Thursday, December 3, 2009

Evolutionary Processes and Natural Selection Reloaded

There are four basic evolutionary processes: Natural Selection, Genetic Drift, Undirected Mutation, and Gene Flow, all of which operate on populations of entities. The interplay between these processes can enhance or suppress the fitness of the individuals within a given population.

The process most commonly discussed in evolutionary biology is Natural Selection. In its basic formulation, natural selection requires only four conditions to operate on a population (based on those given in Evolution, 3rd Edition by Mark Ridley):
  1. Reproduction - Entities must reproduce to form a new generation.
  2. Heredity - Entities produced by reproduction must tend to possess the characters (i.e. traits) of the previous generation.
  3. Individual Variation - The entities within the population are not identical.
  4. Character Fitness - Individual characters have varying degrees of fitness, which determines how successfully they are propagated to subsequent generations.
There are a number of issues when attempting to apply Natural Selection from evolutionary biology directly to information security using a strict interpretation of the required conditions.
  1. Reproduction - The majority of entities within information systems are installed or copied onto other systems rather than reproducing in any true sense. This is more akin to replication, which is essentially cloning, than to asexual reproduction. In asexual reproduction each generation consists of identical or nearly identical copies produced as offspring, while cloning produces exact copies.
  2. Heredity - The condition for heredity is easily satisfied. Computers are quite effective at producing exact copies of programs and data, and there are numerous methods (checksums, cryptographic hashes, digital signatures) for performing integrity checks to ensure that a replication event did indeed produce an identical copy.
  3. Individual Variation - Natural Selection requires that there is variability within a population. Within information security, programs that are installed or replicate in an environment do so without any variability: they are able to create exact copies of themselves, and any error introduced by the replication routine will often cause a fatal error when the copy attempts to execute. Simply stated, programs are produced by installation or infection. There may be some variation within the population if the entity is polymorphic or metamorphic, but typically a program is created once and then processed through a polymorphic encoder to produce the variations.
  4. Character Fitness - The fitness of an entity within a population varies according to the characters it has inherited. Some characters will have a higher fitness, while others have a lower fitness, and those with a higher fitness will tend to dominate the population as they are more successful in reproducing. Because the population consists of cloned entities, individual variability has been eliminated or minimized, which means there is minimal variability in character fitness for selection to act on.
Given these issues with the direct application of Natural Selection to information security, Natural Selection can alternatively be thought of as an evolutionary algorithm. The conditions can be relaxed and reinterpreted in a more general form to produce a selection algorithm that operates within information security.
  1. Reproduction can be reinterpreted as replication, or simply as a process or algorithm that replicates an entity.
  2. Heredity can be reinterpreted simply as a process for passing characters from a parent entity to its offspring. Heredity allows individual characters to be linked between offspring and the previous generation.
  3. Individual Variation can be reinterpreted as a process in which different characters are generated from the previous generation's characters. This could be as simple as an algorithm that incrementally modifies the parameters passed into an entity's control loop, altering its interactions with the environment. As in biological systems, these parameters are modified during reproduction and are assumed to be relatively static during the lifespan of an entity.
  4. Character Fitness can be reinterpreted simply as a filtering function: individual variation causes the fitness of each entity to vary, so that selection can act on the individual entities within the population, allowing the higher fitness entities to survive while the lower fitness entities are pruned from the population.
Natural Selection is the process operating in the environment. Artificial Selection describes selection processes used by an experimenter to modify a population. Both operate on a population in a similar manner, but Natural Selection is free from an experimenter's influence. Because of the filtering algorithm, natural selection, like artificial selection, is not a random process. Selection occurs in a nonrandom manner; only those entities that are able to survive the selection pressure are able to reproduce. There are three basic selection pressures, directional, disruptive and stabilizing selection, which have already been discussed.
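The four relaxed conditions above can be written down directly as a small selection algorithm. The following is an added example, not code from the original post: a Python simulation in which each entity is a single inherited character, replication copies it with a small undirected perturbation, and a fitness function filters the population under each of the three selection pressures. The fitness functions, the optimum at 0.5, the population size of 200, the survivor count of 50 and the mutation scale of 0.05 are all assumptions chosen for illustration. Setting the mutation scale to zero reproduces the cloning case from the list above, where selection has no variability to act on.

```python
import random
import statistics
from typing import Callable, Dict, List

# Each entity is one inherited character (a float), assumed static during its
# lifetime and only perturbed at replication (conditions 2 and 3 above).
Entity = float
FitnessFn = Callable[[Entity], float]


def replicate(parent: Entity, rng: random.Random, mutation_sd: float) -> Entity:
    """Reproduction, heredity and variation in one step: the child is a copy of
    the parent (heredity) plus a small undirected perturbation (variation).
    With mutation_sd == 0 this degenerates to cloning, as an installer does."""
    return parent + rng.gauss(0.0, mutation_sd)


def select(population: List[Entity], fitness: FitnessFn, survivors: int) -> List[Entity]:
    """Character fitness as a filter: rank by fitness and prune the rest.
    Selection is non-random; only the top `survivors` entities get to reproduce."""
    return sorted(population, key=fitness, reverse=True)[:survivors]


def evolve(fitness: FitnessFn, generations: int, pop_size: int = 200,
           survivors: int = 50, mutation_sd: float = 0.05, seed: int = 1,
           init_range=(0.4, 0.6)) -> List[Entity]:
    """Run the selection algorithm for `generations` rounds and return the
    final population. The initial population is drawn uniformly from init_range."""
    rng = random.Random(seed)
    population = [rng.uniform(*init_range) for _ in range(pop_size)]
    for _ in range(generations):
        parents = select(population, fitness, survivors)
        # Each survivor has an equal chance of being the parent of each child.
        population = [replicate(rng.choice(parents), rng, mutation_sd)
                      for _ in range(pop_size)]
    return population


# The three selection pressures, expressed as fitness functions of the character x.
# The optimum at 0.5 is an arbitrary choice for this example.
def directional(x: Entity) -> float:
    return x                  # larger values are always fitter


def stabilizing(x: Entity) -> float:
    return -abs(x - 0.5)      # the intermediate value is fittest


def disruptive(x: Entity) -> float:
    return abs(x - 0.5)       # the extremes are fittest, the middle is pruned


PRESSURES: Dict[str, FitnessFn] = {
    "directional": directional,
    "stabilizing": stabilizing,
    "disruptive": disruptive,
}


def run_pressure(name: str, generations: int = 50, mutation_sd: float = 0.05,
                 seed: int = 1) -> Dict[str, float]:
    """Evolve a population under the named pressure and summarise where it ended up."""
    population = evolve(PRESSURES[name], generations, mutation_sd=mutation_sd, seed=seed)
    return {
        "mean": statistics.mean(population),
        "stdev": statistics.pstdev(population),
        "nearest_to_middle": min(abs(x - 0.5) for x in population),
    }


if __name__ == "__main__":
    for name in PRESSURES:
        print(name, run_pressure(name))
    # A cloned population (no variation) cannot move, however strong the pressure.
    print("directional, cloned", run_pressure("directional", mutation_sd=0.0))
```

Directional selection drags the mean of the character steadily upward, stabilizing selection keeps it pinned near the optimum with a small spread, and disruptive selection empties the middle of the distribution. Because the two extremes compete for the same fifty survivor slots in this toy model, one of them usually takes over after a few generations, which is itself a reminder that the outcome depends on the filtering rule, not only on the fitness function. In the cloned run the population ends up monomorphic at one of its initial values and never leaves the 0.4 to 0.6 range, which is the information security situation described in the list above.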

Selection is readily evident in information security: cryptographic algorithms that are broken are slowly removed from general use and newer algorithms are designed. Selection usually does not cause changes to occur instantaneously unless the selection pressure is strong. MD5 is still in widespread use throughout the computing base despite practical collision attacks having been known since 2004.

When considering how selection applies to information security, it is important to understand that in evolutionary biology, when an entity is selected against it has been removed from the reproductive (or effective) population. In most cases this means that the entity has died. When an entity has been selected against in information security, it does not necessarily mean that the system has died. A more complete way of stating it is that when a system has been selected against, it is no longer present or is no longer in its intended operating state. In the case of malware, this means the malware has been removed from a system or its command and control infrastructure has been eradicated. In the case of an IT system, the system has been selected against if it has been compromised or if it has been wiped (as in the case of a complete rebuild). Unlike organisms in the environment, which cannot be brought back to life once eliminated, IT systems can be wiped and rebuilt.

Another significant process within evolutionary biology is Undirected Mutation. Although life replicates with high fidelity, errors are introduced when replication occurs. These errors cause cellular processes to vary in ways that can enhance the organism's fitness, reduce its fitness or have little effect on it. Natural Selection works with Undirected Mutation to select for entities with a higher fitness and prune out entities with a lower fitness. Although there are evolutionary algorithms within the field of artificial intelligence, most of the processes that modify the behavior or enhance the functionality of programs are guided by Directed Mutation. Directed Mutations are mutations deliberately made with the goal of producing a desired effect; in the case of malware, this can range from increasing its ability to infect remote hosts, to hindering a malware analyst's ability to determine the true nature of the application, to simply getting past the latest anti-virus definitions.

If Directed Mutation as a process is reinterpreted to include modifications at a larger scale, then it is tempting to think of directed mutations as being applied by an intelligent entity, most commonly referred to as an intelligent designer. Although the intelligent designer has no scientific basis in evolutionary biology, it can apply to information security in a more limited way. Evolutionary biology works without an "intelligent designer" guiding the evolution and development of an entity. Information systems typically involve a designer and/or engineer who designs a system which is then implemented. The fitness of the system is then determined, and it can be revised during the next design and subsequent implementation. As in evolutionary biology, applying a designer to information security does not require that a single overall designer exist. Indeed, the opposite is true: there are large numbers of individual designers operating and competing, by proxy through their fielded applications and programs, for systems and resources.

Genetic Drift is one of two evolutionary processes that can directly work against Natural Selection. In Genetic Drift, the random inheritance of weakly or neutrally selected characters during reproduction can cause characters to eventually either dominate or be removed from a population. Weakly selected characters are those with only minor selection pressures working on them, while neutral characters effectively have no selection pressure operating on them. Genetic Drift is able to work against Natural Selection because during reproduction a character, despite providing a strongly enhanced fitness, may not be passed along to subsequent generations. If there are two characters {A, B} and only one will be passed along, it will be either A or B; the other character can be lost unless there are sufficient numbers to ensure that statistically it is passed along. Unlike most of the other evolutionary processes, Genetic Drift does not have an easily identifiable analogy in information security, other than personal preferences in the choice of browsers, office automation applications, operating systems, etc.

The last of the four major evolutionary processes is Gene Flow. Gene Flow occurs when two populations having different allele frequencies interbreed (usually after a period of isolation followed by reintroduction). Typically in an isolated population, Natural Selection and Genetic Drift will alter the characters of the population from their original frequencies. When the population encounters another population with which it can interbreed, the resulting interactions cause gene frequencies to change in the resulting population. It is not required that the two populations be environmentally isolated. Gene Flow can also occur if there is a strong selection pressure operating locally within the population (normally on a fringe population in which the environment is different from that of the main body).

When selection favors specific adaptations within a population, the adjusted gene frequencies of the initial population may flow into another population with a different set of allele frequencies, altering the resulting gene frequencies for both populations. This situation can occur because a population has become isolated due to environmental conditions, or because an adaptation favors a specific frequency in a sub-population. Since the genes favored in the different populations can differ, and the intermixing of the genes results in intermediate allele frequencies, this process can actually work against Natural Selection, preventing optimal solutions from being established. As an example of this in evolutionary biology, Stephen Stearns and Richard Sage (Mal-Adaptation in a Marginal Population of the Mosquito Fish, Evolution, 1980) found that specific adaptations which could have increased the overall fitness of a border population of mosquito fish attempting to survive in fresh water were being hindered by gene flow resulting from interbreeding with the main population.

A close parallel to Gene Flow is found in the formal education of programmers in producing secure code. In order to create and distribute programs a developer does not need to be trained in how to create a secure program, only in how to create a functional one. Some organizations have deliberately allocated resources to train their developers in methods for designing and implementing secure programs. But if the organization is only able to attract new developers who have not received any training in a secure development lifecycle, it must expend resources to educate each of them. Depending on the turnover rate of the organization and on project schedules, this recurring cost could be significant enough to cause the organization to lose its focus on developing a secure product.

Genetic Drift, Gene Flow, Natural Selection and Undirected Mutation form the four basic processes of evolutionary biology. With little modification or reinterpretation these processes can be applied to information security. Natural Selection becomes Artificial Selection, Undirected Mutation becomes Directed Mutation, Gene Flow is still represented, and Genetic Drift becomes a less important evolutionary process.

Wednesday, July 29, 2009

Extinction and End Games

Recently Jeff Moss gave an introduction at the opening of Black Hat DC 2009 in which he essentially asked "is there any problem in security that has been definitively crushed or completely eradicated? Is there a problem from 10 years ago that is no longer a concern?" Specific instances of problems have been eradicated, but the families of problems that persist include computer viruses, buffer overflows, cross site scripting (XSS), SQL injection (SQLi), etc. Computer viruses have existed since 1971, buffer overflows were popularized in 1996, XSS has been around since about 1997, and SQLi has been present since 1998.

Managers and security professionals are often looking for the silver bullet that will solve all of the information security issues an organization may have. Vendors of security products are often willing to demonstrate that their single or integrated security solution will provide all of the protection that an enterprise needs against emerging threats, the next generation of attacks, etc.

As information security is engaged in a Red Queen race, or evolutionary arms race, there should be no expectation that any single strategy, or fixed set of strategies, can always ensure the survival of an organization. The security controls that are put in place act as selection pressures on adversaries, ensuring that only the successful exploitation strategies are passed on to the next generation of attacks. The security controls ensure that attackers and malware authors continue escalating their exploitation strategies against the implemented security solutions in order to survive. This escalatory relationship is akin to the evolutionary arms race between predator and prey.

There are multiple possible outcomes of an evolutionary arms race between predator and prey (Evolutionary Biology, 3rd Edition, Futuyma):
  • The first outcome is that neither side gains the advantage. In this situation the evolutionary arms race continues, with each side escalating its strategies (Richard Dawkins and J. R. Krebs, Arms Races between and within Species, 1979). Within an escalatory arms race, both the predator's weapons and the prey's defenses become more effective than in previous generations, but neither has an advantage (G.J. Vermeij, Evolution and Escalation, 1999). More simply stated, as time passes a predator's weapons become more refined, and in response the prey species evolves better defenses. The end result is that neither side makes any net progress, but a modern predator would be better able to exploit an ancestral prey than a predator from that period.
  • The second outcome is that as the evolutionary costs of continuing the escalation increase, the set of strategies employed by both sides causes an equilibrium to be established. This equilibrium can form what is referred to as an Evolutionarily Stable Strategy (ESS): a strategy which, once adopted by a population, is resistant to invasion by alternative strategies given the costs associated with each strategy. ESSs are detailed in Evolution and the Theory of Games by John Maynard Smith (1982) and in The Selfish Gene by Richard Dawkins.
  • The third outcome is that the system undergoes continual or periodic change as a new strategy is employed, a counter-strategy evolves, and is then deployed. This is similar to the relationship between a disease/parasite and its host: a disease or parasite invades a host population, which takes time to develop resistance or immunity. For a period the population may be quite successful at repelling the disease/parasite, but eventually the disease/parasite can evolve a strategy to overcome the factor that was keeping it out of the host. This is commonly seen as the overuse of antibiotics has caused antibiotic-resistant strains of bacteria to develop, such as Methicillin-resistant Staphylococcus aureus (MRSA) or Extensively Drug-Resistant Tuberculosis (XDR-TB).
  • Lastly, an evolutionary arms race can result in one or both species going extinct. One side of the arms race evolves an adaptation that allows it to fully exploit, or fully evade exploitation by, the other species in a way the other cannot adapt to before becoming extinct. Conversely, if the predator was entirely focused on exploiting a single prey species, the extinction of the prey may cause the predator species to collapse as well.
Ideally, the goal of information security is to reach the last outcome of an evolutionary arms race, in which the opponent becomes extinct. Although this is the goal, within the current malware and anti-malware Red Queen race the reality appears to be that the race is in the first outcome (continued escalation) or the third outcome (cyclic strategy and counter-strategy development), and it will persist in one of these states for the foreseeable future. The cost of the evolutionary arms race is still asymmetric between defenders and attackers. The methods and strategies for evading anti-virus scanners with Free/Open Source Software (FOSS) tools such as the Metasploit Framework are still fairly effective, despite those strategies having been implemented prior to March 2008.

In order to cause an extinction of predator strategies (or, in the case of information security, an attacker's or malware author's strategies), it is not necessary to wipe out an entire population in a single event. Within evolutionary biology, the simplest model of population growth is given by P(t) = P0 * exp((b - d) * t), where P(t) is the population size at time t, P0 is the initial effective population size, b is the per-capita birth rate and d is the per-capita death rate. As long as the birth rate is higher than the death rate, the population grows exponentially; if the death rate is higher than the birth rate, the population shrinks exponentially. The birth and death rates are typically determined by environmental factors such as competition for available resources and the types of selection pressure present. Essentially, the environment only has to change faster than the opponent's strategies can adapt.

By inspecting the rate of growth in malware, it appears that the "birth" rate is higher than the "death" rate: the effective malware population (based on the number of unique samples) is growing exponentially, which means malware populations have not yet reached the carrying capacity of their environment. Within evolutionary biology and ecology, the carrying capacity is the population size that a given environment can support based on the available resources. If a population is increasing in size, the carrying capacity has not been reached, as more resources are available to support the growth. As the population approaches the carrying capacity, population growth slows as the available resources become more difficult to access. If the population exceeds the carrying capacity, the population shrinks as selection works against the entities that are unable to extract enough resources to survive.
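The exponential model quoted above and the carrying capacity discussed in this paragraph can be made concrete in a few lines of Python. This is an added example, not code from the original post. It estimates the net rate b - d from a series of per-period unique-sample counts (the counts below are constructed for illustration, not real malware statistics), projects the population forward, computes how long a shrinking population takes to fall below a threshold, and runs a discrete logistic model in which growth slows as the population approaches a carrying capacity K. The growth rate, threshold and carrying capacity values are assumptions.

```python
import math
from typing import List, Optional

# Constructed per-period counts of unique samples (e.g. new samples per month).
# Illustrative only, not real malware statistics; each period grows by ~20%.
SAMPLE_COUNTS = [1000, 1200, 1440, 1728, 2074, 2488]


def projected_population(p0: float, b: float, d: float, t: float) -> float:
    """P(t) = P0 * exp((b - d) * t): the exponential growth model from the post.
    b and d are per-capita birth and death rates per unit time."""
    return p0 * math.exp((b - d) * t)


def time_to_fall_below(p0: float, b: float, d: float, threshold: float = 1.0) -> Optional[float]:
    """Time for a shrinking population (d > b) to fall below `threshold`.
    Returns None when the population is not shrinking, since it never gets there."""
    if b >= d:
        return None
    if p0 <= threshold:
        return 0.0
    # Solve P0 * exp((b - d) t) = threshold for t; both log and (b - d) are negative.
    return math.log(threshold / p0) / (b - d)


def estimate_net_rate(counts: List[float]) -> float:
    """Estimate b - d from observed counts by a least-squares fit of
    ln(P_t) = ln(P_0) + (b - d) * t over t = 0, 1, 2, ..."""
    n = len(counts)
    ts = list(range(n))
    ys = [math.log(c) for c in counts]
    t_mean = sum(ts) / n
    y_mean = sum(ys) / n
    num = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys))
    den = sum((t - t_mean) ** 2 for t in ts)
    return num / den


def logistic_step(p: float, r: float, k: float) -> float:
    """One period of discrete logistic growth with carrying capacity k.
    Growth slows as p approaches k and turns negative once p exceeds k."""
    return p + r * p * (1.0 - p / k)


def simulate_logistic(p0: float, r: float, k: float, periods: int) -> float:
    """Population after `periods` of logistic growth starting from p0."""
    p = p0
    for _ in range(periods):
        p = logistic_step(p, r, k)
    return p


if __name__ == "__main__":
    rate = estimate_net_rate(SAMPLE_COUNTS)
    trend = "growing" if rate > 0 else "shrinking"
    print(f"estimated b - d per period: {rate:.3f} (population is {trend})")
    print(f"projected count after 12 more periods: "
          f"{projected_population(SAMPLE_COUNTS[-1], rate, 0.0, 12):.0f}")
    print(f"periods to fall below 1 at b=0.05, d=0.10 from 1000: "
          f"{time_to_fall_below(1000, 0.05, 0.10):.1f}")
    print(f"logistic population after 200 periods (K=10000): "
          f"{simulate_logistic(100, 0.2, 10000, 200):.1f}")
```

The fitted rate is the quantity a defender actually has access to: you rarely know b and d separately, but a log-linear fit over sample counts gives their difference, and its sign tells you whether the pressures currently in place are winning. The time-to-threshold calculation shows the point made in the post: with b = 0.05 and d = 0.10 a population of 1000 takes about 138 periods to fall below one, so extinction follows from a modest but sustained excess of deaths over births rather than from a single wipe-out event. The logistic model shows a population that starts above K being pushed back down toward it.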

Ideally, security professionals would like to see the current situation change from a continually escalating arms race, or a cyclic strategy/counter-strategy race, to the extinction of attacker/malware strategies. It could be argued that extinction can be triggered by changing the selection pressures applied against these invasive strategies. A set of selection pressures could be implemented such that nothing can survive, or the selection pressures of the environment could change so quickly that the invasive strategy does not have time to evolve successful adaptations. Another approach could involve changing local environmental selection pressures independently of the global selection pressures, such that only specific strategies can thrive in specific "regions." This is similar to having an organization switch to a different operating system and/or browser, so that the commonly employed exploit strategies fail against the organization.

One of the main problems with a strategy that relies on drastically changing the environment is that the environment has to change quickly, more quickly than the invasive strategy can evolve adaptations. The current computing environment is not conducive to drastic changes implemented throughout the entire infrastructure. Virtualization is often proposed as a security solution, but implementing it globally would take years to decades. Most users are not going to upgrade to a virtualized operating system unless they acquire a new computer, and computers are typically not replaced or even upgraded annually. This represents a significant period of time in which attackers and malware authors can update their strategies and adapt to the new environment. As previously discussed, attackers and malware have the advantage when the environment changes because of their smaller size.

Another method for improving the situation within the information security Red Queen race would be to attempt to convert it into an ESS. In an ESS, an equilibrium is reached that is resistant to invasion by outside strategies. If this occurred, attackers and malware would reach a balance with security professionals in which new infections are cleaned at approximately the same rate as they occur.

Instead of focusing on the extinction of malware in the near term, another strategy would be to focus on the infectious nature of malware and reducing its virulence. In the interactions between diseases/parasites and their hosts, the virulence of the disease/parasite tends to be associated with how it is transmitted between hosts. A disease or parasite that is transmitted from parent to offspring is said to be vertically transmitted through a population. Vertically transmitted diseases and parasites tend to have a lower virulence, or exhibit avirulent behavior: if the disease or parasite reduces the host's fitness too much, it will not be able to propagate to the host's offspring, since no offspring will be produced. Horizontally transmitted diseases/parasites jump from host to host within a population through a variety of mechanisms: direct contact, the environment, or a vector (such as the mosquito in the case of malaria). As the transmission of such a disease/parasite does not depend on the survival of the host to reproduce, only on contact with other vulnerable hosts, it is capable of reaching a much higher virulence and significantly reducing the fitness of the host.

There are a number of different ways that an evolutionary arms race can play out: it can continue to escalate; it can escalate until the costs associated with the escalation cause the system to stabilize into an ESS; it can develop in cyclic phases, as in the interactions between diseases/parasites and hosts with their immune responses; or one of the interacting entities can go extinct as it is no longer able to adapt to the environment. Given the rate at which the malware population is increasing, it does not appear that the evolutionary arms race has stabilized into an ESS or that malware will go extinct in the near future, so either the escalatory nature of the race or the cyclic interplay between strategy and counter-strategy will continue for the foreseeable future. The strategies employed by attackers and malware authors rely on small, easily adaptable applications, which in terms of evolutionary biology means that they can more readily adapt to environmental selection pressures. Instead of trying to cause malware to go extinct, perhaps a way can be found to tie it to the host and force it to adopt more avirulent or beneficial behavior by being vertically rather than horizontally transmitted through a computer population.

Tuesday, July 7, 2009

Reducing the Time for Adaptation

Periodically, security professionals and security vendors put forward the idea that reducing the reaction time between an event and the deployment of a counter-strategy can potentially resolve the evolutionary arms races within information security. This idea is similar to an Observe, Orient, Decide and Act (OODA) loop.

In strategy, Boyd's OODA loop emphasizes the idea that reducing the time required for planning, and reacting faster than an opponent, provides an advantage and consequently increases the likelihood of the opponent making a mistake. By decreasing the time required to react appropriately to a situation, the initiative is maintained and the opponent is always responding to the situation. The more time an opponent spends reacting, the less time they have to observe and plan, increasing the likelihood that a mistake will be made. This concept was raised recently in the panel discussions at the CATCH 2009 conference. References to this particular type of strategy arise periodically from anti-malware vendors: if the time between the release of malware and the release of generally available anti-malware signatures can be reduced, it could help to solve or alleviate the malware threat.

Applying the OODA loop, or simply reducing the reaction time, could potentially go a long way towards alleviating the malware threat. But it should be considered that malware will always be able to evolve more quickly than an operating system, a web application, a database or even the anti-malware tool, as it has the initiative and is typically smaller and less complex. Looking at this strategy from an evolutionary biology perspective, it is similar to the Red Queen dynamic between diseases/parasites and their hosts, and to the evolutionary arms race between malware and the rest of the information security community (anti-virus, browsers, office automation applications, operating systems, application services, etc.). Viruses have genomes on the order of 10^4 base pairs, bacteria on the order of 2x10^6 base pairs, and humans on the order of 6.6x10^9 base pairs (Evolution 3rd Edition, Ridley). Modern operating systems have about 40 - 55 million lines of code (equating to 2.5 - 4 GB installed), while most malware is a few orders of magnitude smaller, approximately 119 - 134 KB in the case of Conficker.

As is the case with viruses and more complex organisms in the real world, smaller organisms are capable of evolving at a much faster rate than large, complex organisms. Consider RNA viruses, which have a mutation rate of about 1 mutation per genome per generation, while bacteria have about 10^-3 mutations per genome per generation and humans have about 200 mutations per genome per generation (Evolution 3rd Edition, Ridley and Evolutionary Biology 3rd Edition, Futuyma). Some pathogens mutate frequently enough that every replication event is likely to produce a changed pathogen. Although humans have a much higher mutation rate per generation than pathogens such as viruses and bacteria, the generation time of a human is much longer: on the order of 15 - 30 years, while pathogens typically have generation times on the order of seconds to minutes. Per unit time, pathogens (e.g. viruses and bacteria) can evolve much more rapidly, and yet large complex organisms survive because they have strategies that allow them to combat these adaptations. Despite the rate at which pathogens are capable of evolving, they do not always win. Influenza virus has the potential to be fatal, but in most cases it is not considered life threatening.

Large, complex organisms have multiple methods for surviving in an environment where diseases can rapidly evolve. Entities with smaller genomes have effectively less space in which to maintain the set of strategies they use to exploit their environment, while larger, more complex organisms have more space in which to record their survival strategies. Some bacteria use restriction enzymes to protect against viral infections. Eukaryotes employ even more defenses against infection, while vertebrates have evolved immune systems capable of responding adaptively to infection. One segment of the human genome, the Major Histocompatibility Complex (MHC), contains approximately 3.6 million base pairs, or about 140 genes, which control a portion of the human immune system. As of October 2004, the Immunogenetic Related Information Source (IRIS) database estimated that the percentage of the human genome that controls the immune system is approximately 7%, or 1562 genes. Although the percentage of the human genome related to the immune system seems small, it is important to consider that a significant portion of the human genome is inactive. It is estimated that 25% of the genome is attributable to viruses that have inserted their genetic code into our genome and are now inactive, while other sections contain pseudogenes, which are now-inactive versions of ancient genes. The percentage of the active human genome that relates to the immune system could be substantially higher than currently theorized. The cost of surviving in an evolutionary arms race can be high, as significant resources are required to defend an organism from infection by diseases and parasites.

Recently researchers such as Banerjee, in An Immune System Inspired Approach to Automated Program Verification, have looked at applying some of the methods the immune system uses to protect an organism from disease, by investigating Artificial Immune Systems (AIS) that can be implemented in information systems.

Implementing an immune system to handle rapidly evolving threats does not eradicate the threat. Immune systems act as a selection pressure that allows only those diseases capable of adapting to survive. Some adaptations include methods for remaining undetected by the immune system, while others include methods for exploiting the immune system and subverting it for the pathogen's own use. In essence, these systems represent another vector through which a disease can exploit a host. Human Immunodeficiency Virus (HIV) actively exploits the immune system, and will even trade its own reproductive fitness to remain active in the host when anti-HIV drugs are administered. Similarly, flaws in anti-malware products have allowed malware to exist and even spread in the form of computer worms. Malicious code routinely attempts to disable anti-virus before downloading and installing malicious components, and in order to remain undetected some malware will re-enable the anti-virus product afterwards to prevent the user from noticing anything conspicuous. Anti-virus software is complex enough that it has its own vulnerabilities which may be exploited by malware. In 2006, Symantec Anti-virus had a stack-based buffer overflow (CVE-2006-2630) that allowed remote code execution and was later exploited by the W32.Rinbot.L worm.

Simply reducing the response time will not eradicate the threat. It will provide an advantage, but it will not solve the problem. In order to respond to diseases which are able to quickly adapt to host evolutionary responses, large complex organisms have had to evolve complex responses that do not rely on a single strategy to ensure their survival. The cost of ensuring survival in an evolutionary arms race can be high, as numerous strategies need to be available to counteract the threat of disease and parasites.

Monday, May 4, 2009

Risk Management with an Evolutionary Perspective

Evolutionary biology can provide useful insights into the risk management process that is used in information security. The current risk management process, as described in NIST Special Publications 800-30, Risk Management Guide for Information Technology Systems, and 800-39 Rev 1 (Draft), Managing Risk from Information Systems, could be summarized simply as: 1) identify the risks present in the environment, 2) counter/mitigate the risks that have been identified, and 3) repeat. This cycle is ultimately reactive in nature, as flaws are only uncovered when vulnerabilities or new attacks are announced. SP 800-39 Rev 1 (Draft) is more focused on categorizing a system, applying a set of requirements based on the system's categorization, and customizing the security controls through tailoring. This methodology requires that the system's sensitivity rating has been appropriately determined and that the predefined security controls appropriately address the threat environment.

If the assumption is made that information security is indeed a system which is operating under the rules of the Red Queen hypothesis, and that the security controls that are implemented are acting as selection pressures on our adversaries, then the risk management process appears to be lacking, in that nothing in it takes into account how an adversary will respond to the environmental selection pressures (i.e. the implemented security controls).

When a risk is identified, there are a number of ways that it can be handled within the current risk management framework. A risk can be corrected, accepted, mitigated, or transferred/insured. Each of these methods for dealing with an identified risk can be treated as one of the three types of selection pressures: directional, disruptive or stabilizing.
  • Corrected risks can act as disruptive selection pressures. It is a disruptive selection pressure in the sense that the risk has been removed; an adversary must abandon the strategy that could be used to exploit the system. The adversary will be forced to evolve a new strategy if they are going to continue to exploit the system.
  • Accepted risks can act as a stabilizing selection pressure. It is a stabilizing selection pressure in that it encourages an adversary to continue to use the existing exploitation strategy and discourages the use of other strategies, in that they will cost resources to evolve and develop (which could be used elsewhere). Some would argue that an entity can also deny that a risk exists in the first place; if so, then by default they are accepting the risk and it should be treated as an accepted risk.
  • Mitigated risks can act as either a disruptive or directional selection pressure. If the mitigation causes an adversary to abandon their exploitation strategy it will be a disruptive selection pressure on the adversary. If the mitigation simply causes the adversary to modify their existing strategy it will act like a directional selection pressure.
  • Transferred/Insured risks can act as a stabilizing selection pressure. Like accepted risks, transferred/insured risks will not exert a selection pressure on an adversary's strategy which causes them to either modify or abandon their existing strategy. If the risk is transferred or insured, it should be noted that this does not transfer the risk of an incident occurring. Just as when car insurance is purchased, the insurance company does not actually assume the risk of getting into an accident; the driver still carries that, and the insurer carries the risk of having to pay out after an incident.
Each type of selection pressure exerts evolutionary costs in response. When multiple methods for dealing with a risk are identified, the evolutionary cost of the adversary to overcome the strategy should be considered in addition to the organization's cost for implementing (or not implementing as the case may be) a strategy. In general, disruptive selection pressures will exert the highest evolutionary cost on an adversary, while stabilizing selection pressures will tend to exert a minimal or non-existent evolutionary cost on an adversary.
  • Disruptive selection pressures are the most likely method to extract the highest evolutionary cost from an adversary in that they will force them to not only evolve/develop a new exploitation strategy, but also waste the effort of continuing to maintain a strategy that may not succeed.
  • Directional selection pressures will tend to exert minimal evolutionary costs on an adversary, as they must only modify an existing exploitation strategy to continue to be successful. The adversary does not need to abandon their existing strategy or develop a new strategy, just refine an existing one. There is an evolutionary cost associated with this but it will be less than if they had to abandon their current strategy and evolve a new one.
  • Stabilizing selection pressures will tend to cost an adversary the least, as they do not need to modify their current strategies and therefore experience no change to their evolutionary costs. There may be evolutionary costs associated with stabilizing selection pressures, as the maintenance of an adversary's strategies may have a cost associated with it. Stabilizing selection pressures are not likely to force an adversary to incur any additional evolutionary costs, as they have already adapted to the environment; even then, an adversary may be able to reduce their costs further by evolving a more efficient method for existing in the environment.
Using the principles of selection pressures and evolutionary costs from evolutionary biology, the risk management process can be updated to anticipate how an adversary will respond to the survival strategies of a system. When responses to a risk are proposed, they should be investigated to see how an adversary could respond. In the case of SSH brute forcing, the blocking rules act as a directional selection pressure which causes the attacker to modify but not abandon their strategy. The implementation of virtualization throughout an environment can act as either a disruptive or a stabilizing selection pressure on malware. Depending on the potential costs associated with an adversary's response, the solution that is likely to inflict the highest evolutionary cost should be chosen. If a solution is chosen which imposes little or no evolutionary cost on an adversary to overcome, it will not be long before an attacker has compromised the system.

Predicting the resultant strategies is not trivial, but understanding the selection pressures involved may make the situation more manageable. In the case of the SSH brute force and the adoption of Virtualization some strategies can be determined based on the attributes of the strategy implemented. Inspecting the strategies that are found within the natural environment could provide additional insight into how an adversary could respond. Any of the following could also be potential responses.
  • Some organisms have developed adaptations which advertise to others that they are something they are not, or they are poisonous. An adversary could mimic the behavior of the system employed. Malware such as Anti-Virus 2009 or Anti-Virus 360 appears to be anti-virus software which protects a user from attacks on the Internet when instead it is actually a Trojan.
  • Like parasites subverting the central nervous systems of hosts, an adversary could exploit the strategy that is used to help the system survive. Malware can attempt to exploit vulnerabilities in anti-virus software to attack a system, as anti-malware software usually operates as a privileged service making it a priority target since it has access to the entire system in addition to protecting the system.
  • Some animals have developed better camouflage to help mask their presence in the environment. A smaller and less noisy profile means that their presence is less likely to be detected. Malware is moving to HTTP command and control channels to help mask its presence in the traffic being sent across the network.
  • Another response is to completely abandon the current strategy, and develop a new strategy which catches an organism unprepared. As part of an experiment in evolutionary biology, a predatory lizard was introduced onto several islands which were inhabited by Anoles. Initially the average length of their legs increased, which allowed them to survive by running faster to evade their predators. Eventually the average leg length decreased as the Anoles were able to avoid their predators entirely by spending more time in the trees. Malware can react to countermeasures by simply avoiding the countermeasures entirely or attacking an information system at different layers. A worm can be written to exploit web applications instead of targeting flaws in the operating system.
  • Sometimes the best response is not to respond to the strategy employed. If the counter-strategy will only be infrequently encountered, it is often more cost effective to ignore it. In the natural environment, some predators interact with prey populations so infrequently that it is more effective for the population not to respond than to evolve a response. Malware authors should be aware that almost all analysis of their binaries will be conducted in a virtualized environment, yet not all malware encountered is able to detect when it is operating in a virtualized environment.
Each of these different responses carries an associated evolutionary cost. Some, like abandoning a strategy and evolving a new one, can be high, as the investment in evolving and developing the old strategy is discarded and a new strategy must be evolved and developed. Other responses, such as ignoring the threat and not modifying the current survival strategies, can carry no additional evolutionary cost.

The current risk management process has weaknesses when it is applied to an environment which is evolving. The basic process is reactionary in nature; it gives all of the initiative to the adversary and requires that the adversary first advertise their latest strategy before it can be countered. Instead of waiting for an adversary to attack an information system, the risk management methodology should include steps which attempt to determine how the current security strategies will force an adversary to adapt. Based on the types of selection pressures that are applied to counter an adversary's strategy, predictions can be made as to how an adversary will be forced to respond. When selecting among several different counter-strategies, preference should be given to those strategies which have the highest evolutionary cost to counter (e.g. those most likely to act as disruptive selection pressures).

Wednesday, April 8, 2009

Monoculture/Heterogeneous Computing and Resource Exploitation

Using the same baseline, configuration, or technologies throughout an industry can reduce costs through ease of maintenance and deployment. It can foster information sharing as all parties involved communicate using the same formats and standards. Within cryptography, using standards and certified products allows others to gain a level of assurance regarding the trustworthiness of an algorithm or product. Reliance on the same computing platform/practices is referred to as monoculture. Despite the benefits of operating within a monoculture, there are a significant number of risks associated with it.

Looking at monocultures in information security from an evolutionary biology perspective, there are significant risks. In terms of evolutionary biology, a monoculture represents a large population which is composed of the same characters and utilizes the same strategies for survival. This represents either a lack of genetic diversity or genetic variability within the population. Genetic diversity represents the number of characters that are present within a population, while genetic variability represents the individual tendency of individual characters to vary from one another. Variation of characters within a population is one of the four conditions that is required for natural selection to operate (Evolution, 3rd Edition by Ridley and Evolutionary Biology, 3rd Edition by Futuyma). Without any variability in a population, it follows that when selection operates on a population it will either select against the entire population or select for the entire population. There is no intermediate state without variability. This does not mean that every selection event will cause the population to go extinct, but the potential for an event exists.

An entire population that is dependent on the same survival strategy is vulnerable to exploitation. If an entity is capable of finding a way to exploit the strategy used, then it has found a method which is capable of exploiting the entire population. If the population of hosts can either be easily accessed by the attacker or the hosts are in frequent contact with one another, the attacker can leverage the exploit such that it spreads rapidly through the entire population before a countermeasure can be developed. As the entire population is employing the same strategies, it can take a significant period of time before the entire population is inoculated against the exploit.

Currently the 'Cavendish' banana population is at risk from the fungus Fusarium oxysporum (i.e. Panama Disease or Agent Green) due to the monoculture environment in which it is cultivated. Panama Disease already caused the collapse of the previous 'Gros Michel' crop in the 1960s. Originally the Cavendish banana population was resistant to Panama Disease, but in 1993 a new strain (referred to as Tropical Race 4) emerged and has since contributed to the collapse of the Cavendish population of bananas in Southeast Asia. This is not the only case of a monoculture impacting a food crop. Previous to the banana monoculture, there was a potato monoculture in Ireland. In the early 1800s, Ireland was dependent on the potato crop to feed its population. The potatoes were essentially clones of one another, and eventually the mold Phytophthora infestans exploited and destroyed a majority of the 1845 potato crop, and one and a half million people died from starvation.

Currently there exists a monoculture environment within computing associated with the Microsoft Windows operating system, the dominant operating system in the market. A majority of the attacks on the Internet have focused on this operating system, as there is an abundant population which can be exploited.

The alternative to a monoculture in information technology is a heterogeneous computing environment where different operating systems and applications are in use. The result is a diversified environment in which a single strategy is incapable of compromising the entire environment by exploiting the operating system or applications. Monocultures within information technology are not limited to the operating system. The heterogeneous computing environment associated with cell phones and mobile devices is seen as providing protection from malicious software, despite there being three times the number of mobile Internet-capable devices connected to the Internet as compared to computers.

The risks associated with a monoculture are present at all levels of computing where the same resources and standards are used. Monocultures can exist at other levels such as network architectures, office automation applications, email services/clients, web browsers, application/web servers, web application frameworks, and databases. In addition to the possible application level monocultures, hardware and standard/protocol level monocultures exist. Common protocol monocultures found in networking and the Internet include: IP, TCP, HTTP and DNS.

At BlackHat USA 2008, a DNS flaw which had been discovered earlier in the year was released to the general community. This flaw took advantage of the DNS standard and since most implementations followed all of the recommendations in the standard, they were vulnerable to exploitation from this flaw.

Although web applications can differ in their implementation, their reliance on the same back-end database technology (and a lack of input validation) allowed a large number of sites to be compromised by a SQL injection worm. The worm targeted websites which used Microsoft SQL Server as their database.

Monocultures pose a risk to information systems when they exist at any level. A system may have different web browsers deployed in its environment, but if the browsers are all running on the same operating system, exploits can target the operating system and bypass the heterogeneous browser level. As far back as 2004, there have been vulnerabilities announced which can successfully attack the underlying operating system even if different web browsers are interpreting the data.
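The layered point made above (diverse browsers on a shared operating system) can be turned into a check over an asset inventory. The following is an added example, not code from the original post: each host is modelled as a stack of layers, an exploit as a (layer, product) pair that compromises every host running that product at that layer regardless of the other layers, and the functions report how far one exploit reaches and which layer's dominant product bounds the resilience of the whole environment. The inventory, layer names and product names are constructed for the example.

```python
"""Layered monoculture exposure check (added example, not from the original post).

An exploit against product P at layer L compromises every host whose layer L is P,
whatever is deployed in the other layers. The most monocultured layer therefore
sets a floor on how much of the population a single exploit can reach.
"""
from collections import Counter
from fractions import Fraction

LAYERS = ("os", "browser", "database")

# Constructed inventory: browser and database layers are mixed, but every host
# runs the same operating system (the situation described in the post).
INVENTORY = [
    {"os": "windows", "browser": "ie",      "database": "mssql"},
    {"os": "windows", "browser": "firefox", "database": "mssql"},
    {"os": "windows", "browser": "opera",   "database": "postgres"},
    {"os": "windows", "browser": "firefox", "database": "mysql"},
    {"os": "windows", "browser": "firefox", "database": "mssql"},
    {"os": "windows", "browser": "safari",  "database": "postgres"},
]


def exposure(inventory, layer, product):
    """Fraction of hosts an exploit for `product` at `layer` would compromise."""
    hit = sum(1 for host in inventory if host.get(layer) == product)
    return Fraction(hit, len(inventory))


def dominant(inventory, layer):
    """(product, share) of the most widely deployed product at a layer, i.e. the
    worst-case reach of a single exploit aimed at that layer."""
    counts = Counter(host.get(layer) for host in inventory)
    product, n = counts.most_common(1)[0]
    return product, Fraction(n, len(inventory))


def weakest_layer(inventory, layers=LAYERS):
    """(layer, product, share) for the layer whose dominant product reaches the
    most hosts. Diversity in the other layers cannot push exposure below this."""
    rows = ((layer,) + dominant(inventory, layer) for layer in layers)
    return max(rows, key=lambda row: row[2])


def diversify(inventory, layer, products):
    """Copy of the inventory with `layer` reassigned round-robin across `products`,
    to see how much diversifying one layer changes the worst case."""
    return [dict(host, **{layer: products[i % len(products)]})
            for i, host in enumerate(inventory)]


if __name__ == "__main__":
    print("browser exploit (firefox) reaches", exposure(INVENTORY, "browser", "firefox"))
    print("os exploit (windows) reaches     ", exposure(INVENTORY, "os", "windows"))
    print("weakest layer:", weakest_layer(INVENTORY))
    mixed = diversify(INVENTORY, "os", ("windows", "linux", "openbsd"))
    print("after diversifying the OS layer:", weakest_layer(mixed))
```

On the constructed inventory a browser exploit reaches at most half the hosts, while an OS exploit reaches all of them, so the OS layer is the weakest; after the OS layer is spread across three products the worst case drops to one half and is now set by the browser layer. Run over a real inventory, the same check points at the layer where diversification (or compensating controls) would reduce the blast radius of a single exploit the most.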

Applying evolutionary biology to information security with respect to monocultures, it can be seen that relying on a monoculture environment can be dangerous. Monoculture environments have little of the genetic variability which allows a population to survive selection events, and they are vulnerable to invasion from diseases which can devastate the entire population. The implementation of a heterogeneous computing environment gives an information system more resistance and increases the likelihood of surviving an attack, as an attack is not capable of exploiting an architectural or implementation flaw present in the entire population.

Saturday, March 21, 2009

Disruptive/Stabilizing Selection Pressures and Virtualization

In evolutionary biology, disruptive selection pressures are commonly seen when there is a radical change in the environment in which an entity is attempting to survive. The more drastic the environmental change, the stronger the selection pressure that will be applied to the population. Sometimes the changes will be drastic enough that the population goes extinct, while in other cases the population will be able to evolve and adapt to the new environment. In information security, an emerging and potentially drastic change is the application of virtualization throughout the computing environment.

There have been a number of suggestions and even implemented systems which use Virtualization as a security measure. Some systems even treat it as the ultimate solution to malware propagation on the Internet. Aside from the increased overall complexity of the resulting system and requirements for management, using virtualization as a security measure will be a game changing event, but not one which solves the malware issue. Looking at the implementation of virtualization as a security mechanism from an evolutionary biology point of view, this virtualization strategy will act as both a disruptive and stabilizing selection pressure in the co-evolutionary system of information security.

Disruptive selection pressures cause an entity to abandon its current strategy and pursue a different strategy. These pressures select against those who employ a specific strategy. In the case of stabilizing selection, pressures act on an entity to reinforce its current strategy and select against employing other strategies. There are two ways in which malware can respond to the widespread adoption of virtualization. It can either abandon the items being virtualized or it can exploit virtualization to its advantage.
  • In the first case, malware abandons operating in the virtualized layers of the operating system and applications. Virtualization acts as a disruptive selection pressure in which malware evolves to exploit the layers above and below the virtualized layers.
  • In the second case, malware evolves to exploit the new virtualized environment. Virtualization has made new exploitable resources available and will act as a stabilizing selection pressure as malware begins to evolve strategies which exploit virtualization.
In the case of disruptive selection, malware's response will be to move out of the virtualized layers of the information system (e.g. the operating system and possibly the application environment) and into the layers either above or below the virtualization. The layers above the virtualization would be considered to operate within a browser environment. Virtualization can even be applied to specific applications such that if one is exploited, it will not affect the host operating system. Despite this, virtualization will not protect the system against attacks such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Phishing, Sidejacking, and SQL Injection. It will not protect against attacks which exploit the user through social engineering, and it still allows malicious scripts to exfiltrate private and/or sensitive information from the system.

Also, this disruptive selection pressure can cause malware to move down through the layers towards the BIOS, firmware, and hardware of an information system. Generally virtualization will be able to protect an information system as data is being processed or once it has already been processed. If an attack ignores these layers, it can exploit the system without being detected. Fundamentally, virtualization trusts the hardware on which it is operating, and this trust relationship can be exploited. There are a large number of places in which malware can hide on a system besides the application and operating system layers, such as in the BIOS, firmware (e.g. of a NIC) or even within the processor.

Evolutionary biologists have previously conducted experiments focused on the evolutionary adaptation of bacteria which demonstrated that, given a resource limited environment, bacteria can evolve by selection to fully exploit environmental changes. A population of E. coli was placed under controlled environmental conditions which allowed the organism to survive and maintain population levels. The bacteria essentially had a disruptive selection pressure applied to their main method of harvesting resources from the environment. The new environment contained resources which the E. coli could not otherwise use, but which a few changes to its metabolic process would allow it to utilize. The bacteria's progress was measured throughout the experiment, and eventually the right mutations occurred and the bacteria's population grew exponentially as it was able to harvest additional resources in the environment.

Virtualization can act as a stabilizing selection pressure on the evolution of malware. Instead of causing malware to move to other layers of the system, virtualization offers new resources which malware may be able to exploit. Presently there is a significant amount of malware that is capable of detecting virtualization, but this detection exists only to prevent it from executing, as most malware analysis workstations inspect malware inside a virtualized environment. Escapes from a virtualized environment have already been demonstrated, as have VM exploits. If virtualization becomes common throughout the environment, malware will be able to evolve its strategies such that it can survive in this environment.

The widespread adoption of virtualization as an information security counter-strategy will in some cases provide no selection pressure on an attacker's strategy. Virtualization will also not address a number of exploitation strategies which exploit the interconnections between systems. It will not be able to provide a defense against man-in-the-middle attacks or attacks which focus on the protocols which are used to connect information systems together.

Lastly, it will take time to make a virtualized solution common in the environment. In the short term, the virtualized clients will have an advantage in that they occupy a small portion of the entire population, but as time passes the likelihood that malware can exploit this new virtualized strategy will increase. As with the example of E. coli adapting to an environment which initially severely limited its fitness, eventually malware will evolve to exploit its new environment. Rolling out virtualization to the entire population of computers will not be done overnight; it will take a few years. Unlike the E. coli, which was suddenly exposed to an environment which hampered its fitness, malware will be exposed to virtualized environments more gradually. Despite the difference in the timing of exposure to the emerging selection pressure, malware, just like the E. coli, will be forced to change by its environment, allowing it to evolve the adaptations necessary for it to survive. It is not a question of whether it can evolve, but rather how long it will take to evolve.

Simply using virtualization as a defense does not mean that a system is instantly protected against all existing malware strategies. It will stop some exploitation strategies but it is not a complete defense and can even increase the risk to the environment as virtualization adds software which must be secured in addition to the increased complexity to the system in its operation and management.

There are a number of directions in which using virtualization as a common defense could force malware strategies to evolve. Malware could evolve under stabilizing selection pressures which would cause it to evolve strategies for escaping and exploiting the very software which is used to protect the system. Malware could also evolve under disruptive selection pressures and evolve strategies to target the hardware which has traditionally been assumed to be trusted. Attacks against firmware, BIOS, CPU, NICs, and even Trusted Platform Modules have been successfully demonstrated. Although virtualization is not the only selection pressure driving the creation of hardware attacks, it will increase the selection pressure and force these attack strategies to move in that direction. Already there have been discussions and demonstrations about implementing System Management Mode (SMM) rootkits by poisoning the system's cache. Beyond that, using virtualization as an information security measure will not protect a system from scripted attacks, social engineering or man-in-the-middle attacks.

Friday, March 13, 2009

Directional Selection Pressures in SSH Brute Forcing

A practical application of evolutionary biology in information security is found by looking specifically at the evolution of a common Internet attack. Selection pressures were previously examined here at a high level, but SSH brute force attacks provide a more practical example of directional selection pressures. Directional selection pressures act to move a character or strategy in a specific direction.

SSH brute force attacks are simply the result of taking a list of accounts with common passwords and trying all of the username/password combinations to see if any of them allow access into a system. Early attempts simply tried to supply all of the combinations as fast as possible to determine if a valid combination was present. Applications such as denyhosts, fail2ban, and sshguard exist to detect brute force attempts and ban those IP addresses from trying to access the server.

At a high level the counter strategy employed to prevent successful brute force attempts on a system implements a rule similar to the following: If a number of unsuccessful login attempts are detected within a short period of time; block all connection attempts from that address for an extended period. This rule acts as a directional selection pressure in that it forces attackers that are using the brute force strategy in a specific direction by controlling the login attempt frequency and number of source IP addresses.

Beginning in May 2008, through December 2008 and into January of this year, there were reports of newer slow/low-key brute force attempts from various BotNets. With these newer attacks, the attack strategy was modified such that attempts occur at a much slower rate and from various source addresses. Indeed, upon inspection of the rules that were implemented to counter the attack, as they were acting as directional selection pressures, a response in the attack strategies, evolving in reaction to the selection pressures, should have been expected.

The SSH brute force detection rules have two principal components which act on the attack as a directional selection pressure: the number of failed attempts per period and the source IP addresses. Only attacks which slowed their rate (in response to the failed-attempts-per-period directional selection pressure) and distributed their attacks (in response to the source IP address selection pressure) could be expected to have a reasonable chance of being able to get through their account/password dictionaries.

It is possible that an attacker could have modified their strategy in only one direction to continue their attacks. If the attacker simply distributed their attack and failed to throttle the login attempts, all of the hosts which were participating in the attack would have been banned fairly quickly. If the attacker just used a single host and throttled their attack, it would take a substantial amount of time to iterate through the account/password dictionary.

If the attack strategy is inspected further, it is found that the account list that is attempted is in alphabetical order and is synchronized across the BotNet. By making use of these additional characters, the strategy employed to block these attacks could continue to evolve.

A counter-strategy could be employed to include tracking the addresses that are brute forcing by seeing if they are supplying accounts alphabetically. This counter-strategy has the weakness that the attacker would only need to change the order in which the accounts are attempted to a random sequence. This would get around the alphabet test, but at the cost of additional resources to track the combinations of usernames and passwords which have been attempted. Without tracking the attempted combinations, the BotNet would eventually start using previously supplied combinations which are known to have failed, and these count as wasted attempts (and resources). Or the attacker could simply increase the number of bots participating in the attack such that each account/password combination is supplied by only one bot. This would require a large number of bots to participate in the attack, and would also have the cost of requiring additional coordination throughout the BotNet. By increasing the number of bots participating in the attack, it also exposes the attacker to additional risk, in that it would allow a researcher to learn the identity of more of the bots in their network.

By devising a counter strategy which targets the synchronization of the accounts across the BotNet, a new strategy could be used as a basis for augmenting the firewall rule set by keeping a list of accounts that were attempted recently. If another address attempts to use that account, it would automatically drop the connection and block further connection attempts from that address.
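The two rules discussed in this post, the per-address threshold that the existing tools implement and the recently-attempted-account counter-strategy proposed just above, can both be run over the same failed-login events. The following is an added example, not code from the original post or from denyhosts, fail2ban or sshguard: it parses OpenSSH-style "Failed password" lines, applies the per-source rule, and then applies the shared-account rule to the same events. The log lines, hostnames, addresses (RFC 5737 documentation ranges), account names and the threshold values are all constructed for the example.

```python
"""Two SSH brute force detection rules over constructed auth-log lines.

Added example, not from the original post. Rule 1 is the per-address threshold
the post attributes to denyhosts/fail2ban/sshguard; Rule 2 is the post's proposed
counter-strategy for slow, distributed, synchronized dictionaries: remember which
account each address tried, and block a *different* address that tries the same
account shortly afterwards.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH-style failed-login line. Hostname, PID, port and "ssh2" are matched
# but not used; "invalid user" is optional because sshd only emits it for
# accounts that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2009  # syslog timestamps carry no year; assumed for the sample

# Constructed sample: one legitimate typo (192.0.2.7), a synchronized botnet
# walking the same account list from several 198.51.100.x addresses roughly
# fifteen minutes apart, and one fast attacker (203.0.113.5).
SAMPLE_LOG = """\
Mar 13 09:30:01 bastion sshd[2201]: Failed password for alice from 192.0.2.7 port 51022 ssh2
Mar 13 10:00:03 bastion sshd[2290]: Failed password for invalid user admin from 198.51.100.10 port 40112 ssh2
Mar 13 10:12:44 bastion sshd[2311]: Failed password for invalid user admin from 198.51.100.11 port 40870 ssh2
Mar 13 10:25:10 bastion sshd[2344]: Failed password for invalid user backup from 198.51.100.12 port 41233 ssh2
Mar 13 10:40:31 bastion sshd[2380]: Failed password for invalid user backup from 198.51.100.13 port 41902 ssh2
Mar 13 11:02:00 bastion sshd[2402]: Failed password for root from 203.0.113.5 port 33001 ssh2
Mar 13 11:02:07 bastion sshd[2404]: Failed password for root from 203.0.113.5 port 33002 ssh2
Mar 13 11:02:15 bastion sshd[2406]: Failed password for root from 203.0.113.5 port 33003 ssh2
Mar 13 11:02:22 bastion sshd[2408]: Failed password for root from 203.0.113.5 port 33004 ssh2
Mar 13 11:02:30 bastion sshd[2410]: Failed password for root from 203.0.113.5 port 33005 ssh2
Mar 13 11:02:38 bastion sshd[2412]: Accepted publickey for alice from 192.0.2.7 port 51030 ssh2
"""


def parse_line(line):
    """(timestamp, account, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def parse_log(text):
    """All failed-login events in a log, in timestamp order."""
    return sorted(e for e in (parse_line(l) for l in text.splitlines()) if e)


def per_source_rule(events, max_failures=5, window_s=600):
    """Rule 1: ban an address once it produces max_failures failures within
    window_s seconds. Returns banned addresses in ban order."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    banned, seen = [], set()
    for ts, _user, ip in events:
        if ip in seen:
            continue  # a banned address cannot connect, so no further failures
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= max_failures:
            banned.append(ip)
            seen.add(ip)
    return banned


def shared_account_rule(events, window_s=3600):
    """Rule 2: remember the last address that tried each account; block a
    different address that tries the same account within window_s seconds.
    Each bot produces a single failure here, so Rule 1 never fires on them."""
    last_try = {}  # account -> (timestamp, ip)
    blocked, seen = [], set()
    for ts, user, ip in events:
        if ip in seen:
            continue
        prev = last_try.get(user)
        if prev and prev[1] != ip and (ts - prev[0]).total_seconds() <= window_s:
            blocked.append(ip)
            seen.add(ip)
        last_try[user] = (ts, ip)
    return blocked


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("rule 1 bans:  ", per_source_rule(events))
    print("rule 2 blocks:", shared_account_rule(events))
```

On the sample, Rule 1 bans only the fast attacker, while the four bots each produce a single failure and pass under its threshold; Rule 2 blocks the second address to try each shared account and never touches the legitimate user. The cost of Rule 2 is the one the post's risk framing predicts: a real user who mistypes a password from a laptop and then a phone looks like two addresses sharing an account, so the window should be short and known administrative addresses allowlisted, and the alphabetical ordering noted above could be used as a third signal before blocking.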

Another counter-strategy could be implemented which borrows from Conficker/Downadup's attack strategy. Conficker scans for infectable hosts on the same network, as they are typically all configured in a similar way (in the enterprise there are GPO policies which are frequently pushed out, and for the home user they are almost always left in the default configuration). Making use of this information, instead of blacklisting just the host which is attempting to brute force the system, the attacker's network could instead be blacklisted.

The server could simply nullify the attacker's brute force attempts by requiring a form of multifactor authentication.

To the researcher who conducted further analysis of the attack, it appeared that the slow/low-key SSH brute force attempts began to modify their strategy further to avoid the OpenBSD machines that were being monitored.

SSH brute forcing provides an easy way to compromise a host, as no exploit is needed and a host running SSH is designed to be remotely administered. Since the strategy employed to detect SSH brute force attempts acted as a directional selection pressure, the attacker was able to modify their strategy to avoid detection for an unknown period until the total number of failed login attempts rose to the level at which administrators and researchers noticed. Eventually the attacker further modified their strategy to avoid the OpenBSD machines that were being used altogether.

Friday, March 6, 2009

Evolutionary Costs and the Life/Dinner Principle

As illustrated previously, the time it takes to evolve strategies and/or the ability to exploit existing environments (or a population) is important. An additional factor that should be considered when examining exploits is the associated cost. Within evolution these costs are referred to as evolutionary costs.

There are costs associated with utilizing a strategy, evolving a new strategy, and neglecting the use of an existing strategy.
  • In utilizing a strategy, an entity must pay the costs of maintaining that strategy. It should be recognized that employing or retaining the capability of a strategy consumes resources that could have been spent elsewhere.
  • Evolving a new strategy also consumes resources, and those resources have to be taken from another source. They are going to come from resources that could have been spent to refine another strategy, develop a different strategy, or continue using an existing strategy (i.e. allowing a current strategy to atrophy).
  • Lastly, neglecting the use of an existing strategy can cost an organism its survival, because the organism may have misspent its resources. Not using an existing strategy could adversely affect an entity in that the resources consumed while developing a new strategy could have been used elsewhere to form a necessary new strategy (and are considered to have been wasted in this effort).
Evolution and development are two different concepts within evolutionary biology. In a simplistic form, evolving refers to the process of creating a strategy through natural selection. Development is the process of creating a strategy for an individual entity. To illustrate the difference more clearly: birds as a class have evolved wings, but each individual bird develops wings as an embryo in the egg.

When dealing with the costs of employing strategies for survival, it should be noted that the costs for all entities involved are not shared equally. This potential asymmetry is summed up in the life/dinner evolutionary principle (as popularized in both the Selfish Gene and the Extended Phenotype written by Richard Dawkins, but originated by M. Slatkin in Models of Coevolution). Slatkin uses the rabbit and fox from one of Aesop's fables to illustrate the basic idea of the asymmetrical costs in association with life/dinner principle.

Consider the case when a rabbit is being chased by the fox. The rabbit is running for its life, while the fox is only running for its dinner. The cost of failing is different for those involved. For the rabbit, if it fails it loses its life, while for the fox, if it fails it only loses its dinner. So the rabbit is going to be willing to spend more to ensure its survival in a given race, because if it is unsuccessful there will not be another generation of rabbits produced (at least from this rabbit's germ line). The fox can afford to lose this specific race, since if it fails it will have an opportunity to pursue another rabbit in the future.

It could be argued that if after several of these races the fox remains unable to catch a rabbit, then it could very well be facing its final race too. This is true, but if you compare the costs associated with a single race, the rabbit still faces the more severe cost of failure.

Within this co-evolutionary race, the rabbit and the fox can each pursue a number of different strategies to ensure their survival. The simplest way to continue the race is for the fox to attempt to run faster and for the rabbit to attempt to run faster as well. It is important to consider that this is not the only strategy that the rabbit can pursue; it could also develop better camouflage, better sensory systems to learn of the fox's presence before he comes too close, or even become more maneuverable so that if the fox does pursue him he can outmaneuver the fox and escape, or the rabbit can just produce so many rabbits that in general the likelihood of a single individual becoming dinner is small. In general, whichever method becomes more prominent in the rabbit population, the fox will have to escalate his attacks to deal with these new strategies.

Although co-evolution is occurring in the rabbit/fox competition, there are costs and trade-offs associated with each of these potential advancements. Obviously we do not see rabbits that can run arbitrarily fast (outside of cartoons and comics). In order to evolve a strategy, there are costs associated with its development. The development takes resources that could have been devoted to creating or even just maintaining something else. In the security field there are trade-offs which must be considered, and the penalties for not maintaining the proper balance of strategies can be just as severe for an information system as they are for a rabbit.

The penalty asymmetry is commonly seen in the development of an information system. When a system is designed, it has to address all of the threats that will be present in its environment, but an attacker only needs to find one successful strategy to compromise the system. An attacker also has additional advantages:
  • They do not expect to compromise every system they encounter. If they were unsuccessful in exploiting the initial target, they can move on to another system. It is built into their strategy that they will not compromise every system they encounter, only just enough to find dinner.
  • They have time to attempt multiple strategies against the system and continue using different combinations of strategies until they find one that works.
  • They do not have to play by the rules. Even more than that, they have no expectation that they are going to stay within the design requirements of the system.
In the general case in evolutionary biology, if an animal's strategy fails, it pays the costs of that failure directly, while within information security those who fail do not necessarily pay the costs for the failure. For example, spear phishing (i.e. targeted phishing) and whaling target an individual within an organization to gain access to its resources and information. When an individual opens an email that contains a targeted attack, although they are the cause of the failure, it is the organization which pays the cost of the failure. So another cost to consider in information security is who pays the cost of failure.

In addition to the response lags involved in developing or deploying new strategies and the time it takes to exploit other resources, there are costs for developing, maintaining and even using evolutionary strategies. These evolutionary costs are also not necessarily paid evenly by all involved in the red queen race.

Friday, February 27, 2009

Selection Pressure, Yesterday's Strategies, Resource Exploitation and Evolutionary Costs

When attempting to think of information security from an evolutionary perspective, there are a few concepts from evolutionary biology to consider. Selection pressures, adaptive time lags, and resource/population exploitation are important to how an entity's strategies evolve.

Evolutionary pressures, selection agents, and selection pressures usually refer to the same thing within evolutionary biology: a thing or a force which causes an organism to respond and/or adapt. Selection pressures originate from the natural environment of the organisms and include things like resource availability, changing/adverse environmental conditions, interspecies predation and intra-species competition. The more pronounced the selection pressure, the quicker an entity must respond in order to survive. Those entities that are not able to adapt (i.e. acquire the characteristics required to survive) are eventually eliminated. Stronger selection pressures will eliminate maladapted entities more quickly than those which are already surviving or are able to acquire the necessary characteristics to survive.

Selection pressures can select for a characteristic to evolve in a directional, stabilizing or disruptive way. Directional selection pressures force a characteristic in a "direction." For example, directional selection pressures select for a larger or smaller characteristic. Stabilizing selection pressures force a characteristic to remain the same, and select against larger and smaller characteristics. Disruptive selection pressures select against a specific value of a characteristic in the population. A disruptive selection pressure could select for the larger or smaller characteristic and select against the average value of the characteristic, which causes the selected characteristic to diverge.

In information security, the security controls that are implemented can be considered to be the survival strategies of an information system and even selection pressures acting upon an adversary. If an adversary does not have the ability to compromise any one of the implemented security controls, they will not be able to access the resources which the system is protecting. So in order to survive, an adversary must develop counter-strategies which are capable of exploiting the strategies that were implemented.

Organizations should understand that their strategies will succeed and fail based on the counter-strategies employed against them. While the root cause of a compromise is being analyzed, one should also investigate what selection pressures should be applied to move the organization in the direction of secure business processes. If an organization consistently receives poor quality applications from their vendors, they should determine what selection pressures could be applied early in the process to effect the desired changes. Should the organization hold the developer responsible for a compromise of the application? The organization is contracted to provide an application that supports the business processes. A compromised application/system does not support the business goals of the organization.

Some selection pressures are strong enough that they exert enough evolutionary pressure on a population that all of the resulting entities within the population are identical in their response to the selection pressure. Because of the strength of the selection pressure operating on the population, all of the variance of a characteristic has to be eliminated in order for members of the population to survive. Stronger selection pressures will remove the variance from the population faster than weaker selection pressures. Stated another way, some strategies exert enough of a filtering pressure that all entities must develop a specific counter-strategy in order to survive.

Most malware and BotNets have a characteristic which is hard to escape: their reliance on a method to make initial contact with their controllers and join the BotNet. Initially these control channels were handled over IRC (this method has not been abandoned and is still in use), and since then they have migrated to Peer-to-Peer communications. More recently the bots are attempting to contact their controllers via HTTP requests, as Peer-to-Peer communications are filtered by boundary protection devices. Now these HTTP requests carry a name that must be looked up in DNS (e.g. part of a fast-flux DNS network). This method is becoming more common as organizational selection pressures push the bots in this direction. The reliance on making initial contact with the BotNet is essentially a bottleneck which can be exploited. If the DNS lookup is always a consistent or predictable string, then it can be blocked, for example by filtering the appropriate Internet addresses even if they are part of a fast-flux network.

In evolutionary biology, it takes time for organisms to adapt to their environment. There is a time lag between when a counter-strategy is employed against a population and when an entity has evolved a strategy to deal with the counter-strategy. The current generation was selected for under the conditions that existed previously, so it is better adapted to the previous environment than to the one in which it now exists; the current environment and the previous environment may differ.

This lag commonly expresses itself in information security when systems are designed. If they are designed properly, they are designed to counter all of the exploitation strategies that are known at the time. Depending upon how long it takes to go from design to implementation and to delivery, the threat environment may have drastically changed. The delivered system may not be able to address all of the current threats in the environment and may need to be modified. Additionally, a few years following the deployment of a system, if it is not updated, there may be emerging threats that the existing design is incapable of addressing.

This time lag also appears in the conflict between malware and anti-malware tools, or between attacks and intrusion detection/prevention systems, which rely on signatures to detect, identify and remove malware or attacks. A signature must be created to detect the malware and pushed out to all of the clients before they can respond to a malware infection. In order to create a signature, a new malware variant must first have been identified. Occasionally a rule will be created that is general enough that it may detect/prevent attacks that have not yet been implemented, due to similarities in the way an attack's strategy attempts to exploit a target.

In evolutionary biology there is competition for resources, and the easiest or the most abundant resources are typically exploited first. Sometimes the most abundant resources are not exploited right away, as a population must evolve the ability to consume those resources. The abundance of a resource does not mean that it must be abundant everywhere, only that it is encountered frequently enough in the environment, and there is sufficient competition for other resources, that evolution will move an entity in that direction. Developing the ability to exploit a resource takes time and resources.

In information security this is similar to having a sufficient base of similar operating systems, browsers, databases, or frameworks to make the effort of developing an attack strategy worthwhile. This does not mean that just because a resource is not very common in the environment, it will not be exploited. Some operating systems will claim that they are more secure than the dominant competition, but as the number of systems increases so do the attacks against that platform. Although Microsoft Windows composes an overwhelming majority of the market, Apple has been gaining market share and the gains have been large enough that malware authors have begun to target the platform more frequently. Within the last year there has been an increase in the number of Trojans that target the Apple platform.

Although resource availability is important in determining if a platform will be exploited, another factor is apparent in the case of information security: the value of the resource being exploited. In the case of financial or government systems, which may be hosted on less common platforms, there is additional incentive in targeting and exploiting these resources due to the perceived value of the system. There is some value in being able to compromise a home user's system (less so if it has a slower connection to the Internet) and there is more value in being able to compromise a web application server, but in reality some of the highest value resources are the databases which contain important information.

In short, selection pressures cause the survival strategies of entities to evolve. If they are unable to evolve, they will not survive. Responding to selection pressures, either directly (i.e. developing counter-strategies) or indirectly (i.e. exploiting an unused resource), does not occur instantaneously; there is almost always a delay between when the selection pressure first begins to work and a population's adaptive responses.

Saturday, February 14, 2009

Red Queen Races

The Red Queen race has been used as a model for understanding some of the various evolutionary arms races in evolution, such as parasite/host relationships and the response of pathogens to resistance (see Ridley's Red Queen or Ridley's Evolution 3rd Edition). In information security, as part of the malware red queen race, malware has co-evolved with malware detection and analysis to not only maintain its fitness but become the dominant threat to systems.

Within information security there are a number of red queen races in effect:
  • Attack strategies against applications/networks and the associated defensive strategies.
  • Malware attack strategies and the resulting malware detection strategies.
  • Malware defensive strategies to prevent its analysis.
It could also be argued that cryptography is a red queen race between keeping things secret and attempting to reveal them. Cryptographic algorithms are constantly being developed to counter flaws discovered in existing algorithms and advances in technology which allow existing flaws to be exploited faster.

The strategies of attackers have changed dramatically since the early period of networking, when attackers used manual methods (or custom scripts) that required a high degree of skill and/or knowledge to attack a single target. Now, as tools have developed, attacks can be conducted by individuals with a low skill level and/or little knowledge about how the underlying attack works, by using automated tools against any system that is accessible on the network (an overview of the development can be found in Computer Security by Bishop). In response to the development of attack tools, intrusion detection systems and log analysis tools were developed. In order to evade detection, attackers found ways to obfuscate their attacks to ensure that the attacks were reaching the end systems without alerting those monitoring networks (see libwhisker's IDS evasion techniques). More modern IDSs have responded by performing packet reassembly at the IDS to conduct packet inspection, but this consumes resources which could be allocated elsewhere. Tools such as the Metasploit Framework are making their attacks more difficult to detect by including various payload encoding techniques. Some tools are beginning to include encryption as their encoding methods are proving to be insufficient.

An overview of the history of malware can be found on's History of Malicious Programs. Malware finds its evolutionary beginnings in basic viruses which simply replicated to other hosts and deleted files or attempted to consume system resources. Early programs to detect malware were focused simply on signature matching techniques, and now malware detection has a variety of different techniques to detect malware.
  • Signature detection, in which streams of bytes are analyzed for virus signatures.
  • Program emulation, in which the functions of programs are emulated and executed. A program is determined to be malicious based on the events that occur.
  • Virtualized execution, in which the byte streams are executed in a sandbox. The execution and results are watched to see what effect on the system it could potentially have.
  • System monitoring, in which all programs are executed normally and the system's reaction is monitored for signs of malicious behavior.
  • Anomaly detection, in which a system's baseline behavior is determined and, as the system operates, deviations are monitored to determine if a malicious program is operating.
Modern malware has evolved a variety of different techniques to evade detection and prevent analysis. The following items represent some of the strategies that are employed by malware to evade detection and remain in operation even after detection.
  • Metamorphic and polymorphic viruses - counter-strategy to signature based detection.
  • Multiple layers of encoding - counter-strategy to prevent detection and analysis. Some malware makes the decoding dynamic so that it can only jump to the correct instructions in a non-virtualized environment.
  • Memory only operations - counter-strategy to performing offline analysis of malware. If it only exists in memory then taking the system offline will destroy the malware.
  • Modification of Service ACLs - uses the system's access controls against it to prevent removal by removing all access to the service's registry keys (except for the SYSTEM account).
  • DLL injection - counter-strategy against detection and removal. By being resident in another process it is more difficult to detect and harder to remove the malware. This strategy has even been adopted by anti-malware vendors to ensure that malware cannot disable their detection engines.
  • In Memory Patching - counter-strategy against other infections. If the vulnerability that was exploited to gain access to the system is still open, other malware can infect the system and compete for system resources. Some malware installs permanent patches, but these can easily be detected as they modify the system's baseline, and if the system is rebooted, malware that was only memory resident cannot reinfect it through a vulnerability that has been permanently patched.
  • Virtualization detection - counter-strategy to analysis in virtualized environments. The Storm BotNet had VMware and VirtualPC detection methods, and if it detected that it was operating in a virtual environment it rebooted the system to clean the system and prevent further analysis. Conficker/Downadup used SLDT/LDT results to determine if it is operating in a virtualized environment.
  • Disable running anti-malware services during install - a simple counter-strategy against malware prevention and removal is to simply disable the malware detection services. In addition to simply disabling these services, some malware will make it difficult to access the websites of anti-malware vendors.
  • Remove system restore points - counter-strategy to prevent system users from just rolling their system state back to a previous clean point.
  • Use of anti-malware products as pre-screening - some malware, when it is designed, is tested against existing anti-malware products to ensure that there is a poor detection rate. There is no advantage in using a product that is already commonly detected.
The methods of locating remote hosts have also evolved. They began with small routines to simply scan remote addresses randomly and as fast as possible in order to spread as fast as possible. Some of these algorithms were flawed and prevented a maximal infection. Now there are prescan activities, in which a scan of available targets that are vulnerable to an attack is performed prior to releasing malware. Malware will often scan for hosts on adjacent network spaces before seeking out other networks randomly (hosts on the same network will often be configured and managed the same way, so they will likely have the same exploitable vulnerabilities).

Not only are the specific survival strategies of malware evolving in response to threats, but the general concept of malware has changed. Malware has changed from seeing remote systems merely as targets to viewing them as valuable resources. Since systems are seen as resources, it is no longer advantageous to spread as fast as possible and take down as many systems as possible; these resources need to stay active in order to be of any use. Lastly, malware is also moving in the direction of targeting specific individuals and/or organizations. The more customized the malware is to a specific organization or individual, the more likely it is to succeed in infecting a target host. The general software quality of malware has changed; it is no longer just written and released. It has acquired the properties of being professionally written to be more flexible and modular, and includes error handling and proper resource deallocation/cleanup.

Saturday, January 3, 2009

Enter the Red Queen

The Matrix is well known throughout the information security profession and has become ingrained within the hacker culture. The iconic scene when Neo makes the ultimate choice is a pivotal point in the mythos. But when one examines the situation, a different path appears, and perhaps the one Neo should have taken. Morpheus offers Neo the choice: "You take the blue pill; the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill; you stay in Wonderland and I show you how deep the rabbit-hole goes." Neo wants to learn the truth, so he accepts the red pill and is brought into an adjacent room to be born into the real world. There, sitting beside Neo, is a Looking Glass. While Morpheus' crew is attempting to locate Neo, the Looking Glass changes and responds to Neo's touch. Maybe he should have accepted neither pill, and gone through the Looking Glass instead. There, instead of finding the Architect in white, who created and oversees the Matrix, Neo would have found the Red Queen, who determines the strategies that the entities within the Matrix use to respond to their reality.

Charles Darwin's 1st Edition of On the Origin of Species will be 150 on the 24th of November 2009. Given the complexity of Information Security and the rate at which the security landscape changes it might be appropriate to see if the concepts of Evolutionary Biology can be applied to Security.

In evolutionary biology there is a concept referred to as the Red Queen hypothesis. Van Valen defined the Red Queen hypothesis as follows: "For an evolutionary system, continuing development is needed in order to maintain its fitness relative to the systems it is co-evolving with." The name of the hypothesis is based upon Lewis Carroll's Through the Looking Glass, in which the Red Queen tells Alice, "It takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!"

Security appears to fit well within the conditions of the Red Queen hypothesis. It is an evolving system composed of co-evolving entities. For example, an enterprise creates an information system in an effort to assist in accomplishing a business goal. In order for the information system to be successful, it must contain a set of strategies that will allow it to accomplish the business goal in a way that does not compromise the goal in the process. These strategies are implemented in order to deal with existing threats (crackers, insiders, malware, etc.), and in order for these threats to continue to survive, they must either modify their existing strategies or evolve entirely new strategies. The system must then deal with these new strategies and respond. On the other hand, it could choose to ignore these evolved strategies, but then the business goals would become compromised. So each side must continue to evolve in order to survive, and so the race continues.

When attempting to draw parallels between evolutionary biology and information security, it is helpful to think of things with a slightly different terminology. Instead of thinking about attackers using exploits and defenders using signatures, these can be thought of as entities employing various strategies in competing for resources. In the case of evolutionary biology, this would be organisms using whatever characteristics or tools they have to exploit resources in the environment that allow for their survival, while in information security it would be the various programs competing for processor cycles and system resources. Although there is a selection process for determining what survives in information security, it is not natural selection. Natural selection requires four conditions to operate (based upon those found within Evolution, 3rd Edition by Mark Ridley):
  1. Reproduction - Entities must reproduce to form a new generation.
  2. Heredity - Entities produced via reproduction must tend to possess the characteristics (e.g. traits) from the previous generation.
  3. Individual Variation - The population of entities is not identical.
  4. Characteristic Fitness - Individual characteristics have varying degrees of fitness which allows them to propagate their traits to subsequent generations.
The selection process which operates on the entities within information security does not follow any of these conditions. Some programs reproduce by installation or infection, but they do not have any individual variation which natural selection can use to determine what survives to the next generation. Stated another way, there is no flow of selected characteristics between subsequent generations of programs via reproduction. Program heredity is passed on by design, and not by reproduction. In general, programs are identical when installed, although some polymorphic and metamorphic malware exists.

The idea of applying evolutionary biology to information security was the result of recently completing the Selfish Gene (Dawkins), the Red Queen (Ridley), and the Extended Phenotype (Dawkins).