The Biology of Network Security
Bob Brown writes "A University of New Mexico researcher is taking lessons from biology and using them to try to stymie hackers and viruses. Projects such as RISE attempt to secure computers and networks by promoting application diversity." From the article: "Diversity of systems and applications can play a key role in safeguarding computers and networks from malicious attacks, Forrest said. Her team published a paper last year on a system dubbed RISE (Randomized Instruction Set Emulation) (PDF) that randomizes an application's machine code to stymie would-be attacks, such as those launched via binary code injection."
Gee, ya think?
Forrest's team got around this issue by building its technology atop virtual machine software dubbed Valgrind that she said provided flexibility because it is open source but that is not as efficient as she would have liked.
Gee, ya think?
Forrest acknowledged that the RISE system is unwieldy in some ways and still has kinks to work out...
Gee, ya think?
Would that include extinction of species with inadequate immune systems?
"We already have malicious code that can replicate and spread itself. The only thing we're missing in terms of real Darwinian evolution is mutation,"
Nope. Polymorphic viruses are not really unknown. Right now, as we speak, they are making a comeback.
Although a good article, I'm sorry but I don't see the new angle on system diversity. Although it is true that it improves security, this has been going on for years in most mid to large size IT departments.
The key point in network security is diversity and multiple layers of security. When there is a fault (due to whatever cause) in one of the layers, only that layer will be compromised and no real severe damage is done.
Of course it is important that those layers are created and maintained by several entities.
A simple example:
- Have your network guys maintain your firewalls
- Have all traffic go through an application gateway which is maintained by a third party.
- Have system administrators to secure the system
Of course adding layers increases costs and security.
As for mutation aka polymorphism (she talks about this at the end of TFA), doesn't she know about virii having built-in mutators? And metamorphic code does almost the exact same thing she's talking about in RISE.
"This is a little tricky because we don't want to make everyone write their own operating system or e-mail reader from scratch or even learn a new interface," Forrest said.
Speak for yourself, this is a lifelong obsession.
A wise man once said - 'Never connect to the internet and your troubles will be few.'
So, what happens when someone finds a way to either a) run code right on the hardware and bypass the virtualization, or b) finds some small snippety of code (a binary prion, perhaps?) that plays hell with this RISE? I mean.... Mad Cow Disease is a prion.... Mad Computer Disease next?
Sure, in biology, differences help make the species stronger. Not true in IT. Which is harder to maintain, a shop full of [InsertOSHere] standard PCs, or a mixed environment with different hardware, different OSs, and different applications? Sure, it might lessen the potential vulnerability to various viruses and other automated tasks, but at what cost? Suddenly instead of needing one or two specialized skill sets, you need lots. Not to mention the fact that the more environments you support, the more likely you are to have a security hardened environment.
The biology of network security... is that when the lead batteries in UPSes go bad, spring a leak, and make the surrounding area smell like an open sewer for a few days before people realize it's not a sewer problem from a nearby restroom?
Or would that be when the air conditioning guys pump coolant fluid through a garden hose in the false ceiling space until the hose explodes and sends all this green goo crashing down on the sys admin's brand-new 19" monitor, nearly nailing the sys admin?
Does that make me a biologist since I witnessed these events first hand at one of the companies I worked for? Cool! I'll put that on my resume.
How about this lesson from biology: animals need to reproduce.
So the solution to stop having crackers breaking in to things?
Mandatory sexy girls for all geeks!
Would you kindly mod me +1 insightful?
But this is exactly the kind of thing large companies are trying to get away from. FTA:
Making each computer unique would make life a lot tougher on attackers, she said.
This is costly for companies with large networks as it requires too much overhead to manage this kind of a diverse network.
"This is a little tricky because we don't want to make everyone write their own operating system or e-mail reader from scratch or even learn a new interface," Forrest said. "The look and feel of the program and underlying functionality when it computes needs to somehow be constant."
The solution used for these problems was VM software. The problem is that running this on each machine is going to consume valuable resources. Having said all that, I think this could lead to a valuable security solution, but it sounds more useful for large networks/companies than it does for the everyday user. Thus, it needs to pass the Executive smell test (which is always dollars). IMHO, practicing a layered approach to security using several hardware and software layers is the closest and best currently available alternative.
Wouldn't allowing each app to have its own instruction set create yet another kind of programming bugs, and make debugging really hard?
My Windows machine already performs plenty of "Random Instructions", thank you very much.
Marcus Ranum's opinion
-----------------------
Monoculture Hype Alert!
NSF Grants Two Universities $750,000 to Study Computer Monocultures (25 November 2003)
With the help of a $750,000 National Science Foundation grant, Carnegie Mellon University and the University of New Mexico will study computer "monocultures" and the benefits of diverse computing environments. "The researchers intend to create an application that could generate diversity in key aspects of software programs, thus making the same vulnerability less effective as a means of attack against the population as a whole."
$750,000 to sit around and whine about Microsoft? How do I get a gig like that?!
The Myth of Monoculture
Recently, my friends Dan Geer and Bruce Schneier (along with other smart people) published a paper postulating that our computing environments are at risk of security disasters because of a "Microsoft Monoculture." This paper has gotten a tremendous amount of attention lately. Unfortunately, I think that many of the paper's proponents have forgotten that the paper is an analogy and not real science. Arguing by analogy is illuminating but also distracting.
See the following link for the full opinion on "The Myth of Monoculture":
http://www.ranum.com/security/computer_security/editorials/monoculture-hype/index.html
It's a novel concept, but I can't picture how it would work outside of Open Source software.
To run a program on such a chipset, it must be specifically compiled for that chipset. So for commercial applications, you either require a separate version for every possible chipset, or a method for the user to compile it for their computer. The latter isn't rational - all it takes is a single unscrupulous user to leak the code, the program gets out of your control. As for the former, I can picture going to a store and being told, "Oh, sorry. We're all out of Office for Chipset 0xDEADBEEF. Is Chipset 0xDEADBEEE ok instead?"
How are companies supposed to distribute copies of their closed, binary only applications. I cannot see Microsoft willing to let users compile their own copies of windows, office, exchange, visual studio, etc to match their architecture. I cannot see Microsoft compiling binaries to match a user's given architecture. I even more cannot see the average person being able to successfully do this on their own. Imagine introducing the nearest lay person you know to Gentoo and telling them to get a system operating, they'd be dumbfounded even with instructions. "Compile from source? What does that even mean?"
The only solution possible is if there's a compatibility layer that will run binaries on any machine... A VM perhaps... and this would just allow viruses to run anyway and defeat the entire purpose of such an architecture to begin with.
This is truly wishful thinking at its finest
This would appear to be an attempt to increase security by hiding the instruction set. Security through obscurity is not effective for long and anyone interested in hardening their system would be much better advised to use defence in depth.
In the tradition of Slashdot, I have not RTFM but I imagine that this technique would not help with non-binary code injection (e.g. SQL).
However, increasing the diversity is a valid weapon against scripted attacks (including those real-world, RNA scripted viruses). Perhaps we should encourage the proliferation of incompatible GNU/Linux distros? Or encourage Bill to come up with even more versions of Windows Vista?
Unfortunately, Internet protocols work best when everyone uses the same rules. So the most important vectors for intrusion have to remain standard. Come to think of it, it's those pesky protocols that are causing all the trouble!
Wow, what a boring article. Is it just me or is this the old concept of address space layout randomization (first implemented in 2000 in PaX, then subsequently stolen for BSD), which has nothing to do with biology, except for the obvious tie-in with the monoculture argument?
Here's a real application of biology to computer security: automatic classification of malware. Know what family a new piece of malware belongs to without any human being having to analyze it manually. Fascinating paper.
Essentially the final instruction sets are weak encryption on one base instruction set. If a virus were to attempt to inject itself as running code, it would be bypassing the encryption process.
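The "weak encryption on one base instruction set" point above, as an added example that is not RISE's own code: a toy stack machine whose loaded code is XOR-scrambled with a per-process key, so properly loaded code runs while the same bytes dropped into memory unscrambled decode to garbage. The instruction set, program and fixed key are constructed for this example; the last function measures how often a random key happens to let the unscrambled bytes through, which is the caveat that the key is the only secret.

```python
import random

# Added example, not RISE's own code: a toy stack machine whose loaded code
# is XOR-scrambled with a per-process key, emulating a randomized ISA.
PUSH, ADD, PRINT, HALT = 0x01, 0x02, 0x03, 0x04

# Constructed program: push 2, push 3, add, print, halt (expected output [5]).
PROGRAM = bytes([PUSH, 2, PUSH, 3, ADD, PRINT, HALT])
# Constructed fixed key so the example is deterministic.
KEY = bytes([0xA5, 0x3C, 0x7E, 0xD1])

def randomize(code, key):
    """Scramble code at load time: XOR each byte with a key byte chosen by
    address. The emulator undoes this on fetch, so only code loaded this
    way decodes to valid instructions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))

def run(image, key, max_steps=64):
    """Emulate an image. Every fetched byte is de-randomized with the key
    before decoding; bytes that were never scrambled decode to garbage."""
    pc, stack, out = 0, [], []
    fetch = lambda addr: image[addr] ^ key[addr % len(key)]
    for _ in range(max_steps):
        op = fetch(pc)
        if op == PUSH:
            stack.append(fetch(pc + 1)); pc += 2
        elif op == ADD:
            b, a = stack.pop(), stack.pop(); stack.append((a + b) & 0xFF); pc += 1
        elif op == PRINT:
            out.append(stack[-1]); pc += 1
        elif op == HALT:
            return out
        else:
            raise ValueError(f"illegal opcode 0x{op:02x} at address {pc}")
    raise RuntimeError("step limit exceeded")

def legit_run(key=KEY):
    """Normal path: the loader scrambles the program, the emulator runs it."""
    return run(randomize(PROGRAM, key), key)

def injection_traps(key=KEY):
    """Injection path: the same bytes sit in memory unscrambled (as written
    by a memory-corruption bug would be). True if the emulator rejects them."""
    try:
        run(PROGRAM, key)
        return False
    except (ValueError, RuntimeError, IndexError):
        return True

def injection_survival_rate(trials=2000, seed=1):
    """Fraction of random 4-byte keys under which unscrambled PROGRAM still
    reaches HALT: the 'weak encryption' caveat, since the key is the only secret."""
    rng = random.Random(seed)
    survived = sum(not injection_traps(bytes(rng.randrange(256) for _ in range(4)))
                   for _ in range(trials))
    return survived / trials
```

Two processes given different keys hold different images of the same program, which is the diversity the article is after; both still run it correctly.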
That depends on whether the weakest creature happens to have a monopoly stranglehold on the PC desktop market, and a proven interest in manipulating the political system to keep it that way.
Tech support for large companies is tough enough as it is - throw deliberate diversity into the mix and support would become a nightmare.
that randomizes an application's machine code
I think they got ahold of your pc! Either that or you just can't type.
Cockroaches don't fight off infections. Their systems are designed/evolved to work in spite of infection. This makes them dangerous for creatures that do fight off infections. This also seems to be the direction Microsoft Security is headed. And no, Palladium doesn't stop infection via security flaws. It only stops infection via idiot users.
....sorry.
Our programmers already use "random instructions" in a lot of applications. As in, try this and see if it works.
In theory this might work to provide slower spreading infections; in practice it will cause more problems than it solves.
As a security practitioner for more than ten years, I can tell you that this type of diversity makes security management more difficult. Can you imagine trying to troubleshoot a problem when you don't know what the code is supposed to look like this time, or where it loads this time, or how it interacts with other components this time?
I can also say that pretty much without exception, from a security perspective I recommend all of my clients create a standard base from which to build their enterprise systems. Standardization makes patching, maintenance and forensics much easier. This does not mean that I recommend all systems are deployed on the same platform, just that for each platform, application, system, the configuration and versions are the same.
While it is true that diversity can be helpful and a totally homogenous environment is bad for security - dynamic, morphing applications just smells like trouble to me.
We already have malicious code that can replicate and spread itself. The only thing we're missing in terms of real Darwinian evolution is mutation
Actually there is code that does just that, but as far as I am aware genetic programming hasn't been used to make viruses.
how is this different from code obfuscators?
A computer virus that followed Darwinian evolution (as I understand it) would make copies of itself, each with a small change, and execute it. Eventually, (infinite monkeys at infinite typewriters) it will create a better virus. Repeat infinite times.
I came up with an idea like this many years ago - my company wasn't interested in patenting it, apparently because they already had their own pet virus-fix idea under development.
Implementing it would have been pretty trivial, with no run-time performance penalty and only a tiny hardware addition.
If everyone is sharing code from everybody else, how much code will be unique enough to really achieve diversity?
The attacks will just be targeted at stuff that is used by more people. In order to do this you must use a bunch of proprietary stuff! Think about it.
Not being a Linux person, I ask - how much of the kernel is really different between all the flavors?
Now granted, you can do some stuff to break exact binary injections, but what about the basic exploit?
Seems to me Gentoo is the ideal candidate for this type of thinking. With the variety of hardware out there, the combinations of assembly boggle the mind.
A 2005 paper by David Evans, "Where's the FEEB? The Effectiveness of Instruction Set Randomization", demonstrates how to remotely determine the key for this protection scheme in under 6 minutes. The paper goes on to examine diversity defenses more broadly, looking for schemes that might be resistant to such attacks. The author also gave an interesting talk at the USENIX Security Symposium on What Biology Can (and Can't) Teach Us About Security, which is probably a better paper for this article to point to.
So, isn't RISE (Randomized Instruction Set Emulation) similar in concept to PIC (Position Independent Code)?
If you want to secure computers via the Linux route then Hardened Gentoo is a good way (follow the Resources links in section 6).
PaX is a hardened Linux kernel using ASLR (Address Space Layout Randomization) to support applications built as a PIE (Position Independent Executable) and to provide non-executable memory (NX).
PaX home.
PIE/SSP (Position Independent Executable)/(Stack Smashing Protector) (follow PaX link)
When an application is built as a PIE (Position Independent Executable) the code can be randomized on load and the NX bit set on certain parts of the application. At run time, when a buffer is created, SSP adds a secret random value called the 'canary' to the end of the buffer.
MAC (Mandatory Access Control) (follow Hardened Gentoo link)
Hardened Gentoo supports 3 access control solutions: SELinux, grsecurity, and RSBAC.
PIC Introduction and Internals.
Other references:
Hardened Gentoo Primer
SELinux is supported by the NSA (National Security Agency) of the USA.
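The SSP canary described in the post above, as an added example that is not PaX or SSP code: a simulated stack frame laid out as buffer, canary, saved return address, an unbounded copy into the buffer, and the epilogue check that compares the canary before the return address is used. The frame sizes and the return-address marker are constructed for this example.

```python
import os

# Added example, not PaX/SSP code: a simulated frame showing what the SSP
# 'canary' check detects. Layout, low to high address, as on a descending
# stack: [buffer][canary][saved return address].
BUF_SIZE = 16
CANARY_SIZE = 8
RET_SIZE = 8

def make_frame(canary):
    """Constructed frame: zeroed buffer, the canary, then a fake return address."""
    ret = (0xDEADBEEF).to_bytes(RET_SIZE, "little")  # constructed marker value
    return bytearray(BUF_SIZE) + bytearray(canary) + bytearray(ret)

def unsafe_copy(frame, data):
    """Mimics an unbounded copy into the buffer (strcpy-style): anything past
    BUF_SIZE clobbers whatever sits above the buffer. No length check, by design."""
    frame[:len(data)] = data
    return frame

def function_return(frame, canary):
    """The prologue stored the canary; the epilogue compares it before trusting
    the saved return address. Returns that address, or raises if smashed."""
    stored = bytes(frame[BUF_SIZE:BUF_SIZE + CANARY_SIZE])
    if stored != canary:
        raise RuntimeError("stack smashing detected")
    start = BUF_SIZE + CANARY_SIZE
    return int.from_bytes(frame[start:start + RET_SIZE], "little")

def call_with_input(data, canary=None):
    """One call: a fresh random canary (per process in real SSP), copy, return."""
    canary = canary or os.urandom(CANARY_SIZE)
    frame = unsafe_copy(make_frame(canary), data)
    return function_return(frame, canary)

def smashed(data):
    """True if the copy of this input was caught by the canary check."""
    try:
        call_with_input(data)
        return False
    except RuntimeError:
        return True
```

Because the canary is random and unknown to the input, an overflow that reaches the return address cannot leave the canary intact except by chance, which is why the value must be both secret and fresh.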
" The following Federal Bureau of Investigation job was just posted at https://jobs1.quickhire.com/scripts/fbi.exe "
Job # HO-2006-0045 (0080 Security Specialist) $108,145.00
Is this really just a test of whether a real IT person would:
1. Click a link from inside an Outlook variant?
2. Navigate to a folder called "scripts" using a Microsoft product?
3. Start an immediate download of a Windows EXEcutable?
Submitted for your approval -- I am not making this up(TM)
It's easy to make a binary that is less subject to unknown attacks than the factory versions. I've been doing this for years and it's not too hard. Start by building everything from source. Find the link order and change that around. Look at the build options since you may not need that -O2. There are programs that will rearrange the order of the variables, which changes the stack order, and some will even rearrange the calling order. You can even add filler as well. If you're going to rebuild an entire OS, you could go so far as to reorder the constants in /usr/include before you rebuild it. If a program expects syscall 4 to be open() and you've changed it to select(), their code is going to break real quick.
This idea is an implementation of Automated Diversity, presented in 1977 (!!!), furthermore the RISE method is described here in a paper from 1995.
How about just fixing the Memory Management Unit so that it doesn't get buffer overflows etc.? And don't say it ain't possible.
As for the above I recall reading something similar about scrambling the microcode table and the opcodes in the actual program residing on disk. Since each processor would have its own unique instruction set viruses/trojans would be stopped in their tracks. And what's more you don't have to learn Calculus
I have already produced a truly marvelous implementation of this proposition which this text box is too narrow to contain.