The antimalware industry's holy grail is automatically detecting never-before-seen malware, remove the offending code, and restore any affected software to an undamaged state. Considering current antimalware offerings, the industry has a way to go.
A team comprising members from the University of Utah and Raytheon BBN Technologies may have moved antimalware research significantly closer to the industry's goal. Their software suite: A3 (Advanced Adaptive Applications) "adaptively defends" computers, in particular servers, running the Linux operating system.
Part of DARPA's CRASH program
A3 is the result of a four-year research project supported by the Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) program. The CRASH website explains the program's goal is to develop computer systems:
● That are resilient to cyber-attacks
● Adapt and continue offering services after a successful attack
● That use information from earlier attacks to deal with future attacks
● Repair software after an attack succeeded
Eric Eide, co-lead of the University of Utah team, clarifies how A3 accomplishes the CRASH objectives in this interview with Cool Science Radio. Eide says the team began with the premise that all software will have bugs ad infinitum. To work around that deficiency, A3 creates what Eide calls containers. A container wraps around each software application and becomes the defense demarcation line.
Eide next explains that outside the container is hostile, and all inbound traffic to the container is monitored. Inside the container, A3 observes the health of the application using software introspection. If A3 determines the application to be unhealthy, steps are taken to diagnose what inbound traffic created the negative condition. A3 will then block that traffic, and return the application software to a healthy state.
Not just theoretical
This blog post explains how the team tested A3. "The ShellShock/Bash bug has been in the news a lot recently and it seemed like a great opportunity for us to test our A3 fully automated repair technology against a real zero-day attack," mentions the blog post. "We found that the mandatory mediation policy enforced by A3 blocked the effect of the injected command attack."
Here are the steps A3 uses to disarm ShellShock/Bash:
● The policy violation triggers A3 to explore and repair the underlying security hole automatically.
● A3 took around 2 minutes to find a repair using virtual machine introspection to insert a system call block, which prevented a sys_clone call made by Bash.
● A3 used an additional 1.5 minutes to find a source code repair for the Bash code.
"What we are claiming is that A3 can automatically localize and find a patch that makes the protected application resilient in seconds," the post continues. "If the adversary tries another exploit and causes an undesired condition in the protected application, A3 will find a refinement."
Eide alludes the next step is to build on their research, determining how A3 may help secure components of cloud computing. "I'd say we have a lot more experiments to do," wrote Eide in an email. "We would like to try A3 against more malware samples, and in a wider variety of conditions, to see how it holds up and how we can improve it."
Not productized yet
As mentioned earlier, A3 is ported to work with Linux operating systems. If interested, Eide mentions the code is open source and available on the A3 website.
This University of Utah press release offers an example of how A3 could be used in a commercial space. "A3 potentially could be used in the consumer space, such as in web services like Amazon," the release advises. "If a virus or attack stops the service, A3 could repair it in minutes without having to take the servers down."
Members of the A3 team assert there are no plans to port the security software for consumer computers. However, they are confident, with the research now released, developers will work towards that end.