Slashdot Mirror
Computer Immune Systems
LL writes "We might soon be seeing commercial delivery of autoimmune security systems. Rather than the surface bit pattern detections of antivirus checkers, these system attempt to provoke virii in a secure area (IBM) or match network packets against signature tags (Forrest). The interesting plug is that the author suggests that large programs such as operating systems should be made in such a way that no two copies are exactly alike. Now guess what favourite beast has this trait?"
one would hope a good portion of that was spent on training the admins on keeping more secure systems (like having antivirus software and such on the server) and educating the user (no, just cause someone sends you something, doesn't mean you should run it)
Why dont these people just fix the fucking operating systems, or use BSD/Linux? The whole antivirus industry is based on and flourishes on microsofts incompetence.
Picture a kernel module named antibody.
How could this module detect intrusions into a Linux system?
Could this module be keyed into the checksums of the rpm system and keep any modified binary from being executed?
Could the rpm database itself be protected from modification by such a module?
Could this module detect that root access has been gained through an unusual port? Like normally a shell doesn't run through port 80. And kill that access?
What do you think?
How come you managed to get viruses right in your article, but it's misspelt in the title? There is no word virii. The plural of virus is viruses, as you demonstrated in the body but not the title of your posting.
There's that funny nonword again. Tsk.
Well, I don't know whether that was Insightful, but it was certainly Informative and Interesting. I hereby renounce all virii forever. :-)
I wonder why few people consider the ultimate defense against internet virii - unplug the cable. Before you object, let me tell you I have three computers at home (I kept my older "obsolete" machines), and the one that is hooked up to the Internet has NO important files on it. So if it gets trashed, I just wipe the drive and start over. It's like a quarantine. Of course, it is not a perfect solution...but it is one that should be considered.
- Get a dictionary: it's viruses.
- Install Unix.
Voilà! No more problems!I also fail to understand what the Internet has to do with this.
Installing UNIX is no guarantee of protection - it is much better than Windows, but you still gotta know what you're doing. There was an article about Internet viruses recently and how the Internet allows a new breed of viruses. When you are only on a private LAN or intranet, usually (but not always) you have some protection because of trust between coworkers, etc. - but when you're on the Internet, it is much much more likely to download or run into some kind of virus (such as when downloading software, privacy issues, Back Orifice, the numerous Outlook and Netscape security holes that pop up from time-to-time and hopefully(!) have all been fixed). Or your machine could get attacked or hacked into. It is still a fact that the best firewall is air (no connection at all). Thanks for the spelling correction - although I have also seen it the other way, maybe that person was also a bad speller!
There's a huge article a few postings back here about why Unix systems don't lend themselves to viral infection. You should read that. There's also one on the spelling crap. Happy reading.
You are right that UNIX is much much much more secure against viruses. I have two things to respond on that - 1) What happens if UNIX becomes a consumer OS and the dumb consumer does not know what they are doing, and 2) If a hacker is really determined, they will find a way - no security is perfect. For those who are running UNIX, you don't really have to worry much - but the "air" firewall is still the best defense there is. For those running the leaky Windows OS, the "air" firewall becomes much more compelling as a possible solution.
Nightmare Scenario
Somebody nasty (lets call her Ms. Nasty)puts a virus snippet into the binary Netscrape rpm distributed by redhat. Every binary rpm downloaded by that browser has "extra functionality" as provided by Ms. Nasty.
The binary installed by the rpm checks to see if it has superuser privs. If it does, it occasionally tacks "extra functionality" onto other binaries on the system.
For kicks, lets say it specifically starts playing with ssh, rsh, su, and stuff like that -- gathering passwords to other accounts on other systems. When it gains access, it quietly modifies other binaries so that they include the "extra functionality" as well.
The internet worm was dealt with so quickly because it was a resource hog. If this worm was more careful, by keeping its resource usage low, and keeping quiet when root or other su-empowered users were on, it could quietly (quickly?) spread over every networked linux that accepted external logins.
'I' is watakushi. It is also 'watashi'. 'atashi', 'boku', 'ore', and probably many others, depending on how polite you're being at the time.
Man, where is the moderation option for `WRONG'? :-)
The only thing more annoying that someone who actually knows Latin is the people who pretend they do.
Do living organisms not have dead ends also? The same thing happens with DNA, I suppose.
That every operating system could use this technology to _automatically_ detect and analyze the security holes that all systems have.
Security holes are found in Linux distributions all the time.
This would allow early detection of problems like wuftp allowing root access. This early detection and the automatic downloading of the patches would allow system administrators to fix security holes before they became problems.
The problem with this is that at their basest microbes and viruses are flexible biological molecules with no symbolic meanings.
Computer code (computer viruses) are binary characters and commands with specific and important symbolic meanings. To deal with sexual reproduction, one would have to deal with recombination of reproductive data - splicing, crossing over, etc. The problem is that code is too fragile! You have a protein mutation/genetic mutation, chances are it won't really adversely affect an organism (hey, most of our DNA is garbage introns that can afford to be corrupted), get one character or bit wrong in a virus's code and BAM! a non-working virus. IMHO, at this point in research computer code is too fragile/symbolically dependant to be treated like chemical molecules.
I forget which book it was mentioned in (either Richard Dawkins or Stuart Kaufmann), but they mentioned this criticality at which point systems can no longer withstand point changes without catastrophic failure.
Respectfully,
Kevin Christie
kwchri@wm.edu
Er, no. The survival strategy for all living things is to reproduce. (survival of the genes [code] is what governs an evolutionary proccess, not survival of the individual.) The way that biological viruses spread is by taking over cells and telling them "stop what you're doing and make me!" When your cells become to busy making a virus to do those nice cell things like respirating and keeping you alive, you die.
Computer viruses, if exposed to evolutionary pressures rather than being designed, would likely do the same - reproduce. The code would insert itself into a process and say "stop what you're doing and send out lots of copies of me to any other process you can!" When too many processes are busy making virus code instead of doing their job, you get a sick computer, even if the virus is "harmless" in terms of not being intended to make your computer crash.
Interestingly, automated immune systems for computers might have the same effect as our immune system does - making us feel sick. Most of our feeling of illness when we have low grade viruses like colds is not due to anything the virus is doing to us yet but the loss of energy to fighting it and side effects of our immune response, such as fevers. So with one of these systems, you would get a slow down of sorts from the extra processing of the anti-virus software even though the virus might not (at that level) be causing any problems.
Just some thoughts from someone who knows biology.
-Kahuna Burger (can't remember my password at work.)
Oh hush, AC.
I think virii has been pretty much accepted as a word, and as Mark Twain said "I have no respect for a man who can only spell a word one way."
~Chris Carlin
Chris Carlin
As the viable attacks will be the ones which survive, those will be the ones distributed, copied and reused. Within a given timeframe, by creating a "super-defence", you -ALSO- create "super-virii".
The problem with any evolving system is that it will remain, over a long enough time-frame, roughly in balance. Nothing can become super-strong, without in turn strengthening it's opponents, by natural selection.
Only a "truly perfect" defence will work, but no such defence exists, or even theoretically could exist. This leaves you with the "best practical" approach, which is to make things as protected as reasonably practical, and no more.
This kind of approach has the advantage that you don't accelerate (too much) the development of super-bugs (as medical practices have an unfortunate tendancy to do - idiots!) whilst offering a sensible level of protection against more common attackers.
Ideally, though, defences should do more than just defend. The more time you spend defending, the less time you have to do anything else. This, in itself, is a form of DoS attack on your system, via wetware rather than software, making the admins install so much protection that the system becomes unstable and/or unusable, under typical loads.
What you want is a form of defence which actually contributes to the rest of the system in other ways. That way, you are gaining overall by expending the resources, and don't run into the DoS trap.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you're talking about linux, why should it have this trait? Most people still use a stock kernel from their distribution. That's a lot of people using the Redhat binary kernel, say, which will be identical for every person using it.
Sure, you can play with the config or use patches or whatever, but a lot of the code will come out the same. It's not like the compiler puts some kind of unique fingerprint on the kernel you build.
axolotl
"Please fasten your seatbelts, as we are presently experiencing turbulence as the result of excessive metaphor shear."
;-) All in all, a nasty situation.
As much as I would absolutely love to fully envision the Net as a living, breathing organism...it isn't. There are aspects of biology that are appropriate, but I think it's fair to say that these researchers are presuming excessive organic/technical equivalence:
Technology is externally changed, quickly, and often within the same generation of machinery. Organics internally evolve, extremely slowly, and even then almost wholly reserve their changes for the next generation.
The fact that technology is externally changed means that there's no evolved internal consistency--the immune system must be explictly modified to support the new transplant. As biology and technology have shown us, spooging the new into the old is difficult work. The speed of modifications too is frightening--while it's obvious that the host systems change much faster in a technological environment, I'd be interested in knowing the genetic variation of attacking bacteria and virii vs. the command variation of attacking trojans and computer viruses.
The generational woes are the killer--it is impossible to establish the biological concept of a "homeostatic self" onto systems that never stay either frozen in the present or predictable in their growth towards any degree of future.
Now, granted: There are assuredly "all quiet" states on the average network, and recognizing such states is a common tactic of network monitoring systems. (Indeed, there's a free app out there that will generate a firewall config that will pass any traffic it noted on your network during a "trusted state" period, then block anything else.) But that's a rather blunt methodology, and denies the inevitable existance of new services. The big problem is: How does one respond to a deviation? The curse of unpredictability is the inability to automate appropriate responses. The curse of being forced to constantly formulate appropriate responses is that it's burdensome and prone to false positives. The curse of not formulating appropriate responses is that you end up not responding at all
I should be fair--I like what I'm hearing from these guys. I've been saying for quite a while that systems that prevent the results of an instability from being necessarily exploitable(essentially, randomizing and shuffling systems so that there is no predictable "skeleton key" to the system that works every time). Their talk about monocultures is perfectly appropriate here. IBMs work with victim labs is beautiful, if not more than a bit macabre if backwards ported to human biology. Even the packet signaturing is interesting. But we should be aware of the limitations of this technology, and I'm interested in just how aware these researchers are of the differences between the evolved and the created.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Vir[ii|uses] are a problem in the Windows world due to a lack of system security, plain and simple. While it is theoretically possible to write a Unix/Linux virus (and has been done), how will it *spread*?
/usr/lib, etc) are not writable by non-root users. If you don't run as root, a virus can't infect the binaries, because it can't write to them. Period.
/bin/sh (or /bin/bash, etc). Infect this, and you can easily infect everything which is executed by /bin/sh, which is most programs. But how can an ordinary user attach the virus to /bin/sh? On the various Linux and commercial Unix boxen here at work, it is always owned by root/root or bin/bin, and mode 755 or 555 - unwritable by ordinary users.
For a classic virus to work, it must attach itself to an executable, and spreads when that executable is run (modern email "virus" programs are often technically worms, not vir[ii|uses]). In Windows, this is easy, because the system directories (c:\Windows) are writable by the regular users.
In Unix/Linux, the system directories where most binaries are (/usr/bin,
If one were to write a Unix/Linux virus, the obvious target program would be
At best, a virus could affect user-owned binaries, say in ~/bin. But except for convenience scripts, who uses that? Anything widely used and standard goes into a directory protected from accidental or deliberate damage. That's just good practice.
If all operating systems followed Unix' wise example, vir[ii|uses] would be merely an interesting theoretical exercise, rather than a serious hazard.
---
120
chars is barely sufficient
Hand me that airplane glue and I'll tell you another story.
I have to disagree. Look around you. Life doesn't reproduce at the expense of all else; it goes until a balance is obtained with other living things. However, sometimes things get out of hand and you get exhaustion of natural resources and the species dies back some or entirely.
:)
I suspect that once computer viruses start exhibiting evolutionary-like behavior they will behave just like their biological cousins; sometimes reproducing at a frenetic pace and crippling and destroying everything in their wake, and lots of dormant viruses stuck on the wrong sort of OS, or small viruses that reproduce at low rates and aren't malicious.
Just like life; variety.
"I'm nobody suspicious... That makes me sound even more suspicious, doesn't it?" - Spike (Cowboy Bebop)
solution to a problem. The internet is large enough an e-ecosystem to support millions of copies of a virus, so even if the survival
rate of the variants produced by breeding and mutation was very low, there might be enough survivors each generation to evolve
into a truly dangerous virus.
Except it wouldn't. What's a good survival strategy for a virus? Not to be detected, of course. What's a good way not to be detected? Don't do any noticable harm.
An evolving virus (if it survived at all, real-world systems are rather brittle for a-life organisms to survive in the wild) would very quickly become very small, very prolific, and completely harmless.
The human immune system knows what it should find and anything else is an invader. Computers aren't like this, they change all the time - installing programs, writing files. You can't just, I don't know, look for a different electron on the hard disk?
The only thing I can come up with is that the anti-virus package CRCs every non-data/document file as it hits the hard drive, then if the file is modified I guess it might have a virus on it's hands (or it could just be a valid patch). But in that instance, it would be better for all the base systems in a network to be identical, rather than each one being slightly different - that way you could recognise a difference in one as a potential virus...
These things always remind me of a unusual consequense of the Godel Incompleteness theorem
(which is a proof that you can't prove everything).
The consequence is essentially that any sufficiently powerful computer system cannot be made virus/cracker proof. No matter how good your
AV software and how tight your security procedures, unless you limit the power of your machine (not how fast it runs, but what sorts of things can it do) you cannot ensure your security.
I've decided that it's really not worth the bother to run a totally secure system, and I don't even run a virus scanner anymore.
Before everybody jumps on my back, I'd better clarify "sufficiently powerful". You could say that a machine that is stored in a locked room w/out any connection to any external network that requires a swipecard and 128=byte password to access has perfect security. But, such a machine is not "sufficiently powerful" to be crackable. It is less powerful than my pokey 'ol 486, because my 486 can connect to the internet. If I wanted, I could set it up as a web server. But a machine in a locked room can't do this, and therefore is less powerful.
Even if you have an internet connection, if it refuses all external connections and is behind a good firewall, it may be impossible to break into. But again, it is less powerful than any web-server, even one that just displays static pages. It is once you cross a certain threshold of useability that it becomes "sufficiently powerful". If you have an open telnet port and 1 user account, it is probably "sufficiently powerful". That's not a very high threshold.
The threshold for virii is even lower than cracking. If I want to run outside software, I have to expose myself to virii. If I have good AV software installed and running, I may be able to detect all virii. But, then I can't run any programs that appear sufficiently virus-like because the AV software will flag it, and Godel's Incompleteness theorem shows that if my software catches all virii, it MUST catch some non-virii.
So, security is an impossible goal.
It's still pretty cool to have AV software that automatically looks for 'new' virii though.
The immune system was successful initially because it could very quickly generate new defense mechanisms that pathogens would take some time to adapt to through evolutionary mechanisms.
Even so, after many millions of years of evolution, there are now numerous pathogens that simply aren't touched by the immune system at all; the only reason why those pathogens haven't wiped us out is because natural pathogens don't have malicious intent, and most of them have co-evolved to co-exist with us.
When it comes to computer viruses, the insight to be concerned about is the insight of the virus writer. Unlike the biological world, where pathogens need to spend millions of years of evolution to figure out general mechanisms for avoiding the immune system, a virus writer can come up with a general purpose strategy for evading a "computer immune system" within days.
If you want secure systems, in a world of human adversaries, the only way to build them is so that they are structurally secure or cryptographically secure, and those are engineering problems that are very different from what biological systems have faced until now.
(As an aside, the next step of evolution of biological pathogens may be interesting. The immune system got us quite far, but it is growing old as a defense mechanism as pathogens have found general purpose ways of evading it. Perhaps its successor is our brain, as we design drugs and treatments rationally. It will be interesting to see how the pathogens will respond.)
Perhaps the biggest point of departure is that biological systems are evolutionary, while computer systems are designed by humans, with knowledge of the possible countermeasures. That means that many immune system strategies just won't translate.
But even more important is perhaps the observation that most biological systems (even plants and most animals) don't even have immune systems. They rely on other mechanisms for their defense, mechanisms that many engineers would probably consider "good engineering": make it hard for the viruses to get in, destroy viruses that do get in, minimize the effects of infection if it does occur, stop the spread of infection with various barriers, and have lots of redundancy. The evolutionary pressures for some animals to develop immune systems probably simply don't exist for computer systems.
So, if you want to push the biology analogy, it may well be better to do without an immune system and to simply design good, strong systems.
That's what you're suggesting, right? An anti-virus system which goes after valid code?
Interesting. So if you have one of these AV systems in place, and apply a binary patch to some code (a'la Id DOOM patches), your changes will get clobbered. Makes sense, and I can see why it would - the checksums and size changed after all. But what you're saying is that this AV system could one day decide (or be prodded into) going after stable, unmodified code - having seen it as infected?
As for CyberAIDS, I recall something from circa MS-DOS 5.0/6.0. I'd heard of a virus, aptly named CyberAIDS, which would do nothin more than disable your antivirus software. I don't know specifics, but it was interesting to me that it would trash NortonAV, CentralPoint, whatever, leaving you wide open to conventional bugs. I think (IIRC) that it would leave the TRS running, but disabled. Cold.
-- What you do today will cost you a day of your life.
I know it's OT, but I thought it was cool..
:) Somehow it all ties in to Asimov's Psychohistory too.
A few years ago, Wired (before they lost their edge) ran a pseudo-retrospect issue from the future, in which they reviewed the turn of the millenium from a few decades ahead. It was a prety neat diversion. Anyhoo...
One of the main articles dealt with 'The Plague', a super-flu/AIDS/Ebola mutation that threatened to wipe out humanity. (It's striking how biologically apropos the computer virus analogy is, and how well it tracks with real life problems, solutions and latest computer development) The article was written in retrospect, like the whole issue, and in the form of interview with one of the top researchers involved in stopping the disease.
The truly neat thing about the story, and what keeps me remembering it, was that the disease was cracked not by medically traditional means but by a mathematician who found a way of attacking the geometric form of the virus. I don't know how unconventional this approach is in virology, but the cross-polination of medicine and math really struck me.
I'm a very strong believer in gestalt thinking, and in the fact that laws of nature from one field map remarkably well onto seemingly unrelated fields. Take Newton's Laws of Motion, abstract a bit and apply to sociology. Action-reaction. The Law of Entropy seems to hold true when placed in the context of politics.
This is why the article resonated with me, and why the topic of evolving virii triggered me to go OT about memetic cross-breeding.
-- What you do today will cost you a day of your life.
Might it be more likely for a virus to grow if it focused not on making copies within a system, but if it focused on spreading itself?
Perhaps scan the filesystem for email addresses frequently sent to, and send melissa-style mailings to them? Maybe search for common email programs, and infect them?
Sort of...
Your right about people using the same binarys.
But it will optomise diffrently if optomised for a 486 vs a P2.. Thats not very wide varation.
Also some people (like myself) recompile to pick what will be drivers what will be in kernel and what won't be supported at all.. That being.. conformed to needs prefrences and hardware.
Also it dosn't stop with the kernel. Diffrent libarys may be used, even the core libary can be compiled diffrently. The system configuration.. etc.. it changes the defects in the system. A virus might be made to infect Linux but the defect used by the virus can be swapped out or may never have been installed.
I don't actually exist.
While I'm glad to see this "news" hit Slashdot, I have to wonder why it wasn't considered newsworthy back in July. Check out the old news at sciencenews.org.
There is a problem ... It's called evolution.
Yes, but the problem contains within it its own solution. Viruses evolve. So systems must also evolve. There will never be a perfectly secure system... for long. But neither will the most harmful viruses remain viable for long. Tremendous forces (unstoppable forces?) are quickly mobilized against them. The writers of malicious viruses are clever, but I doubt that they're as clever as the combined cleverness of all those who work to stop malicious viruses from doing their damage.
Only a "truly perfect" defence will work, but no such defence exists, or even theoretically could exist. This leaves you with the "best practical" approach, which is to make things as protected as reasonably practical, and no more.
Viruses, as they evolve, can be expected to arrive at the "most practical" approach, rather than the most damaging. Over time, this would lead to the evolution of stealthy viruses that do little or no harm to the systems they infect, use minimal resources, and may even offer some benefit (f'rinstance cool graphics, greater efficiency, protection against other viruses). A "most practical" virus-proofing scheme would not waste its time with these benign viruses, which would drive the evolution of ever more benign viruses.
I expect any time now to hear that someone has introduced a virus that evolves in the sense that a genetic algorithm evolves a solution to a problem. The internet is large enough an e-ecosystem to support millions of copies of a virus, so even if the survival rate of the variants produced by breeding and mutation was very low, there might be enough survivors each generation to evolve into a truly dangerous virus.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
I haven't read the white papers (yet), just looked through the article. What is there seem interesting, but hardly earthshattering. This is basically a straightforward application of genetic algorithms to computer security. Matching concatenated sender's address, receiver's address, and the port is really only useful for smallish relatively self-contained networks where any non-regular "outside" connection is automatically suspicious. This wouldn't work at all for an e-commerce site, for example.
The suggestion that no two operating systems are to be exactly alike is also an interesting one, but hardly practical. First of all, most security holes occur in applications, not operating systems per se. The dangers of monoculture are real, but purposefully avoiding popular software (1) leads to suboptimal solutions to problems (do you want to avoid Apache just because it is the most popular web server?); and (2) strongly smells of security through obscurity. Besides, think of technical support nightmares: does anybody really want to support hundreds and thousands of "slightly different" operating systems?
I feel that the biological metaphors are somewhat overblown and could be misleading. On the other hand, they journalists like them...
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Hm, I do think some kind of fingerprint could be created for each compiled kernel
The question wasn't kernel fingerprinting. Basically, it's the same old argument: if 90% of the world's computers run Windows, then a single flaw in Windows makes 90% of the world's computers vulnerable. As far as I understood, Forrest was arguing for internal differences in operating systems that would confuse a virus, or a root kit. Checksum are irrelevant here.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
As someone much wiser than I once said:
"Any significant advance in technology is indistinquishable from magic."
That someone was Arthur Clark, and I belive the correct quote is "Any sufficiently advanced technology is indistinguishable from magic".
If you put a caveman in front of an Imac, he's going to insist it's a deity
Until he finds a heavy blunt object.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
but can or will it actually work when but to the
test ?
So the idea is to increase security in a number of ways including (but not limited to) having each copy of the OS be unique, and having the AV package put the subject in a box and taunt it. (For those of you who haven't seen it, now's a good time to watch that Monty Python "Holy Grail" movie.)
So how strong are the odds that such methods could inadvertently result in some sort of computer auto-immune disorder? Could our anti-virals manage to interpret the kernel as a virulent entity to be removed? Or, are we all just too smart (or lucky) for that to happen?
"Una piccola canzone, un piccolo ballo, poco seltzer giù i vostri pantaloni."
My office has been taken over by iPod people.
Artificial means 'made by human hands'; it is cognate to artifice. It has aquired a negative connotation over the years as artificial flavours and products have been created, but it still retains some of its old splendour.
You make a good point, though: is an AI an intelligence? If it is, then 'artificial intelligence' is the appropriate term. OTOH, if it is not, if it is merely a program which aids a human (even in the absence of said human), then it is more properly called an 'automated intelligence,' as you point out.
The one is the strong AI position, the other the weak AI position. Having just spent a semester working on AI, I must say that I consider the strong AI position bollocks, for all sorts of philosophical, mathematical and practical reasons.
Perhaps I will start calling it 'automated intelligence.'
However, like our bodily immune systems, these systems could serve as a first line of defense. Their advantage lies not so much in that they are universal proof against infection (they aren't), but in that against "routine" infections they shut the virus down before it has the opportunity to do any real damage, far faster than would be possible if human intervention were required. Inevitably, some infections will slip through (just as with biological immune systems), and when that happens you need outside intervention; i.e., the computer equivalent of a trip to the doctor's office.
-r
homonym n : two words are homonyms if they are pronounced or spelled the same way but have different meanings.
dictionary.com
Now, IANALS (I am not a linguistics scholar), but isn't virus(the computer term) a homonym for virus(the biology term) in the same way that bark(the tree skin) is a homonym for bark(the sound a dog makes)?
If this is true, Virus(computer) is most likely an English word, and no official linguistic rules have been made for it.
The beauty of the English language is that we are free to modify it to suit our needs. It's adaptable, and if we feel like spelling the plural of virus, virii, viruses or vira, it should be accepted.
The way I see it, in biology, it's unlikely to see one viral cell. Virus seems like it would be plural already. I'm probably totally wrong in this paragraph.
I've read the articles you point to, and understand them. This is definately not meant as a flame, but aren't there more important things to worry about than how we spell the plural of virus?
The suggestion that no two operating systems are to be exactly alike is also an interesting one, but hardly practical. First of all, most security holes occur in applications, not operating systems per se
:)
:) world but look at who is most likely to get a virus/trojan. People on windows (most likely using AOL).
*AHEM* Windows?
Maybe not in the *nix (or bsd
I implore you, Mr Penguin, to read this FMTEYEWTK on the matter. Latin just didn't work the way you claim that it did, and neither does English.
Not all nouns that ended in -us became -i in the nominative plural. Only second declension masculine nouns did so. There are several (I can think of three) other flavors of -us nouns, none of which follows that rule.
So virus fails to follow the focus/foci rule for at least three different reasons:
But if you have rough idea what's on the network you're trying to attack, and what hosts are on there, you may well have a good idea of roughly what kind of traffic is going about. If you know what hosts are there and have an idea of what traffic is (probably) there, then why not just bury a false ID somewhere in your packet?
You could attempt to forge an ID from knowledge of the network, and fool the alarm mechanism by effectively masquerading as normal traffic. This is probably preventable by looking at exactly where the ID occurs in the packet and deciding if that's where it should be.
Beyond that, though, what's to stop you quietly trickling a normal-looking flow of do-nothing packets through the network to a given port on a given host? Then when a detector is generated, it'll trigger on your harmless packets an get ditched. Then one day you make your packets do something nefarious, and they get overlooked, something like 'friendly fire'.
After reading the article I would say that I much perfer Dr. Forrest's approach. It is an internal defense and does not rely on outside resources. I definitely do not like the idea of my system automatically sending and receiving files without my knowledge. It puts the integrity of my system into the hands of this "central" virus authority.
Having different binaries doesn't do much good when the API is the same. i.e. buffer overruns, Denial of Service attacks, etc.
Dr. Dobbs Dec/99 has an article by Bruce Schneier on Attack Trees. For those interested, it discusses one methodology of breaking security.
Cheers
That's what I thought of first as well... The individual linux build came second.
The big difference I notice between humans and linux is the extent of the differences in individuality. Yes, I can set up a linux machine with a different configuration, but that is a far cry from the extent to which my DNA differs from your DNA. We're not able to (yet) reconfigure ourselves, we are a fixed individual with an individual blueprint. We only can add to deffensive (autoimune) network, gain experience fighting disease if you will...
Linux configurations (of the same distrabution) all have the *ability* to be identical. Linux machines all stem from one set configuration and only begin to act differently based on external stimulus. There is a finite extent to the changes that can be made.
As far as evolving operating systems, I will agree that Linux is the closest to that - with the user getting the ability to choose what patches, updates and fixes they wish to rebuild their kernel with. But it is still driven by a person.
There was an earlier thread about your OS getting updates on its own. This too would only be a limited representation of DNA. The true extent of AI required for a software autoimune system would be one that sees what you use, checks to see where your system is vulnerable or not satisfying your needs, looks to see what patches/fixes/upgrades exist and considers what other problems those cause and performs some limited impact study to see how badly it would affect you and then based on that, grabs the patches and "mutates" itself for your benefit.
Woah, that's kinda neat when you (or I at least) think about it...
Anybody got the foggiest idea of how to even start coding that... (well other than #include stdio.h)
You say you want a revolution?
From the article:
49 bits would hold a single IP address (32 bits), a single TCP or UDP port number (16 bits), and one additional bit. They claim that it's holding two IP addresses and one port. (80 bits). I don't even know what to say about the fact that it's holding only one, and not both port numbers. The article says "stringing together", so they're not generating a hash. I could do a lot of speculation as to what they're really putting in those 49 bits, since the article is obviously not correct, but I won't bother. For all I know, the 49 bits figure could be wrong as well.
So then, they compare these packets with a pool of random 49-bit numbers ("detectors"). 12 contiguous bits in common, and they throw the detector away. A detector must last for two days against this to be actually used. Let's look for ways to prevent any new detectors from ever being used. First, random chance. If there's enough traffic to make such "advanced" software necessary, every sequence of 12 bits will probably occur over the course of two days. Different port numbers (whether they save source or destination doesn't matter, because there will be traffic in both directions). Different IP addresses on either the remote or local network. An attacker purposely causing this to happen. 4096 consecutive legitimate connections from a machine that allocates its ports sequentially and isn't connecting to any other machines in that time. (SMTP, FTP, and HTTP could easily cause this. IRC could with an auto-reconnecting client that keeps getting disconnected.)
Let's say a detector manages to get by (maybe their network connection is down for a couple days). Let's see what happens next:
They don't say what a match is. A full match? That's worthless. They're probably using the same threshold, which leaves the same problems with false alarms.
Oh well. It's a really cute idea, as long as you don't throw any facts at it.
"Any significant advance in technology is indistinquishable from magic."
If you are shown a card trick, it's 'AI' until you're shown how it's done. If you put a caveman in front of an Imac, he's going to insist it's a deity. Thus, Any AI system (and I may be going out on a limb here by using the term ANY) is also an AI system, untill you read and understand the source code.
Now understand that automating a mundane decision process is what has made automation (in it's current industrial application) such a productivity booster. Afordabley automating physical processes (robots that weld car frames, robots that paint, ect.) has taken decads to come on-line, and continues to evolve. On this same liniage, Automating a decision process (i.e. automated trading systems) can and will also reap huge productivity rewards.
I would agree with you that it truly is automation at work here, and there's nothing artificial about it. Programers work long and hard to coax the code into doing what they want it to do.
_________________________
IMNSHO, This term is very over used. Any time a system goes live on a network, it's deemed to be somehow "alive" by putting an Artificial in front of it. A good example of this was when IBMs deep blue beat the a grand master at chess (Kasparoff(sp?), it was hyped as a "giant leap forward for Artificial inteligence".
There's nothing artificial about it. It was the result of many of the greatest programs and chess master toiling for years to pull the project off.
Its more acurate name would be Automated Intelegance.
And this 'Artificial Immune System' is also just and automated series of self updating decisions. Taking the human out of the loop doesn't make it artificial, it just makes it more cost effective.
_________________________
Barring polymorphic computer virii, this metaphor of "ecology" is overextended, an artistic exaggeration.
Put simply, a computer virus is not a living organism in the usual sense. It does not "mutate". (The statisical liklihood of a computer virus evolving from pure chance is far greater than the lifetime of the universe.) It does not reproduce sexually or asexually.
Moreover, computer operating systems and their virii have not even scratched the surface of the incredible variety and complexity of the immune system of human beings.
You could probably compare the state of computer virii and AV software today to bacteria methylating their own DNA to protect its own DNA from restriction enzymes that instead attack foreign DNA (read, virus material).
The best that these AV programs can do today is look for signatures or activity of *known* viruses.
"Taunting" a virus to trigger in a protected space only works if you know the virus phenotype in the first place.
Scanning network packets seems to be an expensive and legally tricky proposition, since most virii will be inside binary files, which means you not only have to look for MIME data inside packets, but decode them too, which involves a whole other security issue altogether. And then you will only catch the virus that you have information on, that you already know about.
I don't think thats what the author means. I think that hes talking about other common components, like web browsers, and email clients, which is what most modern viri exploit.
At the moment a viri author can make huge assumptions like, its a win32 os with Outlook, and winsock, and use small exploits in each of them to spread the virus.
The linux kernal may be mostly the same accross most intalls of a popular disribution, but the differences stack up when you consdier all the other permutations of mail client & server and html renderer/http server, java VM, etc, etc, it becomes very hard to create a virus that will work with them all!
ThadThad
Check out: http://www.cs.unm.edu/~immsec/ and there is some work being done in the UK on different lines but to the same ends called "Host Defence System".
Furthermore, your Japanese seems as odd as your English. "Watakushi" doesn't mean "I" in the Japanese I learned. It's "watashi", and the plural is "watashitachi" - Watashi no namae wa "RFC959" desu; watashitachi wa kohii nominagara - unless you speak some dialect unlike the Tokyo Japanese I learned.
Both plurals are used, viruses is more common, but in scientific circles virii is used.
It is one of those things like formulas formulae.
If you want to be proper, this also holds true with Japanese words. I am learning Japanese and one of the interesting things is that for most words there is no plural form, so for kimono, kimonos is incorrect. There is a plural for I (I = watakushi, We = Watakushitachi) and you (you = anata, You [plural] = anatagate). Doing it otherwise is like saying yous
PS: Did anyone know that the singular form of data is datum?
According to the book "Mastering Japanese", I is watakushi. I suppose it is one of those regional things or something. Just like I heard that Japan can be called either Nihon or Nipon.
Watakushi wa nihongo ga wakarimasu yo, keredomo takusan wakarimasen ne.
Arigato gozaimasu
Theoretically it should be possible to create viruses that reproduce sexually. There are two parents involved and the offspring shares traits of both parents. Have data structures similar to chromosomes that hold traits of the virus such as where it is stored, what it does, how it reproduces, its lifetime...
The viruses would then go around looking for other viruses of the same basic type (species), mix together the chromosomes and create varied offspring. You could even have designated virus breeding grounds.
In the programming side of this, someone would create the basic structure (species) of a virus and a way to insert traits. Virus writers would then come around and specify the traits they want, and send it out (either to a "friend" or to a possible designated virus breeding ground).
This would create a new type of virus. One that will eventually become so varied that any in that species can not really be removed easily.
...or software problems like Chrone's disease where the immune subsystem goes wild and attacks everything on your machine.
I can hardly wait.
Chaeron Corporation
What bothers me with this sort of approach is still not the attack on _my_ box, but what I will recive from the network. This antivirus cluster, how will one know that is not infected in itself? That would be one of the major security holes in this situation. Where to strike best when wanting a major payload cross the net? Yes, there. Make it ship 'antivirus' fixes that strike at some other code, or that are the virus itself. no system is ever secure in a network, and those systems will be the ones with the highest amount of crack attempts around, since the 'price' would be highest if they were cracked. (largest spread of your virus) well, more rambles... boy am I bored at work today. :)
I didn't do this, now did I?
Well, people, for one. Elephants, for another. Even penguins. No two penguins are exactly alike.
Wow. Now there's a good springboard for an extended metaphor. "No two penguins are exactly alike. Run Linux for evolutionary viability."
Seriously, though, what about evolving operating systems? Wouldn't that make some sense? Software DNA?
should have used the preview button. i always ignore the best advice.