Understanding Malware
Recently I set out to learn about malware. To organize my thoughts, I created a model of the relevant concepts. Malware involves software programs, so I needed to model programs - their inputs and outputs. I learned that malware involves an intent to cause harm, so I needed to model people creating programs with intent (either malicious or benign) and model the notion of harm. I learned that there isn’t a commonly accepted definition of malware. Some people define malware as software created with malicious intent; others define it as software that causes harm. I adopted the definition that malware is software created with malicious intent that, when executed, produces results that cause harm.
Below are statements of the entities and relations I expressed in my model. Please note that I use the word program rather than software. I distinguish between programs and inputs to programs. Inputs may be software, code, text, or binary. Programs process (execute/interpret) inputs. The objective is to determine which inputs are malware.
- Programs are created by people.
- Inputs to programs are created by people.
- Each input to a program produces one output.
- Given the same input, a program always produces the same output.
- A program is created to process a certain set of inputs and produce a certain set of outputs. The actual set of inputs into a program and outputs produced by a program might be larger. That is, the expected I/O is a subset of the actual I/O.
- When a person creates an input to a program, he has either benign or malicious intentions.
- Some outputs cause harm.
- The inputs that a program is created to process are benign. The outputs that a program is created to produce do not cause harm.
If the above statements are satisfied, then the following conclusions logically follow:
- Inputs that a program was created to process are not malware; only inputs that a program was not created to process can be malware.
- Software written with benign intent can be malware. There can be benign inputs that, when executed by a program, result in outputs that cause harm.
------------------------------
Modeling involves abstracting away irrelevant aspects and simplifying some relevant aspects. I showed the above statements to a friend and he identified things that my model had omitted and simplified. Below are my friend's comments, each placed after the statement it responds to (they appeared in red on the original page).
- Programs are created by people.
  Friend: Some programs are created by other programs. For example, Lex is given a grammar as input and outputs a parser (which is a program). So, a program created a program.
- Inputs to programs are created by people.
  Friend: Most of today's software is embedded software. Those programs get their inputs from sensors and actuators. So, most input is from non-humans.
- Each input to a program produces one output.
  Friend: If a program fails, it might not produce any output, or it might produce the wrong output, or it might produce the right output at the wrong time (which, essentially, is the same thing as the wrong output).
- Given the same input, a program always produces the same output.
  Friend: That is almost never true in embedded real-time programs. For example, the program's input is a coffee maker valve which controls water flow into the coffee machine and the output is the water level. Give the program the same input (valve) and almost always the output (water level) will be different.
- A program is created to process a certain set of inputs and produce a certain set of outputs. The actual set of inputs into a program and outputs produced by a program might be larger. That is, the expected I/O is a subset of the actual I/O.
  Friend: A program should always check inputs before processing them. So, the set of inputs that are processed should equal the set of inputs the program was created to process.
- When a person creates an input to a program, he has either benign or malicious intentions.
  Friend: As stated earlier, people aren't the only entities that create inputs. Do sensors and actuators have intentions?
- Some outputs cause harm.
  Friend: Okay.
- The inputs that a program is created to process are benign. The outputs that a program is created to produce do not cause harm.
  Friend: Consider a program that controls a wing. Input is from a pitot tube. Suppose there is ice on the pitot tube, resulting in input to the program which produces an output (wing configuration) that causes the plane to stall. The input is in the range expected by the program and has benign intentions (assuming a pitot tube has intentions) but the output produces harm.

If the above statements are satisfied, then the following conclusions logically follow:
- Inputs that a program was created to process are not malware; only inputs that a program was not created to process can be malware.
  Friend: Neat.
- Software written with benign intent can be malware. There can be benign inputs that, when executed by a program, result in outputs that cause harm.
  Friend: Yes, there are some inputs that are benign and yet result in harm. Nobody intended for the radiation system to cause harm, but due to errors in the system, someone was killed.
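To make the model concrete, here is an executable sketch of it in Python. It is an illustration added to this page, not the author's own code: the names Intent, Input, Output, Program and is_malware are my own, as are the two constructed toy programs (a heater controller and a wing controller). It encodes the adopted definition of malware (malicious intent and harm when executed), checks the two conclusions drawn from the model statements, and models two of my friend's objections: a program that checks its inputs before processing them, and an in-range but harmful pitot-tube reading.

```python
"""Executable sketch of the malware model above (added illustration, not the
author's code). Intent, Input, Output, Program, is_malware and the two toy
programs are assumptions made for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict


class Intent(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class Input:
    payload: str      # what the program receives (software, text, a sensor reading, ...)
    intent: Intent    # intent of whoever (or whatever) created the input


@dataclass(frozen=True)
class Output:
    value: str
    harmful: bool     # "some outputs cause harm"


@dataclass
class Program:
    name: str
    expected: Callable[[str], bool]     # the set of inputs the program was created to process
    process: Callable[[str], Output]    # what the program does with a payload it accepts
    validates: bool                     # whether it checks inputs before processing them

    def run(self, inp: Input) -> Output:
        """Deterministic: same input, same output (the model's own simplifying assumption)."""
        if self.validates and not self.expected(inp.payload):
            return Output("rejected", harmful=False)
        return self.process(inp.payload)


def is_malware(program: Program, inp: Input) -> bool:
    """Adopted definition: created with malicious intent AND, when executed, causes harm."""
    return inp.intent is Intent.MALICIOUS and program.run(inp).harmful


# Toy program 1 (constructed): a heater controller created to process setpoints 0..100.
# Its processing routine assumes that range and overheats on anything larger.
def _setpoint_ok(payload: str) -> bool:
    return payload.isdigit() and 0 <= int(payload) <= 100


def _apply_setpoint(payload: str) -> Output:
    if not payload.isdigit():
        return Output("no_output", harmful=False)   # failure mode: nothing usable is produced
    degrees = int(payload)
    return Output(f"heat_to_{degrees}", harmful=degrees > 100)


unchecked_controller = Program("heater (no input check)", _setpoint_ok, _apply_setpoint, validates=False)
checked_controller = Program("heater (checks inputs)", _setpoint_ok, _apply_setpoint, validates=True)


# Toy program 2 (constructed): a wing controller whose pitot-tube reading is in range,
# but whose design answers a (falsely) near-zero airspeed with a stall-inducing command.
def _airspeed_ok(payload: str) -> bool:
    return payload.isdigit() and 0 <= int(payload) <= 600


def _configure_wing(payload: str) -> Output:
    knots = int(payload)
    return Output("nose_up", harmful=True) if knots < 60 else Output("cruise", harmful=False)


wing_controller = Program("wing (checks inputs)", _airspeed_ok, _configure_wing, validates=True)


def classify_examples() -> Dict[str, bool]:
    """Run the model's claims against the toy programs and return each verdict."""
    oversized = Input("999", Intent.MALICIOUS)      # outside the expected set, crafted to cause harm
    ordinary = Input("50", Intent.MALICIOUS)        # inside the expected set, whatever the intent
    iced_pitot = Input("0", Intent.BENIGN)          # in range, benign origin, harmful result
    return {
        # conclusion 1: an expected input is never malware, even if its creator meant harm
        "expected_input_is_malware": is_malware(unchecked_controller, ordinary),
        # an unexpected input can be malware when the program processes it unchecked ...
        "unchecked_unexpected_is_malware": is_malware(unchecked_controller, oversized),
        # ... but checking inputs first removes the harm, and with it the malware verdict
        "checked_unexpected_is_malware": is_malware(checked_controller, oversized),
        # conclusion 2 / pitot tube: harm without malicious intent is not malware here
        "iced_pitot_output_harmful": wing_controller.run(iced_pitot).harmful,
        "iced_pitot_is_malware": is_malware(wing_controller, iced_pitot),
    }


if __name__ == "__main__":
    for claim, verdict in classify_examples().items():
        print(f"{claim}: {verdict}")
```

The heater pair shows why my friend's input-checking point matters for the model: the same out-of-range input is malware for the unchecked program and not for the checked one, because the definition needs harm to actually occur. The wing controller shows the opposite gap: every input is within the expected set, so the model's statements say no harm should follow, yet the design flaw produces a harmful output from a benign input.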
------------------------------
Recall that I adopted the definition that malware is software created with malicious intent and when executed causes harm. Here's what my friend had to say about that:
Suppose there is a flaw in a program's design, which exposes a vulnerability that someone exploits; is that program malware? Is a buggy implementation malware just because it can be exploited? I think it was SSH that had a bug in it for something like 10 years until someone exploited the bug. Was the SSH program malware for the 10 years that the bug wasn't detected? What if there is a flaw in a program's design that has the potential to cause harm, e.g., a flaw in the aircraft's software that may cause it to crash. Is that malware?
Translations
This web page has been translated to Turkish by Zoltan Solak http://thesciencexperts.com/kotu-amacli-yazilimlari-anlama/
This web page has been translated to Macedonian by Katerina Nestiv http://sciencevobe.com/2019/10/25/understanding-malware/
This web page has been translated to Bosnian by Amina Dugalić http://the-sciences.com/2019/06/19/understanding-malware/
Slovak translation by tr-ex.me
This web page has been translated to Croatian by Milica Novak http://pro4education.com/understanding-malware/
Last Updated: August 23, 2021. Author: Roger Costello