Throttling Computer Viruses

An anonymous reader writes "An article in the Economist that looks at a new way to thwart computer viral epidemics, by focusing on making computers more resilient rather than resistant. The idea is to slow the spread of viral epidemics allowing effective human intervention rather than attempting to make a computer completely resistant to attack."

I have a brilliantly original idea

[ekrout]

Start writing secure software!

I'm not joking. The #1 rule of computer science is that computer scientists are lazy.

We need to stop working just to accomplish the minimal functionality desired and start testing the hell out of our software to ensure that it's secure.

Re:I have a brilliantly original idea

In order to accomplish this, we need to get the corporate fat cats to give us reasonable deadlines.

They're philosophy is "get the product out as quick as possible so I can get my new (insert expensive car/truck/boat/plane here). We can easily put out a service pack afterwards to fix any major problems users report to us." I think M$ lives by this philosophy!

Re:I have a brilliantly original idea

[FortKnox]

There's always a hole that cannot be planned. In complex systems, bugs and leaks are bound to be found, regardless of how much attention you pay.
Plus, you usually have to balance security with user friendliness (putting on flame retardent jacket). Simply adding users vs root is a hassle for your average (home) user. People need to understand security to be willing to put in secure methods. Lets face it, people just want crap to work right now. They turn off security measures (like firewalls) to get something to work (like a game), then don't turn them back on so they don't have to deal with it the next time they try to play that game.

Re:I have a brilliantly original idea

We need to stop working just to accomplish the minimal functionality desired and start testing the hell out of our software to ensure that it's secure.

Such software is already here.

Two words: Open Source.

Re:I have a brilliantly original idea

[El+Neepo]

Being lazy = good.

If you write the simplest code you can that meet the requirements then more than likely its secure. It has no fancy tricks, its easy to see what its doing, therefore has less holes that need to be found.

Re:I have a brilliantly original idea

[janolder]

Hate to rain on your parade, but there is ample evidence to suggest that quality has to be designed in rather than tested into the product later in the process. If your design is flawed, testing won't help a bit. If your implementation is riddled with bugs, testing will find 95% of them, but Murphy will ensure that you get bitten by the rest at the worst possible moment.

In this business, it's a tradeoff between quality and time to market. Up until recently, software purchasing decisions haven't been based on quality very much so the software producers have given the customer what he wants: Buggy product now.

Re:I have a brilliantly original idea

[cyborch]

There's always a hole that cannot be planned.

True, but why do people have to keep writing programs with static buffer sizes? I cannot think of one single acceptable excuse to write a piece of software where a buffer overflow can happen.

If user input is in any way involved - directly or indirectly - then you need to test it before you accept it! There is no exuse!

Buffer overflows is not the only security issue with software, but the principle behind preventing it applies to most of the security issues out there...

So, I have to agree with your parent poster: the people making the software are lazy!

Re:I have a brilliantly original idea

[rossjudson]

Here's a thought. Stop writing programs in languages that HAVE static buffers. Stop writing programs in languages that have memory buffers that the program is free to overwrite. The problem isn't the programmers. What you're saying is that every programmer in the world has to write perfect code every time, and that's never gonna happen. Programs need to run in safe environments. The sandbox concept for running applets has been with us for a while, and it's a good one. You have a single place where you can fix things. It's gotten pretty hard to write an applet that can screw up a machine.

I think that ALL programs should be running in the equivalent of a sandbox at all times. There should be sandboxes inside sandboxes. When you download something off the net, you can go ahead and run it in a relatively safe, walled-off environment. There should be NO need for the program to look outside of that. Later on you might decide to allow the program more access to your system, once you begin to trust it, or some else in your web of trust has trusted it.

The OS needs to be designed to do this from the beginning.

Re:I have a brilliantly original idea

[fshalor]

This really is the best way. Keeping it simple (stupid) would be the best path to follow for secure code. But then there'd be nothing to spurn the market to switch up to the latest Intel Chips and the newer software to run on the latest chips and the latest gizmos which need the newest software and the latest chips to run and...Oh, we were talking about slowing the spread of Virii. Seems this does apply.

Of course, there's my solutions to slowing the spread of virii: (All should help. Any can be done.)

1. switch to GNU/Linux. (Put on flame-retardant suite *now*.)
   
2. Instruct users on the use of the "delete" key.
   
3. Instruct users why it's not a good idea to use a GUI email programs.
   
4. Instruct users into the ease of tracking your behaviors online and that little number called your IP, which is very easy to find.
   
5. Instruct users how to patch their Windows Boxen, to disable services which shouldn't be enabled and patch their Explorer/Outlook/AND Offices. (Oh, never mind... Windows is already more secure than ever. :) )
   
6. Explain why it's not *good* to click on every popup add that you see.
   
7. Educate lusers to make them into users. (BOFH cameo.)
   
8. THEN, reassess the situation and begin implimenting fixes like making the OS and Hardware more impervious to virii.
   

Sorry guys, but alot can be done with the existing stuff. Even though it hasn't been made *simple* or in a lazy manner (read, easiest way), its what we have to work with. One well written piece of paper circulated to 500 people can come a long way in upgrading the user's brainware. Its eaisier than convincing M$ (and others) to rewrite code. Lets see what happens then.

Re:I have a brilliantly original idea

[Tim+C]

Don't assume that static buffers are ALWAYS wrong.

Indeed - generally, there's nothing wrong with static buffers. If you're going to use them, however, there is absolutely no excuse for not bounds checking access to that buffer. That is, if you know that the buffer can contain say 1000 characters, check anything you write to it to make sure it fits!

That's most of what's "wrong" with static buffers - that it's too easy to use them incorrectly. It's not entirely the fault of the buffer, though, that it's easily misused

Re:I have a brilliantly original idea

[Keighvin]

This is a common and flawed belief among developers: write the software so it works. From a QA standpoint, you've accomplished a system requiring a trained and trustworthy user to interact with it as expected.

What happens when it's a technically inept user or one with malicious intent? Immediately, the fact that your program expects certain kinds of information in certain character ranges etc. to be input at point X causes a problem as wrong input is provided, or it's done in an obscene amount (hence buffer overruns) and the like. If you have an extremely simple program, your approach works: if, howerever, it's like *anything* done in an enterprise development environment several programs (or several portions and routines of the same program) nest together and share that information for their own purposes. Simplicity must give way to verbosity, in this case.

There's also expected order of operations, component stressing (memory leaks) and so on. Don't take the shortcut.

Re:I have a brilliantly original idea

[radish]

FUDDY FUDDY FUD FUD :)

Depends what you mean by "performance application". Java is just as fast as C++ for a long-lived server process, running on a decent OS with a new-ish (i.e. 1.3.0 or above) JVM. Hotspot (even more so the newer 1.4 versions) is a fantastically good optimising engine which tunes your compilation as it runs. That's something gcc can never do...I have seen the suggestion put forward by better scientists than myself that something using the same concepts as Hotspot should in most cases be able to beat a traditional compiler, for that reason.

For client side apps Java can "feel" a little slow, but that is often caused by the graphics libraries, Swing is a little sluggish. Look at the Ecplise IDE however if you want to see a client side graphical Java app running just as fast as C.

Technique

[gurnb]

Antivirus software makers are recycling some old tricks to combat computer viruses proliferating over the Internet.
The technique, called "heuristics," checks for suspicious commands within software code to detect potential viruses.

Heuristic techniques can detect new viruses never seen before, so they can keep malicious code from spreading. An older method, called signature-scanning, uses specific pieces of code to identify viruses.

Both methods have down sides. Heuristic techniques can trigger false alarms that flag virus-free code as suspicious. Signature-scanning requires that a user be infected by a virus before an antivirus researcher can create a patch--and the virus can spread in the meantime. Most antivirus vendors use both techniques.

It's time for the industry as a whole to look at different approaches The time-honored method of signature scanning is a little worn and weary given new viruses coming out

Re:Technique

[Tenebrious1]

It's time for the industry as a whole to look at different approaches The time-honored method of signature scanning is a little worn and weary given new viruses coming out

True, but most of the new viruses that come out are produced by script kiddies and their virus construction kits, and heuristics work well for detecting these.

Besides, AV software does not stand alone. AV security includes scanning, monitoring and blocking at the mail servers and firewalls, good communication between av software companies and IT AV staff, desktop security policies, and the most important, user training. Admittedly the last is the hardest, but well informed users are less likely to infect themselves and risk infecting everyone else.

human intervention

[it0]

Doesn't current human interaction show that it only stimulates viral spreading , by opening emails and running stuff because it says "I love you" not to mention the spreading of emails "warning new virus delete file foo.exe?"

NOW we're talking!

[Shoten]

This is an excellent idea. For a long time the fight against computer viruses (as well as many other aspects of computer security) has been focused on winning or losing, period. Try to stop the virus, and that's it. But what about what happens when a virus gets through? Like almost all things in computer security, there hasn't been enough attention given to what happens if security fails. Bruce Schneier has been yelling from the mountain that security is as much about what happens when safeguards don't work as it is about making sure they do. The notion of being able to keep a virus in check to a certain degree is a good example of security that can fail gracefully when a new virus comes around.

One connection per second?

[Malduin]

Could you imagine how slow Slashdot would be at one connection per second? How well could this work on high traffic sites?

It would probably save other sites from being Slashdotted, though.

Not very sophisticated.

[onomatomania]

Article blurb:

The idea, then, is to limit the rate at which a computer can connect to new computers, where "new" means those that are not on a recent history list. Dr Williamson's "throttle" [...] restricts such connections to one a second.

Hrm... well, it might have some benefit for things like Nimda, but it won't do anything for nasties that spread via email. If this becomes a default in a future version of Windows, though, you can bet that any virus meant to propagate by opening outgoing connections will just self-throttle, or disable the feature first. Already there is precedent for this, such as Bugbear that disables software firewalls so it can get out and spread.

I would much rather see effort spent educating people to install security related patches regularly and turn off unused services, and push vendors towards "secure by default."

Now were gonna have

[dethl]

semi-anti-virus programs that "hold" the virus in until Joe Blow computer user comes in, and accidentally releases the virus into his machine.

Issue at Hand

[seangw]

I think the issue at hand is a more global issue faced when writing applications.

Software is expected to behave 100%. How many of the developers here have had some strange bug, that may only appear in 1 out of every million users (not instances, otherwise it would happen in less than a second in most all modern processors). Then we are asked to fix it.

This solution is great, throttle the computer, lose that 2% of all connections being instantaneous, but then it won't be perfect.

I think we have to more realistically analyze the needs of modern software, and accept that it can "fail" to an acceptable degree if we want some superior functionality.

The human brain is great, but it fails (quite too much for myself). IBM is annoucing building a computer that could simulate the human brain, but it won't reap the rewards of our brains, until it's willing to give in to the issues that we face, uncertain failure.

With our "uncertain failure", look how great we are at calculating PI to the 100th digit (well, normal individuals anyway). Our brains certainly couldn't calculate nuclear simulations with the "uncertain failure"

We will probably have to split "computer science" into the "uncertain failure, superb flexibility" and the "perfect, 99.999% of the time" categories.

This sounds great for the "uncertain failure" group.

Problems With Insecurity

[txtger]

A lot of the vulnerabilities of these systems are things that are just downright idiotic, in my opinion. We've made programs that don't really need to talk to the outside world able to do so (Word, Excel), and we've given programs that shouldn't be able to control the filesystem and other aspects of the system that privilege (Outlook, Internet Explorer). During the Summer I managed to have Internet Explorer install software for me (.NET Platform).

Why do we not look at applications and give them a domain before we just open the floodgates? Why not just say, "hey, email comes from the outside world, I don't trust the outside world, so I won't let my email client do anything it wants to". I know that this wouldn't stop all of these problems, but I think the general idea would circumvent many virii.

Good idea!

[Gekke+Eekhoorn]

And it's not that difficult to implement either.

Give your switches enough memory and let them keep a history of 20 IP addresses per host. (this number needs to be tweaked according to usage of course) When you get a IP packet going to a new host, record the address and start a 1-second timer. While the timer runs, drop all IP packets to hosts not on the list.

The packets you drop will be resent, and you get the wanted behaviour.

Another advantage is that you only need to change the switches, not the systems.

Only problem I can see: What about web pages with lots of images from different servers? Those will take forever to load. You could tell everyone to use a proxy, but you wouldn't be able to run this throttling on the proxy...

If education can thwart AIDS�

[registered_user]

How about some Outlook awareness classes?

Unfortunately...

...it is rarely up to the implementors to decide. The project has a budget which is too little, and there is a schedule, which is too tight, and everyone else not in the project expects to see miracles.

This will only work for TCP. What about UDP ?

[Viol8]

Since only TCP has the idea of connections only this protocol can be protected from abuse in this way. Others such as UDP/ICMP etc send their data in descrete packets (as far as the OS is concerned, whether the app client-server system has the idea of connections over UDP is another matter) and if you limit these to 1 packet a second you can kiss goodbye to a whole host of protocols because they simply will not work effeciently or at all any longer. All his idea will do is cause virus writers to use protocols other than TCP. For macro viruses this could be a problem (does vbscript support UDP?) but for exe viruses its no big deal I suspect.

Is this on the individual computers?

[Qzukk]

If this is on individual computers, I can't see "human intervention" being effective. It might certainly slow the progress of a worm, but I can just see someone getting a pop-up box "Your machine appears to be infected with a virus, should I delete it?" and someone sitting there and hitting "No."

It would probably be more effective as some kind of network device/firewall that eats excessive network connection requests, then lets the administrator know that computer X appears to be infected (bonus points for inspecting packet content to determine type of infection).

In fact, that implementation isn't new, I recall seeing a computer setup at a colocation site setup to inspect http traffic and blocked http requests that looked like code-red infection attempts.

Re:How's that again?

[pknoll]

I did read the article. And then I looked beyond it. Keep in mind that no virus/worm has yet been written with throttle-equipped computers in mind.

Hackers/kiddies/whomever are annoyingly clever at times. My assumption is that someone may be able to take advantage of a throttle to compromise legitimate traffic.

Since that's what exploits are all about, I have absolutely no doubt someone will try it if such defenses become commonplace.

virus writers will respond, of course

[djembe2k]

Yes, this will slow down the spread of viruses -- but the article makes a big deal of the fact that a throttled system can detect the attempts to rapidly make many network connections, setting off an alert. Of course, as soon as people come to count on this as their primary form of virus detection, a virus will be written that only attempts one connection a second, and then, very slowly it will spread undetected on those systems that rely on the throttle for detection. And we know there will be people who rely on it exclusively . . . .

Umm, I don't buy it.

[Toodles]

In short, this guy's idea for curbing infection rates of &pluralize("virus"); is to restrict systems network access to one new host per second. Exceptions would be made for high demand, known servers, such as mail server and (I presume, even though it wasn't in the article) HTTP or SOCKS proxies. Interesting idea, and it would help in slowing down the infection of, say, Nimba or Code Red.

I can't help but think that his logic is flawed however. For example, most corporate headaches come from email based virii. If the only connections needed for the virus to spread is the email server it already has access to, there is no delay for the emails to be sent out to the mail server. No one could request for the email server to be throttled and keep their job, so the infected emails would be sent out, with no perceptable delay caused by the throttling.

The only thing this might help with is worms only, no virii in the more common sense such as email based LookOut virii, .exe/.com infectors, or boot sector infectors. The article fails to mention the Hows of this throttling; is it based on the routers (in which case quick infection of the local subnet would take place) or on the switches (which could break most broadcast applications, not to mention mean all systems outside the subnet look the same) or in the OS (in which case the virus could put its own TCP/IP stack in to replace the throttled one, and end up with no throttling affects whatsoever).

How about, instead of throttling network access, we move to more reliable code, better access controls at the kernel level, and a hardware platform that makes buffer overruns and stack smashing a thing of the past. While I am anti-MS, Palladium does actually have some good ideas on the hardware level. Is the DRM level that stinks to high heaven.

Sounds simple

[heikkile]

Many Linux firewalls already do connection tracking. All this needs is another table of recent connections (unless one already exists for routing purposes!), and a few options to tune it with (/proc/sys/net/ip_throttle_memory (how many seconds to count as recent), /proc/sys/net/ip_throttle_delay (how long to delay when throttling))

When do we see this in iptables ??

Are Viruses a real problem?

[toupsie]

If you are not running Microsoft Windows, are viruses a real problem? Running a Mac OS X box as my main desktop, I have never had one virus attack my system nor do I know of any fellow mac users that have had their system damaged by a virus. The only viruses I have seen on a Mac are Office Macro viruses -- no biggie for a Mac user. I am sure Linux desktop users, outside of the annoying XFree86 virus, are in the same situation. This whole article seems to be a complete waste of time because it discusses modifying a network to handle the insecurity of Windows. Why not just get rid of the problem? Spending more money making Windows secure doesn't seem like a bright idea.

This is like banging your head with a hammer and wearing a thick, foam rubber hat so it doesn't hurt as much.

False Positives

[Erasmus+Darwin]

I can think of two false positives off the top of my head where legit traffic would get unfairly throttled:

Web-based message boards -- Several of the message boards that I'm on allow users to include inline images. However, the users are responsible for hosting the images on their own servers. So a given page full of messages could easily add an extra 10 hosts to the "fresh contact" list, causing a 10 second delay. Furthermore, at least one of the message boards has a large enough user population that the "recent contact" list wouldn't help out enough at reducing the delay.

Half-Life -- The first thing Half-Life does after acquiring a list of servers from the master server list is to check each one. For even a new mod (like Natural Selection), this can be hundreds of servers. For something popular (like Counter-Strike), it's thousands.

Intergral tripwire.

[HighTeckRedNeck]

What we need to do is use all the extra cycles of the average computer waiting on its user to press a key to search for things that don't belong just like biological immune systems expend energy looking for invaders. Virus scanners are a start for recognizing intruders but only after they get recognized by antivirus writers and then distributed to the few that will pay and update. This gives the virus a long head start and "sheltered hosts". The operating system should use the spare cycles to do a tripwire style scan of the rest of the system. The faster an intrusion is found the less time it has to create trouble. Areas like user storage will be problematic but such security measures should be integral to the system administration and operation at the operating system code level.

Further it should be (putting on fire suit) a function of the government to finance an independent system to publicize standardized virus recognition fingerprints. Then it should be integral to the operating system to run a scan as part of the executable load function. This would be justified as protecting commerce. This won't solve the problem of "script" viruses that play off the integration features of Microsoft products but that can be dealt will by requiring Microsoft to produce products that actually ask for permissions from the user before doing stupid stuff. Sometimes a parent just has to take control of their offspring. Either that or firewall off anyone using Microsoft products, most of them are so non standard they aren't hard to recognize. Many places don't let Microsoft attachments go through and it has saved them a lot of lost time. XML and other standard formats work just fine and are interoperable with other systems.

Do unto others as you would have done to yourself, don't let America become like Israel. It is un-American to support human rights violations, support justice in Palestine.

Re:Umm, I don't buy it. That's good because ...

[twitter]

... the solution is generally free. You say:
How about, instead of throttling network access, we move to more reliable code, better access controls at the kernel level, and a hardware platform that makes buffer overruns and stack smashing a thing of the past. While I am anti-MS, Palladium does actually have some good ideas on the hardware level. Is the DRM level that stinks to high heaven.

I've got good news for you. The average free *nix already has more reliable code with better access controls at the kernel level. You can check it out for yourself because the software is free, unlike that other silly stuff you mentioned from a particular abusive and convicted vendor, caugh, MicroSoft. Heck, you could even just use a mail client that does not run as root and does not automatically execute commands sent from strangers, like most free software. Way to go!

I've also got bad news for you. Buffer overflows can not be defeated at the hardware level in a general purpose computer. Why is left as an exercise for the reader, but a shortcut is that Microsoft says it will work.

and the next generation of viruses

[painehope]

would probably just look at the IPs commonly in the history file, and put in the entire range of IPs for that subnet, then begin making connections. once you're infected, you're screwed. the same as we have viruses that currently disable firewalls, we also will have viruses that circumvent this as a matter of routine...

If you don't kill it, you may just piss it off...

The only reason a virus doesn't wipe your
hard disk out is because it's making use
of the computer to infect others. If this
idea goes into use, guess how long it'll
take before a virus spreads in a manner
where it doesn't crash machines that let
it spread, but totally destroys those that
don't.

I think you better kill the virus, or
you're only likely to piss it off...

Virsuses

[Fascist+Christ]

How soon we forget that the stronger we make our antibiotics, the stronger our viruses become.