Raymond W. Lo

Refereed paper: MCF: a malicious code filter

The goal of this research is to develop a method to detect malicious code (e.g. computer viruses, worms, Trojan horses, and time/logic bombs) and security-related vulnerabilities in system programs. The Malicious Code Filter (MCF) is a programmable static analysis tool developed for this purpose. It allows the examination of a program before installation, thereby avoiding damage a malicious program might inflict. This paper summarizes our work over the last few years that led us to develop MCF.

A probabilistic limit on the virtual size of replicated disk systems

Recently, there has been considerable interest in parallel disk drive systems, in which full or partial replication of the stored data is used for both fault tolerance and enhanced performance. The performance-enhancement derives both from the ability to do parallel reads, and from the reduction of seek time which results from being able to assign a read to whichever drive will produce the shortest seek. Although earlier work implied that for a k-drive system, mean seek distance for read converges to 0 as k to alpha , a refined analysis is presented which shows that this limit is actually nonzero. It is further shown that the system behaves probabilistically as if k were small, no matter how large the physical value of k is. >

Towards a testbed for malicious code detection

An environment for detecting many types of malicious code, including computer viruses, Trojan horses, and time/logic bombs, is proposed. The malicious code testbed (MCT) is based upon both static and dynamic analysis tools developed at the University of California, Davis, which have been shown to be effective against certain types of malicious code. The testbed extends the usefulness of these tools by using them in a complementary fashion to detect more general cases of malicious code. Perhaps more importantly, the MCT allows administrators and security analysts to check a program before installation, thereby avoiding any damage a malicious program might inflict.<<ETX>>

A 'greedy' approach to the write problem in shadowed disk systems

There has been considerable interest in parallel disk drive systems, in which replication of the stored data is used for both fault tolerance and enhanced performance. It has been discovered that performance gains are limited by the fact that no matter how large the number of disk drives, the system still behaves probabilistically like a small system. These findings are summarized, and a greedy, that is, anticipatory, approach is proposed to deal with the problem. In this approach idle read/write heads are moved to positions which will minimize the expected seek time of the next disk access request. Substantial performance gains are found to accrue.<<ETX>>

Validation of array accesses: integration of flow analysis and program verification techniques

A program that accesses an out‐of‐bound array element can cause unexpected behaviour that is unacceptable to safety‐critical or security‐critical systems. Two traditional compile‐time approaches to array bound checking are flow analysis and program verification. This paper presents a new approach, IFV, that integrates flow analysis and program verification techniques. IFV is generally about as effective as program verification yet runs in about the same time as flow analysis. Its typical runtime is proportional to the product of the program size and the number of declared variables. IFV matches loops to templates, which represent commonly occurring loop patterns, to discover loop invariants automatically, which it then uses to strengthen flow analysis. With only seven templates, it handles many common array‐access patterns. Patterns not verified by flow analysis are processed with verification techniques entirely automatically. This paper also describes a prototype IFV system that performs compile‐time array bound checking for programs in a subset of C.