[HACK] Fw: To diversify and survive: the application of population biology concept into computer

David A. Pérez kamborio at hotmail.com
Tue Feb 4 14:40:07 CET 2003


Hi,

I imagine many of you have already read the article, but for those who
have not had the chance, here it is (at the end of this message). Absolutely
exceptional, and something to keep very much in mind when building software
in the future.

It could also make good material for an article for Ciberp at ais }:-)

Regards,

David A. Pérez

                              http://www.kamborio.com/
 _                       _                   _
| | __  __ _  _ __ ___  | |__    ___   _ __ (_)  ___
| |/ / / _` || '_ ` _ \ | '_ \  / _ \ | '__|| | / _ \
|   < | (_| || | | | | || |_) || (_) || |   | || (_) |
|_|\_\ \__,_||_| |_| |_||_.__/  \___/ |_|   |_| \___/
      Forgiveness is the revenge of the good (anonymous)

----- Original Message -----
From: "Peter Huang" <yinrong at rogers.com>
To: <bugtraq at securityfocus.com>
Sent: Friday, January 31, 2003 5:06 AM
Subject: To diversify and survive: the application of population biology
concept into computer


>
>
> Abstract:
> On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known
> as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern
> (Kaspersky) fully exploited known vulnerabilities in Microsoft SQL 2000
> servers and caused tremendous network jams around the world. In this
> article, the concept of population biology is proposed to be applied to
> computer programming. The concept is to diversify the same software
> functionality with a population of executables to avoid being eliminated
> or exploited by a virus or worm like SQL Slammer.
> ----------------------------------------------------------------------------
> In biology, it is a known fact that a species with a diverse population is
> less likely to be extinct than a species with a "cloned" population under
> selection pressure. It is one of the important reasons why we want to keep the
> biodiversity, I believe.
>
> What the SQL Slammer has exploited during the last weekend exposed not
> only the vulnerabilities in Microsoft SQL 2000 but also the
> vulnerabilities in the normal delivery methods of software packages. A
> normal software package contains the same documents, the same executable
> files. In other words, the package is just copied or "cloned" without
> diversity. What has just happened taught us a lesson about the importance
> of diversity in the computing world as well, I think.
>
> If we study the SQL Slammer worm in assembly language
> (http://www.eeye.com/html/Research/Flash/sapphire.txt) carefully, we will
> realize how selective or "laser-guided" this worm is. If the population of
> the SQL 2000 server executable had been diversified, then the impact of
> the SQL Slammer would have been much less noticeable.
>
> So, I propose the concept of installation time linking to diversify the
> same software functionality with a population of executables. In other
> words, different executables have the same functions.
>
> Installation Time Linking Of Object Files Into An Executable
>
> The concept of the installation time linking is that it enables the
> executable to be randomly laid out (including the Import Address Table
> abused by the SQL Slammer). Functionally speaking, the executable image #1
> and image #2 listed above in Figure 1 are the same even though the layouts
> are different. Therefore, if a program like the SQL Slammer is targeting a
> special executable program, it will lose its effectiveness on another
> executable because of different image layout or addresses, (unfortunately
> it might crash the application).
>
> The disadvantage of this technique is that it requires more customers'
> support if the software has problems. It might become more difficult for
> the vendors to patch or provide so-called service packages, (well a
> service package just simply overwrites existing files or adds new ones
> currently, right?).
>
> If this concept goes further, then the operating system does the dynamic
> linking of libraries or object files in a randomized order as well to
> diversify further.
>
> Whether this concept is practical or not remains to be seen.
> ----------------------------------------------------------------------------
>
> For the article with the figure 1, please visit
> http://members.rogers.com/yinrong/articles/PopulationComputing.pdf
>
> Thank you and have a nice day.
>
> Peter Huang
> http://members.rogers.com/yinrong
>
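
A small simulation of the installation-time linking idea in the forwarded post, added here as an illustration and not taken from Peter Huang's article. The object names, sizes, offsets and image base are constructed, and `link`, `install` and `population_stats` are hypothetical helpers; it measures how many installs in a diversified population still keep one symbol at the address it has in the cloned build.

```python
import random

# Constructed object files: name -> (size in bytes, {symbol: offset in object}).
OBJECTS = {
    "net.o":   (0x400, {"recv_packet": 0x40}),
    "parse.o": (0x300, {"parse_request": 0x10}),
    "auth.o":  (0x200, {"check_login": 0x80}),
    "iat.o":   (0x100, {"import_table": 0x00}),
    "log.o":   (0x180, {"write_log": 0x20}),
}
BASE = 0x400000  # assumed image base, identical on every install


def link(order):
    """Lay the objects out back to back in `order`; return symbol -> address."""
    symbols, cursor = {}, BASE
    for name in order:
        size, syms = OBJECTS[name]
        for sym, off in syms.items():
            symbols[sym] = cursor + off
        cursor += size
    return symbols


def install(seed):
    """Install-time link: shuffle the object order with a per-machine seed."""
    order = sorted(OBJECTS)
    random.Random(seed).shuffle(order)
    return link(order)


def population_stats(symbol, installs):
    """Return (distinct layouts, share of installs where `symbol` sits at the
    address it has in the vendor's cloned build, i.e. the sorted order)."""
    reference = link(sorted(OBJECTS))[symbol]
    layouts = [install(seed) for seed in range(installs)]
    same = sum(1 for m in layouts if m[symbol] == reference)
    distinct = len({tuple(sorted(m.items())) for m in layouts})
    return distinct, same / installs


if __name__ == "__main__":
    distinct, share = population_stats("import_table", 2000)
    print(f"{distinct} distinct layouts; import_table unchanged in {share:.1%}")
```

With only five objects there are at most 5! = 120 layouts, so the diversity gained depends directly on how many independently placeable units the installer has to shuffle.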


