Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sandia Studies Botnets In 1M OS Digital Petri Dish

Posted by kdawson on from the million-bottles-of-wine-on-the-wall dept.

Ponca City, We love you writes "The NY Times has the story of researchers at Sandia National Laboratories creating what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of botnets. Sandia scientist Ron Minnich, the inventor of LinuxBIOS, and his colleague Don Rudish have converted a Dell supercomputer to simulate a mini-Internet of one million computers. The researchers say they hope to be able to infect their digital petri dish with a botnet and then gather data on how the system behaves. 'When a forest is on fire you can fly over it, but with a cyber-attack you have no clear idea of what it looks like,' says Minnich. 'It's an extremely difficult task to get a global picture.' The Dell Thunderbird supercomputer, named MegaTux, has 4,480 Intel microprocessors running Linux virtual machines with Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft. MegaTux is an example of a new kind of computational science, in which computers are used to simulate scientific instruments that were once used in physical world laboratories. In the past, the researchers said, no one has tried to program a computer to simulate more than tens of thousands of operating systems."

11 of 161 comments (clear)

  1. Life imitates XKCD by Tackhead · · Score: 5, Interesting

    Once again, life imitates XKCD: Network.

  2. Is that really a windows environment? by damn_registrars · · Score: 5, Interesting

    I understand not wanting to buy 1M windows licenses; I am of the persuasion that is not inclined to buy 1 license.

    However, the summary seems to claim that Wine == Windows environment. I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Is that really a windows environment? by mcrbids · · Score: 5, Insightful

      I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?

      WINE is an implementation of the Win32 API. Since the *target* of WINE is to emulate Windows, then in order to be successful, it must implement the bugs as well. So the better WINE is, the better it runs *ALL* Windows software - including the viruses and malware!

      I would assume (ass + u + me) that they've done enough unit testing on the particular botnet software in question to determine its compatibility with WINE, and so long as this compatibility is sufficient, then this could be a very useful test environment. It's the botnet being studied, not Windows itself!

      Another example: Windows 2000. I build data management software. I test with Windows 2000. Not because Win2000 is an example of the latest greatest from MS, but because it costs me nothing extra and runs nicely in a VM. Since the only O/S features I care about are those that are already present in Win2000, it creates a very useful test environment despite lacking many pieces present in later OS versions.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  3. A few notes from Ron Minnich by coreboot · · Score: 5, Informative

    Hi, Ron here. Just thought I would mention a few things.
    I love the "life imitates xkcd" aspect. :-)
    We're well aware that Wine is not quite enough to run many windows bots. Until a year or so ago, however, there was a researcher in North Carolina running Storm under Wine, but he told me that that effort ended when Storm added a kernel driver. We've got some ideas in that area. We expect that implementing them will cost less than 1 million Vista licenses.
    I was surprised to find I have become a cybersecurity expert! What I really am is an HPC expert who is using HPC tools and resources to build a system for studying cybersecurity phenomena on a millions-of-nodes scale.
    Doing anything with a million of something gets interesting fast. There's a lot of interesting challenges.
    Thanks
    ron

    1. Re:A few notes from Ron Minnich by coreboot · · Score: 5, Informative

      We will probably approach MS at some point, if it appears to be necessary, and see if they are interested. I do have friends there who might be interested in what we're doing.
      The biggest limit we've found on the VM side is memory footprint of the VM guests, and it's very easy to control that with Linux; harder with Windows. We have some ideas in that area too, but it's way too early to speculate on them.
      But from my point of view, it is a lot easier to do this kind of work in Linux than in Windows (I have done NT drivers in a past life), not least because of the openness of the environment. Hence, I'd rather try to find a way to make it all work on Linux.
      Consider this work the beginning of the story; it's not even chapter 1, maybe it's the preface. There's a lot of work left to do. There's a lot we still don't know.
      thanks
      ron

  4. Re:WINE by monopole · · Score: 5, Funny

    I hope Microsoft issues a statement that only Genuine Windows software can fully support viruses and malware in an effective fashion.

  5. I would guess it wouldnt' be a problem at all by Sycraft-fu · · Score: 5, Interesting

    I work for a university and MS is extremely generous with academic licensing. When it is for academics, like education or research, it is actually no cost. For infrastructure it does cost, but not very much. I bet if they asked MS, MS would give them all the licenses they needed for little or no cost.

    For that matter, they might be eligible for volume licensing. That is where you pay a fixed yearly fee and get an unlimited use of the software it is for. Often that is based on total academic headcount, which might not be very much.

    Regardless, if they asked I'd give good odds MS would figure out a way to offer them a good deal.

    I'm also with you that if you want to study something, you need to run it on the actual environment. Wine is a neat idea and a neat goal, but anyone who has made use of it for more than simple testing well tell you that it has some serious issues. Not only do things not run, worse is that they'll run but not completely correct. For a user this might be fine, something works in a bit of an unexpected way, you just work around it. For research though, it could mean your conclusion is invalid.

  6. Re:WINE by Eighty7 · · Score: 5, Funny

    In other news, Miguel de Icaza said that he believes botnet support is a good idea. Linux should support malware because Microsoft is going to win anyway, so linux would better be prepared if it doesn't want to be locked out of the future markets, and presented a beta version of the software. Members of the Mono project are participating in the standarization.

  7. What about Norton Antivirus? by node+3 · · Score: 5, Interesting

    What about Norton Antivirus? Specifically they should run a second experiment with a simulation of 1 million systems running Norton Antivirus, and compare the results of the first test to see which has the greatest adverse effect...

  8. Re:I've got an easier way by caramelcarrot · · Score: 5, Insightful

    Simple rules can give rise to complex behaviour. Who knows what the botnet might do? It could have harmonic resonances, it could have phase changes at critical infection rates, it could do all sorts of interesting and complex behaviour. Looking at the source code won't tell you any of this.

  9. Old News... by davevr · · Score: 5, Funny

    There is already a system running somewhere around 420 million windows machines in a semi-private walled-off version of the internet, with no license fees paid to Microsoft, hosting several botnets and just about every virus under the sun.

    It is called "China".