Vulnerability Development mailing list archives

Regarding a selection for mobile code/scripting language


From: "Eric Knight" <eric () swordsoft com>
Date: Fri, 9 Jan 2004 12:31:34 -0700

Dear Vuln-Dev community:

I've got a question for anyone who has an opinion about picking a scripting
language for a "remote administration tool" that will be expected to provide
reasonably efficient robustness for administration and security functions.
I'm 90% tempted just to create my own (did it before) but I'd like to open
the floor for discussion.

Background:

I'm wrapping up "Phase 2" of my defensive IW project, I've got roughly 75%
of the framework completed as described in my "Treatise on Informational
Warfare" and I'm starting to plan for Phase 3, which I hope won't take as
long.  The critical pieces appear to be completed and tested on small
scales, made user friendly, and days away from being placed into Beta.  The
missing pieces, as I see it, are the communications back-channel relay and
the ability to provide for client/server side scripts (e.g., mobile code).

I realize not everyone read the publication, so I'll try to explain the
current status:

1)  It has the "feel" of a Trojan horse system (intelligent agent) that
governs security and administrative functions. Although the features are
present that are typical in any RA tool, this system has a lot of safeguards
against abuses, by design.
2)  Event framework for handling events of all kinds -- analytical, user
initiated, schedule initiated, action/response, etc.
3)  Communication framework currently supports transfers of files, commands,
and record data across an encrypted socket.
4)  Visualization framework for security information (charts, interactive
controls, etc.)
5)  Analysis framework for security analysis, action, response.
6)  Internal record communication structure with ability to
read/write/process XMLish tree record data.  Like a giant native XML
database.
7)  Fun stuff like remote registry control, remote program execution,
copying and transferring files omni-directionally, identifying hardware,
equipment, configurations, etc. Allowing remote changes, etc..
Forensic analysis all over the place.
8)  Appears to be hitting its anticipated target of 1,000 potential
simultaneous clients on a beefed up server (?) No way to test.  Yes, in
theory it's expandable higher up the chain as predicted in the model.
9)  Yeah, sky's the limit, it can be used for almost anything -- it's always
present, managing tasks, collecting logs, transferring information, etc.
You could toss your firewall logs to an unused desktop and have it perform
analysis, you could reconfigure the filters on all the desktops. You could
collect the contents of folders, directories, and perform analysis...
Remote installation of software..  These steps would be easiest with a
mobile code system and a shared public library of tools that administrators
have already written.

Maybe it's easier to do this, too..  A picture is worth a thousand words:

http://www.swordsoft.com/VES/VESLook1.jpg
http://www.swordsoft.com/VES/VESLook2.jpg
http://www.swordsoft.com/VES/VESLook3.jpg

Ultimately, the point is that computers react faster to threats than people
do, and I'm building the associated framework to be able to move in that
direction and make the whole day-to-day processes of cross-referencing and
research "less difficult", easier to visualize and considerably faster.  For
the time being, the system's framework is limited to hardcode and needs to
have its horizons broadened.

The system is very closely wired, so recording events and commands driven
from the console can easily be done through the creation of "server agents",
and I'm 2+2ing that together thinking that it can have "semi-self
programming" abilities -- watch and learn -- and add them as tasks across
the enterprise. By definition, I want these tasks to be disposable (memory
resident) and discarded after use, or saved.

Second, I want to have lots of mobile scripts that perform generalized
tasks -- remote backup, vulnerability testing (both local/remote), event
response/creation/analysis, WFC access, etc.  Also, I don't want to limit
myself to Windows, *nix is my best programming environment by personal
choice, but I can do both.

Third, I'm curious about depth of control -- I know that a sandbox for code
is required, but if I can already extend outside the sandbox (script:  copy
executable to remote computer, run executable -- 100% outside the sandbox),
should this even be a full programming language?  I'm thinking something
like Basic that is intuitive to write, or possibly Pascal-ish or C-ish (for
the syntax).  Object oriented?  Not sure.  Compiled or interpreted?
Probably interpreted because I can already transfer compiled code.

Anyway, the only closing thought I have is that what exists right now is a
framework with some limited examples, it's not quite the "masterpiece" of
unified, automated, and fully reactionary enterprise security yet.  I've
been trying to locate comparable tools "out there", not finding anything
much except some theoretical papers and some "project" pages that haven't
been updated in a long time.  Trojan technology appears to be the closest
example, and it may be a good reference for visualization.

When I released my paper, the general estimation of the completion of my
project was supposed to be 15-30 years in the future (from comments made
about it), and I thought it was possible to complete it in two.  I'm
concluding now that it's going to be finished in about 6 months from
current progress as an individual effort, although many parts of it are
ready for solving immediate needs.

I'd appreciate any feedback at all, this has been a quiet and relatively
discreet coding project, and I'd like to know more about what the industry
thinks.  I hope that it will be ready for the "masses" as quickly as
possible, and I don't have any intentions of delaying.

Thank you,

Eric Knight, Security Research Workaholic