
Absolute protection system. An attempt at definition.

The article attempts to define an absolute protection system, against which any other protection system, including software protection systems for automated information systems (AIS), can be assessed.

Before synthesizing an absolute protection system, we will briefly characterize the main methods of protection found in living nature.

The results of the analysis of known methods of protection can be schematically presented in Fig. 1.


Fig. 1. Methods of protection.

Method 1.

Passive protection means completely block all possible channels of external threats. This is the main requirement of method 1. The downside of this method is the overhead of maintaining the «armor».

Since the «armor» is part of the whole system, its strength has a significant impact on the weight of the system and on its vital functions.

Method 2.

The second method involves abandoning strong «armor», giving preference to changing the location in space and time.

Reproduction (creating a copy of oneself) also belongs to the second method of protection, oriented along the time coordinate: it is a kind of passing of the baton in time.

Method 3.

The motto of this method is that the best defense is an attack.

Method 4.

This method is based on the ability to change oneself: techniques such as merging with the landscape, becoming like a tree leaf, etc. It allows one to become a different object, of no interest to the attacker.

It is also important that changing oneself inevitably affects the environment, thereby changing it as well. One can avoid using method 3 if one is clever enough to change the aggressor so that it turns into a slave or engages in self-destruction.

It is on this path that infections act as the main weapon, the analogue of which in cyberspace are, in my opinion, computer viruses.

This topic is discussed in more detail in [2], where the algorithmic commonality of biological, social, mental and computer infections is shown.

All of the listed methods have undergone thousands of years of experimental operation and actually exist in nature.

The hare, realizing that it cannot escape from the fox (change its location in space relative to the attacking object), tries to destroy the attacker. The lizard freezes motionless, merging with the landscape (changing itself), etc.

We see the same thing in the social world. Bulletproof vests and bunkers acting as armor implement the first method of protection. Fast legs and powerful engines — the second. Firearms — the third. Applying makeup or changing your worldview — the fourth.

Of course, ideally, we would like to determine the impact of each of the methods on the level of protection or on the quality of the functioning of the defense mechanism. It is clear that for each set of input data there is an optimal defense strategy.

The problem is to find out what exactly this input data set will be.

Therefore, in order to survive, it is not enough for a defending subject to master all four methods. It must be able to competently combine the named methods with the input events that fall upon it, or are capable of falling upon it.

Thus, we come to the formulation of the problem of organizing defense with the following input data:

1) defense methods;

2) forecasting methods;

3) a decision-making mechanism that uses the results of forecasting and the available defense methods.

Having defined the initial data, we can define an absolute protection system.

We will call an absolute protection system a system that has all possible methods of protection and is capable of predicting the occurrence of a threatening event at any moment of its existence in a time sufficient to activate adequate protection methods.

Let us return to the definition of a protection system and try to formalize it by defining a protection system as the triple

(Z, P, F) (1)

where Z = (Z1, Z2, Z3, Z4) are the protection methods and P is the forecasting mechanism. The result of the forecasting mechanism is a dangerous event that is expected to occur at time t1 (t1 > t), together with an estimate of the probability that it will occur, i.e.

P = (Sob, t1),

where Sob is the predicted event and t is the current time. F is a function of Z and P that takes a value greater than 0 if, within the time t1, the system is able to apply one of its existing protection methods adequate to the threat.

Then, if F(Z, P) > 0 for any t, the protection system (Z, P, F) is an absolute protection system.

An absolute defense system lies at the intersection of forecasting methods and defense methods; the worse the forecasting mechanism works, the more developed the defense methods should be and vice versa.
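The triple (1) and the trade-off just stated can be made concrete in a small model. The following Python code is an added example, not part of the original article: it assumes a hypothetical representation in which each method Z_i carries the threat classes it is adequate for and the time it needs to activate, the forecaster P is characterized by how far ahead it can see (its horizon), and F returns the time margin left after activating the best adequate method. The constructed methods and events are illustrative only.

```python
"""Toy model of the (Z, P, F) protection-system triple (added example).

Z: protection methods, each with its kind (1 armor, 2 relocation,
   3 destruction, 4 self-change), the threat classes it neutralises,
   and the time needed to bring it into action.
P: the forecast (Sob, t1) -- the predicted event and its expected time.
F: decision function; > 0 means an adequate method can be activated
   before the event arrives.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Method:
    name: str
    kind: int                 # 1..4 as in the article
    adequate_for: frozenset   # threat classes this method is adequate to
    activation_time: float    # time units needed to activate it


@dataclass(frozen=True)
class Forecast:
    event: str                # Sob: the predicted dangerous event
    t1: float                 # time at which it is expected (t1 > t)
    probability: float        # forecaster's confidence


def F(Z: Iterable[Method], P: Forecast, t: float) -> float:
    """Largest margin (t1 - t - activation_time) over adequate methods.

    Returns 0.0 when no method is adequate to the event, and a negative
    value when every adequate method is too slow to activate in time.
    """
    margins = [P.t1 - t - m.activation_time
               for m in Z if P.event in m.adequate_for]
    return max(margins) if margins else 0.0


def first_warning_time(event_time: float, horizon: float, t0: float = 0.0) -> float:
    """Earliest moment at which a forecaster with the given horizon sees the event."""
    return max(t0, event_time - horizon)


def is_absolute(Z: Iterable[Method], horizon: float,
                true_events: List[Tuple[str, float]], t0: float = 0.0) -> bool:
    """F(Z, P) > 0 must hold for every event the system will actually face."""
    Z = list(Z)
    for event, te in true_events:
        t = first_warning_time(te, horizon, t0)
        if F(Z, Forecast(event, te, 1.0), t) <= 0:
            return False
    return True


def required_horizon(Z: Iterable[Method], true_events: List[Tuple[str, float]]) -> float:
    """Forecast horizon the forecaster must *exceed* for the system to be absolute.

    For each event this is the activation time of the fastest adequate
    method; the worst event decides. inf means some event has no remedy.
    """
    Z = list(Z)
    needed = []
    for event, _ in true_events:
        times = [m.activation_time for m in Z if event in m.adequate_for]
        needed.append(min(times) if times else float("inf"))
    return max(needed) if needed else 0.0


# Constructed sample data (not from the article).
METHODS = [
    Method("armor", 1, frozenset({"intrusion"}), 0.0),
    Method("relocate", 2, frozenset({"intrusion", "fire"}), 2.0),
    Method("counterattack", 3, frozenset({"intrusion"}), 1.0),
    Method("camouflage", 4, frozenset({"reconnaissance"}), 0.5),
]
EVENTS = [("reconnaissance", 4.0), ("intrusion", 10.0), ("fire", 20.0)]

if __name__ == "__main__":
    for horizon in (1.0, 2.0, 2.5, 3.0):
        print(f"horizon={horizon}: absolute={is_absolute(METHODS, horizon, EVENTS)}")
    print("required horizon >", required_horizon(METHODS, EVENTS))
```

Running it shows the trade-off in numbers: with the slow "relocate" method as the only remedy for fire, the forecaster must see more than 2.0 time units ahead; a sharper forecaster could tolerate slower methods, and a faster method for fire would let the forecaster be worse.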

A schematic algorithm for the functioning of an absolute defense system can be presented in Fig. 2.

According to the algorithm of the scheme in Fig. 2, any system is protected: an individual, a state, a mafia structure, a bank, etc.

At the same time, of course, the completeness of the implementation of blocks and the content of databases for each system are different.


Fig. 2. Algorithm of the absolute protection system.

It is not difficult to project this scheme onto practical systems of state and/or individual protection; the analogies suggest themselves.

In particular, for the state:

forecasting of external events — intelligence;

forecasting of internal events — the Ministry of Internal Affairs;

methods of protection:

the first method (armor) — the border (border troops);

the second method (change of location) — exodus of the people to another land;

the third method (destruction) — the army;

the fourth method (self-change) — propaganda, sabotage, terror (Ministry of Foreign Affairs, Council of Ministers, etc.);

the decision-making unit — the government;

the unit for entering information into the database — analytical services.

More interesting, since no one has tried this yet, is to transfer the basic principles of building an absolute protection system to the area of software protection and to propose a functional structure for software systems protecting AIS.

Applied to the design of software systems protecting AIS, the above means that such a system should consist of the following blocks:

1) control of the environment and of the protection system itself. Here control should not be aimed at the current state of the system (checksum calculation and the like) but at the commands that are expected to be executed in the near future: control is exercised by emulating the commands to which control is about to be transferred [1];

2) password protection of the entire system and its individual elements, cryptographic protection methods (method 1), including integrity control;

3) periodic change of location of elements of the protective mechanism in the AIS (method 2). It is assumed that the main executable files responsible for the implementation of the forecasting mechanism and all protection methods should independently migrate in the computing environment (change disks, directories, computers) and change their names;

4) destruction of «unknown» software objects, which restores the prescribed environment (method 3 — «kill the stranger»). A degenerate version of this method is the well-known mechanism of forced restoration of the integrity of the environment;

5) self-modification of the executable algorithm and code (for more details, see [1]).

This block implements a periodic change of algorithm by selecting one from a set of equivalent algorithms (method 4). In addition, this method involves the use of software implants («bookmarks» in the original) and viruses to influence the «hostile» external environment.

Distributed (perhaps intentionally) software implants and viruses gradually prepare the computing environment for new software and hardware platforms.
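Blocks 2 and 4 above (integrity control, and the "degenerate" forced restoration of the environment) are the ones a defender can implement with ordinary means. The following Python code is an added example, not part of the article or of any of the author's software: it assumes a hypothetical manifest of SHA-256 digests taken from a trusted copy of the environment, signs that manifest with an HMAC so the protection system's own data is integrity-controlled, audits a directory against it (classifying objects as ok, modified, unknown or missing), and restores modified or missing objects from the trusted copy while moving unknown objects to quarantine instead of deleting them. The sample files it creates are constructed for the demonstration.

```python
"""Integrity control and forced restoration of a file environment (added example)."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large objects do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map of relative path -> digest for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over a canonical encoding, so the manifest itself cannot be silently edited."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def audit(root: Path, manifest: Dict[str, str]) -> Dict[str, list]:
    """Classify every object in the environment against the manifest."""
    current = build_manifest(root)
    return {
        "ok": sorted(n for n in current if manifest.get(n) == current[n]),
        "modified": sorted(n for n in current if n in manifest and manifest[n] != current[n]),
        "unknown": sorted(n for n in current if n not in manifest),
        "missing": sorted(n for n in manifest if n not in current),
    }


def restore(root: Path, trusted: Path, manifest: Dict[str, str], quarantine: Path) -> Dict[str, list]:
    """Forced restoration: rewrite modified/missing objects, quarantine unknown ones."""
    report = audit(root, manifest)
    for name in report["modified"] + report["missing"]:
        dst = root / name
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(trusted / name, dst)
    for name in report["unknown"]:
        dst = quarantine / name
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / name), str(dst))   # kept for analysis, not destroyed
    return audit(root, manifest)


def demo():
    """Build a trusted copy, tamper with the live copy, audit, restore. Returns (before, after)."""
    key = b"demo-manifest-key"                     # constructed; use a real secret in practice
    with tempfile.TemporaryDirectory() as tmp:
        trusted, live, quarantine = Path(tmp, "trusted"), Path(tmp, "live"), Path(tmp, "quarantine")
        for base in (trusted, live):               # constructed sample environment
            (base / "app").mkdir(parents=True)
            (base / "app" / "core.bin").write_bytes(b"\x7fELF-like-core-v1")
            (base / "app" / "config.ini").write_text("mode=safe\n")
        manifest = build_manifest(trusted)
        tag = sign_manifest(manifest, key)
        assert verify_manifest(manifest, tag, key)
        # Simulated tampering of the live environment.
        (live / "app" / "config.ini").write_text("mode=unsafe\n")
        (live / "app" / "stranger.exe").write_bytes(b"unknown object")
        (live / "app" / "core.bin").unlink()
        before = audit(live, manifest)
        after = restore(live, trusted, manifest, quarantine)
        return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

The manifest signature is what turns this from a checksum list into a controlled object: an attacker who can rewrite files can usually rewrite a plain digest list too, so the key must live outside the audited environment. Quarantining rather than deleting unknown objects keeps the evidence for incident response.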

As an example, consider the Microsoft software implant in Windows 3.1, described in detail by E. Shulman in Dr. Dobb's Journal ('Investigating the AARD code of the Windows system', N 3-4, 1994), whose purpose is to discredit the software products of competing companies.

At the same time, this «bug» uses every available means of self-protection: XOR coding, dynamic self-modification, and special anti-debugging techniques.

It must be admitted that the emergence of such an implant is as inevitable as the emergence of biological viruses in nature. It would be surprising if something like this did not arise at the very moment when the «battle of software products for their place under the processor» is in full swing.

Having thus defined the structure of the protective mechanism, we can move on to its quantitative assessment according to (1) and to determining the place of a specific protection system relative to the absolute one.

In my opinion, the proposed approach allows for some comparison of protection systems with each other by comparing them with the absolute protection system, which in this case is an unattainable ideal.

But that's another topic.

S.P.Rastorguev

Literature

1. S.P. Rastorguev. «Software Methods for Protecting Information in Computers and Networks». M.: Yachtsman Agency, 1993.

2. S.P. Rastorguev. «Infection as a Way to Protect Life». M.: Yachtsman Agency, 1996 (Tel.: 150-09-72).
