2. CONCEPTUALIZACIÓN TEÓRICA
2.1 ESTADO DEL ARTE
2.1.3 Evaluación interna y externa de los aprendizajes La incidencia de las pruebas estandarizadas en las prácticas evaluativas de los docentes es un factor que no ha sido
It is now obvious that worms pose a serious threat to individual computers, to computer communications, to the Internet in general, and even to the infrastructure of entire nations. What can the world do to bring this threat under control or at least to reduce its magnitude? The authors of the excellent paper [Staniford et al. 02], to which this discussion owes much, argue in favor of establishing a cyber center for disease control (CCDC), similar to the centers for disease control and prevention (CDC [CDC 04]) of the United States government. The CDC’s mission is to promote health and quality of life by preventing and controlling disease, injury, and disability. Similarly, the mission of the CCDC should include the following points:
To quickly identify any outbreak of rogue software.
To isolate, disassemble, and understand any newly-discovered threat. To actively fight new infections.
To anticipate new types of viruses and worms and to educate the computer security community about these future threats.
To plan methods and tools to detect any anticipated threats.
To educate the public about computer security and safe ways of using computers.
Identifying outbreaks. Currently, new attacks of rogue software are identified, isolated, disassembled, and read by volunteers who then propose ways to neutralize an attack. There is no central organization dedicated to these tasks. It normally takes at least hours for news about a new attack to reach the millions of Internet users. It also takes at least a day or two for volunteer experts (often located at universities) to understand the threat and develop countermeasures. This type of response is too slow for the worm techniques discussed in this section. Moreover, a clever worm creator may combine the worm attack with a separate DoS attack designed to slow communications between the various volunteers working on the worm and between them and the suffering public. It may come as a surprise to most readers to learn that the volunteer experts concerned with identifying and fighting rogue software communicate by means of a few mailing lists. A perpetrator who knows about those lists and who specifically targets them in a DoS attack, can greatly delay any response to the main attack.
The proposed CCDC can develop several mechanisms for communications between those responsible for a defense. Such mechanisms should not be limited to the Internet and may include fax, telephone, and wireless. The CCDC should also launch organized research into ways to quickly and automatically detect a worm attack. This can be achieved by, for example, software that listens to traffic on the Internet, analyzes its patterns, and discovers anomalies. Another option is hardware sensors placed at several strategic locations in the Internet, again listening to traffic and analyzing it. Such work cannot be done by private individuals or organizations. It has to be planned and coordinated by a government-sponsored agency.
Analyzing new worms. When a worm is discovered, its spreading mechanism (or at least its principle of spreading) is known from the way it is discovered. Experts
106 3 Worms
are then called in to disassemble the worm and understand its trigger and payload. In the past, worms and viruses were small and fairly simple to read and understand, but we may not always be that lucky. A clever fraudster may write a program with lots of extra, unneeded and unused (chaff) instructions. Given the original source code, with labels and comments, such instructions can easily be identified and ignored. Trying to read and understand disassembled code, with no labels, no comments, and no real way to distinguish instructions from data, may complicate the process of reading and understanding the code, as illustrated by Figure 3.2.
ADD R4,#500 SUB R0,D L: MULT E,F . . M: DIV S,R1 . . LOD J STO L . . J: JMP M . . D: DATA 23 . . (a) 100 ADD R4,590 101 SUB R0,280 102 MULT E,F . . 110 DIV S,R1 . . 223 LOD 278 224 STO 102 . . 278 JMP 110 . . 280 ??? 23 . 590 CMP 0,0 % literal 500 (b)
Figure 3.2: Source Code And Disassembled Code.
Part (a) of the figure is easy to read, but part (b) suffers from the lack of labels and from the inability of the disassembler to distinguish between instructions and data. Thus, the literal 500 is disassembled in part (b) as an instruction (whose code happens to be 500) while the data item 23 at labelDis disassembled into??? because 23 doesn’t happen to be the code of any instruction.
Even having full access to the source code of a program does not always make it easy to read and understand it. Any reader who doubts this statement should look at the programming “pearls” submitted to the international obfuscated C code contest [IOCCC 04].
The CCDC should therefore develop tools for program analysis. Many worm writ- ers use routines copied from publicly-available software libraries that have the codes of past worms. The ability to recognize such routines in a disassembled code can greatly enhance its readability. The CCDC should also have laboratories with different plat-
forms, operating systems, and communications software, to help in analyzing worms and viruses by executing their codes slowly, instruction by instruction and examining its effects.
I am often asked if virus writers are good programmers. This is a little like asking if Jack the Ripper was a good surgeon—for the most part, such a question is not only irrelevant, but offensive. Any skill displayed in executing a malicious act can only make that act more abominable.
—Jim Bates (Pimpernel software) in [Virus bulletin 05] May 1994.
Fighting new infections. It is clear that the proposed CCDC should educate the public in topics such as analyzing data traffic, that can lead to early detection of worms. It may also be useful to place special software agents at the largest Internet gateways, where much of the Internet traffic passes. Such agents are normally passive, but when a new worm is discovered, they can be quickly trained by CCDC personnel to recognize data packets that contain the worm or parts of it and delete them.
Anticipating new threats. New worms may either be based on old ones or use new principles. The CCDC should have researchers think of ways to revive and extend old worms. Once someone comes up with an idea for a future worm, the CCDC may want to anticipate it and reprogram its agents to fight it if and when it is observed. Whenever someone discovers a security hole, CCDC personnel should think of how it could be exploited by a new worm (a new security hole will be patched, but this takes time, perhaps even weeks). When new communications software is released, the CCDC should work closely with its maker to scrutinize the software for security weaknesses.
The CCDC could also issue a set of recommendations to software makers, in much the same way as the International Telecommunications Union (ITU) issues recommen- dations to makers of telecommunications equipment. The recommendations should be directed toward developing secure software, software that will not have security holes to begin with.
Public involvement. No one lives in a vacuum. We compete with each other all the time, we try to develop new ideas, approaches, and points of view that help us compete, but by doing so we also cooperate. This observation implies that the CCDC should be open to the public. Anyone should be allowed to contribute ideas and everything (well, almost everything) that the CCDC does should be public knowledge. Operating in an open environment has its cost. The perpetrators would learn all about the strategy and tools developed by the CCDC, but judging from past experience, the advantage to CCDC from news, ideas, and suggestions coming from the public will far outweigh any danger stemming from having this knowledge in the hands of wrongdoers.
A final basic issue regarding the CCDC is to what degree it should operate in an open fashion. For example, during an outbreak the CCDC could maintain a Web site for use by the research community. Such an approach would allow many different people to contribute to the analysis of the outbreak and of the pathogen, perhaps adding invaluable insight and empirical data. This sort of coordination happens informally today, in part; but it is also the case that currently a variety of anti-viral and security companies analyze outbreaks independently, essentially competing to come out with
108 3 Worms
a complete analysis first. This makes for potentially very inefficient use of a scarce resource, namely the highly specialized skill of analyzing pathogens.
Rogue software is a global problem, so the CCDC should ideally be an international organization, perhaps a new United Nations agency. An international agency would make foreign governments more cooperative. Also, having skilled watchers in all time zones may help all of us sleep better. It feels different when you know that someone (a brother, but not big brother) is watching while you are asleep.