Internet Immunization
xav_jones writes "Nature.com reports on computer experts from Israel who are proposing a different strategy for combating fast-spreading worms and viruses -- one in which the fix can, theoretically, keep up with or stay ahead of the malicious code. They 'propose a system in which a few honeypot computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its signature across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.' The honeypot computers would reside in a secure, dedicated network. For 'roughly 200 million computers ... [with] just 800,000 [(0.004%)] of them acting as honeypots [it] would restrict a viral outbreak to 2,000 machines.'"
Except that no system is perfectly secure.
And once someone finds a hole in this magic system, it will become the most effective means of distributing viruses ever invented.
"The honeypot computers would reside in a secure, dedicated network." Wouldn't that make it just a little difficult for the honeypots to contract a virus? Or is this some new definition of the word "secure" that I'm not familiar with?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
...for the ~1 million honey-pots, their connectivity, and their management?
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
Great... until, of course:
1) Worm writers figure out a way to avoid them or
2) Someone decides to use the "honeypots" to attack the network itself by flooding it with slightly different worms, making the signal to noise ratio patently obscene.
So now, instead of getting spam for viagra, I get spam for v1agra, vi4gra, vyagra, viegra, etc.
Virus writers will just add mutational code to their virus, so each instance of infection will have a unique signature.
...or is this not so different from the way anti-virus packages distribute updated signature lists? The TFA uses a lot of biological metaphors, but if you s/honeypot/anti-virus research lab/ this is pretty much the same thing everybody does already. The bit about creating faster-than-virus "wormholes" is mentioned kind of as an afterthought, when, really, it's the most important (and problematic) aspect of the whole plan.
I make it 0.4% ...
Ok, I think I figured it out!
If I find out a way to infect the signal the honeypots are sending out, then I can infect even more people, because the people relying on the honeypot machines won't be running anti-virus programs themselves.
Hmm, that would be fun!
I like the magic part where this incredibly advanced piece of software figures out that the machine has been infected. It's so smart, in fact, it can figure out what viral signature can uniquely identify it.
Ya know, if ya had some code that could reliably identify virii without signatures, wouldn't we all be running *that* on all our desktops?
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
You want to create a network of machines that are vulnerable to viruses/worms/other baddies, provide a full index of these computers and their addresses on a huge number of central servers, and then you want to deliberately expose those central servers to malicious code?
Is that what I'm reading? If that's so, then count me out. I can't take care of my own, thankyouverymuch.
if(!toilet_paper) roll.replace(new roll);
...we could just not use operating systems which have abysmal security. You know, the one that attracts malware in the same way a magnet attracts iron ore. Yeah, you're right, that's crazy talk.
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
All the training in the world doesn't completely stop the problem. Keep in mind, many of the vulnerabilities out there today aren't just a simple gets() flaw; they result when two otherwise secure modules interact in an unforeseen, and nigh unforeseeable, way. Some security training will prevent most of the problems, but nothing you do will completely eliminate them. And no, going with a Virtual Machine approach still isn't 100%. Heard about the recently discovered Limewire flaw?
And as for teaching average joe, we've been trying that for years. I've known people my age (college age that is) who were raised around computers and know *how* to play it safe, but they skip the firewall, virus scanner, etc. because it slows their computer a bit. They *know* not to click on Britney's image, but the self-propagating worms don't need you to click sometimes.
Standards like you envision for computer software only work in extremely well defined environments; a general purpose desktop/laptop has too many variables to algorithmically weed out all problems.
Why do they need dedicated honeypots? Why not just include software in SMTP servers that lets them notify each other when they identify a virus locally? An SMTP operator could subscribe to several dozen peers, in a network of trust. When their own threshold of peers reporting the same virus is reached, they've got a hit.
Maybe this is a good application for the Usenet tech, to flood the trust networks with info rapidly, reliably, and without a centralized authority that itself can be attacked or otherwise compromised. Most of this tech already exists. We don't need 800K new servers that do nothing else, when we've got even more that also serve mail. Maybe the researchers are setting up a spinoff security network. But their research actually points to a better system than relying on them for more than the starting point.
--
make install -not war
There are already appliance makers that do this very thing: identify malware and viruses, and signal the others, usually in the guise of spam control appliances.
Webs of early notifiers are also not a new idea; look at the honeypot networks that are on the web, the honeypot project, and so on.
The containment cited is theoretical, subject to the ability to correctly identify behavior, and doesn't prevent users from clicking on URLs that have malware, or filter signatures that have fast breakout behavior.
And so, the merit of the Nature article is in question. It's just a PR release in disguise.
---- Teach Peace. It's Cheaper Than War.
I'm sure this system would work if the honeypots were evenly distributed among IP blocks but they simply can't be (huge chunks of the IPv4 address space are already taken). A worm might infect hundreds of thousands of computers before ever hitting one of the honeypots. Even if the honeypot gets it and sends it to an AV company, and they issue an immediate update, it takes hours for everyone to get updated. History's most damaging worms were able to infect millions of computers within this kind of timeframe.
Also, what if someone manages to find one of these honeypots and sends an exploit with a payload containing a competitor's software signature? Would the AV company start issuing immediate updates? What kinds of systems are in place for preventing this?
With an automatic response like that, I wonder if virus writers would learn to craft a virus that caused the sentinel program to generate a signature that removed/damaged important files (or otherwise wreaked havoc) on the computers they were supposed to protect. Cause an autoimmune response, if you will.
Only if you don't know the difference between a percent and a ratio.
It seems to me that it would be possible for a virus writer to: 1) Identify one of the honeypot machines - there's probably a couple of ways to do that... 2) Target this honeypot machines by sending it an endless array of viruses with different signatures, thereby keeping all the systems using it for security darn busy updating their definitions -- DoS... 3) ...
4) Profit!
--
Lord Kelvin, president, Royal Society, 1895 "Heavier-than-air flying machines are impossible."
The difference here is that Lord Kelvin said it before it had been done.
The problem, boiled down to its smallest, is to find inputs to the computer which cause it to emit bad outputs (e.g. cause it to try to spread the worm). We control the honeypot, so we can strictly classify what good outputs are (generally nothing, or some small set of fixed responses)--everything else is therefore bad. Any message to the honeypot, therefore, can be easily classified into causing a bad output or not.
If our signatures are composed of the inputs (in their entirety) which cause bad outputs, there can be no false positives--if that input is fed into the same system, it will spread the worm. Hosts receiving the signature can verify this by testing the signature in a virtual machine. "Gee, I fed it into my machine, and it started spewing traffic all over the place! Guess that really is a worm."
This is less than ideal for polymorphic worms (because you only get one signature), but polymorphic worms are slower than non-polymorphic ones, so they aren't as much of a threat (there are techniques for detecting polymorphic worms but they have non-zero (but quite small) false-positive rates). Also, worms which don't cause the honeypot to output anything for a long time can also slip by with false negatives. But if the worm takes a long time to spread itself, then it is, by definition, NOT a fast-spreading worm, and NOT the target of an automatic immune system.
Most work makes a trade-off between a small false positive rate and faster/more powerful detection--here, false positives are measured in 1 in a billion, or even lower. They also shortcut the detection some--you just need to be running code that wasn't on the machine to start with. Unless your web server is in the habit of accepting code from strangers to run, this is a surefire indication of a bad input.
Of course, these improvements aren't necessary to show that it is possible to have zero-false-positive detection; the scheme I describe above will work. Everything else is tradeoffs to make it faster, more sensitive, etc.
If you don't want to "wade" through lots of work, try just one: Vigilante. Unlike the paper from the story, Vigilante is actually implemented, and has been tested on simulated worm outbreaks using real worms. It also covers the current art of the field.
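As an added illustration of the whole-input-as-signature scheme argued in the post above (not code from the post, the Nature paper, or Vigilante), here is a constructed Python model: a toy service with a simulated bug stands in for the honeypot, anything outside its fixed reply set counts as a "bad output", the entire triggering input becomes the signature, receiving hosts replay it in an isolated copy before trusting it, and the last check shows the polymorphism caveat the post concedes (a one-byte variant slips past an exact-match signature). The service, its reply set and the `EXEC:` marker are all made up for the model.

```python
"""Toy model of zero-false-positive honeypot signatures (constructed example)."""
from typing import Callable, Optional, Set

# The only outputs the honeypot is expected to emit; everything else is "bad".
GOOD_OUTPUTS: Set[bytes] = {b"200 OK", b"400 BAD"}


def toy_service(request: bytes) -> bytes:
    """Constructed stand-in for a network service with a simulated flaw:
    well-formed requests get a fixed reply, but a request carrying the made-up
    marker b"EXEC:" makes the service 'run' the rest and emit it as outbound
    traffic, which is not in GOOD_OUTPUTS (i.e. the worm spreading itself)."""
    if request.startswith(b"EXEC:"):
        return b"OUTBOUND " + request[5:]  # simulated propagation traffic
    if request.startswith(b"GET "):
        return b"200 OK"
    return b"400 BAD"


def honeypot_classify(request: bytes,
                      service: Callable[[bytes], bytes] = toy_service) -> Optional[bytes]:
    """Feed the input to the honeypot. If the output is off the allow-list, the
    whole input is the signature; otherwise there is nothing to report."""
    return request if service(request) not in GOOD_OUTPUTS else None


def verify_signature(sig: bytes,
                     service: Callable[[bytes], bytes] = toy_service) -> bool:
    """What a receiving host does before trusting a broadcast signature: replay
    it against an isolated copy of the same service and confirm it really
    produces a bad output. A forged or harmless 'signature' fails this check."""
    return service(sig) not in GOOD_OUTPUTS


class Sentinel:
    """Per-host filter that blocks exact replays of verified signatures."""

    def __init__(self) -> None:
        self.blocked: Set[bytes] = set()

    def accept_signature(self, sig: bytes) -> bool:
        if not verify_signature(sig):
            return False  # refuse signatures that do not reproduce the bad output
        self.blocked.add(sig)
        return True

    def allow(self, request: bytes) -> bool:
        # Exact-match only: a mutated variant of the same input is not caught,
        # which is precisely the polymorphic-worm weakness of this scheme.
        return request not in self.blocked
```
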