To diversify and survive: the application of population biology concept into computer
Jan 31 2003 05:06AM
Peter Huang (yinrong rogers com)
(1 replies)
Abstract:
On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known
as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern
(Kaspersky) fully exploited known vulnerabilities in Microsoft SQL 2000
servers and caused a tremendous network jam around the world. In this
article, the concept of population biology is proposed to apply to
computer programming. The concept is to diversify the same software
functionality with a population of executables to avoid being eliminated
or exploited by a virus or worm like SQL Slammer.
------------------------------------------------------------------------
In biology, it is a known fact that a species with a diverse population is
less likely to become extinct than a species with a "cloned" population
under selection pressure. It is one of the important reasons why we want
to keep biodiversity, I believe.
What the SQL Slammer exploited during the last weekend exposed not
only the vulnerabilities in Microsoft SQL 2000 but also the
vulnerabilities in the normal delivery methods of software packages. A
normal software package contains the same documents, the same executable
files. In other words, the package is just copied or "cloned" without
diversity. What just happened taught us a lesson about the importance
of diversity in the computing world as well, I think.
If we study the SQL Slammer worm in assembly language
(http://www.eeye.com/html/Research/Flash/sapphire.txt) carefully, we will
realize how selective or "laser-guided" this worm is. If the population of
the SQL 2000 server executable had been diversified, then the impact of
the SQL Slammer would have been much less noticeable.
So, I propose the concept of installation time linking to diversify the
same software functionality with a population of executables. In other
words, different executables have the same functions.
Installation Time Linking Of Object Files Into An Executable
The concept of the installation time linking is that it enables the
executable to be randomly laid out (including the Import Address Table
abused by the SQL Slammer). Functionally speaking, the executable image #1
and image #2 listed above in Figure 1 are the same even though the layouts
are different. Therefore, if a program like the SQL Slammer is targeting a
special executable program, it will lose its effectiveness on another
executable because of different image layout or addresses, (unfortunately
it might crash the application).
The disadvantage of this technique is that it requires more customer
support if the software has problems. It might become more difficult for
the vendors to patch or provide so-called service packages, (well, a
service package just simply overwrites existing files or adds new ones
currently, right?).
If this concept goes further, then the operating system does the dynamic
linking of libraries or object files in a randomized order as well to
diversify further.
Whether this concept is practical or not remains to be seen.
------------------------------------------------------------------------
For the article with the figure 1, please visit
http://members.rogers.com/yinrong/articles/PopulationComputing.pdf
Thank you and have a nice day.
Peter Huang
http://members.rogers.com/yinrong
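A small simulation of the installation time linking idea above, added here as an example and not part of Peter Huang's post or the linked PDF: the object file names, sizes, load address and population size are constructed for illustration. It links the same object files in a per-install random order, checks that every resulting image still exports the same symbols, and measures how often an address learned from one image (here a stand-in for the Import Address Table) is still valid across a cloned population versus a diversified one.

```python
import random
from typing import Dict, List

# Constructed sample program: object file name -> code size in bytes.
# Names and sizes are assumptions for this example, not from any real product.
OBJECTS: Dict[str, int] = {
    "net_listen.o": 0x120,
    "parse_request.o": 0x2a0,
    "handle_request.o": 0x060,
    "query_exec.o": 0x410,
    "log_write.o": 0x0b0,
    "iat_stub.o": 0x1c0,  # stands in for the Import Address Table
}
IMAGE_BASE = 0x00400000  # assumed load address shared by every image
ALIGN = 0x10

def align_up(value: int, align: int) -> int:
    return (value + align - 1) & ~(align - 1)


def link(objects: Dict[str, int], rng: random.Random) -> Dict[str, int]:
    """Link one image from the same object files in a random order.
    Returns object name -> address: same exports, different layout."""
    order = list(objects)
    rng.shuffle(order)  # the "installation time linking" step
    layout, addr = {}, IMAGE_BASE
    for name in order:
        layout[name] = addr
        addr += align_up(objects[name], ALIGN)
    return layout


def build_population(objects: Dict[str, int], n: int, seed: int,
                     diversified: bool = True) -> List[Dict[str, int]]:
    """n installs; diversified=False models today's cloned package (one link, n copies)."""
    rng = random.Random(seed)
    if not diversified:
        return [link(objects, rng)] * n
    return [link(objects, rng) for _ in range(n)]


def same_exports(population: List[Dict[str, int]]) -> bool:
    """Functional-equivalence check: every image exposes the same symbols."""
    return len({frozenset(img) for img in population}) == 1


def hit_rate(population: List[Dict[str, int]], symbol: str, addr: int) -> float:
    """Fraction of images in which an address learned from one layout still
    points at `symbol`; in the rest it points into some other object."""
    return sum(img[symbol] == addr for img in population) / len(population)
```

For the cloned population the learned address is valid in every copy (hit rate 1.0); for the diversified one only a small fraction of installs still match it, and the exact figure for a real binary would depend on how many objects the linker shuffles and how it aligns them.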
Re: To diversify and survive: the application of population biology concept into computer
Feb 03 2003 09:49PM
Crispin Cowan (crispin wirex com)