To diversify and survive: the application of population biology concept into computer

[Peter Huang <yinrong () rogers com>]

Abstract:
On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known 
as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern 
(Kaspersky) fully exploited known vulnerabilities in Microsoft SQL 2000 
servers and caused tremendous network jam around the world. In this 
article, the concept of population biology is proposed to apply to the 
computer programming. The concept is to diversify the same software 
functionality with a population of executables to avoid being eliminated 
or exploited by a virus or worm like SQL Slammer.
---------------------------------------------------------------------------
-
In biology, it is a known fact that a species with a diverse population is 
less likely to be extinct than a species with a "cloned" population under 
selection pressure. It is one of important reasons why we want to keep the 
biodiversity, I believe.

What the SQL Slammer has exploited during the last weekend exposed not 
only the vulnerabilities in Microsoft SQL 2000 but also the 
vulnerabilities in the normal delivery methods of software package. A 
normal software package contains the same documents, the same executable 
files. In other words, the package is just copied or "cloned" without 
diversity. What just had happened taught us a lesson about the importance 
of diversity in computing world as well, I think.

If we study the SQL Slammer worm in assembly language 
(http://www.eeye.com/html/Research/Flash/sapphire.txt) carefully, we will 
realize how selective or "laser-guided" this worm is. If the population of 
the SQL 2000 server executable had been diversified, then the impact of 
the SQL Slammer would have been much less noticeable.

So, I propose the concept of installation time linking to diversify the 
same software functionality with a population of executables. In other 
worlds, different executables have the same functions.

Installation Time Linking Of Object Files Into An Executable
 
The concept of the installation time linking is that it enables the 
executable to be randomly laid out (including the Import Address Table 
abused by the SQL Slammer). Functionally speaking, the executable image #1 
and image #2 listed above in Figure 1 are the same even though the layouts 
are different. Therefore, if a program like the SQL Slammer is targeting a 
special executable program, it will lose its effectiveness on another 
executable because of different image layout or addresses, (unfortunately 
it might crash the application). 

The disadvantage of this technique is that it requires more customers' 
support if the software has problems. It might become more difficult for 
the vendors to patch or provide so-called service packages, (well a 
service package just simply overwrites existing files or adds new ones 
currently, right?). 

If this concept goes further, then the operating system does the dynamic 
linking of libraries or object files in a randomized order as well to 
diversify further.

Whether this concept is practical or not remains to be seen.
---------------------------------------------------------------------------
-

For the article with the figure 1, please visit 
http://members.rogers.com/yinrong/articles/PopulationComputing.pdf

Thank you and have a nice day.

Peter Huang
http://members.rogers.com/yinrong