Convinced that businesses will use nonmalicious worms to cut down on network security costs, a high-profile security researcher is pushing ahead with a new framework for creating a “controlled worm” that can be used for beneficial purposes.
Dave Aitel, vulnerability researcher at New York-based Immunity Inc., unveiled a research-level demo of the “Nematode” framework at the Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good worms will become an important part of an organization’s security strategy.
“We’re trying to change the way people think,” Aitel said in an interview with Ziff Davis Internet News. “We don’t want people to think this is impossible. It’s entirely possible to create and use beneficial worms and it’s something businesses will be deploying in the future.”
For years, security experts have debated the concept of using good worms to seek and destroy malicious worms. Some believe that it’s time to use the worms’ tactics against them and build good worms that fix problems, but the chaos and confusion associated with self-propelled replicating programs have left others unconvinced.
Aitel is among those who believe it is “inevitable” that worm technology can significantly reduce the cost of disinfecting and maintaining a corporate network.
“We already have a proof-of-concept that can take a very simple exploit, go through a few steps and, in a matter of minutes, create a working nematode,” Aitel said.
He took the name for the concept from the pointy-ended worm used to control pests in crops. “We can generate a nematode any way we want. You can make one that strictly controls, programmatically, what the worm does,” Aitel explains.
Aitel, who did a six-year stint as a computer scientist at the NSA (National Security Agency) before moving on to work as a code-breaker for research outfit @Stake Inc., is adamant that nematodes can provide the answer for lowering security costs.
He sees a world where “strictly controlled” nematodes are used by ISPs, government organizations and large companies to show significant cost savings.
During his Hack In The Box presentation, Aitel outlined the reasons for creating nematodes and displayed strict protocols that can be used to control the beneficial worms.
He said nematodes can be automatically created from available vulnerability information and even showed off a new programming language to create the worms.
Aitel acknowledged potential problems with the concept, noting that worms are very hard to write and use large amounts of network bandwidth. Because worms are harder to target and control, he noted that IT administrators live in constant fear.
The concept includes the use of “Nematokens,” servers that are programmed to respond only to requests from networks cleared for attacks, and the NIL (Nematode Intermediate Language), which can be used as a specialized and simplified “assembly for worms.”
The NIL can be used to convert exploits into nematodes quickly and easily. In some cases, Aitel believes that exploits can be written to NIL directly to simplify the process even more.
“This will be part of your security team’s toolkit,” Aitel argues, noting that his company’s work is “research-level proof of concept” that details the theory and theology of using beneficial worms.
“If you look at the security cost of maintaining a large network, most CIOs agree it’s way above what they want to pay. With this [nematode] concept, you can take advantage of automating technologies to get protection for pennies on the dollar. That’s the drive behind developing a lot of these new forward-looking technologies,” Aitel said.
“Nematodes are a step beyond the next step. We’re two stages away from using this,” he added. “The goal has always been to build the network that protects itself automatically with automated technologies. We’re certainly not more than five years away from this sort of technology becoming something that you can buy.”
“We already have an engine that takes exploits and turns them into worms and does it in a way that allows you to inject control mechanisms into that. That’s something that will appeal to businesses.”