Saturday, March 21, 2009

Disruptive/Stabilizing Selection Pressures and Virtualization

In evolutionary biology, disruptive selection pressures are commonly seen when there is a radical change in the environment in which an entity is attempting to survive. The more drastic the environmental change, the stronger the selection pressure applied to the population. Sometimes the change is drastic enough that the population goes extinct; in other cases the population is able to evolve and adapt to the new environment. In information security, an emerging and potentially drastic change is the application of virtualization throughout the computing environment.

There have been a number of suggestions, and even implemented systems, which use virtualization as a security measure. Some even treat it as the ultimate solution to malware propagation on the Internet. Setting aside the added complexity of the resulting system and its management requirements, using virtualization as a security measure will be a game-changing event, but not one which solves the malware problem. Looked at from an evolutionary biology point of view, virtualization as a security mechanism will act as both a disruptive and a stabilizing selection pressure in the co-evolutionary system of information security.

Disruptive selection pressures cause an entity to abandon its current strategy and pursue a different one; they select against those who employ a specific strategy. Stabilizing selection pressures act on an entity to reinforce its current strategy and select against employing other strategies. There are two ways in which malware can respond to the widespread adoption of virtualization: it can either abandon the layers being virtualized or it can exploit virtualization to its advantage.
  • In the first case, malware abandons operating in the virtualized layers of the operating system and applications. Virtualization acts as a disruptive selection pressure, and malware evolves to exploit the layers above and below the virtualized layers.
  • In the second case, malware evolves to exploit the new virtualized environment. Virtualization has made new exploitable resources available and acts as a stabilizing selection pressure as malware begins to evolve strategies which exploit virtualization.
In the case of disruptive selection, malware's response will be to move out of the virtualized layers of the information system (e.g. the operating system and possibly the application environment) and into the layers either above or below the virtualization. The layers above the virtualization are the browser and the web applications it runs. Virtualization can even be applied to individual applications, so that if one is exploited the host operating system is unaffected. Despite this, virtualization will not protect the system against attacks such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), phishing, sidejacking, and SQL injection: these run inside the sandboxed application's own context or against a remote server, so the sandbox boundary is never crossed and there is nothing for it to stop. It will not protect against attacks which exploit the user through social engineering, and it still allows malicious scripts to exfiltrate private and/or sensitive information from the system.

This disruptive selection pressure can also push malware down through the layers towards the BIOS, firmware, and hardware of an information system. Virtualization can generally protect the layers it contains while data is being processed, or after it has been processed. An attack which bypasses those layers entirely can exploit the system without being detected by them. Fundamentally, virtualization trusts the hardware on which it is running, and this trust relationship can be exploited. There are many places in which malware can hide on a system besides the application and operating system layers, such as the BIOS, firmware (e.g. on a NIC), or even within the processor.

Evolutionary biologists have previously conducted experiments on the evolutionary adaptation of bacteria which demonstrated that, in a resource-limited environment, bacteria can evolve by selection to fully exploit environmental changes. A population of E. coli was placed under controlled environmental conditions which allowed the organism to survive and maintain its population level. The bacteria essentially had a disruptive selection pressure applied to their main method of harvesting resources from the environment. The new environment contained resources which the E. coli could not normally use, but which a few changes to its metabolic process would allow it to utilize. The population's progress was measured throughout the experiment, and eventually the right mutations occurred and the population grew exponentially as it was able to harvest the additional resources in the environment.

Virtualization can also act as a stabilizing selection pressure on the evolution of malware. Instead of causing malware to move to other layers of the system, virtualization offers new resources which malware may be able to exploit. Presently a significant amount of malware is capable of detecting virtualization, but this detection exists only to keep the sample from executing (or from revealing its real behaviour) when it finds itself inside a virtual machine, since most malware analysis workstations inspect samples inside a virtualized environment. Escapes from a virtualized environment have already been demonstrated, as have exploits against the virtual machine software itself. If virtualization becomes common throughout the environment, malware will evolve its strategies so that it can survive in that environment.
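The virtualization check referred to above, as an added example that is not part of the original post: the cooperative CPUID signals that sandbox-evading malware (and the analysts hunting for it) use on x86. CPUID leaf 1 returns a "hypervisor present" flag in ECX bit 31, and leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX. The function names here are my own, and the signature table contains the publicly documented strings for KVM, VMware, Hyper-V, Xen and VirtualBox. The caveat a practitioner should keep in mind is in the comments: both signals are voluntary, a hypervisor can hide them, and on bare metal leaf 0x40000000 is out of range and returns leftover data from the highest basic leaf, so the signature must only be read after the bit is set.

```c
/* Added example, not from the original post: x86 CPUID hypervisor detection.
 *   1. CPUID.1:ECX[31] is the "hypervisor present" bit (reserved, 0 on bare metal).
 *   2. CPUID.0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX,
 *      but only hypervisors implement that leaf; on bare metal the leaf is out
 *      of range and returns the data of the highest basic leaf, so it is only
 *      meaningful once the bit in step 1 is set.
 * Both are advisory: a hypervisor (or analysis sandbox) can mask them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

#define HV_PRESENT_BIT (1u << 31)   /* CPUID.1:ECX[31] */

/* Decode the vendor signature from the three registers leaf 0x40000000
 * returns. Bytes are little-endian, EBX first; out gets a NUL terminator. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    memcpy(out + 0, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Map a 12-byte signature (as produced by hv_vendor_string) to a name.
 * Unknown signatures still mean "some hypervisor" once the bit is set. */
const char *hv_name_from_signature(const char *sig)
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "VMwareVMware",    "VMware" },
        { "Microsoft Hv",    "Hyper-V" },
        { "XenVMMXenVMM",    "Xen" },
        { "VBoxVBoxVBox",    "VirtualBox" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(sig, table[i].sig, 12) == 0)
            return table[i].name;
    return "unknown";
}

/* Live query. Returns 1 if CPUID reports a hypervisor (name_out filled),
 * 0 if not (bare metal, or a hypervisor hiding the bit), -1 if this build
 * target has no CPUID instruction. */
int detect_hypervisor(char name_out[13])
{
    name_out[0] = '\0';
#if HAVE_CPUID
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;                          /* leaf 1 unsupported: no answer */
    if (!(ecx & HV_PRESENT_BIT))
        return 0;                           /* do not read 0x40000000 now */
    /* __get_cpuid() refuses leaves above the basic maximum, so use the raw
     * macro for the hypervisor range; eax holds the max hypervisor leaf. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_string(ebx, ecx, edx, name_out);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char name[13];
    int r = detect_hypervisor(name);
    if (r < 0)
        puts("CPUID not available on this target");
    else if (r == 0)
        puts("no hypervisor bit: bare metal, or a hypervisor that hides it");
    else
        printf("hypervisor present: signature \"%s\" (%s)\n",
               name, hv_name_from_signature(name));
    return 0;
}
```

Run on a guest and it prints the signature; run on a hardened analysis sandbox and it may say "no hypervisor bit", which is exactly the point the post makes: this check is the low bar, and malware that has already evolved past it falls back to timing, device and artifact checks that the hypervisor cannot hide as cheaply.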

In some cases the widespread adoption of virtualization as an information security counter-strategy will provide no selection pressure on an attacker's strategy at all. Virtualization does not address exploitation strategies which target the interconnections between systems: it provides no defense against man-in-the-middle attacks or attacks on the protocols used to connect information systems together.

Lastly, it will take time to make a virtualized solution common in the environment. In the short term the virtualized clients will have an advantage, because they occupy a small portion of the entire population, but as time passes the likelihood that malware can exploit this new virtualized strategy will increase. As with the E. coli adapting to an environment which initially severely limited its fitness, malware will eventually evolve to exploit its new environment. Rolling out virtualization to the entire population of computers will not be done overnight; it will take a few years. Unlike the E. coli, which was suddenly exposed to an environment that hampered its fitness, malware will be exposed to virtualized environments more gradually. Despite that difference in how the selection pressure emerges, malware, just like the E. coli, will be forced to change by its environment, and will evolve the adaptations necessary to survive. It is not a question of whether it can evolve, but rather how long it will take.

Simply using virtualization as a defense does not mean that a system is instantly protected against all existing malware strategies. It will stop some exploitation strategies, but it is not a complete defense, and it can even increase the risk to the environment: virtualization adds software (the hypervisor and its management tooling) which must itself be secured, on top of the added complexity in operating and managing the system.

There are a number of directions in which using virtualization as a common defense could force malware strategies to evolve. Malware could evolve under stabilizing selection pressure, developing strategies for escaping and exploiting the very software which is used to protect the system. Malware could also evolve under disruptive selection pressure, developing strategies to target the hardware which has traditionally been assumed to be trusted. Attacks against firmware, BIOS, CPU, NICs, and even Trusted Platform Modules have been successfully demonstrated. Although virtualization is not the only selection pressure driving the creation of hardware attacks, it will increase that pressure and push attack strategies in that direction. There have already been discussions and demonstrations of implementing System Management Mode (SMM) rootkits by poisoning the system's cache. Beyond that, using virtualization as an information security measure will not protect a system from scripted attacks, social engineering, or man-in-the-middle attacks.
