Open Source Self-Healing Software For Virtual Machines

An anonymous reader writes Computer scientists have developed Linux based software that not only detects and eradicates never-before-seen viruses and other malware, but also automatically repairs damage caused by them. If a virus or attack stops the service, A3 could repair it in minutes without having to take the servers down. The software then prevents the invader from ever infecting the computer again. "It's pretty cool when you can pick the Bug of the Week and it works." (Here's a paper with more details.)

Immune system for operating systems?

[Archtech]

The analogy is a big stretch, as it would take a very long time and huge effort to approach the unbelievably complex sophistication of the immune system. But the outlines are there: software that detects previously unknown threats, quickly mobilizes to defeat them, and then stands guard against each (now known) threat in future.

Re:

[Archtech]

And I simply adore the idea of "stackable debuggers". (Anyone remember Gary Larson's "stackable livestock"?) 8-)

Re:

[Archtech]

Thanks! Just as funny as I remembered... 8-)

Re:

[blue trane]

Sadly, it's becoming all too true in factory farming.

Meat is murder.

Re:Immune system for operating systems?

[__aaclcg7560]

As a security remediation specialist, I doubt I'll be out of the job anytime soon in repairing systems that won't update on their own. Software can only do so much before it requires carbon-based intervention to fix.

Re:

[Gravis Zero]

it would take a very long time and huge effort to approach the unbelievably complex sophistication of the immune system

so... when do they start integrating it into systemd? ;)

Re:

[Burz]

This is the one thing QubesOS [qubes-os.org] could use to improve its security-by-isolation approach: Detection and repair in VMs. Even if you assume the hypervisor stays safe (and therefore, your trusted VMs stay safe), you're still relying on VMs to get everything done and the VMs doing the risky tasks are vulnerable to attack. It would be nice if those less-trusted VMs could get automatically restored after a successful attack.

Wrong approach

[sunderland56]

So, basically you welcome viruses and malware, but fix up the damage afterwards?

Sounds like the anti-vaccine crowd. In reality, it is far better to vaccinate and never get sick, than it is to self-repair after you get a virus.

Re:Wrong approach

[Archtech]

Er, did you realize that vaccination and other forms of inoculation consist of injecting a small sample of the bacterium, virus, etc. to give the immune system a smell of it? Then the immune system tools up and is ready for the full-scale infection if it occurs.

One of the many nice things about A3 is that (optionally) sysadmins could emulate inoculation by handing specific details of threats directly to A3 instead of waiting for it to detect them itself. That would eliminate delay and enable A3 to be lined up on the border with tank divisions, a howitzer every 2 yards, and millions of men when the invasion starts.

Re:

[wonkey_monkey]

sysadmins could emulate inoculation by handing specific details of threats directly to A3

Sounds a bit like... well, like practically all other AV software, doesn't it?

Re:

[Archtech]

I guess the main difference is that the promises are being made by academics, in a formal paper. Not by salesmen and enthusiastic executives. Far from conclusive, I agree - but it's a step in the right direction. It's probably still a 1000-mile journey, but the first step has to be taken some time.

Re:

[Anonymous Coward]

being made by academics, in a formal paper. Not by salesmen

Whats the difference? They need to sell their ideas to rich people to get funding so they can pay their bills too.

Re:

[kesuki]

the big problem with self-healing servers has always been getting in a restore lock from a polymorphic virus that essentially causes the machine to spend all its time restoring machines without ever being able to re-detect the polymorphic code.

Re:

[joocemann]

I just don't think you'll find many in the younger crowd of coders to be humble enough to think that 1) their code could be buggy, or 2) that something/someone else could fix it. The only people I run into that talk about hard and true reliable coding as a standard are over 45 years old. All the young bucks think its impossible. Let's cue up the replies and downvotes (such as calling me a troll when i'm expressing a strong generalized observation) from here on slashdot to confirm my claims.

Re:

[fahrbot-bot]

I just don't think you'll find many in the younger crowd of coders to be humble enough to think that 1) their code could be buggy, or 2) that something/someone else could fix it. The only people I run into that talk about hard and true reliable coding as a standard are over 45 years old. All the young bucks think its impossible.

I think it's a matter of experience and maturity. I'm 51 and have been a (mostly) Unix system programmer and admin since while in college. I've worked on all sorts of systems from Linux/Windows PCs to a Cray 2 and YMP and I'm used to having to account for the unexpected. I try to teach the young padawans on my team to think about what could possibly go wrong, and discuss this more with others as the importance of something rises, and to expect the unexpected. An example I offer is an error message I once

Re:

[wonkey_monkey]

So, basically you welcome viruses and malware

No, of course not. Why would you think that?

In reality, it is far better to vaccinate and never get sick, than it is to self-repair after you get a virus.

Nice soundbite, until you remember that there aren't vaccines for every single disease (or even better, when you remember the analogy between the immune system and a server is a tenuous one at best)

Re:

[ihtoit]

you do realise that one of the proposed methods of vaccinating against one of the weakest viruses in nature (ebola) is to inject the patient with live influenza (pretty much the most virulent pathogen in existence) which has ebola DNA in it?

Take a leaf from the Nigerians. SIMPLE PHYICAL ISOLATION DEALS WITH THE PROBLEM. STOP FUCKING OVERTHINKING IT.

(by the way, I live an active lifestyle, I eat right (none of this chemically-tainted shit - keep your aspartame, I'll stick with xylitol, failing that: sugar),

Re:

[ihtoit]

that would be down to THEIR lack of immunity, not mine, you fucking tool.

As we say in help desk, get rid of users...

[__aaclcg7560]

Once the operating system can self-heal, evolve into an A.I., and network itself across the Internet, getting rid of the carbon-based units will be the next step in self-healing.

Re:

[Archtech]

See "The Shockwave Rider", passim. One of the classic definitions of life involves "irritability" (not quite what it might sound like). Brunner's worm demonstrates irritability in both senses; when the authorities try to wipe it out, it retaliates by destroying banking systems.

Nothing new under the sun

[AlphaBro]

This is a glorified IPS, and those in the know are aware of how ineffective such systems are. You might stop a few skiddies attacking the internet en masse, but this is a speed bump for anything remotely close to an advanced persistent threat.

Re:

[vux984]

Exactly right. This is just like the human immune system. Ebola is still usually fatal, herpes is still around, so we there's no reason to waste energy on the immune system at all; we all know how ineffective it is. :)

Re:

[Half-pint HAL]

Have you any idea how many ideas have been released free by academics? Clearly not.

Re:

[x0ra]

Come on, this is a buzzword heavy paper. It looks like some team failed to reach their quota of papers...

Re:

[x0ra]

and that's a $1,253,976.00 bingo... kinda expansive :-/

or how about

[ihtoit]

enforcing user privileges? But that'd put AV firms out of business! Tough! They can do something else, like fucking grow food.

WTF?

[AqD]

The author seems completely non-technical. He probably wants to explain things simple to people, but such article is worthless as it says basically nothing but bullshit.

What exactly is stackable debuggers? There are experimental projects detecting malware from outside of VM, but information from that couldn't be too high-level (probably involves re-assembling memory pages and monitoring of key kernel-space tables/code) or stretched into pure user-space attack like Shellshock. I doubt it could be low-cost en

Re:

[phantomfive]

What exactly is stackable debuggers?

It's debuggers all the way down!

Re:

[ihtoit]

someone's sniffing for the next plotline for Scorpion...

I mean, seriously? A fucking cat5 dangling out the arse of an airliner is the only way to get data to a laptop because "it's going too fast"?? I will keep beating the shit out of that show because it is so fucking weak it totally deserves it.

Insert malware and Linux in the same sentence ..

[lippydude]

Viruses and Malware are not a problem on Linux platforms as unlike the wintel platform, their is a clear differentiation between opening and running a file. As in the Linux desktop is virtually immune from the click-and-run type of malware that is rampant on the windows platform . How can 'computer scientists' even write a paper on malware without once mentioning Microsoft Windows !!!

Re:

[Blaskowicz]

Double-clicking on a .deb launches a package installer for me. Indeed it is "open" not "run" but I am not far away from installing some shit. If they bothered, porn sites and ads that masquerade as content etc. would make people download an "install this VLC player to view our porn" .deb piece of crap after determining the computer runs Ubuntu (which I guess is what most home linux users have, including Mint)
I've seen it on a semi-old Mac with whatever outdated version of Safari : "fake_VLC_48941.dmg" gets

Prevention?

[buckfeta2014]

The software then prevents the invader from ever infecting the computer again.

Does this mean it's going to fix bad SSH/FTP configurations, or change insecure passwords? Didn't think so.

Star-Trek inside

[x0ra]

A3 prevention-focused defenses are concentrated in the Crumple Zones (CZs). The CZs essentially impose a space-time dilation upon the application’s interaction

oh, my... I'll keep reading the paper, but this is already buzzword-bingo ready.

...and, back to the Future

[x0ra]

We use Xen 3.1.4 with Fedora Core 8 (kernel 2.6.18.8) images for both Dom0 and three DomUs in the prototype A3 environment.

2.6.18 ? Seriously ?

Not for Consumers uh huh

[Bruha]

"There are no plans to adapt A3 for home computers or laptops, but Eide says this could be possible in the future."

Exactly, the CIA, NSA, FBI, and everyone else has a vested interest in computers that CAN get infected.