Big Bad Beowulfs Again

Jakob Østergaard jakob at ostenfeld.dk
Sat May 13 19:56:05 PDT 2000


On Sat, 13 May 2000, Eugene Leitl wrote:

> jok707s at mail.smsu.edu writes:
>  > All this talk of genetic engineering has been very interesting, but I'd like 
>  > to get back to the subject of pure cyber-war.
> 
> I'm surprised that no one has so far suggested the usage of a Beowulf
> as a distributed engine for exploit detection, and development of
> machine instruction mutation engine (to achieve full code polymorphism
> plus robust self-modification).

Today it's probably more the macro-language way you want to go.

> A worm which is capable of mutating its opcodes robustly can obviously
> find new exploits (judging from bugtraq blips, the exploit space is by
> no means exhaustively sampled, and coding standards do seem to be
> declining, especially in the application layer), and mutate itself to
> be undetectable by simple pattern-driven countermeasures.

A script which can send on mutated copies of itself would be a very
powerful worm too I guess.  It probably wouldn't find new holes, but there's
one large hole which is going to be open for some time to come, the fact
that scripts can be easily executed (on purpose or by accident) by users,
and that those scripts are capable of reading/writing information on the
user systems and sending themselves on via e-mail.

The way the hole is plugged today is (for those who don't like the idea
of software that is safe by-design, which is obviously the majority of
internet e-mail users) to use anti-virus software.   This software will
scan for _known_ patterns in the text, and warn the user if a _known_ worm
turns up.  That's why ILOVEYOU could be a problem even after Melissa, even
though they basically did exactly the same things (ILOVEYOU was even more
intrusive, and thus should have been easier to detect by the anti-virus
software out there).

It *seems* that anti-virus software relies mainly on recognizing known
patterns.   Assuming this is true, known patterns are the only thing stopping
a worm from _really_ spreading and wreaking havoc for a long long time.

That's where the self-modifying code comes in handy, even if it can't
discover new vulnerabilities.

> A machine opcode emulation sandbox (http://www.bochs.com/ would seem a
> good starting point), plus development of a robust mutation function
> including screening (fitness function) does obviously require
> nontrivial crunch resources. The fastest way to revive crashed MS
> boxen would seem to revert to a standard sane state in an emulator,
> anyway. Even watchdog-triggered reboot from a solid state drive would
> seem too slow (?).

The biggest beowulf is out there on the users' desks.

Imagine a worm that sent on modified copies of itself.  It would include
a routine that would exchange text phrases with phrases found in the
mailbox of the host, and somehow slightly change the script itself.

The actual code would have to change. The algorithm changing the code
would also be changed, by itself.  Somehow the initial code would have
to make ``almost sure'' that the script is changed in sane ways.

After just 10-20 evolutional steps, the script could have changed beyond
recognition, and who knows, it may have come up with a better way of
changing itself    :)      (Scary thought)

The basic idea here is to let the hosts do the work. Let the script evolve
following a basic evolutional model (script mutates, anti-virus makers take
out the weak scripts, only viable scripts reproduce).

Now, if only MS LookOut supported scripting in Lisp    ;)

> In fact, a fledgling worm with above capabilities can bootstrap its
> own substrate, if released into the wild. Clearly, the bandwidth
> requirements vs. crunch are negligible. Any takers?

It would be a fun experiment.   But seriously, I think one should consider
the consequences of taking down some 50% of all businesses for maybe several
months...

> 
> [...]
>  > Thanks again for everyone's feedback.  And if I ever want to create any 
>  > genetically engineered weapons, I'll know where to turn. :-)
> 
> The strange thing is, that even on this list, people still think we're
> joking. 

That's even scarier than the stuff actually on this list    :|

-- 
................................................................
: jakob at ostenfeld.dtu.dk  : And I see the elder races,         :
:.........................: putrid forms of man                :
:   Jakob Østergaard      : See him rise and claim the earth,  :
:        OZ9ABN           : his downfall is at hand.           :
:.........................:............{Konkhra}...............:



