Computer Immune Systems
LL writes "We might soon be seeing commercial delivery of autoimmune security systems. Rather than the surface bit pattern detections of antivirus checkers, these systems attempt to provoke virii in a secure area (IBM) or match network packets against signature tags (Forrest). The interesting plug is that the author suggests that large programs such as operating systems should be made in such a way that no two copies are exactly alike. Now guess what favourite beast has this trait?"
As the viable attacks will be the ones which survive, those will be the ones distributed, copied and reused. Within a given timeframe, by creating a "super-defence", you -ALSO- create "super-virii".
The problem with any evolving system is that it will remain, over a long enough time-frame, roughly in balance. Nothing can become super-strong, without in turn strengthening its opponents, by natural selection.
Only a "truly perfect" defence will work, but no such defence exists, or even theoretically could exist. This leaves you with the "best practical" approach, which is to make things as protected as reasonably practical, and no more.
This kind of approach has the advantage that you don't accelerate (too much) the development of super-bugs (as medical practices have an unfortunate tendency to do - idiots!) whilst offering a sensible level of protection against more common attackers.
Ideally, though, defences should do more than just defend. The more time you spend defending, the less time you have to do anything else. This, in itself, is a form of DoS attack on your system, via wetware rather than software, making the admins install so much protection that the system becomes unstable and/or unusable, under typical loads.
What you want is a form of defence which actually contributes to the rest of the system in other ways. That way, you are gaining overall by expending the resources, and don't run into the DoS trap.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you're talking about linux, why should it have this trait? Most people still use a stock kernel from their distribution. That's a lot of people using the Redhat binary kernel, say, which will be identical for every person using it.
Sure, you can play with the config or use patches or whatever, but a lot of the code will come out the same. It's not like the compiler puts some kind of unique fingerprint on the kernel you build.
axolotl
"Please fasten your seatbelts, as we are presently experiencing turbulence as the result of excessive metaphor shear."
;-) All in all, a nasty situation.
As much as I would absolutely love to fully envision the Net as a living, breathing organism...it isn't. There are aspects of biology that are appropriate, but I think it's fair to say that these researchers are presuming excessive organic/technical equivalence:
Technology is externally changed, quickly, and often within the same generation of machinery. Organics internally evolve, extremely slowly, and even then almost wholly reserve their changes for the next generation.
The fact that technology is externally changed means that there's no evolved internal consistency--the immune system must be explicitly modified to support the new transplant. As biology and technology have shown us, spooging the new into the old is difficult work. The speed of modifications too is frightening--while it's obvious that the host systems change much faster in a technological environment, I'd be interested in knowing the genetic variation of attacking bacteria and virii vs. the command variation of attacking trojans and computer viruses.
The generational woes are the killer--it is impossible to establish the biological concept of a "homeostatic self" onto systems that never stay either frozen in the present or predictable in their growth towards any degree of future.
Now, granted: There are assuredly "all quiet" states on the average network, and recognizing such states is a common tactic of network monitoring systems. (Indeed, there's a free app out there that will generate a firewall config that will pass any traffic it noted on your network during a "trusted state" period, then block anything else.) But that's a rather blunt methodology, and denies the inevitable existence of new services. The big problem is: How does one respond to a deviation? The curse of unpredictability is the inability to automate appropriate responses. The curse of being forced to constantly formulate appropriate responses is that it's burdensome and prone to false positives. The curse of not formulating appropriate responses is that you end up not responding at all.
I should be fair--I like what I'm hearing from these guys. I've been saying for quite a while that systems that prevent the results of an instability from being necessarily exploitable (essentially, randomizing and shuffling systems so that there is no predictable "skeleton key" to the system that works every time). Their talk about monocultures is perfectly appropriate here. IBM's work with victim labs is beautiful, if not more than a bit macabre if backwards ported to human biology. Even the packet signaturing is interesting. But we should be aware of the limitations of this technology, and I'm interested in just how aware these researchers are of the differences between the evolved and the created.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Vir[ii|uses] are a problem in the Windows world due to a lack of system security, plain and simple. While it is theoretically possible to write a Unix/Linux virus (and has been done), how will it *spread*?
For a classic virus to work, it must attach itself to an executable, and spread when that executable is run (modern email "virus" programs are often technically worms, not vir[ii|uses]). In Windows, this is easy, because the system directories (c:\Windows) are writable by the regular users.
In Unix/Linux, the system directories where most binaries are (/usr/bin, /usr/lib, etc) are not writable by non-root users. If you don't run as root, a virus can't infect the binaries, because it can't write to them. Period.
If one were to write a Unix/Linux virus, the obvious target program would be /bin/sh (or /bin/bash, etc). Infect this, and you can easily infect everything which is executed by /bin/sh, which is most programs. But how can an ordinary user attach the virus to /bin/sh? On the various Linux and commercial Unix boxen here at work, it is always owned by root/root or bin/bin, and mode 755 or 555 - unwritable by ordinary users.
At best, a virus could affect user-owned binaries, say in ~/bin. But except for convenience scripts, who uses that? Anything widely used and standard goes into a directory protected from accidental or deliberate damage. That's just good practice.
If all operating systems followed Unix' wise example, vir[ii|uses] would be merely an interesting theoretical exercise, rather than a serious hazard.
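The post above rests on one check: nothing a user can write to sits where executables get loaded from. This is an added example (not code from the post or any project) that audits exactly that on a Unix box: every directory on PATH and every executable in it is reported if it is owned by someone other than the trusted owners or is group/world-writable. The trusted owner names ("root", "bin") follow the post; treating only those as safe is this example's assumption.

```python
import os
import pwd
import stat

def trusted_uids(names=("root", "bin")):
    """uids of the owners the post treats as safe for system binaries
    (root/root, bin/bin); accounts that do not exist are skipped."""
    uids = set()
    for name in names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:
            pass
    return uids

def weaknesses(mode, uid, trusted=frozenset({0})):
    """Pure check on stat fields: the ways an untrusted user could replace
    or alter this entry. An empty list means the entry is protected."""
    problems = []
    if uid not in trusted:
        problems.append("owned by uid %d" % uid)
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def audit_dir(path, trusted=frozenset({0})):
    """Check one directory and every executable regular file in it. Symlinks
    are followed: the target is what a virus would have to modify, and the
    directory check already covers replacing the link itself."""
    findings = []
    try:
        st = os.stat(path)
    except OSError:
        return findings  # a missing PATH entry is common and not a finding
    probs = weaknesses(st.st_mode, st.st_uid, trusted)
    if probs:
        findings.append((path, probs))
    if not stat.S_ISDIR(st.st_mode):
        return findings
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        try:
            st = os.stat(full)
        except OSError:
            continue  # dangling symlink or race with a removal; skip it
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            probs = weaknesses(st.st_mode, st.st_uid, trusted)
            if probs:
                findings.append((full, probs))
    return findings

def audit_path(path_value=None):
    """Audit every directory on PATH (or on the given PATH-style string)."""
    if path_value is None:
        path_value = os.environ.get("PATH", "")
    trusted = trusted_uids()
    findings = []
    for d in path_value.split(os.pathsep):
        if d:
            findings.extend(audit_dir(d, trusted))
    return findings

if __name__ == "__main__":
    for entry, probs in audit_path():
        print(entry, "->", ", ".join(probs))
    print("(nothing listed means nothing on PATH is writable by an ordinary user)")
```

A ~/bin entry on PATH will show up as "owned by uid N", which is the post's point: user-owned binaries are the one place a non-root virus could live.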
---
120 chars is barely sufficient
Hand me that airplane glue and I'll tell you another story.
The human immune system knows what it should find and anything else is an invader. Computers aren't like this, they change all the time - installing programs, writing files. You can't just, I don't know, look for a different electron on the hard disk?
The only thing I can come up with is that the anti-virus package CRCs every non-data/document file as it hits the hard drive, then if the file is modified I guess it might have a virus on its hands (or it could just be a valid patch). But in that instance, it would be better for all the base systems in a network to be identical, rather than each one being slightly different - that way you could recognise a difference in one as a potential virus...
The immune system was successful initially because it could very quickly generate new defense mechanisms that pathogens would take some time to adapt to through evolutionary mechanisms.
Even so, after many millions of years of evolution, there are now numerous pathogens that simply aren't touched by the immune system at all; the only reason why those pathogens haven't wiped us out is because natural pathogens don't have malicious intent, and most of them have co-evolved to co-exist with us.
When it comes to computer viruses, the insight to be concerned about is the insight of the virus writer. Unlike the biological world, where pathogens need to spend millions of years of evolution to figure out general mechanisms for avoiding the immune system, a virus writer can come up with a general purpose strategy for evading a "computer immune system" within days.
If you want secure systems, in a world of human adversaries, the only way to build them is so that they are structurally secure or cryptographically secure, and those are engineering problems that are very different from what biological systems have faced until now.
(As an aside, the next step of evolution of biological pathogens may be interesting. The immune system got us quite far, but it is growing old as a defense mechanism as pathogens have found general purpose ways of evading it. Perhaps its successor is our brain, as we design drugs and treatments rationally. It will be interesting to see how the pathogens will respond.)
Perhaps the biggest point of departure is that biological systems are evolutionary, while computer systems are designed by humans, with knowledge of the possible countermeasures. That means that many immune system strategies just won't translate.
But even more important is perhaps the observation that most biological systems (even plants and most animals) don't even have immune systems. They rely on other mechanisms for their defense, mechanisms that many engineers would probably consider "good engineering": make it hard for the viruses to get in, destroy viruses that do get in, minimize the effects of infection if it does occur, stop the spread of infection with various barriers, and have lots of redundancy. The evolutionary pressures for some animals to develop immune systems probably simply don't exist for computer systems.
So, if you want to push the biology analogy, it may well be better to do without an immune system and to simply design good, strong systems.
That's what you're suggesting, right? An anti-virus system which goes after valid code?
Interesting. So if you have one of these AV systems in place, and apply a binary patch to some code (a la Id DOOM patches), your changes will get clobbered. Makes sense, and I can see why it would - the checksums and size changed after all. But what you're saying is that this AV system could one day decide (or be prodded into) going after stable, unmodified code - having seen it as infected?
As for CyberAIDS, I recall something from circa MS-DOS 5.0/6.0. I'd heard of a virus, aptly named CyberAIDS, which would do nothing more than disable your antivirus software. I don't know specifics, but it was interesting to me that it would trash NortonAV, CentralPoint, whatever, leaving you wide open to conventional bugs. I think (IIRC) that it would leave the TSR running, but disabled. Cold.
-- What you do today will cost you a day of your life.
I know it's OT, but I thought it was cool..
:) Somehow it all ties in to Asimov's Psychohistory too.
A few years ago, Wired (before they lost their edge) ran a pseudo-retrospect issue from the future, in which they reviewed the turn of the millennium from a few decades ahead. It was a pretty neat diversion. Anyhoo...
One of the main articles dealt with 'The Plague', a super-flu/AIDS/Ebola mutation that threatened to wipe out humanity. (It's striking how biologically apropos the computer virus analogy is, and how well it tracks with real life problems, solutions and latest computer development) The article was written in retrospect, like the whole issue, and in the form of interview with one of the top researchers involved in stopping the disease.
The truly neat thing about the story, and what keeps me remembering it, was that the disease was cracked not by medically traditional means but by a mathematician who found a way of attacking the geometric form of the virus. I don't know how unconventional this approach is in virology, but the cross-pollination of medicine and math really struck me.
I'm a very strong believer in gestalt thinking, and in the fact that laws of nature from one field map remarkably well onto seemingly unrelated fields. Take Newton's Laws of Motion, abstract a bit and apply to sociology. Action-reaction. The Law of Entropy seems to hold true when placed in the context of politics.
This is why the article resonated with me, and why the topic of evolving virii triggered me to go OT about memetic cross-breeding.
-- What you do today will cost you a day of your life.
Might it be more likely for a virus to grow if it focused not on making copies within a system, but if it focused on spreading itself?
Perhaps scan the filesystem for email addresses frequently sent to, and send Melissa-style mailings to them? Maybe search for common email programs, and infect them?
While I'm glad to see this "news" hit Slashdot, I have to wonder why it wasn't considered newsworthy back in July. Check out the old news at sciencenews.org.
There is a problem ... It's called evolution.
Yes, but the problem contains within it its own solution. Viruses evolve. So systems must also evolve. There will never be a perfectly secure system... for long. But neither will the most harmful viruses remain viable for long. Tremendous forces (unstoppable forces?) are quickly mobilized against them. The writers of malicious viruses are clever, but I doubt that they're as clever as the combined cleverness of all those who work to stop malicious viruses from doing their damage.
Only a "truly perfect" defence will work, but no such defence exists, or even theoretically could exist. This leaves you with the "best practical" approach, which is to make things as protected as reasonably practical, and no more.
Viruses, as they evolve, can be expected to arrive at the "most practical" approach, rather than the most damaging. Over time, this would lead to the evolution of stealthy viruses that do little or no harm to the systems they infect, use minimal resources, and may even offer some benefit (f'rinstance cool graphics, greater efficiency, protection against other viruses). A "most practical" virus-proofing scheme would not waste its time with these benign viruses, which would drive the evolution of ever more benign viruses.
I expect any time now to hear that someone has introduced a virus that evolves in the sense that a genetic algorithm evolves a solution to a problem. The internet is large enough an e-ecosystem to support millions of copies of a virus, so even if the survival rate of the variants produced by breeding and mutation was very low, there might be enough survivors each generation to evolve into a truly dangerous virus.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
I haven't read the white papers (yet), just looked through the article. What is there seems interesting, but hardly earth-shattering. This is basically a straightforward application of genetic algorithms to computer security. Matching concatenated sender's address, receiver's address, and the port is really only useful for smallish relatively self-contained networks where any non-regular "outside" connection is automatically suspicious. This wouldn't work at all for an e-commerce site, for example.
The suggestion that no two operating systems are to be exactly alike is also an interesting one, but hardly practical. First of all, most security holes occur in applications, not operating systems per se. The dangers of monoculture are real, but purposefully avoiding popular software (1) leads to suboptimal solutions to problems (do you want to avoid Apache just because it is the most popular web server?); and (2) strongly smells of security through obscurity. Besides, think of technical support nightmares: does anybody really want to support hundreds and thousands of "slightly different" operating systems?
I feel that the biological metaphors are somewhat overblown and could be misleading. On the other hand, the journalists like them...
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
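Kaa's summary of the Forrest scheme (match sender, receiver and port against a set of learned detectors) is concrete enough to run. The following is an added example, not code from the thread or from Forrest's group: it trains on a constructed "trusted state" log of the small network Kaa says the method suits, builds detectors by negative selection with an r-contiguous-bits match, and reports which live connections they catch. The 80-bit encoding, r=10, the detector count and the sample traffic are this example's assumptions.

```python
import random

# Constructed "trusted state" traffic for a small, self-contained network:
# one "sender receiver port" line per observed connection.
TRUSTED = """
10.0.0.5 10.0.0.1 22
10.0.0.6 10.0.0.1 22
10.0.0.5 10.0.0.2 25
10.0.0.7 10.0.0.2 25
10.0.0.5 10.0.0.3 80
10.0.0.6 10.0.0.3 80
"""

# Constructed live traffic: one known connection, one from an unseen host,
# and two to ports the trusted period never showed.
LIVE = """
10.0.0.5 10.0.0.1 22
10.0.0.9 10.0.0.1 22
10.0.0.6 10.0.0.3 443
10.0.0.8 10.0.0.4 6667
"""

def ip_bits(ip):
    """Dotted-quad IPv4 address -> 32-character '0'/'1' string."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return "".join(format(o, "08b") for o in octets)

def encode(src, dst, port):
    """Concatenate sender, receiver and port into one 80-bit string (this
    layout is the example's assumption, not Forrest's exact encoding)."""
    if not 0 <= port <= 65535:
        raise ValueError("bad port: %r" % port)
    return ip_bits(src) + ip_bits(dst) + format(port, "016b")

def parse_log(text):
    """'src dst port' lines -> list of (src, dst, int port) triples."""
    return [(s, d, int(p)) for s, d, p in
            (line.split() for line in text.strip().splitlines())]

def windows(strings, r):
    """For each offset i, the set of r-bit substrings the strings have at i."""
    n = len(strings[0])
    return [{s[i:i + r] for s in strings} for i in range(n - r + 1)]

def matches(detector, wins, r):
    """r-contiguous-bits rule: a detector matches a string when the two agree
    over r adjacent bit positions somewhere."""
    return any(detector[i:i + r] in wins[i] for i in range(len(wins)))

def negative_selection(self_strings, n_detectors, r, rng):
    """Draw random detectors and keep only those that match no self string,
    so the survivors can only ever fire on traffic outside the trusted set."""
    if not self_strings:
        raise ValueError("need at least one self string")
    length = len(self_strings[0])
    self_wins = windows(self_strings, r)
    detectors = []
    while len(detectors) < n_detectors:
        candidate = format(rng.getrandbits(length), "0%db" % length)
        if not matches(candidate, self_wins, r):
            detectors.append(candidate)
    return detectors

def flagged(detectors, triples, r):
    """Return the connection triples that at least one detector matches."""
    out = []
    for t in triples:
        wins = windows([encode(*t)], r)
        if any(matches(d, wins, r) for d in detectors):
            out.append(t)
    return out

def run(training_text, live_text, r=10, n_detectors=2000, seed=7):
    """Train on the trusted period, then report suspicious live connections."""
    self_strings = [encode(*t) for t in parse_log(training_text)]
    detectors = negative_selection(self_strings, n_detectors, r, random.Random(seed))
    return flagged(detectors, parse_log(live_text), r)

if __name__ == "__main__":
    print("flagged:", run(TRUSTED, LIVE))
    # The blind spot a later post in this thread raises: a connection that was
    # quietly present during the trusted period is "self" and is never flagged
    # again, whatever its packets later carry.
    print("after poisoned training:", run(TRUSTED + "10.0.0.8 10.0.0.4 6667\n", LIVE))
```

The 10.0.0.9 connection differs from self in only two bits of one address, so whether a given random detector set catches it is luck; the matching is that coarse, which is the trade-off behind Kaa's "smallish networks only" remark.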
Hm, I do think some kind of fingerprint could be created for each compiled kernel.
The question wasn't kernel fingerprinting. Basically, it's the same old argument: if 90% of the world's computers run Windows, then a single flaw in Windows makes 90% of the world's computers vulnerable. As far as I understood, Forrest was arguing for internal differences in operating systems that would confuse a virus, or a root kit. Checksums are irrelevant here.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
As someone much wiser than I once said:
"Any significant advance in technology is indistinquishable from magic."
That someone was Arthur C. Clarke, and I believe the correct quote is "Any sufficiently advanced technology is indistinguishable from magic".
If you put a caveman in front of an iMac, he's going to insist it's a deity.
Until he finds a heavy blunt object.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
So the idea is to increase security in a number of ways including (but not limited to) having each copy of the OS be unique, and having the AV package put the subject in a box and taunt it. (For those of you who haven't seen it, now's a good time to watch that Monty Python "Holy Grail" movie.)
So how strong are the odds that such methods could inadvertently result in some sort of computer auto-immune disorder? Could our anti-virals manage to interpret the kernel as a virulent entity to be removed? Or, are we all just too smart (or lucky) for that to happen?
"A little song, a little dance, a little seltzer down your pants."
My office has been taken over by iPod people.
However, like our bodily immune systems, these systems could serve as a first line of defense. Their advantage lies not so much in that they are universal proof against infection (they aren't), but in that against "routine" infections they shut the virus down before it has the opportunity to do any real damage, far faster than would be possible if human intervention were required. Inevitably, some infections will slip through (just as with biological immune systems), and when that happens you need outside intervention; i.e., the computer equivalent of a trip to the doctor's office.
-r
I implore you, Mr Penguin, to read this FMTEYEWTK on the matter. Latin just didn't work the way you claim that it did, and neither does English.
Not all nouns that ended in -us became -i in the nominative plural. Only second declension masculine nouns did so. There are several (I can think of three) other flavors of -us nouns, none of which follows that rule.
So virus fails to follow the focus/foci rule for at least three different reasons:
But if you have rough idea what's on the network you're trying to attack, and what hosts are on there, you may well have a good idea of roughly what kind of traffic is going about. If you know what hosts are there and have an idea of what traffic is (probably) there, then why not just bury a false ID somewhere in your packet?
You could attempt to forge an ID from knowledge of the network, and fool the alarm mechanism by effectively masquerading as normal traffic. This is probably preventable by looking at exactly where the ID occurs in the packet and deciding if that's where it should be.
Beyond that, though, what's to stop you quietly trickling a normal-looking flow of do-nothing packets through the network to a given port on a given host? Then when a detector is generated, it'll trigger on your harmless packets and get ditched. Then one day you make your packets do something nefarious, and they get overlooked, something like 'friendly fire'.
"Any significant advance in technology is indistinquishable from magic."
If you are shown a card trick, it's 'AI' until you're shown how it's done. If you put a caveman in front of an iMac, he's going to insist it's a deity. Thus, any AI system (and I may be going out on a limb here by using the term ANY) is also an AI system, until you read and understand the source code.
Now understand that automating a mundane decision process is what has made automation (in its current industrial application) such a productivity booster. Affordably automating physical processes (robots that weld car frames, robots that paint, etc.) has taken decades to come on-line, and continues to evolve. On this same lineage, automating a decision process (i.e. automated trading systems) can and will also reap huge productivity rewards.
I would agree with you that it truly is automation at work here, and there's nothing artificial about it. Programmers work long and hard to coax the code into doing what they want it to do.
_________________________
IMNSHO, this term is very overused. Any time a system goes live on a network, it's deemed to be somehow "alive" by putting an Artificial in front of it. A good example of this was when IBM's Deep Blue beat a grand master at chess (Kasparov (sp?)); it was hyped as a "giant leap forward for Artificial Intelligence".
There's nothing artificial about it. It was the result of many of the greatest programmers and chess masters toiling for years to pull the project off.
Its more accurate name would be Automated Intelligence.
And this 'Artificial Immune System' is also just an automated series of self-updating decisions. Taking the human out of the loop doesn't make it artificial, it just makes it more cost effective.
_________________________
I don't think that's what the author means. I think that he's talking about other common components, like web browsers, and email clients, which is what most modern viri exploit.
At the moment a viri author can make huge assumptions like, it's a Win32 OS with Outlook, and Winsock, and use small exploits in each of them to spread the virus.
The Linux kernel may be mostly the same across most installs of a popular distribution, but the differences stack up when you consider all the other permutations of mail client & server and HTML renderer/HTTP server, Java VM, etc, etc; it becomes very hard to create a virus that will work with them all!
Thad
Theoretically it should be possible to create viruses that reproduce sexually. There are two parents involved and the offspring shares traits of both parents. Have data structures similar to chromosomes that hold traits of the virus such as where it is stored, what it does, how it reproduces, its lifetime...
The viruses would then go around looking for other viruses of the same basic type (species), mix together the chromosomes and create varied offspring. You could even have designated virus breeding grounds.
In the programming side of this, someone would create the basic structure (species) of a virus and a way to insert traits. Virus writers would then come around and specify the traits they want, and send it out (either to a "friend" or to a possible designated virus breeding ground).
This would create a new type of virus. One that will eventually become so varied that any in that species cannot really be removed easily.
What bothers me with this sort of approach is still not the attack on _my_ box, but what I will receive from the network. This antivirus cluster, how will one know that it is not infected itself? That would be one of the major security holes in this situation. Where to strike best when wanting a major payload across the net? Yes, there. Make it ship 'antivirus' fixes that strike at some other code, or that are the virus itself. No system is ever secure in a network, and those systems will be the ones with the highest amount of crack attempts around, since the 'price' would be highest if they were cracked (largest spread of your virus). Well, more rambles... boy am I bored at work today. :)
I didn't do this, now did I?