Core WarVirtual Machines, Viruses, and Defense

Against the Dark Arts

Philip W. L. Fong

pwlfong@cs.uregina.ca

Department of Computer Science

University of Regina

Regina, Saskatchewan, Canada S4S 0A2

Overview

1. Core War – The Game

2. Malicious Code

3. Java Virtual Machine

4. My research

Core War – p.1/34

Core War

Author: A. K. Dewdney (1984)

Objective:Players launch virus programs that attempt toterminate each other.

The Core:Virtual machine architecture on which virusesexecute.

Redcode:Assembly language for programming viruses

MARS (Memory Array Redcode Simulator):Software simulator for the virtual machine.

Core War – p.2/34

The Core

A memory array of 8000 cells.

Every cell holds an integer representing either aninstruction or random data.

0 -1 -...

...7998 -7999 -

Array is circular: address 8000 = address 0

Core War – p.3/34

The Rules

Competing viruses are loaded at random locations.

Viruses are executed in turns, one instruction at atime.

The first program to execute an illegal instructionloses.

Goal: Overwrite opponent with illegal instructions.

Core War – p.4/34

Redcode

Example:

MOV 2 -1

Meaning:

opcode source destinationMOV 2 -1

Move the content 2 cells ahead to the location 1 cellbehind.

Core War – p.5/34

Redcode

Effect:...

...1373 -1374 MOV 2 -11375 -1376 DAT 99

......

Core War – p.6/34

Redcode

Effect:...

...1373 DAT 991374 MOV 2 -11375 -1376 DAT 99

......

Core War – p.7/34

Self-Destruct

Here is a short Redcode program that self-destructs:...

→ MOV #0 1 Immediate addressing-...

Core War – p.8/34

Self-Destruct

Here is a short Redcode program that self-destructs:...

→ MOV #0 1 Move number 0.DAT 0

...

Core War – p.9/34

Self-Destruct

Here is a short Redcode program that self-destructs:...

MOV #0 1→ DAT 0 Illegal instruction!

...

Core War – p.10/34

Self-Destruct

Here is a short Redcode program that self-destructs:...

MOV #0 1→ DAT 0 Execution terminated!

...

Core War – p.11/34

Imp

A self-replicating program:...

→ MOV 0 1---...

Core War – p.12/34

Imp

A self-replicating program:...

→ MOV 0 1 Copy itself to next addressMOV 0 1

--...

Core War – p.13/34

Imp

A self-replicating program:...

MOV 0 1→ MOV 0 1

--...

Core War – p.14/34

Imp

A self-replicating program:...

MOV 0 1→ MOV 0 1 Copy again.

MOV 0 1-...

Core War – p.15/34

Imp

A self-replicating program:...

MOV 0 1MOV 0 1

→ MOV 0 1 Copy . . .-...

Core War – p.16/34

Imp

A self-replicating program:...

MOV 0 1MOV 0 1MOV 0 1

→ MOV 0 1 Copy . . ....

Core War – p.17/34

Imp

A self-replicating program:...

MOV 0 1MOV 0 1MOV 0 1MOV 0 1

→

...

Sweeping through the core.

Overwriting opponent with itself, thereby forcing a tie.

Core War – p.18/34

Dwarf

A bombing program:

0 DAT -1 Counter.→ 1 ADD #5 -1

2 MOV #0 @-23 JMP -2

Core War – p.19/34

Dwarf

A bombing program:

0 DAT 4 Counter.→ 1 ADD #5 -1 Increment counter by 5.

2 MOV #0 @-23 JMP -2

Core War – p.20/34

Dwarf

A bombing program:

0 DAT 4 Counter.1 ADD #5 -1 Increment counter by 5.

→ 2 MOV #0 @-2 Bomb address 4.3 JMP -2

Core War – p.21/34

Dwarf

A bombing program:

0 DAT 4 Counter.1 ADD #5 -1 Increment counter by 5.2 MOV #0 @-2 Bomb address 4.

→ 3 JMP -2 Loop.

Core War – p.22/34

Dwarf

A bombing program:

0 DAT 9 Counter.1 ADD #5 -1 Increment counter by 5.

→ 2 MOV #0 @-2 Bomb address 9.3 JMP -2 Loop.

Core War – p.23/34

Dwarf

A bombing program:

0 DAT 14 Counter.1 ADD #5 -1 Increment counter by 5.

→ 2 MOV #0 @-2 Bomb address 14.3 JMP -2 Loop.

Core War – p.24/34

Dwarf

A bombing program:

0 DAT 14 Counter.1 ADD #5 -1 Increment counter by 5.

→ 2 MOV #0 @-2 Bomb address 14.3 JMP -2 Loop.

Systematically bombing: 4, 9, 14, 19, 24, 29, . . . .

Effectively terminating opponent.

Core War – p.25/34

MARS

A MARS is a simulator for the Core virtual machine.

Most popular one is pMARS (portable MARS).

Freely available from the internet.

Core War – p.26/34

Malicious Code

Easy Cases:

What if applications run wild like Redcodeprograms?

Multiprogramming Operating Systems(e.g., UNIX, WinXP)

How do you know the programs you downloadfrom the internet behave in a benign way?

Virus scanners

Core War – p.27/34

Malicious Code

Hard Cases:

Mobile code: embedding programs intransactions!Plug-ins: what if your left hand does not trust yourright hand?

One promising solution approach . . .

Core War – p.28/34

Language-based Security

Use a safe language for software distribution.

Then use programming language technologies toenforce security.

Example: Java Virtual Machine (JVM)

Core War – p.29/34

Protection Mechanisms in JVM

Virtual machineBytecode runs in a sandbox.Just like a MARS.

Strongly typedWriting to arbitrary address is forbidden.Sorry, Dwarfs not welcome.

Constrained control-flowBytecode never runs wild.Sorry, Imps not welcome.

Core War – p.30/34

Protection Mechanisms in JVM

Safe dynamic linkingNo type spoofing.No impersonation (or identity crisis) allowed.

Security managerComplete mediation.No unauthorized access.

Core War – p.31/34

What I do for a living

Language-based security researchPluggable Verification ModulesAegis VM (http://aegisvm.sourceforge.net)Type system for access controlMathematical theory of security policies

Core War – p.32/34

Where to go from here . . .

http://www.cs.uregina.ca/˜pwlfong/Projects/AnnualCo mputerCamps

Core War – p.33/34

Thank You

Core War – p.34/34