
DETECTION OF BACKDOOR SECURITY ATTACKS USING ............ M. F. Al_badwi & RaviKumar
JOURNAL OF NATURAL AND APPLIED SCIENCES, Vol. 8 No.2 Dec 2004

Detection of Backdoor Security Attacks using
Time Fingerprints In a Novel Signature Scheme


Mohammed Fadle A. al_badwi
Computer Sci. & Engg. Department
University of Aden, Yemen

C. P. Ravikumar
Texas Instruments India
Wind Tunnel Rd, Bangalore, India



Abstract
Sharing and distribution of intellectual property over the Internet is a common
phenomenon today. However, a serious threat to this form of collaboration is
coming from backdoor attacks from hackers, who can modify the information
content to distort it. A backdoor attack may replace common operating system
functions with malicious ones. A possible precaution against such an attack is to
generate a signature database and compare the signature of system functionality
with its golden signature before using the functionality. We present an alternate and
novel method to detect Trojan activity. Called time fingerprinting, the method
relies on observing a finite number of fingerprints during signature generation and
tracing the Trojan fingerprints in system files. We have verified the desired
properties using common semi-trusted operating system files.

Keywords: Internet Security, Signature, Fingerprint, Trojan, and Testing.

1. INTRODUCTION
Trust is of vital importance in collaboration. The Internet provides a number of means
to collaborate on projects, such as e-mail groups, and users share files frequently through
these means. A serious threat to this form of collaborative computing comes from Trojan
attacks, where a seemingly harmless file contains malicious content [3]. For example,
attackers are known to replace system-related files that rarely undergo change, such as
the kernel image or system daemons. Trojans can result in annoying pop-up messages at
the minimum and corruption or deletion of data at the other end of the spectrum. Trojan
code in the login system functionality can intercept the user's password and forward it
to a hacker. Object reconciliation, which compares an object with an earlier version of
the same object, has been used as a solution. Checking for properties such as size, date or
time of modification is not a foolproof technique since a hacker can manipulate these. In
fact, a hacker can, through a trial-and-error procedure, insert malicious code and yet
generate a binary executable file which matches the original file in these properties that
are easy to test.

A checksum or another signature can be added to the file to authenticate the file
[1,4]. A database of the golden signatures is maintained on a separate server to minimize
the possibility of modifying both the golden and the file signatures. After downloading a
file, a user can check if the signature of the file matches the published signature and
discard the file if the signatures do not match. Signature checking is also well suited to
provide security to the mobile objects technology [6]. Software is divided into individual
code blocks. Legal code blocks of application are installed on the client beforehand.
When the client application starts, it is first connected to the designated server through
the network and additional code blocks are downloaded. Java Applets [5] and ActiveX
[2] are examples of mobile objects [5]. For security, each mobile object is associated
with a signature. The client must authenticate itself to the server at the start of the
application by transmitting the signature, which, in turn, is compared against the golden
signature by the server.

In this paper, a security measure is proposed that is faster in detecting the infected
illegal files and more efficient in terms of storage used. The signatures of the files are
generated using a technique known as Concurrent Intermediate Signature Comparison
(CIC). Signature comparisons are done at predefined time instants called legal time
fingerprints, which have the property that the original signature becomes equal to a
function of the message to be tested. This technique is applicable for all file types.

2. BASIC IDEA
A file is an ordered sequence of bytes, and for the purpose of signature
computation, we split the file into n blocks of b bits each. We may have to pad the file
with at most b-1 zeros. We refer to the file as the message under test (MUT) and write

MUT = C_1, C_2, C_3, ..., C_n,

where C_i is the i-th code block of the MUT. The notation C(i,k) is used to denote the k-th
bit of block C_i. Let C*_1, C*_2, C*_3, ..., C*_n be the blocks of the original Trojan-free
message. The MUT is compacted into a b-bit signature using a scheme such as the
multiple-input signature register or MISR [7]. Such a method uses a register S called the
signature register and initializes it to a seed value. For block i in the MUT the following
computation is repeated. Let S(k) denote the k-th bit of the signature register.

Let P = [P(0), P(1), ..., P(b-1)] be a b-bit 0/1 sequence chosen a priori. The
polynomial (1 + P(1)·x + P(2)·x^2 + ... + P(b-1)·x^{b-1}) is known as the characteristic
polynomial of the signature register.

S(k) = S(k-1) ⊕ C(i,k)                                          for k = 1, 2, ..., b-1
S(0) = [S(0)·P(0) ⊕ S(1)·P(1) ⊕ ... ⊕ S(b-1)·P(b-1)] ⊕ C(i,0)

(all bits are updated simultaneously from the previous contents of the register).

Let S_j be the content of the signature register after the input code blocks C_1, C_2,
C_3, ..., C_j have been applied. We refer to S_n as the signature of the MUT. Conventionally, S_n is
compared with the golden signature G_n of the original message and the MUT is
declared infected if S_n is different from the golden signature. We shall refer to S_j, 1 ≤ j <
n, as partial signatures of the MUT; we can also talk of a golden partial signature G_j, 1 ≤ j
< n, in the same spirit, which can be obtained by compacting C*_1, C*_2, C*_3, ..., C*_j into
the signature register. When the original message is altered, one or more code blocks C_j
will be different from the original block C*_j, and one or more partial signatures of
the MUT are likely to be different from the corresponding golden partial signatures. Unlike
conventional schemes, where only the final signature S_n is compared with G_n, comparing
multiple intermediate signatures with the respective partial golden signatures will
improve the confidence of the testing scheme. Conventional signature schemes suffer
from aliasing, which occurs when the signature of the infected message matches the
golden signature. The concept of partial signature matching reduces the probability of
aliasing.

Storing the golden partial signatures G_j in the database is expensive. We present a
solution to this problem, based on the notion of time fingerprints of the file. A legal time
fingerprint (LTFP) is a time instant i at which the golden partial signature G_i can be
indirectly derived from the blocks of the MUT. For example, consider the time instants
where G_i = C*_{i+1}, i.e. the (i+1)-th data block can be used in place of G_i in comparing the
signature S_i with G_i, eliminating the need for storing G_i. The reader may wonder
whether such time fingerprints will always exist for a message; our experiments indicate
that they do, and in fact, the existence of such fingerprints can be proved (Lemma 2).

A generalization of the above scheme is to define a legal time fingerprint as an
instant i where G_i = g(C*_{i+1}), where g is a one-to-one function. The choice of this
function is made such that the signature register procedure can be trivially modified to
perform the additional function of comparing the current signature with g(C*_{i+1}).






Figure 1 illustrates the idea behind a legal time fingerprint. The error bit Y at the time
instant i is defined as

Y_i = 0   if g(C_i) = S_{i-1}
      1   otherwise


The database consists of the indicator bits X at the time instant i, defined as

X_i = 1   if i is a legal fingerprint instant
      0   otherwise

The MUT is infected if the logical AND of bits X and Y is 1 at any time. A
fingerprint at instant i becomes illegal if S_{i-1} ≠ g(C_i). We now present arguments about
the effectiveness of our scheme in reducing aliasing. If a time fingerprint falls between
two modified code blocks, it is bound to reveal the infection of the message, which may
otherwise go undetected. This result is stated as the following lemma.


LEMMA 1: If, at time instant i, the partial signature S_i = G_i and C_h is the next
modified data code block, then the time fingerprint LTFP_j, i ≤ j < i+h, must
be illegal.

PROOF: Assume that a legal time fingerprint LTFP_{i+j} exists at time instant i+j,
0 ≤ j < h. This implies S_{i+j-1} = g(C_{i+j}). Further, C_{i+j} = C*_{i+j} by
assumption. Therefore, the partial signature S_{i+j-1} = G_{i+j-1}, for all i ≤ j < i+h. However,
we have a contradiction for i+j.

The legal time fingerprints may also be viewed as time instances at which to observe the generated
error bit Y and declare the message under test as infected if the error bit Y is 1. An
efficient way to generate the Trojan-free indicator bit X is to store only the instances of the
legal fingerprints.


3. CODE BLOCKS FUNCTIONS
We define an auxiliary Boolean function that maps a b-bit input to a b-bit output
by flipping j bits of the input, 0 ≤ j < b. There can be 2^b such functions and we refer to
them as H_0, H_1, ..., H_{2^b-1}. The function H_i flips the j-th bit position of the input if and
only if the binary representation of i contains a 1 in the j-th position. The function H_0 is the
identity function and leaves the input unchanged. Given a binary string B, let the function
ROTATE(B) refer to the rotation of B by 1 bit to the left. For reasons that will become
clear later, the signature function g is selected as

g(C*_{i+1}) = ROTATE(H_x(C*_{i+1}))

where x is determined as explained later. The legal fingerprint LTFP_{i+1} will thus refer
to a time instant i+1 where G_i = g(C*_{i+1}). We denote by D_M the set of all legal time
fingerprints of a message under test MUT:

D_M = { LTFP_{i+1} | G_i = ROTATE(C*_{i+1}), 1 ≤ i < n }

The pseudocode for generating the legal time fingerprints (LTFPs) of a given file
is shown in Figure 2. It illustrates the process of generating the error status Y for the
message under test. An MISR procedure is used to compact the blocks, as explained
earlier. At the same time, the block bits C_i^{b-1}, C_i^{b-2}, ..., C_i^1 are compared with the signature
bits S_{b-2}, S_{b-3}, ..., S_0, and S_{b-1} is EXORed with C_i^0. The values C_i^{b-j} ⊕ S_{b-j-1}, 1 ≤ j < b, and
C_i^0 ⊕ S_{b-1} are OR-ed together to generate the bit Y. (Replacing the OR by a NAND
implements the function H_{2^b-1}.)

/* Given the file msg to be tested for possible infection and the block size b,
   the file contents are segmented into n blocks. The characteristic polynomial
   P of the LFSR is fixed. */
Algorithm ERROR_STATUS (msg, b, g)
begin
    Initialize the signature register S with seed;
    Pad msg with zeros if necessary and compute n;
    for j = 1 to n do begin
        Set Y to False;              // Y is recomputed for every block (time instance j)
        // The feedback is formed from the register contents before block j is shifted in.
        FeedBackSignal = S[0].P(0) ⊕ S[1].P(1) ⊕ ... ⊕ S[b-1].P(b-1);
        // Bit b-1 of the register is compared with bit 0 of the block (the wrapped position).
        Y = Y OR ( S[b-1] ⊕ g(C_j^0) );
        for i = 1 to b-1 do begin
            S[i-1] = S[i] ⊕ C_j^{i-1};
            Y = Y OR ( S[i] ⊕ g(C_j^{i-1}) );
        endfor
        S[0] = FeedBackSignal ⊕ C_j^0;
        // Y is the error status signal at time instance j.
        // This signal is sampled at the time instances of the legal time fingerprints.
    endfor
end
Figure 2: Pseudo code for computing ERROR_STATUS
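As an added worked example (not code from the paper), the following Python implements the MISR compaction of Section 2 together with the fingerprint function g of Section 3, the legal-fingerprint database X, the error bit Y, and the X AND Y check that Figure 2 samples at the fingerprint instants. Everything numeric is constructed: the block size b = 8, the feedback pattern P (TAPS), the seed, the index x of H_x, and a 64-block "golden" file into which legal fingerprints are planted at instants 10, 30 and 50. Two conventions are assumptions of this example: ROTATE is taken as a one-bit rotate-right so that it undoes the register's upward shift, and instants are numbered t = 1..n with G_0 equal to the seed (the paper's D_M starts at instant 2).

```python
import random
from typing import List, Set

B = 8                                   # block size in bits (the paper's b)
MASK = (1 << B) - 1
TAPS = 0b10111000                       # constructed characteristic polynomial P: bit k set <=> P(k) = 1

def misr_step(s: int, c: int) -> int:
    """One MISR cycle on register s with input block c:
    S(k) <- S(k-1) XOR C(k) for k >= 1 and S(0) <- feedback XOR C(0)."""
    fb = bin(s & TAPS).count("1") & 1   # feedback = XOR of the tapped register bits
    return (((s << 1) & MASK) | fb) ^ c

def partial_signatures(blocks: List[int], seed: int) -> List[int]:
    """[S_0, S_1, ..., S_n] with S_0 = seed; S_n is the conventional final signature."""
    sigs = [seed]
    for c in blocks:
        sigs.append(misr_step(sigs[-1], c))
    return sigs

def rotate(c: int) -> int:
    """ROTATE(B): one-bit rotation of a b-bit value (rotate-right is assumed here)."""
    return (c >> 1) | ((c & 1) << (B - 1))

def unrotate(c: int) -> int:
    """Inverse of rotate(); used only to plant fingerprints into the constructed golden file."""
    return ((c << 1) & MASK) | (c >> (B - 1))

def g(c: int, x: int) -> int:
    """g(C) = ROTATE(H_x(C)); H_x flips bit j of C iff bit j of x is set, i.e. H_x(C) = C XOR x."""
    return rotate(c ^ x)

def legal_fingerprints(golden: List[int], seed: int, x: int) -> Set[int]:
    """Database X: the instants t with G_{t-1} == g(C*_t). Only these indices are stored,
    not the golden partial signatures themselves."""
    G = partial_signatures(golden, seed)
    return {t for t in range(1, len(golden) + 1) if G[t - 1] == g(golden[t - 1], x)}

def error_bits(mut: List[int], seed: int, x: int) -> List[int]:
    """Y_t = 0 if g(C_t) == S_{t-1}, else 1; index 0 is unused so that Y[t] is Y_t."""
    S = partial_signatures(mut, seed)
    return [0] + [0 if g(mut[t - 1], x) == S[t - 1] else 1 for t in range(1, len(mut) + 1)]

def is_infected(mut: List[int], database: Set[int], seed: int, x: int) -> bool:
    """The MUT is declared infected if X AND Y is 1 at any instant."""
    Y = error_bits(mut, seed, x)
    return any(Y[t] == 1 for t in database)

def make_golden_file(n: int, seed: int, x: int, plant_at: List[int]) -> List[int]:
    """Constructed Trojan-free file: n pseudo-random blocks, with C*_t chosen at each instant
    in plant_at so that G_{t-1} == g(C*_t) holds there (a legal time fingerprint)."""
    rng = random.Random(7)
    golden = [rng.randrange(1 << B) for _ in range(n)]
    for t in sorted(plant_at):
        G_prev = partial_signatures(golden[: t - 1], seed)[-1]
        golden[t - 1] = unrotate(G_prev) ^ x     # rotate(C XOR x) == G_prev
    return golden

SEED, X_FUNC = 0x3C, 0x05                        # constructed seed and H_x index
GOLDEN = make_golden_file(64, SEED, X_FUNC, [10, 30, 50])
DATABASE = legal_fingerprints(GOLDEN, SEED, X_FUNC)   # what the server stores, e.g. {10, 30, 50, ...}

def demo() -> tuple:
    """Clean file, a change before the first fingerprint, and a change after the last one."""
    early = GOLDEN[:]
    early[4] ^= 0x01                             # flip one bit of block 5 (instant 5 < 10)
    late = GOLDEN[:]
    late[63] ^= 0x01                             # flip one bit of the last block (instant 64)
    return (is_infected(GOLDEN, DATABASE, SEED, X_FUNC),
            is_infected(early, DATABASE, SEED, X_FUNC),
            is_infected(late, DATABASE, SEED, X_FUNC))
```

With P including the top register bit, the state transition of the register is invertible, so a single altered block can never alias: its effect is still present at the next legal fingerprint, where g(C_t) equals the golden G_{t-1} but no longer the MUT's S_{t-1}. The change in the last block, on the other hand, is only noticed if an accidental fingerprint happens to fall on instant 64; that weakness of the LTFP-only check is what Section 3.2's Trojan time fingerprints address.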



3.1 Legal Time Fingerprint Space Set
For a given seed, a file can have up to 2^b different sets of legal time fingerprints.
Since there are 2^b possible seeds for compacting b-bit code blocks, each file can also have
up to 2^b sets of legal time fingerprints for a given function H_x. Therefore, each file can have
up to 2^{2b} different sets of legal time fingerprints. The following lemma gives the
minimum number of LTFPs which can be obtained by implementing a suitable function H_x in
our tester application.


LEMMA 2: For a file segmented into n b-bit code blocks, there exists a function H_x
that leads to at least ⌈n/2^b⌉ legal time fingerprints, irrespective of the
characteristic polynomial and the initial seed of the LFSR routine.

PROOF: Let e be the b-bit vector obtained by comparing g(C_i) with the golden partial
signature G_{i-1}. A vector required to generate the time fingerprint for the file can assume
one of the 2^b possible values of e. In the worst case, 2^b successive vectors, corresponding
to 2^b successive code blocks of the file, are all distinct. Extending this argument, when
the file has N·2^b code blocks, a specified vector must repeat at least N times. Since any
vector can be implemented in the program as a legal time fingerprint LTFP for the file
with a suitable choice of function H_x, it is clear that when the file has n code
blocks, the least number of legal time fingerprints is ⌈n/2^b⌉.

Table 1 shows the number of LTFPs given by Lemma 2 and the simulated number of
LTFPs for some system files. Based on similar arguments as above, we can prove the
following lemma.


LEMMA 3: For a file segmented into n b-bit code blocks, there exists an initial seed
for the LFSR buffer which leads to at least ⌈n/2^b⌉ legal time fingerprints,
irrespective of the characteristic polynomial and the function.

Table 1: Number of LTFPs for some system files
(Bound = ⌈n/2^b⌉ from Lemma 2; LTFPs = simulated count)

File            Size (KB)   b=8, function H_0       b=10, function H_32
                            Bound    LTFPs          Bound    LTFPs
WINSOCK.DLL     22          88       25             18       20
OLE2.DLL        39          156      39             32       18
TCPTSAT.DLL     16          64       12             13       6
COMMON.COM      91          364      35             73       20
FORMAT.COM      49          196      18             40       35
CDPLAYER.EXE    32          128      31             26       12
TELNET.EXE      76          304      9              61       23
NETSTAT.EXE     32          128      54             26       18
PING.EXE        24          96       30             20       22
REXPROXY.EXE    58          232      37             47       35


3.2 Trojan Time Fingerprints TTFPs
The traditional signature-based antivirus programs protect systems from known
Trojans. This approach is vulnerable, as malicious code is becoming more complex to
detect. We have observed that the compaction of infected files yields many instants
similar to the legal fingerprints of the original file but occurring at different time
instants. These instants belong only to the malicious code. We call these instances
Trojan time fingerprints (TTFPs). A TTFP occurs at time instant i if

g(C*_i) ≠ G_{i-1}   and   g(C_i) = S_{i-1}

While the set of LTFPs for a particular file can be determined by simulating the
original file, no simulations are required to determine the Trojan time fingerprints
(TTFPs). Testing of infected files has shown that even a single malicious instruction added
to the document will generate an adequate number of TTFPs. We show that Trojan time
fingerprints have many superior properties over legal time fingerprints. A single Trojan
time fingerprint is sufficient to declare a file infected.
To see how the TTFPs enhance the detection technique, let us consider an infected file C
with two legal time fingerprints occurring at the time instances C[1,1] and C[7,6], as
shown in Figure 3. Regions A and B in this figure show the range of the erroneous partial
signatures for the infected file. Considering the second region (region B), the Trojan can
be detected by checking the legal time fingerprint of the file at the time instance
C[7,6], which turns out to be a faulty fingerprint. For the first region, the Trojan
cannot be detected by LTFPs, since there are no LTFPs in this erroneous region. However, this
Trojan can be detected if it generates a Trojan time fingerprint for itself, as shown by
the TTFP at the time instant C[3,5].











[Figure 3: Detection through LTFP & TTFP. A 10×10 matrix of the error output for the
infected file C, with LTFPs at C[1,1] and C[7,6], a TTFP at C[3,5], and Regions A and B
marking the ranges of erroneous partial signatures. Figure not reproduced.]

Trojan time fingerprints can be easily detected by a simple modification to the
procedure for detecting LTFPs, namely, summing up each bit of the database indicator
(say matrix X) with the corresponding bits of the error output matrix of the MUT (say
matrix Y). The analysis of the result of such an operation is as follows:

X_{i,j} + Y_{i,j} = 0 : fault detected, Trojan time fingerprint
                    1 : fault free, legal time fingerprint
                    2 : fault detected, illegal time fingerprint

Figure 4 illustrates this concept. Data in matrix X correspond to the database
indicator bits, with two LTFPs at time instances X[1,1] and X[5,4]. In case 1, the
sum X[5,4]+A[5,4] is 1, which indicates that file A is fault free. In case 2, the Trojan
in the infected file B is detectable by an illegal time fingerprint (ITFP) at the time instance
corresponding to the entry B[5,4], where the sum X[5,4]+B[5,4] becomes 2. In
case 3, the Trojan in the infected file C is detected by a Trojan time fingerprint (TTFP) at
the time instance corresponding to C[3,3], where the sum X[3,3]+C[3,3] becomes 0.

[Figure 4: Concept of the time fingerprints. Data in matrix X correspond to the
database indicator bits, with two LTFPs at time instances X[1,1] and X[5,4].
Matrix A corresponds to a fault-free file. Matrices B and C correspond to two
infected files detected by an ITFP and by a TTFP instance, respectively. In the 6×6
matrices, X is 1 only at [1,1] and [5,4]; A is 0 at [1,1] and [5,4]; B is 0 at [1,1] only;
C is 0 at [1,1], [3,3] and [5,4]; all other entries are 1.]














The merits of the Trojan time fingerprint concept are high. Any single TTFP represents a
signature of some Trojan. Looking for a single TTFP is similar to running a signature-
based antivirus program, without the need to actually know all the actual Trojan
signatures. The total number of TTFPs and their time instances can be used for the
diagnosis of the actual type of the Trojan that targeted the file.

Table 2: Number of LTFPs, faulty LTFPs (ITFPs), and TTFPs.

File under test               LTFPs   Faulty LTFPs   TTFPs
Original file   Common.com    9       0              0
Infected file   Com1*         9       9              17
                Com2*         9       5              8
                Com3*         9       2              3
* Infected Common.com files.

[Figure 5: Selective testing: to test segments 2 and 3. The file is drawn as
Segment 1, Segment 2, Seg 3, Segment 4, Seg 5; the test starts at segment 2 and
ends after segment 3. Figure not reproduced.]
Table 2 shows the number of legal and faulty (illegal) time fingerprints as well as the
Trojan time fingerprints for the DOS Common.com file. The original file Common.com
was modified at its beginning (com1), at the middle (com2), and at the last portion of the
file (com3). An infection at the initial portion of the file's content is easily
detected, with a large number of illegal time fingerprints and Trojan time fingerprints.
However, if the infection occurs only at the end of the file, the chance of detection is
lower, since only the last LTFP is affected and the number of TTFPs is small.
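The following Python is an added example (not the paper's code) that serves two passages at once: it makes Lemma 2 constructive by choosing H_x as the most frequent "flip pattern" over all instants and checking that the count meets ⌈n/2^b⌉, and it implements the X + Y classification of this section, counting LTFPs, illegal fingerprints (ITFPs) and Trojan fingerprints (TTFPs) in the layout of Table 2. The block size b = 8 (one block per byte, so a 22 KB file gives the bound of 88 seen in Table 1), the feedback pattern, the zero seed, the 2048-block golden file and the infection are all constructed here; ROTATE is taken as rotate-right and instants run t = 1..n with G_0 = seed, both assumptions of this example. The infection overwrites twenty blocks and then makes the Trojan carry a fingerprint of its own, so that at least one TTFP is guaranteed and the classifier's 0 case can be seen.

```python
import random
from collections import Counter
from typing import Dict, List, Set, Tuple

B = 8                                   # block size in bits (the paper's b); one block per byte
MASK = (1 << B) - 1
TAPS = 0b10111000                       # constructed characteristic polynomial P

def misr_step(s: int, c: int) -> int:
    """One MISR cycle: shift up, feed back the XOR of the tapped bits, XOR in the block."""
    fb = bin(s & TAPS).count("1") & 1
    return (((s << 1) & MASK) | fb) ^ c

def partial_signatures(blocks: List[int], seed: int) -> List[int]:
    """[S_0, S_1, ..., S_n] with S_0 = seed."""
    sigs = [seed]
    for c in blocks:
        sigs.append(misr_step(sigs[-1], c))
    return sigs

def rotate(c: int) -> int:              # ROTATE, taken here as a one-bit rotate-right
    return (c >> 1) | ((c & 1) << (B - 1))

def unrotate(c: int) -> int:            # inverse rotation
    return ((c << 1) & MASK) | (c >> (B - 1))

def g(c: int, x: int) -> int:           # g(C) = ROTATE(H_x(C)) with H_x(C) = C XOR x
    return rotate(c ^ x)

def best_function(golden: List[int], seed: int) -> Tuple[int, int]:
    """Lemma 2 made constructive: instant t is a legal fingerprint under H_x exactly when
    x == ROTATE^-1(G_{t-1}) XOR C*_t, so every instant 'votes' for one of the 2^b patterns.
    The most frequent pattern is the best x; by pigeonhole its count is >= ceil(n / 2^b)."""
    G = partial_signatures(golden, seed)
    votes = Counter(unrotate(G[t - 1]) ^ golden[t - 1] for t in range(1, len(golden) + 1))
    x, count = votes.most_common(1)[0]
    return x, count

def lemma2_bound(n: int) -> int:
    """ceil(n / 2^b), the guaranteed minimum of Lemma 2 (e.g. 22 KB at b = 8 gives 88)."""
    return -(-n // (1 << B))

def legal_fingerprints(golden: List[int], seed: int, x: int) -> Set[int]:
    """Database X: the instants t with G_{t-1} == g(C*_t)."""
    G = partial_signatures(golden, seed)
    return {t for t in range(1, len(golden) + 1) if G[t - 1] == g(golden[t - 1], x)}

def classify(golden: List[int], mut: List[int], seed: int, x: int) -> Dict[str, int]:
    """Per-instant sum X_t + Y_t, with X_t = 1 at a legal fingerprint and Y_t = 0 when
    g(C_t) == S_{t-1}: 1 = fault free, 2 = illegal fingerprint (ITFP), 0 = Trojan fingerprint (TTFP).
    Returns the counts in the layout of Table 2."""
    X = legal_fingerprints(golden, seed, x)
    S = partial_signatures(mut, seed)
    counts = {"LTFP": len(X), "ITFP": 0, "TTFP": 0}
    for t in range(1, len(mut) + 1):
        y = 0 if g(mut[t - 1], x) == S[t - 1] else 1
        total = (1 if t in X else 0) + y
        if total == 2:
            counts["ITFP"] += 1
        elif total == 0:
            counts["TTFP"] += 1
    return counts

RNG = random.Random(2004)
SEED = 0x00
GOLDEN = [RNG.randrange(1 << B) for _ in range(2048)]       # constructed Trojan-free file
X_FUNC, N_LTFP = best_function(GOLDEN, SEED)                # chosen H_x and its LTFP count

def infect(golden: List[int], seed: int, x: int, start: int = 100, length: int = 20) -> Tuple[List[int], int]:
    """Constructed infection: overwrite blocks start..start+length-1 with foreign bytes, then let
    the Trojan carry a fingerprint of its own (g(C_t) == S_{t-1} at an instant that is not a legal
    fingerprint of the original, so X_t = 0 and Y_t = 0). Returns the file and that instant."""
    mut = golden[:]
    for t in range(start, start + length):
        mut[t - 1] = RNG.randrange(1 << B)
    X = legal_fingerprints(golden, seed, x)
    plant = next(t for t in range(start, start + length) if t not in X)
    S_prev = partial_signatures(mut[: plant - 1], seed)[-1]
    mut[plant - 1] = unrotate(S_prev) ^ x
    return mut, plant

INFECTED, TTFP_AT = infect(GOLDEN, SEED, X_FUNC)

def summary() -> Dict[str, Dict[str, int]]:
    """Table-2 style counts for the clean file and for the infected one."""
    return {"clean": classify(GOLDEN, GOLDEN, SEED, X_FUNC),
            "infected": classify(GOLDEN, INFECTED, SEED, X_FUNC)}
```

For the clean file every instant sums to 1 (a legal fingerprint matches, a non-fingerprint mismatches), so ITFP and TTFP are both zero; for the infected file the ITFP count depends on how many legal fingerprints lie behind the altered region, while the planted instant always classifies as a TTFP, which is exactly the case that needs no stored database entry to be detected.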


4. SELECTIVE CODES TESTING
This section presents a technique to improve the efficiency of the test scheme for
large files. This method relies on partial checking of the file based on the following
observation. At the LTFP time instances, the partial signature stored in the signature
register is all zeros. Therefore, by selecting an initial seed of all zeros, the entire contents
of the MUT are divided into a number of segments equal to the number of LTFPs for
that message (see Figure 5). Each segment in the document is associated with two
LTFPs, the first at the beginning of the segment and the other at its end. The number of
blocks of each segment is equal to the total number of blocks included between these
two fingerprints. Based on this observation, we can run the test process on any individual
segment alone, or on a selected number of segments, or on the whole contents of the file.
Figure 5 illustrates the process of selective file testing in which only the second and the
third segments of the file are tested for Trojan infection.

4.1 Files Test Planning
It is too time consuming to test a large number of system files periodically (say
upon every login). Scheduling of the test planning for each individual file in the system
can be done in two separate sessions:

(1) Selective testing, where only a few segments are tested more frequently,
say daily. The number of segments to be tested can be predefined by
the user, and the segments themselves can be selected randomly.

(2) Complete testing, where all the files are tested thoroughly, say on a
weekly basis. The pseudocode for the selective test planning using both
LTFPs and TTFPs is shown in Figure 6. The user can select the segments
to be tested by identifying the first LTFP and the last LTFP instances of the
selected segments, referred to here as LTFP_start and LTFP_end, respectively.


Algorithm Selective_Test (FileArray)
// FileArray: set of files to be tested for Trojan infection
begin
    for each file in FileArray do
    begin
        Initialize the signature buffer;
        Select_segment(LTFP_start, LTFP_end);      // Select specific segments
        Start with the first block after the LTFP_start instant;
        while time <= LTFP_end do
        begin
            Generate the error bit Y;               // Check for both illegal and Trojan fingerprints
            // Y = True marks a mismatch; at a legal fingerprint instant that is an illegal fingerprint.
            if (LTFP instant and Y = True) OR (TTFP instant) then
            begin
                Declare file to be infected;
                Go to next file;
            end
        end
        Declare file to be Trojan-free;
    end;   // testing next file
end.
Figure 6: Pseudo code for Selective Test algorithm.

4.2 Optimising the Database Storage
Our simulation results indicate that each file can have a wide range of LTFP sets,
including the empty set (one that has zero LTFPs). Figure 7 shows an example of LTFP
sets for different functions in the simulation of the RexProxy.exe file. Different functions
yield different LTFP sets (see dashed circles). The appropriate fingerprint set for a file
is determined according to the following considerations:

(1) A large number of LTFPs allows early detection of the Trojan, but
increases the database space required to store such a set. The file
is segmented into a large number of small segments.

(2) With a small number of LTFPs, the size of the database storage is
reduced and the Trojan detection will depend on the existence of faulty
LTFPs and TTFPs.

(3) With an empty set of LTFPs, we eliminate the need for database
storage. The number of segments in the file in this case is one. The
testing of the file depends completely on the existence of at least one
TTFP.

Figure 7: Sets of LTFPs for the RexProxy.exe file for different functions.

5. CONCLUSION
In this work an alternate and robust method has been described for the detection
of Trojan code in system files based on the notion of time fingerprints. This approach
relies on (1) observing a finite number of fingerprints, which get generated during the
course of computing the file signature, and (2) tracing the Trojan time fingerprints in the
infected files. A benefit of our approach is that, because of these two techniques, the
detection of the Trojan code in the file becomes more reliable, faster, and requires less
space. The desired properties have been verified using common semi-trusted system files
for UNIX and DOS operating systems. The paper has also provided a technique to
reduce, or even eliminate, the storage of the signature database. The presented algorithm,
however, is relatively new, and further analysis is of course justified, as is the case with
any new proposal of this sort. A test plan mechanism that can support both partial and
complete testing of the file has also been presented in this work.

References:

[1] Black J., Halevi S., Krawczyk H., Krovetz T., and Rogaway P., 1999, UMAC: Fast and
Secure Message Authentication, in Advances in Cryptology - CRYPTO'99, Lecture
Notes in Computer Science, Springer-Verlag, pp. 216-233.
[2] Ernst A., 1996, Knowing ActiveX, New York, Prentice Hall.
[3] Harold T., Stuart A., and Paul C., 1999, A Framework for Modeling Trojans and
Computer Virus Infection, Computer Journal, 41(7), pp. 444-458.
[4] Necula G., January 1997, Proof-Carrying Code, in Proceedings of the 24th ACM
Symposium on Principles of Programming Languages (POPL), pp. 106-119, Paris,
France.
[5] Orfali S., and Harkey M., 1997, Client/Server Programming with Java and CORBA,
New York, John Wiley and Sons.
[6] Satoru T., Ryoichi S., and Masanori K., 2000, Seamless Object Authentication in
Different Security Policy Domains, Proceedings of the 33rd Hawaii International
Conference on System Sciences, pp. 129-136.
[7] Yarmolik V. N., and Demidenko S. N., 1988, Generation and Application of
Pseudorandom Sequences for Random Testing, New York, John Wiley and Sons.
