Core War: Virtual Machines, Viruses, and Defense Against the Dark Arts
Philip W. L. Fong (pwlfong@cs.uregina.ca)
Department of Computer Science, University of Regina
Regina, Saskatchewan, Canada S4S 0A2
Overview
1. Core War – The Game
2. Malicious Code
3. Java Virtual Machine
4. My research
Core War – p.1/34
Core War
Author: A. K. Dewdney (1984)
Objective: Players launch virus programs that attempt to terminate each other.
The Core: Virtual machine architecture on which viruses execute.
Redcode: Assembly language for programming viruses.
MARS (Memory Array Redcode Simulator): Software simulator for the virtual machine.
The Core
A memory array of 8000 cells. Every cell holds an integer representing either an instruction or random data.

    0     -
    1     -
    ...
    7998  -
    7999  -

Array is circular: address 8000 = address 0.
The Rules
Competing viruses are loaded at random locations.
Viruses are executed in turns, one instruction at a time.
The first program to execute an illegal instruction loses.
Goal: Overwrite opponent with illegal instructions.
Redcode
Example: MOV 2 -1

Meaning:
    opcode  source  destination
    MOV     2       -1

Move the content 2 cells ahead to the location 1 cell behind.

Effect, before the instruction at 1374 executes:
    ...
    1373  -
    1374  MOV 2 -1
    1375  -
    1376  DAT 99
    ...

After:
    ...
    1373  DAT 99
    1374  MOV 2 -1
    1375  -
    1376  DAT 99
    ...
Self-Destruct
Here is a short Redcode program that self-destructs:

    ...
    MOV #0 1    Immediate addressing: move the number 0 into the next cell.
    -
    ...

After the MOV executes, the next cell holds DAT 0 and execution reaches it:

    ...
    MOV #0 1
    DAT 0       Illegal instruction! Execution terminated.
    ...
Imp
A self-replicating program:

    MOV 0 1    Copy itself to next address.

Each executed MOV 0 1 copies itself into the next cell, and execution then moves on to that copy:

    ...  MOV 0 1  -        -        -        ...
    ...  MOV 0 1  MOV 0 1  -        -        ...   Copy itself to next address.
    ...  MOV 0 1  MOV 0 1  MOV 0 1  -        ...   Copy again.
    ...  MOV 0 1  MOV 0 1  MOV 0 1  MOV 0 1  ...   Copy ...

Sweeping through the core. Overwriting opponent with itself, thereby forcing a tie.
Dwarf
A bombing program (execution starts at address 1):

    0  DAT -1        Counter.
    1  ADD #5 -1     Increment counter by 5.
    2  MOV #0 @-2    Bomb the address the counter points to.
    3  JMP -2        Loop.

Trace of the first three loops:

    ADD #5 -1   counter becomes DAT 4    MOV #0 @-2   Bomb address 4.    JMP -2   Loop.
    ADD #5 -1   counter becomes DAT 9    MOV #0 @-2   Bomb address 9.    JMP -2   Loop.
    ADD #5 -1   counter becomes DAT 14   MOV #0 @-2   Bomb address 14.   JMP -2   Loop.

Systematically bombing: 4, 9, 14, 19, 24, 29, ... Effectively terminating opponent.
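To make the Redcode execution on the Self-Destruct, Imp and Dwarf slides concrete, here is an added example, written for this page and not taken from the talk or from pMARS: a toy MARS in Python for the 1984-style subset the slides use (DAT, MOV, ADD, JMP with direct, immediate `#` and indirect `@` operands on an 8000-cell circular core). Beyond what the slides show, it assumes that ADD with a direct or indirect source adds that cell's B field to the target's B field; the immediate case (`ADD #5 -1`) is the one the Dwarf uses.

```python
from dataclasses import dataclass, replace
CORE_SIZE = 8000                         # the slides' core: address 8000 wraps to 0

@dataclass
class Cell:
    op: str = "DAT"                      # an empty cell ('-' on the slides) is DAT 0
    a_mode: str = ""                     # "" direct, "#" immediate, "@" indirect
    a: int = 0
    b_mode: str = ""
    b: int = 0                           # DAT keeps its data value in the B field

def parse(text):
    """'MOV #0 @-2', 'DAT -1' (data goes in B) or 'JMP -2' (target in A) -> Cell."""
    op, *fields = text.upper().split()
    fields = ["0"] + fields if op == "DAT" else (fields + ["0"])[:2]
    (am, a), (bm, b) = ((t[0] if t[0] in "#@" else "", int(t.lstrip("#@"))) for t in fields)
    return Cell(op, am, a, bm, b)

def load(program, origin):
    """Fresh core (all cells DAT 0) with the program's lines at origin, origin+1, ..."""
    core = [Cell() for _ in range(CORE_SIZE)]
    for offset, line in enumerate(program):
        core[(origin + offset) % CORE_SIZE] = parse(line)
    return core

def resolve(core, pc, mode, val):
    """Effective address of a direct or indirect ('@') operand, relative to pc."""
    addr = (pc + val) % CORE_SIZE
    return (addr + core[addr].b) % CORE_SIZE if mode == "@" else addr  # '@': follow B

def step(core, pc):
    """Execute the cell at pc; return the next pc, or None when it is illegal (DAT)."""
    if (ins := core[pc]).op == "DAT":    # data is not executable: the program dies
        return None
    src = ins.a if ins.a_mode == "#" else resolve(core, pc, ins.a_mode, ins.a)
    dst = resolve(core, pc, ins.b_mode, ins.b)
    if ins.op == "JMP":
        return src
    if ins.op == "MOV":                  # MOV #n writes DAT n; MOV addr copies the whole cell
        core[dst] = Cell(b=src) if ins.a_mode == "#" else replace(core[src])
    elif ins.op == "ADD":                # add to the target's B field (Dwarf's counter)
        core[dst].b += src if ins.a_mode == "#" else core[src].b  # B-to-B for non-# is assumed
    return (pc + 1) % CORE_SIZE

def run(core, pc, max_steps):
    """Run one program; return (still_alive, instructions_attempted)."""
    for attempted in range(1, max_steps + 1):
        if (pc := step(core, pc)) is None:
            return False, attempted
    return True, max_steps
```

Loading the Dwarf at address 0 and calling `run(core, 1, 9)` reproduces the slides' trace: the counter at cell 0 ends at 14 and cells 4, 9 and 14 have been overwritten with DAT 0, while the one-line self-destruct program dies on its second step.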
MARS
A MARS is a simulator for the Core virtual machine. The most popular one is pMARS (portable MARS), freely available from the internet.
Malicious Code
Easy Cases:
What if applications run wild like Redcode programs?
    → Multiprogramming operating systems (e.g., UNIX, WinXP)
How do you know the programs you download from the internet behave in a benign way?
    → Virus scanners
Malicious Code
Hard Cases:
Mobile code: embedding programs in transactions!
Plug-ins: what if your left hand does not trust your right hand?
One promising solution approach ...
Language-based Security
Use a safe language for software distribution. Then use programming language technologies to enforce security.
Example: Java Virtual Machine (JVM)
Protection Mechanisms in JVM
Virtual machine: Bytecode runs in a sandbox. Just like a MARS.
Strongly typed: Writing to an arbitrary address is forbidden. Sorry, Dwarfs not welcome.
Constrained control-flow: Bytecode never runs wild. Sorry, Imps not welcome.
Protection Mechanisms in JVM
Safe dynamic linking: No type spoofing. No impersonation (or identity crisis) allowed.
Security manager: Complete mediation. No unauthorized access.
What I do for a living
Language-based security research:
Pluggable Verification Modules
Aegis VM (http://aegisvm.sourceforge.net)
Type system for access control
Mathematical theory of security policies
Where to go from here ...
http://www.cs.uregina.ca/~pwlfong/Projects/AnnualComputerCamps
Thank You