One thing is certain in the IT World: the proliferation of malware isn’t slowing down and the risks are increasing. Even those of us who are really careful are at far greater risk these days because the bad guys keep getting better and better (it just occurred to me that it would be great if two ransomware outfits wound up holding each other’s data hostage, but I digress).
Just consider the Shellshock vulnerability discovered in late September this year. Within the first day of discovery something like 24,000 hacking attacks based upon the flaw were detected.
In the long term these types of vulnerability mean that systems will have to get more complex to thwart malware incursions and eventually each system and each application in each system will wind up with multiple layers of defense. This, in turn, will demand more memory and more cycles ... confirming once again that what Intel giveth, the black hats taketh away.
That said, a new defense for servers running Linux holds great promise in reducing the impact of malware and hacking, and perhaps in saving some of those overheads. Called Advanced Adaptive Applications, or A3, it was developed over the last four years by the Flux Research Group at the University of Utah, run by Eric Eide, a research assistant professor of computer science, and associate professor John Regehr, in conjunction with Raytheon BBN and funded by the Defense Advanced Research Projects Agency (DARPA).
What’s so cool about A3? It can not only detect zero-day (never before seen) malware and attacks, it can also “inoculate” servers from future infections by that agent.
According to the University of Utah News Center, A3 is “a software suite that works with a virtual machine” that consists of:
… “stackable debuggers,” multiple debugging applications that run on top of each other and look inside the virtual machine while it is running, constantly monitoring for any out-of-the-ordinary behavior in the computer. … A3 can detect new, unknown viruses or malware automatically by sensing that something is occurring in the computer’s operation that is not correct. It then can stop the virus, approximate a repair for the damaged software code, and then learn to never let that bug enter the machine again.
Does it work? The researchers set up a test and:
To test A3’s effectiveness, the team from the [university] and Raytheon BBN used the infamous software bug called Shellshock for a demonstration to DARPA officials in Jacksonville, Florida, in September. A3 discovered the Shellshock attack on a Web server and repaired the damage in four minutes … The team also tested A3 successfully on another half-dozen pieces of malware.
A3 works by using a technique called Virtual-Machine Introspection (VMI) which places:
… a monitoring agent on the ‘outside’ of a virtual machine to obtain information about the state of the system that is running on the ‘inside’ of the virtual machine. The Flux Group is developing a VMI-enabled debugging framework, called Stackdb, that is the basis of the A3 environment's detection, prevention, and repair capabilities. For example, Stackdb allows A3 to observe significant events during replay executions, and thus helps to close the semantic gap between the “inside” and “outside” views of a system's behavior.

Atop the basic VMI framework, the Flux Group is implementing semi-automated analyses of security and performance. A new scripting language, called Weir, helps programmers to define and compose analyses that utilize VMI and other data sources.
A3 is a container-type system and uses Kernel-Focused Advanced State Management (ASM) to monitor and repair the containerized kernel. The project is open source, and the currently available software includes Stackdb, a VMI-enabled debugging library for multi-level systems; ASM, a system for kernel-focused anomaly detection and repair; Weir, a streaming language for systems analysis; XenTT, a “time-traveling” hypervisor; and security-enhanced UNFS3, a user-mode NFS server with a configurable security policy. There's also a collection of scripts and files used in various A3 demonstrations, “but these are not ‘ready to run’ … We hope to provide ready-to-run demos in the near future.”
A3 is not only on the leading edge of system integrity assurance but could actually change how we battle malware and hacking. That’s something that can’t come too soon.