Procedia Computer Science 57 (2015) 1324 - 1331
3rd International Conference on Recent Trends in Computing 2015 (ICRTC-2015)
Formalizing and Verification of an Antivirus Protection Service using Model Checking
Adalat Safarkhanlou a, Alireza Souri* a, Monire Norouzi b, SeyedHassan Es.haghi Sardroud a
a Islamic Azad University, Hadishahr Branch, Hadishahr, Iran
b Department of Computer Engineering, Islamic Azad University, Soofian Branch, Soofian, Iran
Abstract
In this paper, a protection service model is proposed for an antivirus system. The proposed model focuses on keeping the system in a secure state. According to the proposed antivirus model, the required behaviour is specified as extended state machine diagrams and translated into temporal logic properties using the Computation Tree Logic language. The proposed model is also converted into a Kripke structure using formal verification techniques. To prove the correctness and reachability of the proposed model, some of its properties are verified with the NuSMV model checker.
© 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Peer-review under responsibility of organizing committee of the 3rd International Conference on Recent Trends in Computing 2015 (ICRTC-2015)
Keywords: Antivirus system, State transition system, verification, Kripke structure, NuSMV.
1. Introduction
Today, antivirus software [1] holds an important position in business and software development. Any computer requires a security application to maintain the regularity and security of its data and installed software. In recent years, many attacks [2] on home systems, bank servers and military systems have been carried out by viruses and malware. Information maintenance and the prevention of unauthorized data access are the main reasons for using anti-malware against attacks and against the data destruction that invasive malware [3] causes widely and suddenly. So, computer users need powerful security applications that secure their systems against attacks by viruses and malware [4].
Most attacks on computer systems [5] have two phases. In the first step, a malware tries to disable the security applications of the target computer system. After disabling these applications, a malware such as a Trojan tries to get access to the important data in the computer system. Malware such as viruses remove a set of special files or destroy important files. Some attacks are executed and directed by intelligence agencies and hackers against the target computer systems and users. Some attacks do not need to destroy the security application of the computer system. These attacks are executed by hiding themselves in URL web addresses or in files created with commonly used software such as Microsoft Office, Adobe Reader, WinZip, etc. This type of attack benefits from vulnerabilities in that software. The online security mechanisms of the anti-malware defend the computer system against these types of attacks. Offline security mechanisms only slightly prevent unauthorized data access in the computer system. However, as software technology grows in complexity and scope, attackers discover new defenceless spaces in systems that are informally called "holes" [6].
* Corresponding author. Tel.: +989125165630; E-mail address: alirezasouri.research@gmail.com
1877-0509. doi: 10.1016/j.procs.2015.07.443
Due to some specific problems, verifying security applications such as antivirus systems is very important and essential in the security discussion [7] of computer systems. There are several antivirus applications on the software market, such as Bitdefender†, Kaspersky‡, Avira§ and others**. Each of these applications competes with the others by presenting more services and easy updating. Of course, computer viruses [8], spyware [9], Trojans, worms [10] and other new malware debut every day.
In this paper, we present a protection service model for the antivirus system [11]. The proposed model focuses on maintaining a safe state of the system. We translate the proposed model into a Kripke structure [12] using model checking techniques [13]. For the antivirus system, we show how the specifications of the system can be verified using Computation Tree Logic (CTL) [14]. So, in the results of verifying the proposed model, if the system output is true, then the state of the system is safe and we are sure that the system satisfies the properties. Otherwise, if the system output is false, then the CTL rules yield a counterexample on a specific path, which shows that the system is unsafe on this path and does not satisfy the properties. Given the special conditions of antivirus system security, the counterexamples can be very useful, because by modifying these paths we can improve the secure states of the system.
This paper is organized as follows: some of the related work is reviewed in Section 2. Section 3 presents the antivirus system model. We show how the states of the antivirus system are converted into a state chart model, and some specifications of the system are defined using CTL rules. In Section 4, the implementation of the proposed model in the NuSMV†† model checker is presented. Finally, the conclusion and future work are provided in Section 5.
2. Related Work
Formal verification techniques can be used for the analysis of antivirus and security systems [15]. An antivirus model is used in designing antivirus software and security protocols. Formal verification of an antivirus model using model checking methods is a new idea in software development. Some researchers have used formal verification methods for the analysis and verification of software systems. Livadas and Lynch [16] investigated how formal techniques can be used for verifying hybrid systems. They presented the hybrid I/O automaton model and applied it to the specification and verification of hybrid systems. Qianchuan and Krogh [17] showed how CTL specifications for a state chart can be verified using a finite-state model checker. In [18], a new model was presented for verifying a website using Linear Temporal Logic (LTL) and formal methods. The authors modelled the web pages of a website as states and converted the HTTP protocol of the website into transitions between the states.
† http://www.bitdefender.com/site/view/our-story.html
‡ http://www.kaspersky.com/about
§ http://www.avira.com/en/for-home
** http://www.pcmag.com/article/print/256703
†† http://nusmv.fbk.eu/
As another piece of research in this scope, Bentahar, Yahyaoui et al. [19] modelled composite web services based on a separation of concerns between operational and control behaviours. Some desirable properties such as deadlock freedom, safety and reachability were analyzed. The proposed behaviours were converted into Kripke structures using model checking techniques based on Binary Decision Diagrams. The Kripke structure models were also translated into Symbolic Model Verifier (SMV) code by means of a Java converter tool. Then the models were verified with the NuSMV model checker.
Souri and Navimipour [20] proposed an adapted resource discovery approach for addressing multi-attribute queries in grid computing. They presented a behavioural model for their approach, separated into data gathering, discovery and control behaviours. They used Kripke structures for modelling these behaviours and verified the behavioural models with the NuSMV model checker.
As reviewed in this section, and to the best of our knowledge, formal modelling and verification of antivirus systems has not been studied thoroughly and completely up to now. Therefore, formal verification and modelling of an antivirus system is an interesting subject for study. In the next section, we present a model for the antivirus system and analyze the temporal logic of this model.
3. Antivirus Model
This section shows our proposed antivirus model, which has two parts: PC protection and Internet protection. In the PC protection part, the aim of the antivirus is scanning files, finding malware such as viruses, Trojans and worms, and finally deleting them from the system. By using offline scanning in the PC protection part, we can prevent infected files from entering the system. In the Internet protection part, the antivirus should check the system security in offline and online statuses automatically. We describe malware attacks on the system in these statuses; so, when the antivirus identifies an infected or suspicious file as malware in real-time status, it should remove the infected file immediately. A good antivirus should present accurate information about the system security status to the user, in addition to performing the system protection and system scan operations. In a systematic view, the user should be aware of the system security status. So, there are suitable relations between the PC protection and Internet protection parts of the system protection and the system status awareness.
In this section, we describe the states of the antivirus system. We also present a model of the antivirus system which we can verify using formal verification techniques. Our proposed antivirus system includes two main parts: the status section and the system protection section. In the following, we give a brief description of these parts. The status section shows the computer security status. This section also displays information about the system protection section, which includes the PC protection state and the Internet protection state. One of the important pieces of security information in the antivirus system is the system update status, which is shown in the status section. Offline and online scanning are run in the states of PC protection and Internet protection.
The PC protection status navigates the system scanning and real-time protection operations in offline mode. The system scanning operations can be run in two modes for scanning and removing malware. The first mode is scanning local drives such as hard disks, CD-ROM drives, DVD drives, USB sticks, etc. and removing files that contain viruses, worms and Trojans. The second mode is scanning and protecting the Windows System Directory (WSD) on Microsoft Windows, because the important system files are held in the path "C:\Windows\System32". Some malware attacks have occurred in this path. The WSD files must be protected by the system scanning operations with offline scanning. In the real-time operations, whenever a file is loaded from the hard disk into RAM and the CPU executes operations on it, the online scanning process is executed on the file path. In this process, when the antivirus system finds an infected file or a malware, it removes the file automatically [21]. The Internet protection status navigates the web protection operations in online mode. In the web protection operations, whenever a web address or URL is requested through a web browser, the antivirus system executes the online scanning process on the URL path. In this status, various files such as audio files (*.mp3, *.wav, *.wma, ...), video files (*.mpg, *.avi, *.mkv, *.flv, ...), executable files (*.exe, *.dll, ...), electronic documents (*.pdf, *.ps, *.doc, ...) and archive files (*.zip, *.rar, *.tgz, ...) can be transferred from the web to the system. So, our proposed antivirus system should allow the user to manage the scanned files in two ways: Interactive and Automatic. According to the above descriptions, we present the following state transition diagram of the antivirus system.
Fig. 1. State transition diagram of Antivirus.
In Figure 1, there are seven states and two final states for the antivirus system settings. The important antivirus settings and operations are displayed as the seven states. Based on the system settings, the final security status of the system is evaluated as safe or unsafe. Transitions represent the choices or antivirus setting options that determine the final security status of the system. In other words, these connections organize the procedure of the system security. In the following, we specify the states and the transitions of each connection:
1. Update = (True, False)
2. The system Protection = (PC protection, Internet Protection)
3. Real-time Protection = ( Deactivate, Activate)
4. Web Protection = ( Deactivate, Activate )
5. File = ( Local drives, Windows system directory)
6. URL = ( Interactive, Automatic)
7. Scan = (Remove, Ignore)
When the antivirus software is installed on a system, the software is updated immediately after installation. So, we consider the Update state as the root of the tree and the initial state of the system. First, the update state of the antivirus system is determined; the two choices are true and false. If the antivirus is not updated, we can assume that its state is unsafe, because in this condition the antivirus cannot protect the system against new malware. After updating the antivirus, the system protection state can be set to two values: PC protection and Internet protection. System protection can be set to both values at once, which means that both of these protections can be activated simultaneously.
The real-time protection can be set to two values: activate and deactivate. If the real-time protection of the antivirus is set to deactivated, the system is in the unsafe state. In this setting, the antivirus cannot protect the system against malware that operates on the system through events such as reading a flash memory.
The web protection can be set to two values: activate and deactivate. If the web protection of the antivirus is set to deactivated, the system is in the unsafe state. In this setting, the antivirus cannot protect the system against access to dangerous web pages.
If real-time protection is active, then the files of the Windows system directory (WSD) and the contents of the local drives are scanned. If web protection is active, then when a user wants to access a web page, the antivirus scans it in interactive mode or automatic mode. If we ignore the scanning of files or web pages, then the vulnerability of the system to infection grows and the system state may fall into the unsafe state. If the suspicious web page is closed or the infected files are removed, then the overall system state is safe.
In the following, we describe how the model of the antivirus system is formulated. Then by using formulated model, we present a Kripke structure for the antivirus model [22].
Definition 1. A state structure is a 4-tuple St = (S, E, R, L) where S is a finite set of states, E is a finite set of events, R is the transition relation and L is the state-labelling function [23].
In the antivirus system, the status and system protection sections are subsystems of the main system. In Definition 1, the state structure includes:
S = {Update, System Protection, Real-time Protection, Web Protection, File, URL, Scan, Safe, Unsafe}.
E = {(True, False), (PC Protection, Internet Protection), (Deactivate, Activate), (Deactivate, Activate), (Local Drives, WSD), (Interactive, Automatic), (Remove, Ignore)}.
R = {(Update, System Protection, True), (Real-time Protection, File, Activate), (Scan, Safe, Remove), ...}.
Now, we define the temporal rules for verifying the specification of the system using Computation Tree Logic [22]. In a state structure, a state label l ∈ L consists of three components (a state s ∈ S, an event e ∈ E and a transition relation r ∈ R), which is written s[e]/r.
By using verification techniques and the labelling function definitions we can determine whether the specifications of the model are satisfied or not. Since the protection service is very important to show in the antivirus system, the following properties are defined:
• AG ((AF (update-false) or AF (web-deactivate) or AF (realtime-deactivate)) -> AX (system-unsafe)).
• AG ((EF (url-automatic -> scan-remove)) & (EF (file-wsd -> scan-remove))).
• AG (file-local & scan-remove) -> AX (system-safe).
• EF ((url-automatic) or (url-interactive)) -> EF (system-safe).
• AG ((realtime-deactivate) or (web-deactivate)) -> EF (system-unsafe).
• EF ((realtime-deactivate) & (web-activate)) -> EX (system-unsafe).
• EF ((realtime-activate) & (web-deactivate)) -> EX (system-unsafe).
• AG ((realtime-activate) & (web-activate)) -> AX (system-safe).
Finally, after showing some CTL formulas in the antivirus model, we show how the expected specifications of the antivirus system are verified. In the next section, the implementation of the proposed model is shown.
4. Implementation
In this section, to check the properties defined in Section 3, the following commands are used in the NuSMV model checker. First, we read the SMV program named PS.smv, then flatten the hierarchy, encode the model variables and build the model. Figure 2 shows the results of model checking the CTL properties with the NuSMV model checker. In the implementation, our proposed model successfully detected some critical properties (shown in green).
Using the check_fsm command, we can check for deadlocks in the finite state machine of our proposed model as a performance evaluation. The results in Figure 3 show that our proposed protection service model is reachable, fair and deadlock free. Table 1 shows the evaluation results for the proposed model obtained with the NuSMV model checker tool. Also, when the model is verified by enumerating the whole state space ('Enumerative'), the number of BDD variables is 9, the number of sifted variables is 1000, the number of swapped variables is 1800000 and the total number of states is 838860.
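As an added worked example that is not part of the paper and not the authors' PS.smv model, the following Python script reconstructs the antivirus state structure of Section 3 as an explicit Kripke structure, evaluates CTL formulas with the standard fixpoint algorithms, and reproduces what check_ctlspec, print_reachable_states and check_fsm report: whether each property holds in the initial states, how many states are reachable, and whether the transition relation is total. The transition relation is an assumption derived from the prose (Fig. 1 is not reproduced here); each state is labelled by one value of the NuSMV variable state.state. The property names P1, P3, P4 and P8 and the helpers sat, holds and vacuous are names chosen for this example.

```python
"""Added example: explicit-state CTL checking of the antivirus state structure.

Not the paper's PS.smv model. The Kripke structure below is an assumption
reconstructed from the prose around Fig. 1; every state is labelled by one
value of the `state.state` variable, as in the NuSMV output.
"""

INITIAL = {"update-true", "update-false"}          # Update is the root state
TRANSITIONS = {                                     # constructed, assumed shape
    "update-false":        {"system-unsafe"},       # not updated -> unsafe
    "update-true":         {"pc-protection", "internet-protection"},
    "pc-protection":       {"realtime-activate", "realtime-deactivate"},
    "internet-protection": {"web-activate", "web-deactivate"},
    "realtime-deactivate": {"system-unsafe"},
    "web-deactivate":      {"system-unsafe"},
    "realtime-activate":   {"file-local", "file-wsd"},
    "web-activate":        {"url-interactive", "url-automatic"},
    "file-local":          {"scan-remove", "scan-ignore"},
    "file-wsd":            {"scan-remove", "scan-ignore"},
    "url-interactive":     {"scan-remove", "scan-ignore"},
    "url-automatic":       {"scan-remove", "scan-ignore"},
    "scan-remove":         {"system-safe"},
    "scan-ignore":         {"system-unsafe"},
    "system-safe":         {"system-safe"},         # self-loops keep the relation
    "system-unsafe":       {"system-unsafe"},       # total (no deadlock state)
}
STATES = frozenset(TRANSITIONS)


def reachable_states():
    """Forward closure from INITIAL (what print_reachable_states counts)."""
    seen, todo = set(INITIAL), list(INITIAL)
    while todo:
        for nxt in TRANSITIONS[todo.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return frozenset(seen)


def deadlock_states():
    """States without a successor; check_fsm reports the relation as not total."""
    return frozenset(s for s in STATES if not TRANSITIONS[s])


def pre(target):
    """EX: states with at least one successor inside `target`."""
    return frozenset(s for s in STATES if TRANSITIONS[s] & target)


def sat(f):
    """Set of states satisfying CTL formula f, given as nested tuples."""
    op = f[0]
    if op == "atom":    return frozenset({f[1]}) & STATES
    if op == "not":     return STATES - sat(f[1])
    if op == "and":     return sat(f[1]) & sat(f[2])
    if op == "or":      return sat(f[1]) | sat(f[2])
    if op == "implies": return (STATES - sat(f[1])) | sat(f[2])
    if op == "EX":      return pre(sat(f[1]))
    if op == "EF":                          # least fixpoint of Z = f | EX Z
        z, base = frozenset(), sat(f[1])
        while (nxt := base | pre(z)) != z:
            z = nxt
        return z
    if op == "EG":                          # greatest fixpoint of Z = f & EX Z
        z = sat(f[1])
        while (nxt := z & pre(z)) != z:
            z = nxt
        return z
    # Universal operators are evaluated through their existential duals.
    if op == "AX": return sat(("not", ("EX", ("not", f[1]))))
    if op == "AF": return sat(("not", ("EG", ("not", f[1]))))
    if op == "AG": return sat(("not", ("EF", ("not", f[1]))))
    raise ValueError(f"unknown operator {op!r}")


def holds(f):
    """check_ctlspec semantics: f must hold in every initial state."""
    return INITIAL <= sat(f)


def vacuous(f):
    """True when an implication passes only because no reachable state
    satisfies its antecedent: a 'true' verdict that proves nothing."""
    if f[0] == "AG":
        f = f[1]
    return f[0] == "implies" and not (sat(f[1]) & reachable_states())


def A(p):
    return ("atom", p)


# Four of the paper's properties, parenthesised as NuSMV parses them.
P1 = ("AG", ("implies",
             ("or", ("AF", A("update-false")),
                    ("or", ("AF", A("web-deactivate")), ("AF", A("realtime-deactivate")))),
             ("AX", A("system-unsafe"))))
P3 = ("implies", ("AG", ("and", A("file-local"), A("scan-remove"))), ("AX", A("system-safe")))
P4 = ("implies", ("EF", ("or", A("url-automatic"), A("url-interactive"))), ("EF", A("system-safe")))
P8 = ("implies", ("AG", ("and", A("realtime-activate"), A("web-activate"))), ("AX", A("system-safe")))

if __name__ == "__main__":
    print("reachable:", len(reachable_states()), "deadlocks:", sorted(deadlock_states()))
    for name, prop in [("P1", P1), ("P3", P3), ("P4", P4), ("P8", P8)]:
        print(name, "holds" if holds(prop) else "FAILS", "(vacuous)" if vacuous(prop) else "")
```

Run the script directly to print the verdicts. The vacuous check is the part a reviewer of Table 1 would want: if state.state is a single scalar variable, as the NuSMV output suggests, then a conjunction of two different values of it (for example file-local & scan-remove) is unsatisfiable in every state, so AG of that conjunction is false and any implication with it as antecedent is reported "true" without saying anything about the model. A property whose antecedent is never reachable should be rewritten (for instance in terms of a path, AG (file-local -> EF scan-remove)) before its verdict is read as assurance.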
Fig. 2. Verification of the CTL properties by using NuSMV model checker. (NuSMV interactive session; the screenshot text is reproduced here as plain text.)
    NuSMV > read_model -i PS.smv
    NuSMV > flatten_hierarchy
    NuSMV > encode_variables
    NuSMV > build_model
    NuSMV > check_ctlspec
    -- specification AG (((AF state.state = update-false | AF state.state = web-deactivate) | AF state.state = realtime-deactivate) -> AX state.state = system-unsafe) is true
    -- specification AG (EF (state.state = url-automatic -> state.state = scan-remove) & EF (state.state = file-wsd -> state.state = scan-remove)) is true
    -- specification (AG (state.state = file-local & state.state = scan-remove) -> AX state.state = system-safe) is true
    -- specification (EF (state.state = url-automatic | state.state = url-interactive) -> EF state.state = system-safe) is true
    -- specification (AG (state.state = realtime-deactivate | state.state = web-deactivate) -> EF state.state = system-unsafe) is true
    -- specification (EF (state.state = realtime-deactivate & state.state = web-activate) -> EX state.state = system-unsafe) is true
    -- specification (EF (state.state = realtime-activate & state.state = web-deactivate) -> EX state.state = system-unsafe) is true
    -- specification (AG (state.state = realtime-activate & state.state = web-activate) -> AX state.state = system-safe) is true
Fig. 3. Checking reachability and fairness of the proposed model. (NuSMV interactive session; the screenshot text is reproduced here as plain text.)
    NuSMV > print_reachable_states
    system diameter: 6
    reachable states: 15 (2^3.90689) out of 16 (2^4)
    NuSMV > print_fair_states
    fair states: 15 (2^3.90689) out of 16 (2^4)
    NuSMV > print_fair_transitions
    fair states: 15 (2^3.90689) out of 16 (2^4)
    NuSMV > print_fsm_stats
    Statistics on BDD FSM machine.
    BDD nodes representing init set of states: 5
    BDD nodes representing state constraints: 1
    BDD nodes representing input constraints: 1
    Forward Partitioning Schedule BDD cluster size (#nodes): cluster 1 : size 39
    Backward Partitioning Schedule BDD cluster size (#nodes): cluster 1 : size 39
    NuSMV > check_fsm
    The transition relation is total: No deadlock state exists
Moreover, Table 1 shows the verification results obtained with the NuSMV 2.4.3 model checker tool on a laptop with an Intel Core 2 Duo 8400, 2.4 GHz, 4 GB RAM and Windows 7.
Table 1. Verification result of all properties in the Antivirus model (columns: Property; Result; Time (s); Memory (KB)).
1. AG (AF (state.state = update-false) | AF (state.state = web-deactivate) | AF (state.state = realtime-deactivate) -> AX state.state = system-unsafe) — Satisfiable; 85.332; 46,236
2. AG ((EF (state.state = url-automatic -> state.state = scan-remove)) & (EF (state.state = file-wsd -> state.state = scan-remove))) — Satisfiable; 11.778; 12,952
3. AG (state.state = file-local & state.state = scan-remove) -> AX (state.state = system-safe) — Satisfiable; 26.785; 37,792
4. EF ((state.state = url-automatic) | (state.state = url-interactive)) -> EF (state.state = system-safe) — Satisfiable; 19.935; 17,792
5. AG ((state.state = realtime-deactivate) | (state.state = web-deactivate)) -> EF (state.state = system-unsafe) — Satisfiable; 16.597; 46,956
6. EF ((state.state = realtime-deactivate) & (state.state = web-activate)) -> EX (state.state = system-unsafe) — Satisfiable; 65.332; 89,136
7. EF ((state.state = realtime-activate) & (state.state = web-deactivate)) -> EX (state.state = system-unsafe) — Satisfiable; 20,021; 56,880
8. AG ((state.state = realtime-activate) & (state.state = web-activate)) -> AX (state.state = system-safe) — Satisfiable; 34,098; 75,231
5. Conclusion
In this paper, a model for an ideal antivirus system is presented. We showed how the antivirus system model is formulated using formal verification techniques. A specification relation between the system model and the Kripke structure, which provides the conditions for verifying the specifications of the system, is presented. We illustrated the expected properties of the system that can be specified and verified using formal methods. We also found suitable relations between the system specifications and the CTL rules. Finally, we verified some properties of the proposed model in the NuSMV model checker. The experimental results show that our model satisfies all of the specification rules and also has the expected logical properties of reachability, fairness and deadlock freedom. In future work, we will analyze the verification results on behavioural models of antivirus systems and find the correct relations between formal verification and CTL logic in an extended, real antivirus system.
References
1. Szor, P., The Art of Computer Virus Research and Defense. 2005: Addison-Wesley Professional.
2. Wang, W., et al., An immune local concentration based virus detection approach. Journal of Zhejiang University SCIENCE C, 2011. 12(6): p. 443-454.
3. Zhang, X.-s., et al., Proactive worm propagation modeling and analysis in unstructured peer-to-peer networks. Journal of Zhejiang University SCIENCE C, 2010. 11(2): p. 119-129.
4. Dube, T., et al., Malware target recognition via static heuristics. Computers & Security, 2012. 31(1): p. 137-147.
5. Ryan, J.J.C.H., et al., Quantifying information security risks using expert judgment elicitation. Computers & Operations Research, 2012. 39(4): p. 774-784.
6. Norouzi, M., S. Parsa, and A. Mahjur, A new approach for formal behavioral modeling of protection services in antivirus systems. International Journal in Foundations of Computer Science & Technology, 2014. 4(5): p. 57-67.
7. Schneider, F.B., Enforceable security policies. ACM Trans. Inf. Syst. Secur., 2000. 3(1): p. 30-50.
8. Singh, P.K. and A. Lakhotia, Analysis and detection of computer viruses and worms: an annotated bibliography. SIGPLAN Not., 2002. 37(2): p. 29-35.
9. Filiol, E., Viruses and Malware, in Handbook of Information and Communication Security, P. Stavroulakis and M. Stamp, Editors. 2010, Springer Berlin Heidelberg. p. 747-769.
10. Sellke, S.H., N.B. Shroff, and S. Bagchi, Modeling and Automated Containment of Worms. Dependable and Secure Computing, IEEE Transactions on, 2008. 5(2): p. 71-86.
11. Zhiqiao, W., et al., Integrated model for software component selection with simultaneous consideration of implementation and verification. Computers & Operations Research, 2012. 39(12): p. 3376-3393.
12. Clarke, E.M., O. Grumberg, and D.A. Peled, Model checking. 1999: MIT Press. 314 p.
13. Schlipf, T., et al., Formal verification made easy. IBM Journal of Research and Development, 1997. 41(4.5): p. 567-576.
14. Clarke, E. and E.A. Emerson, Design and synthesis of synchronization skeletons using branching time temporal logic, in Logics of Programs, D. Kozen, Editor. 1982, Springer Berlin Heidelberg. p. 52-71.
15. Gritzalis, S., D. Spinellis, and P. Georgiadis, Security protocols over open networks and distributed systems: formal methods for their analysis, design, and verification. Computer Communications, 1999. 22(8): p. 697-709.
16. Livadas, C. and N. Lynch, Formal verification of safety-critical hybrid systems, in Hybrid Systems: Computation and Control, T. Henzinger and S. Sastry, Editors. 1998, Springer Berlin Heidelberg. p. 253-272.
17. Qianchuan, Z. and B.H. Krogh. Formal verification of Statecharts using finite-state model checkers. in American Control Conference, 2001. Proceedings of the 2001. 2001.
18. Flores, S., S. Lucas, and A. Villanueva, Formal Verification of Websites. Electronic Notes in Theoretical Computer Science, 2008. 200(3): p. 103-118.
19. Bentahar, J., et al., Symbolic model checking composite Web services using operational and control behaviors. Expert Systems with Applications, 2013. 40(2): p. 508-522.
20. Souri, A. and N. Jafari Navimipour, Behavioral modeling and formal verification of a resource discovery approach in Grid computing. Expert Systems with Applications, 2014. 41(8): p. 3831-3849.
21. Park, Y., D.S. Reeves, and M. Stamp, Deriving common malware behavior through graph clustering. Computers & Security, 2013. 39, Part B(0): p. 419-430.
22. Clarke, E.M., O. Grumberg, and D.A. Peled, Model checking. 1999: MIT press.
23. Schneider, K., Verification of Reactive Systems: Formal Methods and Algorithms. 2004: Springer-Verlag.