Saturday, March 21, 2009

Disruptive/Stabilizing Selection Pressures and Virtualization

In evolutionary biology, disruptive selection pressures commonly arise when there is a radical change in the environment in which an entity is attempting to survive. The more drastic the environmental change, the stronger the selection pressure applied to the population. Sometimes the change is drastic enough that the population goes extinct; in other cases the population is able to evolve and adapt to the new environment. In information security, an emerging and potentially drastic change is the application of virtualization throughout the computing environment.

There have been a number of suggestions, and even implemented systems, which use virtualization as a security measure. Some even treat it as the ultimate solution to malware propagation on the Internet. Setting aside the increased overall complexity of the resulting system and its management requirements, using virtualization as a security measure will be a game-changing event, but not one that solves the malware problem. Viewed from an evolutionary biology point of view, virtualization deployed as a security mechanism will act as both a disruptive and a stabilizing selection pressure in the co-evolutionary system of information security.

Disruptive selection pressures cause an entity to abandon its current strategy and pursue a different one; they select against those who employ a specific strategy. Stabilizing selection pressures, by contrast, act on an entity to reinforce its current strategy and select against employing other strategies. There are two ways in which malware can respond to the widespread adoption of virtualization: it can either abandon the layers being virtualized or it can exploit virtualization to its advantage.
  • In the first case, malware abandons operating in the virtualized layers of the operating system and applications. Virtualization acts as a disruptive selection pressure under which malware evolves to exploit the layers above and below the virtualized layers.
  • In the second case, malware evolves to exploit the new virtualized environment. Virtualization has made new exploitable resources available and will act as a stabilizing selection pressure as malware begins to evolve strategies which exploit virtualization.
In the case of disruptive selection, malware's response will be to move out of the virtualized layers of the information system (e.g. the operating system and possibly the application environment) and into the layers either above or below the virtualization. The layers above the virtualization largely operate within the browser environment. Virtualization can even be applied to specific applications so that if one is exploited, the host operating system is not affected. Despite this, virtualization will not protect the system against attacks such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), phishing, sidejacking, and SQL injection. It will not protect against attacks which exploit the user through social engineering, and it still allows malicious scripts to exfiltrate private and/or sensitive information from the system.

This disruptive selection pressure can also push malware down through the layers towards the BIOS, firmware, and hardware of an information system. Generally, virtualization can protect an information system as data is being processed or once it has already been processed; if an attack ignores these layers, it can exploit the system without being detected. Fundamentally, virtualization trusts the hardware on which it is operating, and this trust relationship can be exploited. There are a large number of places besides the application and operating system layers in which malware can hide, such as the BIOS, firmware (e.g. of a NIC), or even within the processor.

Evolutionary biologists have previously conducted experiments on the evolutionary adaptation of bacteria which demonstrated that, given a resource-limited environment, bacteria can evolve by selection to fully exploit environmental changes. A population of E. coli was placed under controlled environmental conditions which allowed the organism to survive and maintain its population level. The bacteria essentially had a disruptive selection pressure applied to their main method of harvesting resources from the environment. The new environment contained resources which the E. coli could not otherwise use, but which a few changes to its metabolic processes would allow it to utilize. The bacteria's progress was measured throughout the experiment, and eventually the right mutations occurred and the population grew exponentially as it became able to harvest the additional resources in the environment.

Virtualization can also act as a stabilizing selection pressure on the evolution of malware. Instead of causing malware to move to other layers of the system, virtualization offers new resources which malware may be able to exploit. Presently, a significant amount of malware is capable of detecting virtualization, but this detection exists only to prevent the malware from executing, since most malware analysis workstations inspect samples inside a virtualized environment. Escapes from virtualized environments have already been demonstrated, as have exploits against the virtual machine software itself. If virtualization becomes common throughout the environment, malware will be able to evolve strategies that let it survive there.
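
The detection mentioned above typically relies on environmental artifacts that a virtual machine exposes to its guest. A minimal sketch of that kind of check, assuming a Linux guest; the DMI path, vendor strings, and MAC prefixes below are illustrative rather than exhaustive:

```python
import uuid
from pathlib import Path

# OUI prefixes commonly assigned to virtual NICs (VMware, VirtualBox) and
# vendor strings commonly exposed in the guest's DMI data. Illustrative only.
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "08:00:27")
VM_DMI_STRINGS = ("vmware", "virtualbox", "kvm", "qemu", "xen")

def looks_virtualized() -> bool:
    """Heuristic of the kind malware uses to refuse to run inside a VM."""
    # Check the product name exposed by the (virtual) firmware on Linux.
    dmi = Path("/sys/class/dmi/id/product_name")
    if dmi.exists() and any(s in dmi.read_text().lower() for s in VM_DMI_STRINGS):
        return True
    # Check whether the primary NIC's MAC falls in a known virtual-NIC range.
    mac = "{:012x}".format(uuid.getnode())
    mac = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    return mac.startswith(VM_MAC_PREFIXES)

if __name__ == "__main__":
    print("VM suspected" if looks_virtualized() else "no obvious VM artifacts")
```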

The widespread adoption of virtualization as an information security counter-strategy will, in some cases, provide no selection pressure on an attacker's strategy at all. Virtualization does not address exploitation strategies which target the interconnections between systems; it cannot defend against man-in-the-middle attacks or attacks on the protocols used to connect information systems together.

Lastly, it will take time for virtualized solutions to become common in the environment. In the short term, virtualized clients will have an advantage because they occupy only a small portion of the entire population, but as time passes the likelihood that malware can exploit this new virtualized strategy will increase. As with the example of E. coli adapting to an environment which initially severely limited its fitness, malware will eventually evolve to exploit its new environment. Rolling out virtualization to the entire population of computers will not happen overnight; it will take a few years. Unlike the E. coli, which was suddenly exposed to an environment that hampered its fitness, malware will be exposed to virtualized environments more gradually. Despite the difference in how quickly the selection pressure emerges, malware, just like the E. coli, will be forced to change by its environment and will evolve the adaptations necessary to survive. It is not a question of whether it can evolve, but rather how long it will take.

Simply using virtualization as a defense does not mean that a system is instantly protected against all existing malware strategies. It will stop some exploitation strategies, but it is not a complete defense, and it can even increase the risk to the environment: virtualization adds software which must itself be secured, along with additional complexity in the system's operation and management.

There are a number of directions in which using virtualization as a common defense could force malware strategies to evolve. Malware could evolve under stabilizing selection pressures, developing strategies for escaping and exploiting the very software which is used to protect the system. Malware could also evolve under disruptive selection pressures, developing strategies that target the hardware which has traditionally been assumed to be trusted. Attacks against firmware, BIOS, CPUs, NICs, and even Trusted Platform Modules have been successfully demonstrated. Although virtualization is not the only selection pressure driving the creation of hardware attacks, it will increase that pressure and push attack strategies in that direction. Already there have been discussions and demonstrations of implementing System Management Mode (SMM) rootkits by poisoning the system's cache. Beyond that, using virtualization as an information security measure will not protect a system from scripted attacks, social engineering, or man-in-the-middle attacks.

Friday, March 13, 2009

Directional Selection Pressures in SSH Brute Forcing

A practical application of evolutionary biology in information security can be found by looking at the evolution of a common Internet attack. Selection pressures were previously examined here at a high level, but SSH brute force attacks provide a more concrete example of directional selection pressures. Directional selection pressures act to move a character or strategy in a specific direction.

SSH brute force attacks simply take a list of accounts with common passwords and try all of the username/password combinations to see if any of them allow access into a system. Early attempts supplied all of the combinations as fast as possible to determine whether a valid combination was present. Applications such as denyhosts, fail2ban, and sshguard exist to detect brute force attempts and ban the offending IP addresses from accessing the server.

At a high level, the counter-strategy employed to prevent successful brute force attempts on a system implements a rule similar to the following: if a number of unsuccessful login attempts are detected from an address within a short period of time, block all connection attempts from that address for an extended period. This rule acts as a directional selection pressure in that it pushes attackers using the brute force strategy in a specific direction by constraining the login attempt frequency and the number of source IP addresses.
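
As a rough illustration, that rule can be captured in a few lines. The thresholds below (five failures within sixty seconds earns a one-hour ban) are assumed values for the sketch, not the defaults of any particular tool:

```python
import time
from collections import defaultdict

MAX_FAILURES, WINDOW, BAN_TIME = 5, 60, 3600  # illustrative thresholds

failures = defaultdict(list)   # source IP -> timestamps of recent failed logins
banned = {}                    # source IP -> time at which the ban expires

def is_banned(ip: str, now: float | None = None) -> bool:
    now = now or time.time()
    return banned.get(ip, 0) > now

def record_failure(ip: str, now: float | None = None) -> None:
    """Too many failures inside the window bans the address for BAN_TIME."""
    now = now or time.time()
    recent = [t for t in failures[ip] if now - t < WINDOW] + [now]
    failures[ip] = recent
    if len(recent) >= MAX_FAILURES:
        banned[ip] = now + BAN_TIME
```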

Beginning in May 2008, continuing through December 2008 and into January of this year, there were reports of newer slow/low-key brute force attempts from various botnets. In these newer attacks, the strategy was modified so that attempts occurred at a much slower rate and from many different source addresses. Indeed, on inspecting the rules implemented to counter the attack, since they were acting as directional selection pressures, a response in the attack strategies should have been expected as they evolved in reaction to those pressures.

The SSH brute force detection rules have two principal components which act on the attack as a directional selection pressure: the number of failed attempts per period and the number of source IP addresses. Only attacks which slowed their rate (in response to the failed-attempts-per-period pressure) and distributed their attempts (in response to the source IP address pressure) could expect a reasonable chance of getting through their account/password dictionaries.

It is possible that an attacker could have modified their strategy in only one direction to continue their attacks. If the attacker simply distributed their attack and failed to throttle the login attempts, all of the hosts which were participating in the attack would have been banned fairly quickly. If the attacker just used a single host and throttled their attack, it would take a substantial amount of time to iterate through the account/password dictionary.
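
To make that trade-off concrete, a rough back-of-the-envelope calculation; the dictionary size, throttle rate, and botnet size below are assumed figures chosen purely for illustration:

```python
# Assumed figures: a 50,000-entry username/password dictionary and a throttle
# of 4 attempts per hour per source address (staying just under a ban rule).
dictionary_size = 50_000
attempts_per_hour = 4

hours = dictionary_size / attempts_per_hour
print(f"single throttled host: {hours:.0f} hours (~{hours / 24 / 365:.1f} years)")

# Distributing the same dictionary across a botnet divides the time accordingly.
bots = 1_000
print(f"{bots} throttled hosts: {hours / bots:.1f} hours")
```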

Inspecting the attack strategy further reveals that the account list being attempted is in alphabetical order and is synchronized across the botnet. By making use of these additional characters of the attack, the strategy employed to block these attacks could continue to evolve.

A counter-strategy could be employed which tracks the addresses performing the brute forcing by checking whether they are supplying accounts alphabetically. This counter-strategy has the weakness that the attacker would only need to change the order in which accounts are attempted to a random sequence. That would defeat the alphabetical test, but at the cost of additional resources to track which username/password combinations have already been attempted. Without tracking the attempted combinations, the botnet would eventually start reusing previously supplied combinations which are already known to have failed, wasting attempts (and resources). Alternatively, the attacker could increase the number of bots participating in the attack so that each bot supplies only one account/password combination. This would require a large number of bots, and it carries the cost of additional coordination throughout the botnet. Increasing the number of participating bots also exposes the attacker to additional risk, since it would allow a researcher to learn the identity of more of the bots in the network.

A counter-strategy could instead target the synchronization of the account list across the botnet, augmenting the firewall rule set with a list of accounts that were attempted recently. If another address attempts to use one of those accounts, the connection is automatically dropped and further connection attempts from that address are blocked.
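
A minimal sketch of that augmentation, assuming single-server state kept in memory; the retention window and data structures are illustrative:

```python
import time

RETENTION = 24 * 3600   # how long an attempted username stays "hot" (assumed value)

recent_accounts = {}    # username -> (first source IP seen, timestamp)
blocked = set()

def failed_login(username: str, ip: str, now: float | None = None) -> bool:
    """Block addresses that reuse a username recently tried by a different
    address, a sign that a synchronized dictionary is being walked by a botnet."""
    now = now or time.time()
    seen = recent_accounts.get(username)
    if seen and seen[0] != ip and now - seen[1] < RETENTION:
        blocked.add(ip)
        return True     # caller should drop the connection and firewall the address
    recent_accounts[username] = (ip, now)
    return False
```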

Another counter-strategy borrows from Conficker/Downadup's own attack strategy. Conficker scans for infectable hosts on the same network, since they are typically all configured in a similar way (in the enterprise, GPO policies are pushed out to all machines, and home users' machines are almost always left in the default configuration). Making use of this observation, instead of blacklisting just the host attempting to brute force the system, the attacker's entire surrounding network could be blacklisted.
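
A sketch of that network-level variant using Python's ipaddress module; the /24 prefix length is an assumption and would need tuning to the environment:

```python
import ipaddress

blocked_networks = set()

def block_network(ip: str, prefix: int = 24):
    """Blacklist the network surrounding an attacking host, not just the host."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    blocked_networks.add(net)
    return net

def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked_networks)
```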

Finally, the server could nullify the attacker's brute force attempts entirely by requiring a form of multi-factor authentication.
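
As an illustration of that idea, a time-based one-time password check layered on top of the password. This sketch assumes the third-party pyotp library and is not tied to any particular SSH deployment (SSH itself would typically enforce this through PAM or keyboard-interactive authentication):

```python
import pyotp  # third-party library, assumed for this illustration

# Enrolment: generate a per-user secret to load into an authenticator app.
secret = pyotp.random_base32()
totp = pyotp.TOTP(secret)

def login(password_ok: bool, submitted_code: str) -> bool:
    # A guessed password alone no longer suffices; the time-based code must
    # also verify, which a dictionary attack cannot supply.
    return password_ok and totp.verify(submitted_code)
```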

To the researcher who conducted further analysis of the attack, it appeared that the slow/low-key SSH brute force attackers modified their strategy further still, avoiding the OpenBSD machines being used to monitor them.

SSH brute forcing provides an easy way to compromise a host: no exploit is needed, and a host running SSH is designed to be remotely administered. Since the strategy employed to detect SSH brute force attempts acted as a directional selection pressure, the attackers were able to modify their strategy and avoid detection for an unknown period, until the total number of failed login attempts rose to a level that administrators and researchers noticed. Eventually the attackers modified their strategy further and avoided the monitored OpenBSD machines altogether.

Friday, March 6, 2009

Evolutionary Costs and the Life/Dinner Principle

As illustrated previously, the time it takes to evolve strategies and/or the ability to exploit existing environments (or a population) is important. An additional factor that should be considered when examining exploits is the associated cost. Within evolution, these are referred to as evolutionary costs.

There are costs associated with utilizing a strategy, evolving a new strategy, and neglecting the use of an existing strategy.
  • In utilizing a strategy, an entity must pay the costs of maintaining that strategy. Employing a strategy, or merely retaining the capability to use it, consumes resources that could have been spent elsewhere.
  • Evolving a new strategy also consumes resources, and those resources have to come from somewhere. They will be drawn from resources that could have been spent refining another strategy, developing a different strategy, or continuing the use of an existing strategy (i.e. allowing a current strategy to atrophy).
  • Lastly, neglecting the use of an existing strategy carries the cost of having misspent the resources used to build it. Not using an existing strategy can adversely affect an entity in that the resources consumed in developing it could have been used elsewhere to form a strategy that was actually needed (and are considered to have been wasted in this effort).
Evolution and development are two different concepts within evolutionary biology. In simple terms, evolving refers to the process of creating a strategy through natural selection across a population, while development is the process by which an individual entity builds that strategy. To illustrate the difference: birds as a class have evolved wings, but an individual bird, as an embryo in the egg, develops wings.

When dealing with the costs of employing strategies for survival, it should be noted that the costs are not shared equally by all entities involved. This potential asymmetry is summed up in the life/dinner principle (popularized in both The Selfish Gene and The Extended Phenotype by Richard Dawkins, and originated by M. Slatkin in Models of Coevolution). Slatkin uses the rabbit and fox from one of Aesop's fables to illustrate the basic idea of the asymmetrical costs associated with the life/dinner principle.

Consider the case when a rabbit is being chased by a fox. The rabbit is running for its life, while the fox is only running for its dinner. The cost of failure is different for each: if the rabbit fails, it loses its life, while if the fox fails, it only loses its dinner. So the rabbit is going to be willing to spend more to ensure its survival in a given race, because if it is unsuccessful there will be no further generations of rabbits produced (at least from this rabbit's germ line). The fox can afford to lose this specific race; if it fails, it will have an opportunity to pursue another rabbit in the future.

It could be argued that if, after several of these races, the fox remains unable to catch a rabbit, then it too could very well be facing its final race. This is true, but comparing the costs associated with a single race, the rabbit still faces the more severe cost of failure.

Within this co-evolutionary race, the rabbit and the fox can each pursue a number of different strategies to ensure their survival. The simplest way to continue the race is for both the fox and the rabbit to attempt to run faster. It is important to note that this is not the only strategy the rabbit can pursue: it could also develop better camouflage, better sensory systems to learn of the fox's presence before it comes too close, or greater maneuverability so that if the fox does give chase the rabbit can outmaneuver it and escape; or the rabbit population could simply produce so many rabbits that the likelihood of any single individual becoming dinner is small. Whichever method becomes more prominent in the rabbit population, the fox will have to escalate its attacks to deal with these new strategies.

Although co-evolution is occurring in the rabbit/fox competition, there are costs and trade-offs associated with each of these potential advancements. Obviously, we do not see rabbits that can run arbitrarily fast (outside of cartoons and comics). In order to evolve a strategy, there are costs associated with its development; the development takes resources that could have been devoted to creating or even just maintaining something else. In the security field there are similar trade-offs to consider, and the penalties for not maintaining the proper balance of strategies can be just as severe for an information system as they are for a rabbit.

The penalty asymmetry is commonly seen in the development of an information system. When a system is designed, it has to address all of the threats that will be present in its environment, but an attacker only needs to find one successful strategy to compromise the system. An attacker also has additional advantages:
  • They do not expect to compromise every system they encounter. If they are unsuccessful in exploiting the initial target, they can move on to another system. It is built into their strategy that they will not compromise every system they encounter, only enough to find dinner.
  • They have time to attempt multiple strategies against the system and continue using different combinations of strategies until they find one that works.
  • They do not have to play by the rules. More than that, they have no expectation of staying within the design requirements of the system.
Another factor to consider in information security is who pays the cost of failure. In the general case in evolutionary biology, if an animal's strategy fails, it pays the costs of that failure directly. Within information security, those who fail do not necessarily pay the costs of the failure. For example, spear phishing (i.e. targeted phishing) and whaling target an individual within an organization in order to gain access to the organization's resources and information. When an individual opens an email that contains a targeted attack, although they are the cause of the failure, it is the organization which pays the cost.

In addition to the response lags involved in developing or deploying new strategies, and the time it takes to exploit new resources, there are costs for developing, maintaining, and even using evolutionary strategies. These evolutionary costs are also not necessarily paid evenly by all involved in the Red Queen race.