. of [2] Cohen states the undecidability of viral detection.
His proof follows a well known proof technique. He argues:
"In order to determine that a given program 'P' is a virus, it must be
determined that P infects other programs. This is undecidable since P could
invoke any proposed decision procedure 'D' and infect other programs if and
only if D determines that P is not a virus. We conclude that a program that
precisely discerns a virus from any other program by examining its appearance
is infeasible. In the following ... program ..., we use the hypothetical
decision procedure D which returns "true" if its argument is a virus to
exemplify the undecidability of viral detection.
....., we have assured that, if the decision procedure D determines (the
following program contradictory-virus) CV to be a virus, CV will not infect
other programs and thus will not act as a virus. If D determines that CV is
not a virus, CV will infect other programs and thus be a virus. Therefore,
the hypothetical decision procedure D is self contradictory, and precise
determination of a virus by its appearance is undecidable.
program contradictory-virus :=
{....
main-program :=
{if D(contradictory-virus) then
{infect-executable;
if trigger-pulled then
do-damage;
}
goto next;
}
}
Fig..Contradiction of decidability of a virus.."
Discussion:
First, we notice an inaccuracy in Cohen's paper in defining a virus as a
program, which -can- infect other programs and using this term in his proof
for a program which actually -does- it. However, this inaccuracy can be
corrected by adjusting the definition.
But even if we adjust the definition, the proof in its generality is wrong:
It is based on the implicit assumption that the decision procedure D is not
a virus itself.
Suppose the decision procedure D is a virus itself. Then contradictory-virus
infects an executable by calling D and consequently is a virus too. Now D,
when deciding that contradictory-virus is a virus, gives a correct result
even if contradictory-virus, based on D's decision does not execute its own
viral code.
However, under the restriction, that only non-virus decision procedures are
permitted, Cohen's proof holds. Consequently, each decision procedure D must
be a virus.
References:
[1] R. Burger: Das Grosse Computer-Viren Buch, ISBN 3-89011-200-5, DATA
BECKER, Duesseldorf, 1987.
[2] F. Cohen: Computer Viruses Theory and Experiments, Computers & Security
6 (1987) pp 22-35, North-Holland, 1987.
[3] G. Futschek: Computerviren fuer LOGO Programme Bauanleitung,
Wirkungsweise und Abwehrmechanismen, interner Bericht,
Technische Universitat Wien, 1988.
[4] F. Hoffmeister: Sicherheitsrisken durch Computerviren - erste
Losungansatze, Bericht Nr. 232 der Abteilung Informatik
der Universitat Dortmund, Dortmund, 1987.
[5] C.A. Neumann: Computerviren und verwandte Anomalien, GI Symposium "PC's
in kleineren und mittleren Unternehmungen", Leipzig 17-19
September 1991., Tagungsbad der Fachgruppe 2.0.1. Personal
Computing der GI, 1991.
(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**
The Virus Syllogism:
Computers are made to run programs.
Computer viruses are computer programs.
Therefore, computers are made to run computer viruses.
- Peter S. Tippett -
(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**
____________________________________________________
/ / | |
/ |\__/| / | THAT'S ALL FOLKS !! |
/~~~~~~\ / \ | NEW "ALIVE" IS COMING NEXT |
~\( * * )/~~\( 0 0 )/~ | HOST TO YOU SOON !! |
( O ) ( O ) |______________________________|
\______/ \______/
@/ \@ @/ \@
.