Information Systems Technology
Publication Abstract
Weaver, N., Paxson, V., Staniford, S., Cunningham, R. K., Large Scale Malicious Code: A Research Agenda, March 2003.
Abstract
The reliable operation of our networked computing infrastructure is essential to many governmental and corporate activities. Unfortunately, this infrastructure is highly vulnerable to automated attacks by computer worms: programs that propagate themselves to all vulnerable machines on the Internet. Such wide-scale malicious code is a major threat. Previous worms, such as Code Red and Nimda, were relatively minor: they contained no overtly malicious payload designed to affect the infected machine and attacked comparatively well-known vulnerabilities. Even so, they were moderately disruptive and highlighted the systemic vulnerabilities as the worms infected hundreds of thousands of machines in a few hours. Numerous companies and institutions lost a day of work while the computers were restored. Future attacks can be considerably faster through some simple optimizations and alternate strategies, allowing all vulnerable machines to be infected in far less than an hour: faster than humans can react. Alternatively, some strategies don’t accelerate the spread but make the attack much harder to detect. An attacker using an otherwise unknown vulnerability could potentially corrupt millions of computers, if the vulnerable population is widespread. A malicious attacker could search or disrupt any information present on the infected machines, and/or use them to conduct wide-scale attacks on the Internet infrastructure. What makes the threat particularly serious is that the resources required to launch such an attack are comparatively small: a few skilled programmers and a small group of test machines. There are several strategies possible, including active scanning, topologically-aware, contagion, metaserver, and flash attacks, which can’t be detected or responded to by current systems. 
There are numerous possible payloads, such as data erasers, hardware-damaging routines, Internet-scale denial-of-service attacks, or widespread espionage, which could significantly affect the U.S. economy if contained in a widespread worm. If our nation wishes to rely upon commodity networked computers for our day-to-day business, governmental, and military operations, we need to invest in several avenues of research to address the threat posed by the different families of malicious code. Much of this research must be government-sponsored because of its forward-looking nature, the lack of a clear money-making proposition, and the requirement for widespread and proactive defenses. This report aims to survey the different types of research necessary for addressing the threat and, in particular, to assess the priority of funding the different areas. Some areas, while promising, are already being pursued by existing efforts or commercial entities; others are high risk, but with only modest promise; while still others have high promise and are currently undersupported. The latter form the highest funding priority, while the others should have less priority.
Much remains to be done to defend against worms. Although there is already considerable research in the area of creating more secure and robust computer systems, few of the resulting features are easy to use or widely deployed. Since there appear to be a limited number of strategies that enable a worm to find and infect new targets, it should be possible to create automated sensors which detect and respond to these various strategies. Once a worm is detected, it is possible to institute reactions which throttle the worm based on its method(s) of propagation. Some type of automated response will be essential to slow the worm to the point where human reasoning again becomes relevant.
To succeed, improvements will be needed in tools that automatically perform an initial analysis of a worm based on its behavior: what it can infect, how it spreads, and particular features of its code. Such information can guide more precise responses and alert Internet sites if the worm poses a particularly significant threat. Manual analysis is currently based on disassemblers, debuggers and similar tools, and analysing a current worm this way requires an extensive period of time. Since even today's worms spread world-wide in less than half the time such analysis takes, the current manual analysis tools are too slow to aid in creating meaningful responses. By developing improved tools and other techniques, it should be possible to reduce analysis time considerably.
Significant effort is also needed in improving the response and recovery procedure. The current response relies on only loose coordination among individuals, with the few channels for updates being limited and susceptible to secondary attack. Considerable research is needed to develop recovery techniques which can automate this process and mechanisms which can resist a determined attack.
Cooperative defenses are essential for many facets of worm defense. Some may need to be mandated, while others may simply be subsidized. Cooperation offers numerous benefits. Many sensing and analysis schemes benefit from wide, cooperative deployments to increase sensitivity and robustness. Another benefit is derived from the global effects: some deployments can tolerate more significant, short-term responses. Reactions that temporarily deny access to systems with a specific vulnerability will slow the overall spread of an infection. We envision the possibility of a Cyber CDC to lead the development and deployment of these defenses. There needs to be a considerable government role due to the common problems which worms present and the need for cooperative responses.
Although any individual might only see a small risk to their own data, the overall risk is unacceptably high.
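As an added illustration, not from the report itself, of the propagation-aware sensor and throttle the abstract calls for: a per-host sensor that counts first contacts with previously unseen destinations (the signature of active scanning), a flagging rule, and a response that rate-limits only first contacts so a scanning host is slowed while ordinary traffic passes. The connection records, host addresses and function names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed connection records (time_s, src, dst); not data from the report.
# 10.0.0.5 is a normal client; 10.0.0.7 scans 40 never-seen hosts in 4 s.
SAMPLE = [(0.0, "10.0.0.5", "10.0.0.9"), (0.5, "10.0.0.5", "10.0.0.9"),
          (1.0, "10.0.0.5", "10.0.0.12"), (3.0, "10.0.0.5", "10.0.0.9")]
SAMPLE += [((10 + i) / 10, "10.0.0.7", f"192.0.2.{i}") for i in range(40)]

def peak_new_destination_rate(records, window_s=5.0):
    """Per source: most distinct never-before-seen destinations first contacted
    inside any window_s-second sliding window. Repeat contacts do not count,
    which is what separates a scanning worm from a busy but normal client."""
    # seen: destinations already contacted; firsts: first-contact times in window
    seen, firsts, peak = defaultdict(set), defaultdict(deque), defaultdict(int)
    for t, src, dst in sorted(records):
        if dst in seen[src]:
            continue
        seen[src].add(dst)
        q = firsts[src]
        q.append(t)
        while t - q[0] > window_s:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)

def flag_scanners(records, window_s=5.0, max_new_per_window=10):
    """Sources whose first-contact rate exceeds what a client plausibly needs."""
    rates = peak_new_destination_rate(records, window_s)
    return sorted(s for s, r in rates.items() if r > max_new_per_window)

def throttle(records, window_s=1.0, max_new=1):
    """Propagation-aware response: allow at most max_new first contacts per
    window_s per source and delay the rest; repeat contacts always pass.
    Returns {src: (passed, delayed)}; ordinary traffic is untouched."""
    seen, firsts = defaultdict(set), defaultdict(deque)
    counts = defaultdict(lambda: [0, 0])
    for t, src, dst in sorted(records):
        if dst in seen[src]:
            counts[src][0] += 1
            continue
        q = firsts[src]
        while q and t - q[0] >= window_s:
            q.popleft()
        if len(q) < max_new:
            q.append(t)
            seen[src].add(dst)
            counts[src][0] += 1
        else:
            counts[src][1] += 1    # would be queued and released later
    return {s: tuple(c) for s, c in counts.items()}
```

On the sample, the client peaks at 2 new destinations per window and passes untouched, while the scanner peaks at 40, is flagged, and has 36 of its 40 first contacts delayed.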
