Benevolent Worms
Yet another story about benevolent worms and how they can secure our networks. This idea shows up every few years. (I wrote about it in 2000, and again in 2003. This quote (emphasis mine) from the article shows what the problem is:
Simulations show that the larger the network grows, the more efficient this scheme should be. For example, if a network has 50,000 nodes (computers), and just 0.4% of those are honeypots, just 5% of the network will be infected before the immune system halts the virus, assuming the fix works properly. But, a 200-million-node network with the same proportion of honeypots should see just 0.001% of machines get infected.
This is from my 2003 essay:
A worm is not “bad” or “good” depending on its payload. Viral propagation mechanisms are inherently bad, and giving them beneficial payloads doesn’t make things better. A worm is no tool for any rational network administrator, regardless of intent.
A good software distribution mechanism has the following characteristics:
- People can choose the options they want.
- Installation is adapted to the host it’s running on.
- It’s easy to stop an installation in progress, or uninstall the software.
- It’s easy to know what has been installed where.
A successful worm, on the other hand, runs without the consent of the user. It has a small amount of code, and once it starts to spread, it is self-propagating, and will keep going automatically until it’s halted.
These characteristics are simply incompatible. Giving the user more choice, making installation flexible and universal, allowing for uninstallation—all of these make worms harder to propagate. Designing a better software distribution mechanism, makes it a worse worm, and vice versa. On the other hand, making the worm quieter and less obvious to the user, making it smaller and easier to propagate, and making it impossible to contain, all make for bad software distribution.
All of this makes worms easy to get wrong and hard to recover from. Experimentation, most of it involuntary, proves that worms are very hard to debug successfully: in other words, once worms starts spreading it’s hard to predict exactly what they will do. Some viruses were written to propagate harmlessly, but did damage—ranging from crashed machines to clogged networks—because of bugs in their code. Many worms were written to do damage and turned out to be harmless (which is even more revealing).
Intentional experimentation by well-meaning system administrators proves that in your average office environment, the code that successfully patches one machine won’t work on another. Indeed, sometimes the results are worse than any threat of external attack. Combining a tricky problem with a distribution mechanism that’s impossible to debug and difficult to control is fraught with danger. Every system administrator who’s ever distributed software automatically on his network has had the “I just automatically, with the press of a button, destroyed the software on hundreds of machines at once!” experience. And that’s with systems you can debug and control; self-propagating systems don’t even let you shut them down when you find the problem. Patching systems is fundamentally a human problem, and beneficial worms are a technical solution that doesn’t work.
Nicholas Weaver • December 5, 2005 3:40 PM
Actually, (reading just the summary, not the Nature? article), this isn’t a “white worm” approach, this is really just a “Honeyfarm (use honeypots to analyze & create a filter) and distribution” paper.
But IMO, it doesn’t sound interesting, and it is an argument against Nature (and Science) publishing security papers: they don’t have a good basis for reviewing them.
Many researchers (myself included) have been proposing such things for years (I hyped the possibility 2+ years ago at a Usenix WIP) and many are currently implementing such things, including the research group I’m in (both here at ICSI and Stefan Savage’s group at UCSD), the Collapsar group at Purdue, many members of the Honeynet alliance, etc etc etc.
The real contribution of the Nature paper it sounds like, the simulations themselves, just aren’t interesting. This is already the “This will work if you solve the engineering problems” is blatently obvious. We’ve known the sensitivity requirements (detect is when approx 1/k is infected, if you have K addresses (not necessarily honeypots) and the worm is random) since my first WIP.