From: Pravin Bhat (pravinb@u.washington.edu)
Date: Tue Nov 30 2004 - 22:10:02 PST
Paper summary: The paper analyzes the replication mechanisms used by internet-scale
worms in terms of their propagation time, visibility, and persistence in
the face of countermeasures. The authors discuss the success some simple
worms have had in the past and volunteer techniques that could be used to build
either super-fast worms or essentially invisible worms. As a countermeasure to
this grave threat, the authors propose a CDC-like response center that would have
to detect and counter epidemics with a turnaround time of a few minutes.
Paper Strengths:
The paper brings to light a grave threat that we are currently not prepared
to face. The authors have done a great job of backing their claim that the current
infrastructure is highly unstable by fleshing out designs for flash worms which
in theory could infect all vulnerable targets across the internet in less than
a minute. Without the benefit of these plausible worm designs the paper might
have been dismissed as paranoia undeserving of immediate attention.
The paper provides an exhaustive survey of replication exploits used by current worms
and predicts future exploits that the community might have to prepare for. While
this list is constantly changing, having a handy compilation of these exploits will
help engineers preemptively patch existing weak points and create a mindset
that fosters a more security-oriented design in the future.
The paper also does a great job of prioritizing the attack points.
The authors suggest that attackers are likely to attack high-bandwidth targets
to ensure fast and widespread infection. Since a lot of the high-bandwidth targets are
hosted by big corporations and universities, which tend to have more authority over
their users than most ISPs, we could motivate, maybe even legislate, these institutions
to force their users to constantly patch their systems.
The authors identify P2P applications as an easy target for future attacks. This
suggests that we need to incorporate popular P2P protocols into existing firewall
technologies.
Limitations and room for improvement:
The authors propose a cyber CDC that will have to algorithmically detect and counter
flash worms. However, the authors do not provide any concrete algorithms that can
achieve this task. Flash worms can not only propagate through the entire
internet within minutes but also detect saturation just as fast. Such worms would be
virtually impossible to detect using an online (real-time) algorithm, since the worm
will be generating traffic only during the first couple of minutes before it goes
dormant. On the other hand, offline algorithms would require storing massive amounts
of traffic history followed by extensive analysis. In fact, who is to say flash worms
haven't already been implemented by defense agencies as potential wartime weapons?
Considering the success 12-year-olds have had in creating successful
worms, I would guess the existence of 'weapons-grade' worms is not far-fetched.
One has to wonder whether, ethically, it was appropriate for the authors to present
worm designs that could potentially cripple the entire internet without researching
concrete solutions to counter these worms. In fact, it is quite possible that
classification of traffic as worm vs. non-worm is an undecidable problem.
The paper is quite verbose. It could have been written in a fraction of the
pages used without the loss of any essential content.
Future works:
- Worms exploit homogeneity of applications for mass replication. A possible defense
against this exploit would be to increase the heterogeneity of applications algorithmically.
- Building stronger sandboxes and type safety into future operating systems
- Software development/analysis tools for error detection
- Forced software updates to ensure complete eradication of worms once they are detected
on the internet
- Deployment of a cyber CDC.
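The following is an added illustration, not code from the original post or from the paper under review: a toy model of the two propagation regimes the summary contrasts, a flash worm that carries a pre-compiled hit list and hands each newly infected host an equal share of the remaining targets, versus a random-scanning worm whose growth follows the logistic (random constant spread) curve. The hit list is a constructed list of integers standing in for vulnerable hosts, and the fan-out, per-hop latency and scanning rate K are illustrative assumptions chosen for the example.

```python
"""Toy model of flash-worm (hit-list) versus random-scanning propagation.

Added example; not from the reviewed paper or the original post.  All numbers
are illustrative assumptions: the synthetic hit list is a list of integers
standing in for vulnerable hosts, and the fan-out, per-hop latency and the
scanning growth rate K are chosen for the example.
"""
import math


def flash_worm_generations(hit_list, fan_out):
    """Simulate a flash worm that carries the whole hit list with it.

    The attacker infects `fan_out` hosts from the list and hands each of them
    an equal share of the remainder; every newly infected host does the same
    with its own share.  Returns the number of hosts infected in each hop
    (generation): the values sum to len(hit_list) and the length of the list
    is the number of hops needed to saturate the hit list.
    """
    frontier = [("attacker", list(hit_list))]  # (host, slice it must infect)
    generations = []
    while True:
        next_frontier = []
        for _host, targets in frontier:
            if not targets:
                continue  # leaf: nothing left to hand down
            children = targets[:fan_out]
            rest = targets[fan_out:]
            # deal the remainder round-robin so every child gets an equal share
            for i, child in enumerate(children):
                next_frontier.append((child, rest[i::len(children)]))
        if not next_frontier:
            break
        generations.append(len(next_frontier))
        frontier = next_frontier
    return generations


def flash_worm_seconds(generations, hop_seconds):
    """Wall-clock time to saturation if every hop costs `hop_seconds`
    (one connection round trip plus payload transfer; an assumed figure)."""
    return len(generations) * hop_seconds


def random_scan_hours(frac_start, frac_end, k_per_hour):
    """Hours for a random-scanning worm to grow from one infected fraction to
    another under the logistic (random constant spread) model
    a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), which is linear in t after a logit
    transform.  K is the per-hour compromise rate (an assumed value)."""
    def logit(a):
        return math.log(a / (1.0 - a))
    return (logit(frac_end) - logit(frac_start)) / k_per_hour


if __name__ == "__main__":
    n_hosts = 1_000_000                      # constructed hit list of host ids
    gens = flash_worm_generations(range(n_hosts), fan_out=10)
    print("flash worm: hops =", len(gens), "infections per hop =", gens)
    print("saturation in about", flash_worm_seconds(gens, hop_seconds=1.0), "s")
    print("random scanning, 1 host -> 99% at K=1.8/h:",
          round(random_scan_hours(1 / n_hosts, 0.99, 1.8), 1), "hours")
```

With a million-host hit list and fan-out 10 the flash worm saturates in six hops, so even at a generous one second per hop it finishes in seconds, whereas the logistic model with the assumed K needs on the order of ten hours to go from one host to 99%; this is the gap between the "simple worms" and the "super-fast worms" the summary refers to.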
This archive was generated by hypermail 2.1.6 : Tue Nov 30 2004 - 22:10:03 PST