To diversify and survive: the application of population biology concept into computer

From: Peter Huang (yinrong@rogers.com)
Date: 01/31/03

  • Next message: David Litchfield: "Preventing exploitation with rebasing"
    Date: 31 Jan 2003 05:06:23 -0000
    From: Peter Huang <yinrong@rogers.com>
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    Abstract:
    On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known
    as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern
    (Kaspersky) fully exploited known vulnerabilities in Microsoft SQL 2000
    servers and caused tremendous network jam around the world. In this
    article, the concept of population biology is proposed to apply to the
    computer programming. The concept is to diversify the same software
    functionality with a population of executables to avoid being eliminated
    or exploited by a virus or worm like SQL Slammer.
    ---------------------------------------------------------------------------
    -
    In biology, it is a known fact that a species with a diverse population is
    less likely to be extinct than a species with a "cloned" population under
    selection pressure. It is one of important reasons why we want to keep the
    biodiversity, I believe.

    What the SQL Slammer has exploited during the last weekend exposed not
    only the vulnerabilities in Microsoft SQL 2000 but also the
    vulnerabilities in the normal delivery methods of software package. A
    normal software package contains the same documents, the same executable
    files. In other words, the package is just copied or "cloned" without
    diversity. What just had happened taught us a lesson about the importance
    of diversity in computing world as well, I think.

    If we study the SQL Slammer worm in assembly language
    (http://www.eeye.com/html/Research/Flash/sapphire.txt) carefully, we will
    realize how selective or "laser-guided" this worm is. If the population of
    the SQL 2000 server executable had been diversified, then the impact of
    the SQL Slammer would have been much less noticeable.

    So, I propose the concept of installation time linking to diversify the
    same software functionality with a population of executables. In other
    worlds, different executables have the same functions.

    Installation Time Linking Of Object Files Into An Executable
     
    The concept of the installation time linking is that it enables the
    executable to be randomly laid out (including the Import Address Table
    abused by the SQL Slammer). Functionally speaking, the executable image #1
    and image #2 listed above in Figure 1 are the same even though the layouts
    are different. Therefore, if a program like the SQL Slammer is targeting a
    special executable program, it will lose its effectiveness on another
    executable because of different image layout or addresses, (unfortunately
    it might crash the application).

    The disadvantage of this technique is that it requires more customers'
    support if the software has problems. It might become more difficult for
    the vendors to patch or provide so-called service packages, (well a
    service package just simply overwrites existing files or adds new ones
    currently, right?).

    If this concept goes further, then the operating system does the dynamic
    linking of libraries or object files in a randomized order as well to
    diversify further.

    Whether this concept is practical or not remains to be seen.
    ---------------------------------------------------------------------------
    -

    For the article with the figure 1, please visit
    http://members.rogers.com/yinrong/articles/PopulationComputing.pdf

    Thank you and have a nice day.

    Peter Huang
    http://members.rogers.com/yinrong