LOL, ROTFL and WTF: My Winter Vacation
I've also submitted two project proposals for Sun's Code For Freedom (CFF) contest. I'll be developing high availability agents for Zabbix and Cron, so that they may work off the box on the Open High Availability Cluster suite. I'll be coding over the GDS (Generic Data Service) template, that allows you to code without having to deal with the cluster framework. So all you have to do, is focus on starting, stopping, probing and validating the application you're developing the agent for. Sounds easy? I'll only know for myself once I start work. So you'll be seeing a lot of technical posts throughout my coming semester. (There go my readers I guess)
Apart from CFF, the other thing that's going to keep me busy through the coming months is the research paper I'm working on for the HP Innovate awards. We all know the kind of havoc that crackers wreck on networks across the world. Commercial Banks have reported losses in the order of billions of dollars due to cyber attacks on their servers. To detect such attacks, we have things called Intrusion Detection Systems (IDSs). But then again, conventional IDSs are based on signatures. A signature is a string developed out of some particular parameters, that distinguish one attack from others. The problem here is, if the IDS doesn't have the signature for an attack, it's not going to detect the intrusion itself, and this is where signature based systems completely fail. If this is going over your heads, let me take a more common example. All of you know what an Anti Virus suite is right? You do know that without 'updating your virus definitions' your system is vulnerable right? So that's what I'm talking about. Anti virus software are based on signatures.
It's not very difficult for the attacker to make minor modifications to an attack so as to get it's signature changed. As far as viruses are concerned, it's real easy to add useless code that will get the virus' signature altered. Consider a virus' code, being executed as assembly language instructions (this isn't proper code ok?):
00 Original Code...
01 Original Code...
.
.
.
N Original Code...
Now the above piece of code will give you a signature we'll call ABC. Now if your anti virus has this signature ABC, it will be able to detect the above virus. Now look at the modification I'm making here.
00 Original Code...
01 Original Code...
.
.
K MOV <Some register>, <some value>
L MOV <Some register>, <some other register>
.
.
N+2 Original Code...
Now the above piece of code has two new instructions in between it that needn't serve any purpose whatsoever (known as 'dummy code'). All I have to do is insert this kind of code in between different parts of my program, without worrying about changing the program's functionality. But this virus will now have a different signature, and the anti virus won't be able to detect it inspite of having the signature ABC of a virus which does the same thing.
The same kind of little tricks go toward bamboozling IDSs as well. So hence, we need to move away from signature based systems, towards an era of intelligent, anomaly based IDSs. So I'm basically working on the application of AI to such IDSs for the HP Innovate awards.
I’ll be writing about all these as and when I’m working on them. Right now, I feel like playing Tekken 5. So adios…
Comments