    Formalization of malware through process calculi

    Considering malware, a recent article underlines the fact that interactions with the execution environment, concurrency and non-termination prove to be important computational functionalities [3]. Indeed, malware, being resilient and adaptive by nature, makes intensive use of these functionalities to survive and infect new systems. The existing theoretical models in abstract virology mainly focus on the self-replication capacity, which is defined in a purely functional way [4],[5, Chpt.2-3],[6]. Unfortunately, these models rely on Turing-equivalent formalisms, which can hardly support interactive computations. With the appearance of interaction-based viral techniques, new models have thus been introduced to cope with this drawback, but losing the unified approach along the way. The appearance of k-ary malware is an obvious example. Indeed, such malware relies heavily on concurrency by distributing the malicious code over several executing parts. A new model based on Boolean functions has been provided to model their evolving interdependence over time [7]. A second relevant example is the appearance of reactive non-terminating techniques such as stealth, currently deployed in rootkits. Different models have been provided to cover stealth based either on steganography [8] or graph theory [9]. According to [3], by evolving towards interaction-dedicated formalisms such as process calculi, a unified, reference model for malware could be defined to sup arXiv:0902.0469v