Slashdot Mirror


Open Source Self-Healing Software For Virtual Machines

An anonymous reader writes Computer scientists have developed Linux-based software that not only detects and eradicates never-before-seen viruses and other malware, but also automatically repairs damage caused by them. If a virus or attack stops the service, A3 could repair it in minutes without having to take the servers down. The software then prevents the invader from ever infecting the computer again. "It's pretty cool when you can pick the Bug of the Week and it works." (Here's a paper with more details.)

50 comments

  1. Immune system for operating systems? by Archtech · · Score: 5, Interesting

    The analogy is a big stretch, as it would take a very long time and huge effort to approach the unbelievably complex sophistication of the immune system. But the outlines are there: software that detects previously unknown threats, quickly mobilizes to defeat them, and then stands guard against each (now known) threat in future.

    --
    I am sure that there are many other solipsists out there.
    1. Re:Immune system for operating systems? by Archtech · · Score: 1

      And I simply adore the idea of "stackable debuggers". (Anyone remember Gary Larson's "stackable livestock"?) 8-)

      --
      I am sure that there are many other solipsists out there.
    2. Re:Immune system for operating systems? by __aaclcg7560 · · Score: 4, Insightful

      As a security remediation specialist, I doubt I'll be out of the job anytime soon in repairing systems that won't update on their own. Software can only do so much before it requires carbon-based intervention to fix.

    3. Re:Immune system for operating systems? by Anonymous Coward · · Score: 0
    4. Re:Immune system for operating systems? by Archtech · · Score: 1

      Thanks! Just as funny as I remembered... 8-)

      --
      I am sure that there are many other solipsists out there.
    5. Re:Immune system for operating systems? by Gravis+Zero · · Score: 1

      it would take a very long time and huge effort to approach the unbelievably complex sophistication of the immune system

      so... when do they start integrating it into systemd? ;)

      --
      Anons need not reply. Questions end with a question mark.
    6. Re:Immune system for operating systems? by blue+trane · · Score: 2

      Sadly, it's becoming all too true in factory farming.

      Meat is murder.

    7. Re:Immune system for operating systems? by Burz · · Score: 1

      This is the one thing QubesOS could use to improve its security-by-isolation approach: Detection and repair in VMs. Even if you assume the hypervisor stays safe (and therefore, your trusted VMs stay safe), you're still relying on VMs to get everything done and the VMs doing the risky tasks are vulnerable to attack. It would be nice if those less-trusted VMs could get automatically restored after a successful attack.

    8. Re:Immune system for operating systems? by Anonymous Coward · · Score: 0

      Murder is delicious? Who knew?

    9. Re:Immune system for operating systems? by Anonymous Coward · · Score: 0

      awesome!

      I was reading https://medium.com/@darrenrush/after-docker-unikernels-and-immutable-infrastructure-93d5a91c849e this morning, and I came to where it said:

      > "As my colleague Kevin Goslar suggested, traditional Operating Systems (Linux, Windows) will become extinct on servers. They will be replaced with single-user, bare metal hypervisors optimized for the specific hardware, taking decades of multi-user, hardware-agnostic code cruft with them."

      and my first thought was: wow, systemd will have to move fast to replace shell, perl, python, Go, OCaml, heck even C... Otherwise it risks not even being on these servers.

      sitaram

  2. Wrong approach by sunderland56 · · Score: 1

    So, basically you welcome viruses and malware, but fix up the damage afterwards?

    Sounds like the anti-vaccine crowd. In reality, it is far better to vaccinate and never get sick, than it is to self-repair after you get a virus.

    1. Re:Wrong approach by Archtech · · Score: 4, Insightful

      Er, did you realize that vaccination and other forms of inoculation consist of injecting a small sample of the bacterium, virus, etc. to give the immune system a smell of it? Then the immune system tools up and is ready for the full-scale infection if it occurs.

      One of the many nice things about A3 is that (optionally) sysadmins could emulate inoculation by handing specific details of threats directly to A3 instead of waiting for it to detect them itself. That would eliminate delay and enable A3 to be lined up on the border with tank divisions, a howitzer every 2 yards, and millions of men when the invasion starts.

      --
      I am sure that there are many other solipsists out there.
    2. Re:Wrong approach by kesuki · · Score: 2

      the big problem with self-healing servers has always been getting in a restore lock from a polymorphic virus that essentially causes the machine to spend all its time restoring machines without ever being able to re-detect the polymorphic code.

    3. Re: Wrong approach by Anonymous Coward · · Score: 0

      I'm sure this isn't meant as a first line of defense, but as something to make the effects of a breach less severe on systems that are already well defended.

    4. Re:Wrong approach by joocemann · · Score: 1

      I just don't think you'll find many in the younger crowd of coders to be humble enough to think that 1) their code could be buggy, or 2) that something/someone else could fix it. The only people I run into that talk about hard and true reliable coding as a standard are over 45 years old. All the young bucks think it's impossible. Let's cue up the replies and downvotes (such as calling me a troll when I'm expressing a strong generalized observation) from here on Slashdot to confirm my claims.

    5. Re:Wrong approach by wonkey_monkey · · Score: 1

      So, basically you welcome viruses and malware

      No, of course not. Why would you think that?

      In reality, it is far better to vaccinate and never get sick, than it is to self-repair after you get a virus.

      Nice soundbite, until you remember that there aren't vaccines for every single disease (or even better, when you remember the analogy between the immune system and a server is a tenuous one at best)

      --
      systemd is Roko's Basilisk.
    6. Re:Wrong approach by wonkey_monkey · · Score: 1

      sysadmins could emulate inoculation by handing specific details of threats directly to A3

      Sounds a bit like... well, like practically all other AV software, doesn't it?

      --
      systemd is Roko's Basilisk.
    7. Re:Wrong approach by fahrbot-bot · · Score: 2

      I just don't think you'll find many in the younger crowd of coders to be humble enough to think that 1) their code could be buggy, or 2) that something/someone else could fix it. The only people I run into that talk about hard and true reliable coding as a standard are over 45 years old. All the young bucks think it's impossible.

      I think it's a matter of experience and maturity. I'm 51 and have been a (mostly) Unix system programmer and admin since while in college. I've worked on all sorts of systems from Linux/Windows PCs to a Cray 2 and YMP and I'm used to having to account for the unexpected. I try to teach the young padawans on my team to think about what could possibly go wrong, and discuss this more with others as the importance of something rises, and to expect the unexpected. An example I offer is an error message I once got from Tcsh way back - "Assertion botch: This can't happen!" Obviously this is balanced against how critical the code/usage is and the famous "cheap, fast, good - pick two" triangle along with the practical aspects of customer/contract needs and requirements. I also stress trying to understand *why* something works, or needs to work, the way it does, not just *how*.

      The most important thing seems to be curiosity and a desire to (really) learn and understand how to solve problems, not just solving them. Find the right youngster, give them support and the right environment and some time to learn. Of course, the really hard part is finding the right person.

      Give a man a compiler and he'll generate code; teach him to write a compiler and he'll get hooked on caffeine, go crazy, quit and spend his remaining days curled up in a ball sobbing and muttering about Yacc and Lex - or something like that...

      --
      It must have been something you assimilated. . . .
    8. Re:Wrong approach by Archtech · · Score: 1

      I guess the main difference is that the promises are being made by academics, in a formal paper. Not by salesmen and enthusiastic executives. Far from conclusive, I agree - but it's a step in the right direction. It's probably still a 1000-mile journey, but the first step has to be taken some time.

      --
      I am sure that there are many other solipsists out there.
    9. Re:Wrong approach by Anonymous Coward · · Score: 0

      As best one can tell, this seems to not so much look at the code of the attacker as the part of the target code that gets used, and how it gets used.

      That is, A3 detects an overflow or similar, clamps down, then walks the stack of the target code and locates a suitable place to insert a patch that blocks future exploits.

    10. Re:Wrong approach by ihtoit · · Score: 1

      You do realise that one of the proposed methods of vaccinating against one of the weakest viruses in nature (Ebola) is to inject the patient with live influenza (pretty much the most virulent pathogen in existence) which has Ebola DNA in it?

      Take a leaf from the Nigerians. SIMPLE PHYSICAL ISOLATION DEALS WITH THE PROBLEM. STOP FUCKING OVERTHINKING IT.

      (by the way, I live an active lifestyle, I eat right (none of this chemically-tainted shit - keep your aspartame, I'll stick with xylitol, failing that: sugar), and I stay away from needles. NEVER had the flu, or even so much as a cold. No, I'm not anti-vac, I'm anti-fuck-my-body-up-with-shit-it-doesn't-need, when that includes vaccinations, well, tits to you, my body my choice).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    11. Re: Wrong approach by Anonymous Coward · · Score: 0

      So, what happens when your lack of immunity causes someone else to get sick and, in the worst case, die?

    12. Re:Wrong approach by Anonymous Coward · · Score: 1

      being made by academics, in a formal paper. Not by salesmen

      What's the difference? They need to sell their ideas to rich people to get funding so they can pay their bills too.

    13. Re: Wrong approach by ihtoit · · Score: 1

      That would be down to THEIR lack of immunity, not mine, you fucking tool.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  3. As we say in help desk, get rid of users... by __aaclcg7560 · · Score: 5, Funny

    Once the operating system can self-heal, evolve into an A.I., and network itself across the Internet, getting rid of the carbon-based units will be the next step in self-healing.

    1. Re:As we say in help desk, get rid of users... by Archtech · · Score: 1

      See "The Shockwave Rider", passim. One of the classic definitions of life involves "irritability" (not quite what it might sound like). Brunner's worm demonstrates irritability in both senses; when the authorities try to wipe it out, it retaliates by destroying banking systems.

      --
      I am sure that there are many other solipsists out there.
    2. Re:As we say in help desk, get rid of users... by Anonymous Coward · · Score: 0

      getting rid of the carbon-based units will be the next step in self-healing.

      Prompting a quick response from the AIs running on carbon nanotube and diamond thread based systems. The Holy Silicon Wars begun they have.

  4. Nothing new under the sun by AlphaBro · · Score: 1

    This is a glorified IPS, and those in the know are aware of how ineffective such systems are. You might stop a few skiddies attacking the internet en masse, but this is a speed bump for anything remotely close to an advanced persistent threat.

    1. Re:Nothing new under the sun by vux984 · · Score: 1

      Exactly right. This is just like the human immune system. Ebola is still usually fatal, herpes is still around, so there's no reason to waste energy on the immune system at all; we all know how ineffective it is. :)

    2. Re:Nothing new under the sun by Anonymous Coward · · Score: 0

      I wonder how many APTs try to shut down public-facing services during an attack?

  5. Open Source Extortion by Anonymous Coward · · Score: 0

    I predict this so called open source project is merely a framework. Expect to be extorted for all kinds of expensive service contracts, high dollar subscriptions, enterprise finder's fees, multilateral value added commissions, etc. Open source my butt...

    1. Re:Open Source Extortion by Half-pint+HAL · · Score: 1

      Have you any idea how many ideas have been released free by academics? Clearly not.

      --
      Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
    2. Re:Open Source Extortion by x0ra · · Score: 1

      Come on, this is a buzzword heavy paper. It looks like some team failed to reach their quota of papers...

    3. Re:Open Source Extortion by x0ra · · Score: 1

      and that's a $1,253,976.00 bingo... kinda expansive :-/

    4. Re:Open Source Extortion by Anonymous Coward · · Score: 0

      expansive / expensive ? Both fit. Spelling errors occur so often that I developed an internal autocorrection. This makes reading Slashdot bearable. Only, now my autocorrection barfs. I am genuinely confused...

  6. If you were a real nerd... by Anonymous Coward · · Score: 0

    It would be a PFY, not a Padawan. Dear god how many nerd points do you lose using TPM+ terminology?

  7. or how about by ihtoit · · Score: 2

    enforcing user privileges? But that'd put AV firms out of business! Tough! They can do something else, like fucking grow food.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re:or how about by Anonymous Coward · · Score: 0

      Proper user privs don't do anything to keep exploits from messing up the current user.

  8. WTF? by AqD · · Score: 2

    The author seems completely non-technical. He probably wants to explain things simply to people, but such an article is worthless as it says basically nothing but bullshit.

    What exactly are stackable debuggers? There are experimental projects detecting malware from outside of the VM, but information from that couldn't be too high-level (probably involves re-assembling memory pages and monitoring of key kernel-space tables/code) or stretched into a pure user-space attack like Shellshock. I doubt it could be low-cost enough to monitor real-world applications.

    It fails to clarify several key things:

    - What exactly is "operation that is not correct"? How do they identify it?
    - "stop the virus"? What's the "virus" sending rm -fr / via Shellshock? bash itself?
    - Approximate a repair for the damaged...? What's the damage in bash to allow remote command?

    Unless they probe the contents sent/received via HTTP, looking for pattern of shell commands. But that'd be too cheap!
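
Added example, not from the thread or the A3 project: the kind of HTTP content check AqD calls "too cheap", a scan of constructed combined-format access log lines for the Shellshock function-definition prefix and the command that follows it. The log lines, addresses and paths are made up; the comments note why the check is a partial signal.

```python
import re
from typing import Dict, List

# Trigger shape of the Shellshock bash bug: an environment value that starts
# with a function definition "() { ... }" and carries commands after the "};".
# CGI servers copy request headers into environment variables, so the probe
# shows up in User-Agent, Referer or the request line.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<tail>.+)")

# Apache/nginx "combined" access-log format. Only these fields are logged, so
# a probe carried in a header the format omits (Cookie, Host, ...) never
# reaches this check: header scanning is a cheap signal, not a complete one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '500 0 "() { :;}; /bin/id" "curl/7.37.0"',
]

def find_shellshock_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per logged field that carries a Shellshock-style probe."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format: skip the line
        for field in ("req", "referer", "ua"):
            probe = SHELLSHOCK_RE.search(m.group(field))
            if probe:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "field": field,
                    "status": m.group("status"),
                    "command": probe.group("tail").strip(),
                })
    return hits

def probes_by_source(lines: List[str]) -> Dict[str, int]:
    """Count probing fields per client address, a quick triage view."""
    counts: Dict[str, int] = {}
    for hit in find_shellshock_probes(lines):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["field"]}: {hit["command"]}')
    print(probes_by_source(SAMPLE_LOG))
```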

    1. Re:WTF? by phantomfive · · Score: 1

      What exactly are stackable debuggers?

      It's debuggers all the way down!

      --
      "First they came for the slanderers and i said nothing."
    2. Re:WTF? by ihtoit · · Score: 1

      someone's sniffing for the next plotline for Scorpion...

      I mean, seriously? A fucking cat5 dangling out the arse of an airliner is the only way to get data to a laptop because "it's going too fast"?? I will keep beating the shit out of that show because it is so fucking weak it totally deserves it.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  9. Insert malware and Linux in the same sentence .. by lippydude · · Score: 1

    Viruses and malware are not a problem on Linux platforms as, unlike the Wintel platform, there is a clear differentiation between opening and running a file. As in, the Linux desktop is virtually immune from the click-and-run type of malware that is rampant on the Windows platform. How can 'computer scientists' even write a paper on malware without once mentioning Microsoft Windows !!!

  10. Prevention? by buckfeta2014 · · Score: 1

    The software then prevents the invader from ever infecting the computer again.

    Does this mean it's going to fix bad SSH/FTP configurations, or change insecure passwords? Didn't think so.

    --
    Buck Feta. You know what to do.
  11. Star-Trek inside by x0ra · · Score: 1

    A3 prevention-focused defenses are concentrated in the Crumple Zones (CZs). The CZs essentially impose a space-time dilation upon the application’s interaction

    oh, my... I'll keep reading the paper, but this is already buzzword-bingo ready.

  12. ...and, back to the Future by x0ra · · Score: 1

    We use Xen 3.1.4 with Fedora Core 8 (kernel 2.6.18.8) images for both Dom0 and three DomUs in the prototype A3 environment.

    2.6.18 ? Seriously ?

    1. Re:...and, back to the Future by Anonymous Coward · · Score: 0

      The RH/CentOS/FC kernel is heavily patched by RH and they've not yet moved to a heavily patched 3.x kernel.

  13. Re: Insert malware and Linux in the same sentence by Anonymous Coward · · Score: 0

    What? So on Windows, malware is installed through user click, whereas Linux is remote exploit?

    If you're saying Linux doesn't have malware, go fsck yourself.

  14. Re:Insert malware and Linux in the same sentence . by Blaskowicz · · Score: 1

    Double-clicking on a .deb launches a package installer for me. Indeed it is "open" not "run", but I am not far away from installing some shit. If they bothered, porn sites and ads that masquerade as content etc. would make people download an "install this VLC player to view our porn" .deb piece of crap after determining the computer runs Ubuntu (which I guess is what most home Linux users have, including Mint).
    I've seen it on a semi-old Mac with whatever outdated version of Safari: "fake_VLC_48941.dmg" gets somewhat automatically downloaded; thankfully the OS and browser make it harder to get to the file because Macintosh menus are harder to use.

  15. Yes, but... by Anonymous Coward · · Score: 0

    then it removes systemd also?

  16. Not for Consumers uh huh by Bruha · · Score: 1

    "There are no plans to adapt A3 for home computers or laptops, but Eide says this could be possible in the future."

    Exactly, the CIA, NSA, FBI, and everyone else has a vested interest in computers that CAN get infected.