On the defence notion
'Trojan horses', 'logic bombs', 'armoured viruses' and 'cryptovirology' are terms recalling war gears. In fact, concepts of attack and defence drive the world of computer virology, which looks like a war universe in an information society. This war h…
Authors: Anne Bonfante (INRIA Lorraine - LORIA), Jean-Yves Marion (INRIA Lorraine - LORIA)
On the defence notion ⋆

Anne Bonfante 1 and Jean-Yves Marion 1,2
1 Loria-INPL, Équipe Carte, anne.bonfante@libertysurf.fr, Jean-Yves.Marion@loria.fr
2 École Nationale Supérieure des Mines de Nancy

1 Computer virology and art of war

“Trojan horses”, “logic bombs”, “armoured viruses” and “cryptovirology” are terms recalling war gears. In fact, concepts of attack and defence drive the world of computer virology, which looks like a war universe in an information society. This war has several shapes, from invasions of a network by worms, to military and industrial espionage... For convenience, and because the term “virus” has a bigger impact from an epistemological point of view (the word “virus” was adopted after the theoretical works of Cohen [1] and Adleman [2]), we will use “virus” for all the different kinds of computer infections. The reader may consult Filiol’s books [3, 16] for further information about the definitions and classifications of malware.

We could think at first sight that questions about computer security, and particularly about fights against computer viruses, are just a matter for highly trained security computer officers, and that a victory just depends on scientific and technical knowledge. But sometimes algorithmics and programming are not enough to catch the whole picture. Indeed, the study of malware strategies shows that they are close to the battle of the Horatii against the Curiatii... A different point of view could then bring a new prospect to computer virology. This study is a part of a general investigation, which tries to understand viral strategies in order to anticipate attacks and improve defences, and to define the philosophical and political issues.
Reading famous strategists and philosophers could give precious information about the conscious or unconscious viral practices, and the explicit and implicit behaviour, of malware writers, whatever kind of attacks they launch. For this, a case study is a good way to make the connection between the technical or scientific profile of a virus and the kind of strategy used (the meaning of the word “strategy” is here the one conveyed by political and war philosophies). The case of the Whale virus can be extended to the Bradley concept, its epistemological model, which is meaningful. The question of War, as well as the best way to wage it and the political and human issues related to it, is very old in the history of philosophy: we can already find it in the Peloponnesian War [4], written by Thucydides, a Greek general and historian, in 430 BC, or in Plato’s Republic [5] (420-340 BC). Philosophy of war has always been an active theme of philosophy and was the main issue for some authors like Machiavelli (1469-1527), who wrote the Art of War [6] in 1519. Are the writers of malware Machiavelli’s readers? This question sounds like a joke, but is legitimate, as we shall see. Indeed, the more dangerous viruses are the ones which seem to apply principles and to use strategies of the art of war, like Machiavelli’s, or from other war theorists like Clausewitz [7].

⋆ This work has been supported by project ARA Virus.

2 Bradley defences

The Whale virus challenged Scotland Yard for about two weeks during the 1990’s [8]. This virus is a typical case study, because it has its own defensive weapons. From the Whale virus, a virus shape named Bradley was proposed by Filiol [9]. This shape, which could also be considered as an epistemological model, will guide us in our study on virus defences.
Indeed, it uses very complex notions coming from mathematics and computer science in order to defend and attack. Bradley protection systems are first used to prevent the detection of the virus by antivirus software, and then to bypass the defences of the host system which is under attack. We will study the two most interesting types of defence, the armoured code aspect and the furtive one, because they are typical and relevant. It is worth noticing that the furtive aspect was a Whale feature.

An armoured code consists in protecting a code from analysis, which can be static, by disassembling, or dynamic, by monitoring executions. Protecting a code against static analysis is a scientific challenge. The paper of Barak et al. [10] on obfuscation is a good illustration of these difficulties. With the benefit of hindsight, all the protection methods used lean on the same approach. The code protection is performed by an obfuscator. In fact, the latter is a kind of compiler, which transforms a source programme s into a scrambled programme s′ in such a way that:

1. The scrambled programme s′ computes the same thing as the source programme s (in other words, they are semantically equivalent).
2. The runtime of the scrambled programme s′ is close to the one of s (that is, up to a polynomial).
3. The programme s′ is unreadable, both for a human analyst and for a de-obfuscation programme.

The third point corresponds to the obfuscation clause, which turns out to be difficult to formalize. Obfuscation consists in rewriting the code in order to make it less understandable. Cryptography plays a crucial role in this task. The interested reader may consult the recent paper of Beaucamps and Filiol [12] about practical obfuscation methods. Moreover, a virus may mutate when it duplicates, with polymorphism or metamorphism techniques.
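The first two clauses of this definition can be checked mechanically, and the third cannot; a toy obfuscator makes that asymmetry concrete. The Python block below is an added example, not code from the paper or from any of the cited works. Its obfuscator (every integer literal of s replaced by a call to a runtime decoder, using the standard ast module), the sample programme checksum and the helper names obfuscate_source, check_equivalence and slowdown_ratio are all assumptions of this example. Clause 1 is checked by running s and s′ on the same inputs, clause 2 by timing them; clause 3 is left to the reader's eyes, which is exactly the formalization gap the paragraph describes.

```python
"""Toy source-level obfuscator for the three-clause definition above.
Added example; obfuscate_source, check_equivalence, slowdown_ratio and _dec
are hypothetical names, not a real tool's API."""
import ast
import random
import time

# Runtime decoder prepended to s'.  Each integer literal c of s becomes
# _dec(c ^ k, k) with a fresh k, so the literal itself never appears in s'.
# A bare ((c ^ k) ^ k) expression would NOT do: CPython's AST optimiser
# folds constant arithmetic back to c at compile time, undoing the rewrite.
DECODER_SRC = "def _dec(a, b):\n    return a ^ b\n\n"


class _ConstEncoder(ast.NodeTransformer):
    """Rewrite int literals into decoder calls (bools and non-ints untouched)."""

    def __init__(self, rng):
        self.rng = rng

    def visit_Constant(self, node):
        if isinstance(node.value, bool) or not isinstance(node.value, int):
            return node
        k = self.rng.randint(1, 1 << 12)
        # int xor is an involution on negatives as well, so (c ^ k) ^ k == c.
        call = ast.Call(func=ast.Name(id="_dec", ctx=ast.Load()),
                        args=[ast.Constant(node.value ^ k), ast.Constant(k)],
                        keywords=[])
        return ast.copy_location(call, node)


def obfuscate_source(src, seed=0):
    """Return the scrambled programme s' (as source text) for module source s."""
    tree = ast.parse(src)
    tree = _ConstEncoder(random.Random(seed)).visit(tree)
    ast.fix_missing_locations(tree)
    return DECODER_SRC + ast.unparse(tree)


def _load(src, fname):
    """Execute a module source in a fresh namespace and return function fname."""
    ns = {}
    exec(compile(src, "<module>", "exec"), ns)
    return ns[fname]


def check_equivalence(src, obf_src, fname, inputs):
    """Clause 1: same outputs on every test input (a check, not a proof)."""
    f, g = _load(src, fname), _load(obf_src, fname)
    return all(f(x) == g(x) for x in inputs)


def slowdown_ratio(src, obf_src, fname, arg, rounds=2000):
    """Clause 2: wall-clock ratio runtime(s') / runtime(s) on one input."""
    f, g = _load(src, fname), _load(obf_src, fname)
    t0 = time.perf_counter()
    for _ in range(rounds):
        f(arg)
    t1 = time.perf_counter()
    for _ in range(rounds):
        g(arg)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


# Constructed sample programme s: a toy checksum with several literals.
ORIGINAL_SRC = '''
def checksum(data):
    acc = 17
    for b in data:
        acc = (acc * 31 + b) % 65521
    return acc
'''

if __name__ == "__main__":
    obf = obfuscate_source(ORIGINAL_SRC, seed=7)
    print(obf)
    samples = [b"", b"abc", bytes(range(256))]
    print("clause 1 holds on samples:",
          check_equivalence(ORIGINAL_SRC, obf, "checksum", samples))
    print("clause 2 slowdown: x%.1f" %
          slowdown_ratio(ORIGINAL_SRC, obf, "checksum", bytes(range(256))))
```

Two observations for the defender follow from running it. The literal 65521, which a byte-pattern signature on s would key on, is absent from s′, so signature matching on constants is defeated by a rewrite this cheap; and check_equivalence only samples behaviour, since deciding equivalence of two arbitrary programmes is not computable in general, which is the same limit Cohen's undecidability result imposes on perfect detection.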
An obfuscator protects a programme in a way that we could call passive, unlike furtivity techniques. It aims to camouflage a code in order to slow down the analysis by its adversaries. The advantage for the attacker with this method is the guarantee of immunity for a while, because the time spent to camouflage is always shorter than the one spent by the adversary to detect it. Thus, the attacker protects itself against antivirus software, which, on the one hand, searches for a signature of a known malware; on the other hand, it protects itself against the work of analysts, who are trying to understand the meaning of its code. This method used by viruses looks like both a camouflage and a shield, which are designed to resist an attack as long as possible. It appears then to be a method of passive defence.

A Bradley virus also combines an active defence method: “furtivity”. It consists in deceiving a host system, by modifying, for example, system interruptions. In the case of Whale, techniques of furtivity allow it to detect a debugger. The defence becomes active, because a virus can trigger an action if it is aware that some agent is trying to analyse it. Furtivity then allows the prevention of the behavioural analysis techniques used by antivirus software. Moreover, the resistance of a virus to such an analysis allows the collection of information about the defence methods of the host system. Consequently, we may suppose that this fact is a piece of its attack plan and one of the reasons why the virus was launched... We must then look at the reasons for which a virus like Bradley integrates so many defence techniques.

3 Why does a virus defend itself?

The part of the virus code whose purpose is to infiltrate a system and to deceive the antivirus can be considered as both an offensive weapon (it enters a fortress) and a defensive weapon (camouflage).

A particularity of Whale, as well as of the Bradley concept, is that its code contains advanced defensive functionalities, which go beyond the traditional ones used to enter a system. If a virus were a mere offensive weapon, why allow such defence mechanisms then? If we send troops to attack a place, whatever the issues are, it seems normal to arm them and to give them some means to protect themselves. Such defensive means are necessary in order to protect troops and avoid casualties. However, in the context of a conflict in the information society, what does the attacker try to protect? If the only goal is to get some information back, the loss of a virus is a part of the operation. Why are viruses protected then? We think that the host systems should address those questions in order to prepare their defence. This brings us to a first hypothesis. The attacker is a Machiavelli’s reader without knowing it. Indeed, one of the fundamental principles of the art of war is that we must have both offensive and defensive weaponries. A good defence is meaningless if it is not armed: the only guarantee of autonomy and independence is the ability to be in a defensive position as well as in an offensive one if necessary. Computer security questions should then necessarily consider the possibility to prepare and use offensive methods. However, state legislations, like the French one, do not allow attacks and force security officers to set only defensive methods, with no possibility of counter-attack. The efficiency of the defence is also related to the questioning about this ban on possessing and training with one’s own (offensive) weapons. Machiavelli’s readers know how important it is to keep control over one’s own weapons, because it is a sine qua non condition for security and independence.
The second hypothesis is that a virus provides a defence because it has some hostile intentions. If there are defence mechanisms as sophisticated and high-level as the ones mentioned above, it means that the virus was made for a very important purpose. We could use this criterion in order to set a typology of viral attacks: the more elaborate the defence is, the more important the objective is. Lastly, the third hypothesis is that we should call security policy views into question. If a virus based on the Bradley concept integrates such elaborate sequences of defence, it is because it probably expects a serious counter-attack. The defences are thus stronger than what they claim or than they are known to be (but it is maybe a trick: fooling the adversary while looking more vulnerable than you are in reality). Other hypotheses are conceivable, and some show that ‘viral war’ sometimes takes paradoxical or new shapes we should study in order to anticipate the future.

4 New time scales?

Information technology war implies having to reconsider the scales of the conflicts, particularly the time scale, but also the one of space. The time necessary to decipher and analyse a virus (remember the two weeks which were necessary to analyse Whale!) is a “long” time. It means that it corresponds to a human time-scale. On the other hand, if we consider that a viral attack symbolically represents a hostile operation, the length of the attack is very short (between a second and a minute). There are at least two levels of analysis to bring out in order to understand the defence question:

– The human scale. The conception of dangerous viruses is a long process because they integrate a lot of mathematics and a big knowledge in computer science. It is hard to capture a virus and difficult to analyse it. This is the case of Whale.
– The computer scale. A virus is inside a system, and must fight against an anti-virus. The fight lasts a few seconds, or minutes, programme versus programme.

We could think at first sight that a viral attack is a completely new kind of war, since it takes place in an entirely different way compared to traditional war. Can we use the term of war again, since there is nothing in common between a few-second strike and a real battle in the field? A virus writer finds time to design a virus efficiently and cannot ignore that it will require a lot of time to decipher and analyse the virus, if it is captured. Therefore, this time was anticipated and should be considered as a genuine part of the attack. It can be used to create a diversion or to gain more time (indeed, during the phase of analysis, the attacker can do something else). Then this type of virus corresponds more to a traditional war, and consequently sets conflicts back in a long time-scale and not in an instantaneous one. Isn’t it the aim of the attacker? So don’t we have to consider that a viral attack is just a weapon like any other, or just a part, of a global conflict? Such a viral attack is a way to set things back in a better-known field, which is more traditional, in a way more human: the field of men, logistics and “normal” time. This shift of scale between viral attacks and traditional fights allows us to ask further questions. For example, look at the ratio between the 14 days of analysis, which is the time necessary to understand Whale, and 1 minute, which will be considered as a time-reference at the computer level. The ratio between these scales is around a million. The change of scale directly implies that when a viral attack is launched, it cannot be controlled at the human level anymore, because it is too fast.
Admittedly, the use of a gun implies that its process is autonomous and does not depend on a human (when a gun is fired, the bullet is unavoidable... except in “Matrix”!). But in the case of a computer war, we should not consider a single virus, but a set of viruses against defences. Each of these agents communicates with the others, reacts to its environment and takes decisions, independently from any human intervention. Moreover, if the computer scale is very short, the conflict area could be the whole net [13]! This change of the scales maybe implies that we should change our classical concepts of war analysis, as we traditionally find them in the books of great authors like Clausewitz [7].

5 A central question: the losses

Cyberwar implies reconsidering a crucial notion of every armed conflict: the one of the casualties. Indeed, why does someone program an armoured virus? What is the attacker’s objective? What may he lose, and which losses does he want to avoid? In the setting of traditional war with different armed forces, the question of the casualties is one of the most important to make strategic and tactical choices. This question is coupled with an obvious moral issue. This issue is represented by the assessment of the ratio inherent in any operation: the (human, technical or practical) cost of an action must be related to the interest or to the benefit of this action. So, this assumes the responsibility of the military leaders and of the governments, particularly a moral responsibility, since casualties should be avoided. Taking a risk should then be justified with respect to the current issue, especially when human lives are concerned. The moral responsibility is more difficult to take, but it just exists in the case of real wars, because we can always know the number of deaths, without always really understanding the benefit of an operation.

Cyberwar changes traditional war categories, since the moral and the casualty question, as well as the question of the just cause, do not come up anymore. Inversely, the heroic figure or the heroic action supposes that the loss of a life is there for a great collective benefit. The greater the sacrifice of the hero is, the more he takes risks; the more conscious he is that he will not survive his action, the more heroic he is. We can ask if hackers identify with the issues of the hero, as we already mentioned, by overcoming all difficulties and responding to all challenges. Indeed, the point for a hacker is here to accomplish a technical exploit giving him the feeling of being a hero, even if his actions are reprehensible. Recent movies show that clearly: it is the heroic figure of Neo in Matrix. It seems to us that we should understand the specificity of modern wars with respect to how they consider casualties. In the case of a virus, the loss of the latter is somehow immaterial, maybe anticipated, or even programmed by its designer. It means, first, that we do not consider losses as real ones (like events to avoid), or at least that it is a part of the strategy, especially as we can always replace a virus: losses are duplicable because a virus can be duplicated. Another characteristic of computer war is that it does not lean on economic and industrial resources, which are decisive factors in the case of a “real” war, even if they are not the only ones. In the case of a viral war, the attacker’s strength is not directly related to economic or industrial resources, but to a scientific and technical knowledge, which then becomes a possible cause of war, or at least a reason for a competition. When an attacker “loses” a virus, the latter can be analysed. From then on, its design may be reproduced quite easily.

However, there are some interests in avoiding the loss of a viral weapon in order to protect knowledge, in terms of cryptography for example. The attacker, as a war leader or a strategist, measures the interest of an action and determines the risk he runs. One of the clearest specificities of a modern or post-modern conflict is that the technical questions aim more and more at replacing the question of force. Violent confrontation is shifted to technical considerations.

6 Counter-attack and issues

The viral defence system often allows the attacker to stay anonymous, which prevents possible counter-attacks. But this fact changes the concept of war because the enemy is not identified. What is peculiar to war is to have an enemy, a known opponent. Once the enemy remains anonymous, confrontation does not correspond to the representation of war, but more to guerrilla warfare: the enemy is not conventional and cannot be spotted. Furthermore, if the attacker tries to hide his strategy as long as possible, it means that the host system itself can be protected. Indeed, a virus is able to delude a defence in such a way that it can be in a position to observe the tools used for defence: a virus is able to be behind the line, and so is able to list all defensive tools. Therefore, this means that the virus code has a mechanism the function of which is to detect the tools used by the defence in order to analyse intruders, viruses and so on. We could conclude for the time being that the strategy used by the virus in this case is a prospective one. Detecting the defence tools has a meaning only if another attack is planned in the near future. Consequently, we should analyse the aims of the virus from a temporal point of view. A viral attack can be an initial assault before another one, so we should not simply consider what a given attack represents at a given time.
Lastly, the issues of computer virology are directly related to other domains where computer networks are used as tools to exchange information. It is a way to say that the field of viral war is also economic and financial, and that it implies political positions, in particular questions about individual rights. Economic issues are not always perceptible behind some behaviour, which may have some moral justifications: for example, it is the case of the Sony rootkit [15]. The reason for the integration of computer virology was to protect author rights, and to protect the data contained on the disk. The reality was that this technology allowed spying on the user’s data (which is of great interest from a commercial point of view...). The ambiguity is in the fact that Sony was perfectly able to justify this functionality, which is usually used by malware, in order to protect author rights. This worry is legitimate, but nothing proves that the real purpose was this one... So, computer virology is the place of different kinds of wars, but the hostility logic often remains the same.

7 Evolutions and perspectives

Viral defence, as a large part of computer security, depends on the results of theoretical computer science. For the record, there are Cohen’s results on viral detection undecidability: it is not possible to construct perfect anti-virus software. Other results depend on conjectures of algorithmic complexity theory (for example, if P=PSPACE, then practically all cryptographic codes will be broken). It is interesting to see once more that we face a scale problem. Indeed, conjectures related to algorithmic complexity theory imply that a given problem is computable but the runtime is beyond belief and is greater than the age of the universe! Science acts as a guarantor for defence soundness.

If a defence depends on algorithmic complexity theory, then it must take into account the time scales that we have mentioned previously. A viral defence may be conceived to resist an analysis at a human scale, and from then on can be considered as immune with respect to the computer time scale (where the time scale is about a minute). On the other hand, during a computer attack, and at a computer time scale, this heavy defence slows the virus execution down. So, the issue is to choose the right weaponry according to the targets that are aimed at. This subject was widely discussed in many strategy books, as Machiavelli did in his Art of War. As we saw above, viral war integrates the necessity of a prospective strategy: on the one hand, because it could use the information the virus found, pursuing the elaboration of its attack’s tactics according to the environment it is located in. In this sense, a virus is a modern weapon since it is adaptable: there are interactions between a virus and its environment. There is an epistemological and scientific dimension as soon as we think about a viral attack as a deployment of a large number of autonomous and cooperative agents. This direction recalls analogies with biological immune systems [14]. Another possibility is to consider the agents of a network with divergent interests, as in algorithmic game theory. Game theory, which tries to predict the behaviours of a population in a given environment, could then be used to analyse the political and sociological behaviours of agents running viral attacks, and also of the users who are concerned by those attacks. To come back to the question of the interaction of a virus with its environment, we can say it is inseparable from a forecast.

That is, a virus adapts to its environment in order to pursue an attack, or to send information back with the view to make another attack. This temporal forecast, even if it is implicit, is the sign that a viral arm cannot be understood, or analysed, without thinking of the one who possesses it. The attacker’s intention (or the intention of the ones who order this action) is revealed by the question, which seems harmless at first glance: what is the purpose of a weapon? If, to be specific, it can be used to make another attack, or just to pursue the current one: this attack is a step. It also means that it is necessary for the ones who are fighting against viral attacks not only to view an attack here and now, but always to think about the intentions that could be implied. To give another conclusion to this discussion, we should analyse a viral attack by what it implicitly discloses: the virus’s method for the attack indicates what its writer knows, or what he thinks he knows, about the target he aims at. Anybody thinking he is a potential target should integrate into his security policy what he wants to show to the others, in such a way that he directs the kind of attack he can be the target of. The issue at stake here is to apply the good old strategy: a false lure, a false target, or a noticeable weakness, which transforms stratagems into an art of playing with representations and tricking enemies. We must always come back to this Machiavelli’s principle: “Never believe that the enemy doesn’t know what he does”; always assume that you have to deal with a smart, surely crafty enemy, whose intentions are not always visible. So, the security of a target should not only stem from the strength of a defence: the attackers will always succeed in penetrating by one way or another.
We should also know how to use trickery, how to play with psychological effects and make our opponent believe that defences are different from what they really are...

Acknowledgement

We would like to thank first lieutenant de Marqueissac for her valuable help in improving the correctness of our English.

References

1. F. Cohen. Computer Viruses. PhD thesis, University of Southern California, January 1986.
2. L. Adleman. An abstract theory of computer viruses. In Crypto’88 - Advances in Cryptology, Lecture Notes in Computer Science 403, 1988.
3. E. Filiol. Computer viruses: from theory to applications, IRIS International Series, Springer, 2004.
4. Thucydides. The Peloponnesian War.
5. Plato. The Republic.
6. N. Machiavelli. The Art of War.
7. C. Clausewitz. On War.
8. E. Filiol. Whale : le virus se rebiffe. Journal de la sécurité informatique MISC 19, May 2005.
9. E. Filiol. Strong Cryptography Armoured Computer Viruses Forbidding Code Analysis: the Bradley Virus. In Proceedings of the 14th EICAR Conference, pp. 216-227, Malta, 2005.
10. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahay, S. Vadhan and K. Yang. On the (Im)possibility of Obfuscating Programs. Lecture Notes in Computer Science 2139, Crypto, 2001.
11. Cryptographie malicieuse. Journal de la sécurité informatique MISC 20, July 2005.
12. P. Beaucamps and E. Filiol. On the possibility of practically obfuscating programs: towards a unified perspective of code protection. TCV 2006 Special Issue, Journal of Computer Virology, 3(1), pp. 3–21, 2007.
13. I. Balepin. Superworms and Cryptovirology: a Deadly Combination. http://www.csif.cs.ucdavis.edu/~balepin/files/worms-cryptovirology.pdf, 2003.
14. Editorial, Making connections. Nature Immunology 3-10, October 2002.
15. Sony Rootkit Case: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
16. E. Filiol. Techniques virales avancées, Collection IRIS, Springer, 2007 (an English translation is due in December 2007).