Interested in Contributing? Read this
Earlier in the first part of the “Deep Definition of the Computer Virus” article series, I gave a Basic Introduction to Computer Virus and explained the definition and concept of recursive replication put up by Fred Cohen, known as the Cohen Model and in the Second Part of the series I explained how Leonard Adleman interpreted the notion of Computer Virus and elaborating on the harmful behaviour of the code. In this part, we will continue the discussion but in terms of Violation of Code.
Definition of a Computer Virus in Violation of the Code
The impossibility of reliable determining of viruses within the frame of classical models gives reason to think about the approach to solving the problem from the other side.
With the traditional approach, the most accurate model of the virus is created, based on the concepts of “recursive replication” and, optionally, “harmfulness”. Within the frame of the created model, a definition of a virus is given. Then, it is stated that it is impossible to use this definition to assess the compliance of the information objects under investigation with it.
But we can do the opposite: put the practical applicability of the definition of a virus for a simple and guaranteed solution of the problem of its recognition – and for a comprehensive solution to the problem of digital infections in general. Then, using this definition, we find out which model of the virus corresponds to it.
For the purposes of Information Security, the most convenient is a strictly formalized, commensurate and systemic definition, which makes it easy to assess the compliance of arbitrary information objects with it. The procedure for comparing the properties of each object under investigation with the definition should take the form of a short, reliable and well-controlled algorithm so that it can be automated and applied in practice.
The simplest and most obvious solution is to consider as a virus any intrusion of extraneous code (ie, an arbitrary sequence of symbols) into the original, uninfected program. This means rejection of the resource-intensive and generally unsolvable task of analyzing the processes of interaction of the code being checked with the machine – and refusing attempts to formalize these processes.
The virus is determined not through the properties of the sequence of symbols, but through its location in the machine (computer, computer system). In other words, the same sequence of symbols can be considered or not considered a virus depending on where it is in relation to the “coordinate system” of the machine – at which location of the Turing tape, in which area of RAM, hard disk, and etc. A virus is any sequence of characters that is “in the wrong place”, i.e. in the area reserved for another information object – protected code.
A strict definition for a conventional SISD machine that can be adapted to a wider range of information systems is formulated as follows: a computer virus is a modified part of the code compared to the standard.
Using in practice a model that corresponds to the above definition of a virus, you are reinsured and go into a deep and very reliable defense. Instead of analyzing the unknown code for an exact answer to the question about the possibility of initiating recursive replication, you assume that this possibility is not excluded. Instead of analyzing the unknown code for an exact answer to the question of its harmfulness, you assume that entering into the protected code of any, even the smallest, change with some probability causes a violation of its functions – just as the violation of the functions of biological DNA can be caused by substitution single nucleotide in the sequence.
For the convenience of solving many practical problems in complex information systems, the definition can be extended to those data areas that should have the same immunity as the executable code in the system.
In the general case, any protected information object is declared infected, to the boundaries of which another object has fallen.
Note that in the absence of a standard for arbitrary code, all this code is considered a virus by this definition. Although this sounds unusual, it should be well understood and always bear in mind. About where the standard comes from, we’ll talk in the next issues of the blog: this requires the involvement of social factors.
The word “virus” appeared in modern languages over 100 years ago, after the discovery of biological viruses. Their characteristic feature is replication, performed by the appropriate environment. But the word “virus” has another, the original meaning: in Latin, this word denotes poison. There is no connection with replication: a virus is an object characterized by a violation of the functions of the external object, into which it penetrated. The use of the term “computer virus” in the context of destructive impact is as correct as in the context of replication. The use of informal terms “harmful” or “malicious” is undesirable, especially in technological terminology, outside the social context. The term “antivirus protection” (not “anti-malware”) is the most stable and has obvious connotations.
To be Continued…
Alex Bod is a cybersecurity expert and the CEO of Bod Security, Bod Intelligent Antivirus provider company.