
Witty Worm. Code-Red. Nimda. Sapphire/Slammer SQL.
Their names are curious, engaging, almost comical, but
computer worms and viruses are no laughing matter.
Viruses and other malicious software cost businesses billions
each year, and cause users hours of frustration.
Part of the problem is that modern
viruses spread so quickly, the old ways of
combating them are no longer effective. Machines
are highly connected, and the Internet is open to
everyone, so malicious code can spread remarkably
quickly.
In 2003, the Cooperative Association for
Internet Data Analysis (CAIDA) reported that the
Sapphire/Slammer SQL worm, a single 376-byte UDP
packet, infected more than 90 percent of
vulnerable hosts worldwide in only 10 minutes,
and at its peak - three minutes after its
release - was scanning the Internet at more than
55 million addresses per second.
Researchers have speculated that a well-designed
worm could infect all vulnerable machines on the
Internet within minutes of its launch, long
before any human could react.
When an attack spreads that quickly,
traditional anti-virus defenses fail.
The problem with our current methods of
fighting computer virus attacks is that we cannot
cope with unfamiliar enemies. Computer anti-virus
software recognizes the signatures of known
viruses - characteristic byte patterns in their
code - and gets rid of them. But it cannot get
rid of a virus it has never seen: a few changed
bytes are enough to defeat the pattern match. Human
intervention is needed to identify and analyze
the attack code, create a signature for detecting
it, and distribute an update before anti-virus
software can recognize and prevent the new attack.
Truly effective defenses must be able to
defend systems from attacks that do not yet
exist.
One promising approach takes its
inspiration from biology. Organisms have no way
of knowing what attacks they might face from
parasites before they are born, since the
parasites are continually evolving. Yet, species
manage to survive.
Consider the way in which the human
immune system works. Viruses and bacteria attack
their human hosts. The human immune system
responds by isolating and attacking the foreign
bodies. It copes with invaders it has never
met by learning what is familiar - the body's
own cells - and treating whatever is not
familiar as foreign and to be eliminated. Unlike
computer anti-virus software, which recognizes
only the signatures of known viruses, the human
immune system can recognize and destroy
previously unknown ones.
Diversity also plays a vital role in
natural survival. Species survive because
individual organisms are diverse - a parasite
that attacks one organism will not necessarily be
able to successfully attack other organisms in
the same species.
Computer systems, however, suffer from a
lack of diversity. Nearly all computers on the
Internet run the same operating systems and
applications. Without diversity, systems all are
vulnerable to the same attacks. A monoculture
enables people to share programs and data, but
means attacks can be shared in the same way.
Researchers are beginning to develop ways
to build systems that are diverse as far as
attackers are concerned, but still appear the
same for legitimate users. DARPA, the Defense
Advanced Research Projects Agency, is funding
research to develop technologies for computer
systems that provide critical functions even
while under attack. The projects funded under
this new initiative include a $1 million contract
to John Knight, Jack Davidson, David Evans and
Anh Nguyen-Tuong at the University of Virginia and
Chenxi Wang at Carnegie Mellon University to explore
the idea of biologically inspired diversity as an
approach to computer security. The project goal
is to add an element of diversity throughout the
system without changing the way users interact
with it.
Researchers are still grappling with the
problem of how to automatically create enough
diversity to foil attacks, while preserving the
program behavior and performance users expect.
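To make the contrast concrete, here is a small Python simulation added for this article; it is not code from the article or from the UVA/CMU project, and its virtual machine, opcodes, worm payloads and signature list are all invented. It pits a signature scanner against a known worm and a one-byte variant, then adds instruction-set randomization (every host XORs code with a secret per-host key before executing it, one concrete form of the artificial diversity described above) and shows the same payloads failing on a randomized host while a legitimate program installed through that host's own loader runs unchanged.

```python
"""Toy simulation of the two defenses the article contrasts.

Added example, not code from the article or the UVA/CMU project it
describes; the machine, opcodes, payloads and signatures are invented.
  * signature scanning catches the worm it knows, misses a one-byte variant;
  * instruction-set randomization (per-host XOR key applied before execution)
    turns a payload written for the monoculture into garbage on every
    randomized host, while properly installed programs behave as usual.
"""
import random
from dataclasses import dataclass, field

# Instruction set of the toy machine; any other byte is an illegal opcode.
PUSH, ADD, OUT, SPREAD, HALT = 0x01, 0x02, 0x03, 0x04, 0x05


@dataclass
class Outcome:
    status: str                      # "ran" (reached HALT) or "trapped"
    output: list = field(default_factory=list)
    spread: bool = False             # did execution reach the worm's SPREAD primitive?


def run(code: bytes) -> Outcome:
    """Interpret decoded machine code. Any fault traps immediately."""
    stack, out, pc, spread = [], [], 0, False
    while pc < len(code):
        op = code[pc]
        if op == PUSH and pc + 1 < len(code):
            stack.append(code[pc + 1]); pc += 2
        elif op == ADD and len(stack) >= 2:
            stack.append((stack.pop() + stack.pop()) & 0xFF); pc += 1
        elif op == OUT and stack:
            out.append(stack.pop()); pc += 1
        elif op == SPREAD:           # stands in for "open a socket and copy myself"
            spread = True; pc += 1
        elif op == HALT:
            return Outcome("ran", out, spread)
        else:                        # illegal opcode or operand fault
            return Outcome("trapped", out, spread)
    return Outcome("trapped", out, spread)   # fell off the end of memory


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; an empty key means no randomization at all."""
    if not key:
        return bytes(data)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Host:
    """One machine. key=b'' is today's monoculture: every host decodes alike."""
    def __init__(self, key: bytes = b''):
        self.key = key

    def install(self, program: bytes) -> bytes:
        """The loader encodes a legitimate program for this particular host."""
        return xor_stream(program, self.key)

    def execute(self, image: bytes) -> Outcome:
        """The CPU decodes with the host key, then runs whatever results."""
        return run(xor_stream(image, self.key))

    def inject(self, payload: bytes) -> Outcome:
        """Code injection: attacker bytes land in memory un-encoded, so the
        CPU decodes them with a key the attacker never saw."""
        return self.execute(payload)


def signature_scan(payload: bytes, signatures) -> bool:
    """Classic anti-virus: flag anything containing a known byte pattern."""
    return any(sig in payload for sig in signatures)


# Constructed samples for the demonstration.
LEGIT = bytes([PUSH, 20, PUSH, 22, ADD, OUT, HALT])   # harmless program: outputs 42
WORM = bytes([PUSH, 0x07, SPREAD, HALT])              # the worm the scanner has seen
VARIANT = bytes([PUSH, 0x08, SPREAD, HALT])           # same worm, one byte changed
SIGNATURES = [WORM]


def demo(key: bytes) -> dict:
    """Run every combination and report what each defense actually stopped."""
    mono, diverse = Host(), Host(key)
    return {
        "legit_output_mono": mono.execute(mono.install(LEGIT)).output,
        "legit_output_diverse": diverse.execute(diverse.install(LEGIT)).output,
        "scanner_flags_worm": signature_scan(WORM, SIGNATURES),
        "scanner_flags_variant": signature_scan(VARIANT, SIGNATURES),
        "mono_worm_spreads": mono.inject(WORM).spread,
        "mono_variant_spreads": mono.inject(VARIANT).spread,
        "diverse_worm_spreads": diverse.inject(WORM).spread,
        "diverse_variant_spreads": diverse.inject(VARIANT).spread,
    }


def survival_rate(payload: bytes, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of randomly keyed hosts on which an injected payload still
    spreads. With five opcodes a random first byte decodes to SPREAD about
    once in 256; a real instruction set gives random bytes far more ways to fault."""
    rng = random.Random(seed)        # seeded only so the demo is reproducible
    hits = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(8))
        hits += Host(key).inject(payload).spread
    return hits / trials


if __name__ == "__main__":
    for name, value in demo(bytes(random.randrange(256) for _ in range(8))).items():
        print(f"{name:>24}: {value}")
    print(f"worm survives on {survival_rate(WORM):.2%} of randomized hosts")
```

Run it and the scanner's verdict on the variant is the article's point in miniature: the defense that depends on having seen the attack fails, while the host whose encoding the attacker has never seen traps both payloads and still produces 42 for its own program. The survival_rate figure is the practitioner's caveat: with a five-opcode machine and a four-byte payload, roughly one randomized host in 256 still executes SPREAD by chance, so key length, the odds that random bytes fault rather than run, and keeping the key secret from a remote attacker are where real instruction-set randomization stands or falls.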
Unlike nature, where attacks evolve,
computer attacks are engineered, and
sophisticated attackers can design malicious code
intended to circumvent or fool defenses. As in
natural selection, there is a continual arms race
between those attempting to build secure computer
systems, and those attempting to compromise them.
For now, computer professionals are
racing to keep pace with the attackers and
struggling to develop specific defenses for every
new attack. With diversity-based approaches,
however, we may be able to protect systems from both
known and unknown attacks.
David Evans is an Assistant Professor in the Computer Science
Department. He recently gave an invited talk at the USENIX
Security Symposium on biology and computer security. For
more information, see http://www.cs.virginia.edu/evans/usenix04/