/~~~~~~\ *********** *********** ~\( * * )/~ *********** *********** ( \___/ ) *** *** *** \______/ *********** *** *** *** ******* @/ \@ *** *** *** *** *** *** *** *** *** *** *** *********** *** *** *** *** *** *********** |\__/| ******** *** ***** / \ ******** *** *** ~\( 0 0 )/~ *** ( /---\ ) *** \______/ *** @/ \@ *** ============================================================== March, 1994. Volume I, Issue 0 ============================================================== CONTENTS: 1. "ALIVE" next host to you (a word of introduction) 2. Results of Contest for the Best Virus Definition in technical categories 3. Puzzle - is this piece of (pseudo)code a sign of "life" ? 4. A comment on Cohen's theorem about undecidability of viral detection ..................................Dr Franz X. Steinparz %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % % ALIVE, Copyright 1994. By Suzana Stojakovic-Celustka % % This magazine may be archived and reproduced without charge % % throughout Cyberspace under the condition that it is left % % in its entirety. Send submissions, comments, etc. to % % celust@cslab.felk.cvut.cz and subscription requests to % % mxserver@ubik.demon.co.uk % % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% *+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+* 1. "ALIVE" next host to you (a word of introduction) ==================================================== Dear Readers! I guess you are already impatient to find out what "Alive" is. Calm down till I tell you something about its history. So, once upon a time...actually about a year ago I started a long search for the best definition of a computer virus. Surprisingly, it wasn't an easy task. Discussions on Virus-L and some private discussions didn't bring any satisfying results. I even started the Contest for the Best Virus Definition in despair. Well, the prizes were rather symbolic and probably it caused a low response. Never mind. All those attempts to answer the question : "What is a computer virus ?" only opened new questions. It appeared that computer viruses could be considered as members of a big family of so called "artificial life". Naturally, new questions were: "What is artificial life?", then "How to define a life?", etc. This magazine is one more try to find answers to some questions. The search for the best definition of computer virus will be continued. It is a general opinion that computer viruses are inherently malicious software. The possibility of viruses to be beneficial will be (hopefully) discussed here. However, protection against malicious viruses will not be neglected. This magazine will try to introduce new ways of protection, e.g. "immune systems". The question "What can be 'alive' in a computer environment ?" will be repeated in all possible variations as long as wish to find answers exists. The examples or descriptions of "liveware" will be presented here as soon as they appear. Probably some new topics will arise as "Alive" progresses. And, of course, I expect a lot of fun for both readers and contributors. About this issue: ----------------- This is 0th issue or beta version of "Alive". It means - feel free to criticise every detail in it (in a civilized and constructive way, of course). The first topic is presentation of results from Contest for the Best Virus Definition in technical categories. The Contest was announced in April last year on Virus-L. Originally it had 8 categories: 1. Technical definition in plain language, 2. Technical definition - mathematical, 3. Legislative definition, 4. Ethical definition, 5. Philosophical definition, 6. Poetical definition, 7. Funny definition and 8. Other definitions. The response was significant only in the first two categories and (surprisingly) in the poetical one.The jury for technical categories worked hard and the results of its voting are presented here. Regretfully, it will not be possible to publish many of the valuable comments that members of the jury gave during their work. I wish to thank the members of the jury again for their efforts and to all contributors to the Contest for their contributions. The second topic is a kind of puzzle. It concerns one of the standard distributed algorithms which could be possibly considered as a sign of "life". The readers are asked to help to find a solution. The third contribution is an article which is rewritten here without permission from something which looks like a copy of an internal document from Johannes Kepler University, Linz. I hope that one day I will find the author's address and that he will have nothing against publishing his article in "Alive". The article has a very interesting conclusion and I am not going to tell you anything in advance. Just read it! About contributions and subscriptions: -------------------------------------- Preferred form of contributions are short articles or previews. Comments on contributions will be deeply appreciated, but will be published only if they have a convenient form. This is -not- a place for polemics or blames, so please don't send your comments if you have nothing constructive to say. The preferred form of code examples is pseudo-code. The code of existing viruses which somebody could consider beneficial will not be published here. Send your contributions and comments to celust@cslab.felk.cvut.cz Subscriptions requests should be sent to mxserver@ubik.demon.co.uk Ftp sites: ---------- The magazine will be available for anonymous ftp from following sites: ftp.informatik.uni-hamburg.de in /pub/virus/texts/alive ftp.demon.co.uk in /pub/antivirus/journal/alive Any offer from other sites will be appreciated. About editor: ------------- The editor is currently a Ph.D student on Computer Department, Faculty of Electrical Engineering, Czech Technical University in Prague. Is working on her Ph.D thesis and hoping that "Alive" will bring a lot of useful material and a lot of fun. So, dear readers, enjoy the reading and make your copy of "Alive" really alive: SPREAD IT WIDELY! *+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+* "Life is all memory, except for the one present moment that goes by so quick you can hardly catch it going." - Tennessee Williams - *+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+* 2. The results of the Contest for the Best Virus Definition in technical ======================================================================== categories ============== The members of jury for the first two categories from Contest for the Best Virus Definition (1. Technical definition in plain language, 2. Mathematical technical definition) were: 1. Vesselin Bontchev, VTC Hamburg, Germany e-mail bontchev@informatik.uni-hamburg.de 2. Anthony Naggs, consultant, UK e-mail amn@ubik.demon.co.uk 3. Yaron Goland, U.C.L.A, USA e-mail ygoland@SEAS.UCLA.EDU 4. Roberto Reymond, IBM C.E.R.T., Italy e-mail rreymond@vnet.IBM.COM The guidelines were: -------------------- 1. Technical definition (in plain language - preferably English) - The definition should be concise, without reference to the user's state of mind and free of value judgements, e.g. "good", "bad", "beneficial". The definition should be unambiguous, and include a statement of the environment to which it applies, (e.g. the operating system). 2. Technical definition (mathematical) - The meaning of every symbol in mathematical formula(s) should be clearly explained. The jury used the following evaluation scale: --------------------------------------------- 1 - useless 2 - has serious problems 3 - must be improved 4 - good enough 5 - very good 6 - excellent Results in category 1.: Technical definition in plain language ---------------------------------------------------------------------------- 1. Author: William Walker Submitted by: author Source: Contest posting [ ENGLISH LANGUAGE DEFINITION OF A COMPUTER VIRUS A "COMPUTER VIRUS" is a sequence (or set of sequences) of symbols which, when executed or interpreted under certain conditions or in certain environments, will make a possibly altered, functionally similar copy of this sequence (or set of sequences) and will place this copy where it will intercept execution or interpretation at a later time under certain conditions. This is called "REPLICATION," and the copy retains AT LEAST the capability to recursively replicate further. A virus may also have an additional function (or functions) not related to replication, sometimes called a "payload," but this is NOT necessary for something to be a virus. ] Comments on the above definition: 1. This definition is not tied to any specific machine or operating system. The phrase "sequence of symbols" is used rather than "sequence of instructions" or "program" to help keep the definition as generic as possible. 2. A computer virus may not be restricted to a single sequence of symbols, but may consist of two or more sequences that individually do not constitute a virus, but working together satisfy the criteria of being a virus. 3. The phrase "intercept execution or interpretation" refers to the fact that a computer virus must somehow be placed on a host machine where it will be executed or interpreted in order to survive. This is done by forcing the host machine to execute or interpret the virus before, during, after, or instead of some other sequence of symbols on that system; in other words, "intercept execution or interpretation." 4. "Replication" (or "spreading"), as defined above, is the key point in defining a computer virus. A sequence of symbols which does not replicate cannot be a virus. Likewise, every virus must replicate, or it is not a virus. On the other hand, the inclusion of a "payload" is not essential for something to be a computer virus. Jury's decision : 4 (good enough) ----------------------------------------------------------------------------- 2. Author : Vesselin Bontchev Submitted by : Suzana Stojakovic-Celustka Source : e-mail conversation [ A computer virus is a sequence of symbols, which, when interpreted by computer, attaches itself to other computer interpretable symbol sequences in such a way that they become able to recursively spread the (possibly modified) initial sequence further. ] Additional explanations of used terms: "Infection" is the process of attaching a computer virus to other computer interpretable symbol sequences. "Attaching" means that the interpretation of the infected symbol sequences causes the interpretation of (possibly part of) the computer virus. "Interpretable" is anything that a computer can interpret. "Able to spread recursively" means when a virus infects an executable object, this object is able to spread virus to another object, which in turn is able to cause the infection of another object and so on. Jury's decision : 3 (must be improved) -------------------------------------------------------------------------- 3. Author: Fred Cohen Submitted by: Suzana Stojakovic-Celustka Source: Article "Computational Aspects of Computer Viruses", Computers & Security, 8 (1989.), pp 325-344 [ We informally define a "computer virus" as a program that can "infect" other programs by modifying them to include a, possibly evolved, copy of itself. With the infection property, a virus can spread throughout a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection spreads. ] Jury's decision : 3 (must be improved) ----------------------------------------------------------------------------- 4. Author: Greg Hale Submitted by: author Source: Contest posting [ For a program to qualify as computer virus, the program must meet two qualifications: 1. The virus must replicate itself and all subsequent reproductions (exempting unsuccessful infections) must be able to replicate. 2. The virus must execute by replacing or redirecting the user's request for the computer to start the normal operating system or execute a familiar program. ] Jury's decision : 3 (must be improved) ----------------------------------------------------------------------------- 5. Author: Roberto Reymond Submitted by: author Source : Contest posting [ A set of instructions that, once executed or interpreted, gains the control of the environment. That done, those instructions will, in specific circumstances, make at least one copy of the initial set, identical or modified, placing it/them somewhere in the environment, with the intention that, if and when executed or interpreted, it/they will repeat at least one time the above cycle. ] Additional explanation of terms: Environment: it means the whole system, that is the combination of all the hardware (fixed and removable) and the software presents at the moment of the virus actions. Jury's decision : 3 (must be improved) ----------------------------------------------------------------------------- 6. Author : Fred Cohen Submitted by : author Source : Contest posting [ A program that reproduces.] Jury's decision : 2 (has serious problems) ----------------------------------------------------------------------------- Results in category 2. : Mathematical technical definition ----------------------------------------------------------------------------- 1. Author: Fred Cohen Submitted by: Vesselin Bontchev Source: Short article "Formal Definition" written by Vesselin Bontchev, based on private discussion with the author (The contribution is not presented here, because of mathematical symbols). As in this category were no other contributions, this one was considered as a winner without jury's voting. Editor's note: -------------- Either the jury was too severe or plain language is not suitable to define computer virus properly. The winning definition is evaluated as "good enough" only. The others must be improved. However, it seems that the key point in defining a computer virus is a "replication" (as stated by W. Walker). Personally, I found comment 2. in W. Walker's definition very interesting for possible future development of computer viruses. ***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^*** "A virus is a virus!" - Nobel laureate Andre Lwoff's answer on the question "What is a virus?" (1959.) - ***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^*** 3. Puzzle - is this piece of pseudo(code) a sign of "life" ? ============================================================= I was wondering if Misra's algorithm for regenerating token in logical ring could be considered as a sign of "life". Help me to solve this puzzle! Some explanations: ------------------ Distributed algorithm - it has two basic elements: the processes that receive, manipulate, transform and output data and the links along which these data flow and which form a network having both structural and dynamic properties. Ring - each process is aware of its two immediate neighbours, called for the convenience the left and right neighbour respectively. Token - special message which the processes hand from one to another around the ring. The method uses two tokens, each of which serves to detect the possible loss of the other, by this means: a token T1 arriving at the process Pi can guarantee that the other token T2 has been lost - and can therefore regenerate it - if neither it nor Pi has encountered T2 since T1's last passage through Pi. The loss of a token is detected by the other in one passage round the ring; and the algorithm works only when one token having been lost, the other makes a complete turn round the ring without itself being lost. The algorithm: -------------- Let us call the tokens Ping and Pong, and with these associate numbers NPing and NPong, equal in absolute value but opposite in sign, that record the number of times the tokens have met; these numbers are therefore related by the constraint: NPing + NPong = 0 Initially the two tokens are both in an arbitrarily chosen process and the values are: NPing = 1, NPong = -1 Each process Pi carries an integer variable Mi, initialized to 0, that records the number, NPing or NPong, associated with the token that last passed through Pi. The behaviour of Pi is as follows: when received Ping(NPing) do if M = NPing {Pong is lost, regenerate it} then begin NPing:=NPing + 1; NPong:=-NPing end else M:=NPing when received Pong(NPong) do if M = NPong {Ping is lost, regenerate it} then begin NPong:=NPong - 1; NPing:=-NPong end else M:=Npong when meeting (Ping, Pong) do {Meeting Ping and Pong} begin NPing:=NPing + 1; NPong:=NPong - 1 end In practical realization of algorithm numbers NPing and NPong should be limited by modulo P where P > or = N+1 (number of processes in logical ring + 1). Literature: ----------- 1. Janacek J., Distributed systems, 1993., Vydavatelstvi CVUT, (in Czech) 2. Raynal M., Distributed Algorithms and Protocols, 1988., John Wiley & Sons Editor's hypothesis: -------------------- Consider that each process itself is "alive" by consuming, transforming and extracting data as a "food". Then regeneration of token(s) is necessary for its "life-time" and above algorithm is vital to keep a process "alive". Here we have the following signs of "life": "metabolism", ability to produce new "living" entities (tokens which help in their reproduction themselves) and ability to communicate with "neighbours". /\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*= Ikite iru Simply alive bakari zo ware to me - keshi no hana and poppy-flower - Issa - /\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*= 4. Article: =========== A COMMENT ON COHEN'S THEOREM ABOUT UNDECIDABILITY OF VIRAL DETECTION Dr Franz X. Steinparz Johannes Kepler University, Linz October, 1991. Abstract: This paper shows that Cohen's Theorem, stating the undecidability of viral detection does not hold. It is shown that each algorithm discerning a virus from other program by examining its code must be a virus itself. Keywords: computer viruses Introduction: In [2] Cohen introduces Computer Viruses and summarizes some work he did on this topic. Aside other results of his work, he gives a rather informal definition of Computer Viruses and the proof of his well known theorem stating that a program discerning a virus from any other program by examining its appearance is infeasible. In [1] Burger expressed his doubt about this theorem. However, to our knowledge, no fault in Cohen's proof has been published, and in discussions about viruses, the theorem is widely ( [3], [4], [5] and others) referred to. Cohen's Theorem: In Section 2 of [2] Cohen defines: "..a computer virus as a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." In Section 4.1. of [2] Cohen states the undecidability of viral detection. His proof follows a well known proof technique. He argues: "In order to determine that a given program 'P' is a virus, it must be determined that P infects other programs. This is undecidable since P could invoke any proposed decision procedure 'D' and infect other programs if and only if D determines that P is not a virus. We conclude that a program that precisely discerns a virus from any other program by examining its appearance is infeasible. In the following ... program ..., we use the hypothetical decision procedure D which returns "true" if its argument is a virus to exemplify the undecidability of viral detection. ....., we have assured that, if the decision procedure D determines (the following program contradictory-virus) CV to be a virus, CV will not infect other programs and thus will not act as a virus. If D determines that CV is not a virus, CV will infect other programs and thus be a virus. Therefore, the hypothetical decision procedure D is self contradictory, and precise determination of a virus by its appearance is undecidable. program contradictory-virus := {.... main-program := {if D(contradictory-virus) then {infect-executable; if trigger-pulled then do-damage; } goto next; } } Fig..Contradiction of decidability of a virus.." Discussion: First, we notice an inaccuracy in Cohen's paper in defining a virus as a program, which -can- infect other programs and using this term in his proof for a program which actually -does- it. However, this inaccuracy can be corrected by adjusting the definition. But even if we adjust the definition, the proof in its generality is wrong: It is based on the implicit assumption that the decision procedure D is not a virus itself. Suppose the decision procedure D is a virus itself. Then contradictory-virus infects an executable by calling D and consequently is a virus too. Now D, when deciding that contradictory-virus is a virus, gives a correct result even if contradictory-virus, based on D's decision does not execute its own viral code. However, under the restriction, that only non-virus decision procedures are permitted, Cohen's proof holds. Consequently, each decision procedure D must be a virus. References: [1] R. Burger: Das Grosse Computer-Viren Buch, ISBN 3-89011-200-5, DATA BECKER, Duesseldorf, 1987. [2] F. Cohen: Computer Viruses Theory and Experiments, Computers & Security 6 (1987) pp 22-35, North-Holland, 1987. [3] G. Futschek: Computerviren fuer LOGO Programme Bauanleitung, Wirkungsweise und Abwehrmechanismen, interner Bericht, Technische Universitat Wien, 1988. [4] F. Hoffmeister: Sicherheitsrisken durch Computerviren - erste Losungansatze, Bericht Nr. 232 der Abteilung Informatik der Universitat Dortmund, Dortmund, 1987. [5] C.A. Neumann: Computerviren und verwandte Anomalien, GI Symposium "PC's in kleineren und mittleren Unternehmungen", Leipzig 17-19 September 1991., Tagungsbad der Fachgruppe 2.0.1. Personal Computing der GI, 1991. (:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)** The Virus Syllogism: Computers are made to run programs. Computer viruses are computer programs. Therefore, computers are made to run computer viruses. - Peter S. Tippett - (:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)** ____________________________________________________ / / | | / |\__/| / | THAT'S ALL FOLKS !! | /~~~~~~\ / \ | NEW "ALIVE" IS COMING NEXT | ~\( * * )/~~\( 0 0 )/~ | HOST TO YOU SOON !! | ( O ) ( O ) |______________________________| \______/ \______/ @/ \@ @/ \@