The Biology of Network Security
Bob Brown writes "A University of New Mexico researcher is taking lessons from biology and using them to try to stymie hackers and viruses. Projects such as RISE attempt to secure computers and networks by promoting application diversity." From the article: "Diversity of systems and applications can play a key role in safeguarding computers and networks from malicious attacks, Forrest said. Her team published a paper last year on a system dubbed RISE (Randomized Instruction Set Emulation) (PDF) that randomizes an application's machine code to stymie would-be attacks, such as those launched via binary code injection."
Re:herro (Score:1)
I think they got ahold of your pc! Either that or you just can't type.
Gee, ya think? (Score:2, Insightful)
Gee, ya think?
Forrest's team got around this issue by building its technology atop virtual machine software dubbed Valgrind that she said provided flexibility because it is open source but that is not as efficient as she would have liked.
Gee, ya think?
Forrest acknowledged that the RISE system is unwieldy
Re:Gee, ya think? (Score:1)
Re:Gee, ya think? (Score:1)
Re:Gee, ya think? (Score:2)
Unless there was a coincidence in naming, I think valgrind [valgrind.org] refers to the (really quite awesome) open source debugging tool for Linux. Valgrind's primary purpose is to let you run your x86 Linux executables in an emulation environment where any memory-access errors can be detected and reported; it makes debugging much easier than in the "real world", where an error might only cause a crash or other visible symptom 1% of the
Re:Gee, ya think? (Score:2)
That's what struck me as funny -- she bothered to talk to someone at Intel about her scheme to implement the hardware counterpart to Gentoo. And the more realistic fallback plan was to run everything in a debugger!
Re:Gee, ya think? (Score:1)
Since not every university has their own chip fabrication facility, the next most logical choice is to run things in an emulation or binary translation environment. Valgrind itself isn't a debugger, although its most popular tools (Memchec
RISE... isn't that similar to PIC? (Score:1)
If you want to secure computers via the Linux route then Hardened Gentoo [gentoo.org] is a good way (follow the Resources links in section 6).
PaX [gentoo.org] is a hardened Linux kernel using ASLR (Address Space Layout Randomization) to support applications built as a PIE (Position Independent Executable) and to provide non-executable memory (NX).
PaX home [grsecurity.net].
PIE/SSP (Position Independent Executable)/(Stack Smas
Extinction? (Score:3, Insightful)
Re:Extinction? (Score:4, Insightful)
Re:Extinction? (Score:3, Informative)
Re:Extinction? (Score:2, Funny)
Yeah, just like end-users.
<g>
Re:Extinction? (Score:1)
Interesting ideas, but I don't know how well the biological maps to the commercial. After all, in biology, you have a population of genetically different individuals. The idea being that, among this population, some will have the functional capacity to avoid/survive whatever impending disaster/predation/disease/parasitism comes up. That's all well and good. What doesn't work so well for commerce is the corollary tha
Re:Extinction? (Score:2)
In an immune system, once you catch a virus, your body will produce antibodies to fight it off, and then remember the virus so it'll be easily taken care of if it re-appears (hence we inoculate ourselves with a harmless attack).
In a security system, once an attack is noticed, the system is fixed/patched/configured to prevent the attack, and you (as a sysadmin) remember what you did so next time th
Re:Extinction? (Score:2)
To ride the biologic analogy a bit further, computers are essentially "clones" of each other. Yes, they may have different makeup, they may have different graphics cards and so on, but then again, drivers nullify that difference again. The task of drivers is essentially to make "clones" out of d
Re:Extinction? (Score:1)
That depends... (Score:2)
That depends on whether the weakest creature happens to have a monopoly stranglehold on the PC desktop market, and a proven interest in manipulating the political system to keep it that way.
Microsoft and Cockroaches (Score:2)
Re:Microsoft and Cockroaches (Score:2, Informative)
No, B. germanica, like other arthropods, has two primary active immunocytes, namely the granulocytes and the plasmatocytes. The former are particularly cool in the cockroach -- their granulocytes (GRs) discover, encapsulate, and phagocytize foreign substances. In fact, unlike in other arthropods, cockroach GRs are particularly active in terms of encapsulation; they flatten and increase the number of m
Ok, then we have evolution (Score:3, Insightful)
Nope. Polymorphic viruses are not really unknown. Right now, as we speak, they are making a comeback.
Re:Ok, then we have evolution (Score:1)
Re:Ok, then we have evolution (Score:2)
If you want to compare it, it might be closer to "selective breeding". Usual polys don't have a lot of "offspring" that's not viable, mutated out of the ability to function. At least if the coder is good.
Why do I see a discussion about religion coming my way..?
Re:Ok, then we have evolution (Score:2)
Also, the environment that the viruses live in is changing. It's possible that a security "fix
Diversity is the key (Score:3, Informative)
Of course it is important that those layers are created and maintained by several entities.
A simple example:
- Have your network guys maintain your firewalls
- Have all traffic go through an application gateway which is maintained by a third party.
- Have system administrators secure the system
Of course adding layers increases costs and security.
Re:Diversity is the key (Score:2)
If you took the Biological diversity to the nth degree, what you are talking about is designing systems with the goal that SOME systems will survive a given threat being realised. Hence the species survives.
Biological Diversity in IT Security people are stating that we should use all flavours of operating systems, application systems etc...
The problem is we (humans) are not really interested in "some systems surviving."
We are interested in "ALL systems b
Intel not so happy (Score:4, Interesting)
As for mutation aka polymorphism (she talks about this at the end of TFA), doesn't she know about viruses having built-in mutators? And metamorphic code does almost the exact same thing she's talking about in RISE.
Write your own (Score:4, Funny)
Speak for yourself, this is a lifelong obsession.
A wise man once said - 'Never connect to the internet and your troubles will be few.'
So.... Computer CJD? (Score:3, Insightful)
Re:So.... Computer CJD? (Score:1)
Infrastructure doesn't work like biology (Score:1)
Re:Infrastructure doesn't work like biology (Score:5, Insightful)
Depends how big the differences are.
Take for example address space randomization [redhat.com] (part of execshield). I'll quote redhat's explanation of it (as it's quite good): Protects against many buffer overflow attacks (regardless of the hardware), with no cost to your 'standardized environment'.
Pity windows & macOS don't have something similar.
Re:Infrastructure doesn't work like biology (Score:1)
Are you talking from experience here? Because I don't see why this strategy would necessarily cause bounds errors to become unreproducible, as long as the randomness in the addresses was in units of memory pages. I'm talking about the bounds errors where you access my_array[end_index + something_reasonably_small], not the ones where you access my_array[completely_trashed_index].
Even in the trashed index case (in my experience, usually caused by a negative number somewhere being interpreted as unsigned) I
Re:Infrastructure doesn't work like biology (Score:2)
What does this mean... (Score:2)
Or would that be when the air conditioning guys pump coolant fluid through a garden hose in the false ceiling space until the hose exploded and sent all this green goo crashing down on the sys admin's brand 19" monitor and nearly nailing the sys admin?
Does that ma
Lessons from Biology eh? (Score:2)
So the solution to stop having crackers breaking into things?
Mandatory sexy girls for all geeks!
Great Solution For Small Networks.... (Score:1)
Making each computer unique would make life a lot tougher on attackers, she said.
This is costly for companies with large networks as it requires too much overhead to manage this kind of a diverse network.
"This is a little tricky because we don't want to make everyone write their own operating system or e-mail reader from scratch or even learn a new interface," Forrest said. "The look and feel of the program and
What about bugs? (Score:1)
Re:What about bugs? (Score:1)
A similar paper is here: http://www1.cs.columbia.edu/~angelos/Papers/instructionrandomization.pdf [columbia.edu] (in fact, they both appeared at CCS a couple of years ago) and the basic idea is that the use of the 'new' instruction set is completely transparent to a well-behaved application.
An application that has code injected into it will behave differently, because the execution environment (i.e., Valgrind in RISE's case) will try to de-randomize the binary (including the injected code). Presumably, de
Random? (Score:1)
My Windows machine already performs plenty of "Random Instructions", thank you very much.
Marcus Ranum had an opinion on this (Score:2, Interesting)
-----------------------
Monoculture Hype Alert!
NSF Grants Two Universities $750,000 to Study Computer Monocultures (25 November 2003)
With the help of a $750,000 National Science Foundation grant, Carnegie Mellon University and the University of New Mexico will study computer "monocultures" and the benefits of diverse computing environments. "The researchers intend to create an application that could generate diversity in key aspects of software programs, thus making the same vulnerabili
Re:Marcus Ranum had an opinion on this (Score:2)
It does convince the clueless review board doling out the money. I wish I had this 1-2-3 profit! talent for making up distracting analogies.
Wouldn't work outside of Open Source (Score:2, Insightful)
To run a program on such a chipset, it must be specifically compiled for that chipset. So for commercial applications, you either require a separate version for every possible chipset, or a method for the user to compile it for their computer. The latter isn't rational - all it takes is a single unscrupulous user to leak the code, the program gets out of your control. As for the former, I can picture going to a st
Intermediate compilation state (Score:1)
Re:Wouldn't work outside of Open Source (Score:3, Interesting)
If each computer is unique... (Score:1)
Re:If each computer is unique... (Score:2)
I'd say, the same way they do now, except that the executable would contain enough information so that the installer process can swizzle the code around in a random fashion. To the user there would be no visible difference, but to a virus that was relying on the code or data being laid out in memory in a certain way, it would be completely different from what the virus was "expecting".
Re:If each computer is unique... (Score:1)
One of the major benefits of instruction set randomization is that you *don't* need the source code or to recompile to get the security benefits.
The only *real* downside is the performance hit (and the fact that it doesn
Re:If each computer is unique... (Score:1)
Re:If each computer is unique... (Score:1)
Security through obscurity? (Score:1)
In the tradition of Slashdot, I have not RTFM but I imagine that this technique would not help with non-binary code injection (e.g. SQL).
However, increasing the diversity is a valid weapon against scripted attacks (including those real-world, RNA scripted viruses). Perha
Re:Security through obscurity? (Score:2)
The idea is to protect against automated attacks that currently rely on undefined behaviour that is the same for all targets. Example: Currently, if you can figure out how to fool Internet Explorer into munging memory at the right spot, you can use that knowledge to in
Re:Security through obscurity? (Score:2)
Sort of a microcosm of the world at large, don't you think?
Re:Security through obscurity? (Score:1)
http://www1.cs.columbia.edu/~angelos/Papers/sqlrand.pdf [columbia.edu]
and this paper also looks at instruction set randomization, and randomizing Perl:
http://www1.cs.columbia.edu/~angelos/Papers/instructionrandomization.pdf [columbia.edu]
Re:Security through obscurity? (Score:2)
Isn't that like saying an immune system is no good to you because it doesn't stop your neighbor from running you down with his car?
Or staying closer to the original analogy, it would be like saying you shouldn't get a booster shot, because someone can always create a virus hand-tailored to exploit your genetic makeup.
Re:Security through obscurity? (Score:1)
Re:Security through obscurity? (Score:2)
While the plaintext of the executable may be known (sometimes you get custom compile jobs),
Re:Security through obscurity? (Score:1)
However, once on a machine using a non-binary exploit, I can use the executables on it to transfer a sample of known programs to my machine, where I can crack the code using standard techniques (in effect, i
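The two mechanisms argued over in this sub-thread, the de-randomization of injected code described in the "What about bugs?" reply above and the known-plaintext key recovery this poster describes, are easy to see on a toy machine. The block below is an added example written for this page, not RISE's code or the Columbia ISR implementation. It assumes a two-byte-per-instruction stack VM, XOR against a short repeating per-process key (RISE's actual encoding differs), and models "injection" as an attacker's plaintext bytes landing verbatim inside the randomized program; the program, payload and demo key are constructed for the walkthrough.

```python
"""Toy instruction-set randomization (ISR) in the spirit of RISE.

Added example, not RISE's code. Assumptions: a 2-byte-per-instruction stack
VM, XOR against a short repeating per-process key (RISE's real scheme differs),
and "injection" modelled as overwriting bytes of the encoded program with
plaintext attacker bytes.
"""

# --- toy machine: every instruction is (opcode, operand) -----------------
OP_PUSH, OP_ADD, OP_MUL, OP_RET = 0x01, 0x02, 0x03, 0x04
VALID_OPS = {OP_PUSH, OP_ADD, OP_MUL, OP_RET}


class IllegalInstruction(Exception):
    """Raised when the fetch stage decodes an opcode the VM does not know."""


def randomize(code: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR each byte with the key byte for its address; the key stream repeats.
    XOR is its own inverse, so the same function de-randomizes."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(code))


def execute(code: bytes) -> int:
    """Interpret plain (de-randomized) code; RET returns the top of the stack."""
    stack, pc = [], 0
    while pc + 1 < len(code):
        op, arg = code[pc], code[pc + 1]
        pc += 2
        if op == OP_PUSH:
            stack.append(arg)
        elif op == OP_ADD:
            stack.append(stack.pop() + stack.pop())
        elif op == OP_MUL:
            stack.append(stack.pop() * stack.pop())
        elif op == OP_RET:
            return stack.pop()
        else:
            raise IllegalInstruction(f"opcode {op:#04x} at {pc - 2}")
    raise IllegalInstruction("ran off the end of the code")


def run_randomized(encoded: bytes, key: bytes) -> int:
    """The ISR execution environment: de-randomize, then execute.
    Injected bytes that were never encoded with `key` come out as garbage."""
    return execute(randomize(encoded, key))


def inject(encoded: bytes, payload: bytes, offset: int) -> bytes:
    """Model a code-injection bug: attacker bytes land verbatim at `offset`."""
    return encoded[:offset] + payload + encoded[offset + len(payload):]


# Constructed program: PUSH 6, PUSH 7, MUL, RET  -> 42
PROGRAM = bytes([OP_PUSH, 6, OP_PUSH, 7, OP_MUL, 0, OP_RET, 0])
# Constructed attacker payload: PUSH 99, RET -> attacker controls the result
PAYLOAD = bytes([OP_PUSH, 99, OP_RET, 0])
# Fixed demo key so the walkthrough is reproducible (an assumption for this
# example); a real system would draw it fresh per process from a CSPRNG.
DEMO_KEY = bytes.fromhex("a5c37e19")


def attack_without_isr() -> int:
    """No randomization: the plaintext payload runs exactly as injected."""
    return execute(inject(PROGRAM, PAYLOAD, 0))


def attack_with_isr(key: bytes = DEMO_KEY) -> str:
    """The same injection against the randomized program: the payload is
    XORed with a key it was never encoded with and decodes to garbage."""
    encoded = randomize(PROGRAM, key)
    try:
        run_randomized(inject(encoded, PAYLOAD, 0), key)
        return "payload ran"  # only if the garbage happened to decode to valid opcodes
    except IllegalInstruction:
        return "trapped"


def recover_key(known_plain: bytes, observed: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on a repeating XOR key: key = plain ^ ciphertext."""
    return bytes(p ^ c for p, c in zip(known_plain[:key_len], observed[:key_len]))


def attack_with_recovered_key(key: bytes = DEMO_KEY) -> int:
    """An attacker who can read the randomized binary of a program whose
    plaintext is known recovers the key and pre-encodes the payload, so the
    execution environment de-randomizes it into valid instructions."""
    encoded = randomize(PROGRAM, key)
    stolen = recover_key(PROGRAM, encoded, len(key))
    armed = randomize(PAYLOAD, stolen, offset=0)
    return run_randomized(inject(encoded, armed, 0), key)


if __name__ == "__main__":
    print("legit program under ISR:", run_randomized(randomize(PROGRAM, DEMO_KEY), DEMO_KEY))
    print("injection, no ISR:", attack_without_isr())
    print("injection, ISR:", attack_with_isr())
    print("injection, ISR, key recovered from known plaintext:", attack_with_recovered_key())
```

The legitimate program returns 42 whether or not it is randomized, the plaintext injection returns the attacker's 99 without ISR and traps on an illegal opcode under ISR, and the last function shows the point being made here: once the key can be derived from a known program/randomized-program pair, the attacker simply encodes the payload with it and the protection is gone. The short repeating key is what makes the recovery a four-byte XOR; a per-process key that is at least as long as the code and never reused across loads is the obvious mitigation, at the memory and performance cost the thread complains about.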
But it would be hell to support (Score:1)
ObCondom joke. (Score:2)
....sorry.
Too much diversity is bad for management (Score:1)
In theory this might work to provide slower spreading infections; in practice it will cause more problems than it solves.
As a security practitioner for more than ten years, I can tell you that this type of diversity makes security management more difficult. Can you imagine trying to troubleshoot a problem when you don't know what the code is supposed to look like this time, or where it loads this time or how it interacts with other components this time.
I can also say that pretty muc
Re:Too much diversity is bad for management (Score:2)
Genetic Programming (Score:1)
We already have malicious code that can replicate and spread itself. The only thing we're missing in terms of real Darwinian evolution is mutation
Actually there is code that does just that [wikipedia.org], but as far as I am aware genetic programming hasn't been used to make viruses.
Obfuscators (Score:1)
Proper Darwinian virus. (Score:2)
... just like Fermat (Score:1)
Gentoo? (Score:1)
Effectiveness of Instruction Set Randomization (Score:2)
Have we isolated the "stupid gene" yet? (Score:1)
" The following Federal Bureau of Investigation job was just posted at https://jobs1.quickhire.com/scripts/fbi.exe [quickhire.com] "
Job # HO-2006-0045 (0080 Security Specialist) $108,145.00
Is this really just a test of whether a real IT person would:
1. Click a link from inside an Outlook variant?
2. Navigate to a folder called "scripts" using a Microsoft product?
3. Start an immediate download of a Windows EXEcutable?
Submitted f
simpler binary diversity is good (Score:2)
Nothing new... (Score:1)
how about just fixing the Memory Management Unit (Score:1)
As for the above I recall reading something similar about scrambling the microcode table and the opcodes in the actual program residing on disk. Since each processor would have its own unique instruction set viruses/trojans would be stopped in their tracks. And what's more you don't have to learn Calculus [unm.edu]