What if networks and applications could automatically detect malware intrusions, repair any damage done and then slam the door on further infections of the same type? Seems like something out of Star Trek-level science fiction, but thanks to researchers at the University of Utah, this kind of self-healing software is coming to a Linux-based business or military server near you. Malware: be afraid. Be very afraid.
I See What You’re Doing There
The biggest problem with antivirus programs? They rely on lists: whitelists for legitimate code and blacklists for software that comes with a malicious payload. But since hackers make it their mission to create new and ever-more-hidden infections, virus detectors are always one step behind the bad guys. This puts companies in a tough spot. High-performance antivirus can bog down a network and even take servers offline, while opting for a “what may come” approach could end with your system going down in flames.
Not so with A3, or Advanced Adaptive Applications, which isn’t bound by typical search-and-destroy rules. Along with defense contractor Raytheon BBN and an awkwardly-named DARPA program — Clean-Slate Design of Resilient, Adaptive, Secure Hosts — the University of Utah’s Eric Eide and his team came up with a way for A3 to detect, repair and shore up network defenses on any Linux-based virtual machine (VM).
Here’s how it works: A3 first uses a set of “stackable debuggers”, which all run in real-time and search the VM for any strange activity. And unlike typical virus software, this security program isn’t looking for specific code but for any computer behavior that’s out of the ordinary. If malware is found, A3 stops whatever process has been started, approximates a fix for the damage and then adds the bug to its list of no-go code. And it really, really works: the team tested it against Shellshock for DARPA officials in Jacksonville, and A3 not only found the intrusion but repaired the damage in just four minutes. Now past the testing phase, the future looks bright for this self-healing software, although there’s a caveat: the software isn’t available for consumer use on desktops or smartphones. According to Eide, “we haven’t tried those experiments yet.”
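To make the list-versus-behavior distinction in the two passages above concrete, here is an added Python example. It is not A3’s code and nothing from the Utah team; the program bytes, behavior traces and “normal” baseline are all constructed for the demo. A hash blacklist catches only the sample it has already seen, while a behavior monitor catches a repacked copy with the same actions, stops it (modelled as a verdict) and feeds its hash back into the blacklist, which is the detect-then-remember loop the article describes.

```python
import hashlib

# Constructed stand-ins for program files on the monitored server. The repacked
# copy behaves identically to the known sample but has a different hash, which
# is exactly the case a list-based scanner misses.
KNOWN_BAD = b"evil v1"
REPACKED_BAD = b"evil v1, repacked"
BENIGN = b"nightly-backup"

# Constructed behavior traces: the events a monitor records while each runs.
TRACES = {
    KNOWN_BAD: ["open:/etc/passwd", "connect:203.0.113.5:8443", "exec:/bin/sh"],
    REPACKED_BAD: ["open:/etc/passwd", "connect:203.0.113.5:8443", "exec:/bin/sh"],
    BENIGN: ["open:/var/backups/db.tar", "write:/var/backups/db.tar"],
}

# Constructed baseline of events this server normally produces.
NORMAL_BASELINE = {
    "open:/var/backups/db.tar",
    "write:/var/backups/db.tar",
    "connect:10.0.0.2:5432",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """List-based detection: blocks only files whose hash is already blacklisted."""

    def __init__(self, known_bad):
        self.blacklist = {sha256(sample) for sample in known_bad}

    def verdict(self, program: bytes) -> str:
        return "block" if sha256(program) in self.blacklist else "allow"


class BehaviorMonitor:
    """Behavior-based detection: flags any trace with events outside the baseline
    and, on a hit, feeds the offending hash back into the signature blacklist."""

    def __init__(self, baseline, scanner: SignatureScanner):
        self.baseline = set(baseline)
        self.scanner = scanner

    def verdict(self, program: bytes, trace):
        anomalies = [event for event in trace if event not in self.baseline]
        if not anomalies:
            return "allow", anomalies
        # Response step: a real system would stop the process here; this model
        # records the decision and adds the hash so the cheap list check
        # catches the same file next time without running it.
        self.scanner.blacklist.add(sha256(program))
        return "block", anomalies


def run_demo():
    """Returns verdicts before and after the monitor has seen the repacked sample."""
    samples = [("known", KNOWN_BAD), ("repacked", REPACKED_BAD), ("benign", BENIGN)]
    scanner = SignatureScanner(known_bad=[KNOWN_BAD])
    monitor = BehaviorMonitor(NORMAL_BASELINE, scanner)
    before = {name: scanner.verdict(p) for name, p in samples}
    behavior = {name: monitor.verdict(p, TRACES[p])[0] for name, p in samples}
    after = {name: scanner.verdict(p) for name, p in samples}
    return before, behavior, after


if __name__ == "__main__":
    print(run_demo())
```

The baseline here is a fixed set; in practice it is learned from the machine’s own history, and the hard part is keeping the anomaly list short enough that the monitor does not block legitimate but rare activity.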
While A3 is the latest and greatest in the world of responsive malware detection, it’s not the first stab at this kind of thing. For example, HP launched a self-healing BIOS last year to combat malware that runs before an OS is loaded. If attackers are able to gain root access to a computer, it’s possible to alter the BIOS and force malicious code into the system; HP’s BIOSphere compares the to-be-run BIOS against an embedded image of the machine’s original BIOS — if they differ, the original is always loaded.
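The BIOS comparison HP describes reduces to a pre-boot integrity check against a protected reference copy. The following added Python model is not HP’s code and makes two assumptions of its own: the comparison is done on SHA-256 digests rather than byte-for-byte, and the reference copy lives in a region the operating system cannot write. Both firmware images are constructed strings.

```python
import hashlib
import hmac


def digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


class FirmwareStore:
    """Constructed model of a machine with a writable boot-firmware region and
    a separate, write-protected reference copy of the image it shipped with."""

    def __init__(self, reference: bytes):
        self.reference = reference                  # protected golden copy
        self.reference_digest = digest(reference)   # what a verified image must hash to
        self.active = reference                     # region that actually gets booted
        self.events = []

    def write_active(self, image: bytes) -> None:
        """Models a privileged (root-level) write into the bootable region."""
        self.active = image

    def pre_boot_check(self) -> bytes:
        """Compare the image about to run with the reference; restore it on mismatch."""
        if hmac.compare_digest(digest(self.active), self.reference_digest):
            self.events.append("verified")
        else:
            # Mismatch: do not run the modified image, load the original instead.
            self.events.append("mismatch:restored")
            self.active = self.reference
        return self.active


def demo():
    """An untouched machine boots its image; a tampered one boots the restored reference."""
    clean = FirmwareStore(b"vendor firmware 1.0")
    clean.pre_boot_check()

    tampered = FirmwareStore(b"vendor firmware 1.0")
    tampered.write_active(b"vendor firmware 1.0 + injected code")  # constructed tampering
    booted = tampered.pre_boot_check()
    return clean.events, tampered.events, booted


if __name__ == "__main__":
    print(demo())
```

The whole scheme stands or falls on the second assumption: if the reference copy or the code doing the comparison sits where root can write, an attacker who can alter the BIOS can alter those too, and the check verifies nothing.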
Retail giant Amazon is also on the self-healing bandwagon. The company just announced Amazon Aurora, a MySQL-compatible database engine paired with their Relational Database Service. According to the press release, Aurora is “fault-tolerant, transparently tolerating the loss of disks and Availability Zones, and self-healing, automatically monitoring and repairing bad blocks and disks.” This is the holy grail, and what A3 is also shooting for: repairs on the fly, without the need to shut down servers or repopulate data.
Turn the Beat Around
It’s also worth mentioning that A3 is open source. On the face of it, this is a good thing: other white-hat users can take Eide’s work and adapt it, perhaps for mobile devices, Windows servers or even the Internet of Things.
There’s also a dark side, however. Malicious actors are, by and large, interested in whatever kind of attack returns the biggest benefit for the smallest outlay of work. A few, however, are innovators, and it’s not hard to imagine the risk of a re-purposed A3 or similar self-healing technology: malware designed to scan for antivirus activities, shut them down and “repair” them, rendering them useless. In an already self-healing system this might lead to a stalemate, but as CIO Today points out, many companies can’t keep up with constantly morphing malware. Add self-healing (or destructing) to that list and things get interesting.
A3 and similar self-healing software efforts show real promise in the fight against malware, but don’t get complacent. Infection control and software repair are an all-hands-on-deck situation — there’s no silver bullet here.