Dewormer conquers the world

11 September 2012

DeWorm was one of the first and the most successful Sentinels projects. ‘Georgios Portokalidis, a PhD student on the project, is now working as a postdoc at the prestigious Columbia University. The security system Argos that he worked on has been developed further in various projects and has now been downloaded almost 9000 times for use by security experts,’ says project leader professor Herbert Bos.

Bos came up with the project name in a flash of inspiration. ‘DeWorm, a wordplay,’ he says at the VU University in Amsterdam, ‘Because the English word deworm is exactly what we intended with Argos when we started on the project.’ Initially, Argos was aimed at attacks from worms on servers, such as web servers and mail servers. ‘Because when we wrote the project proposal, attackers mainly targeted those. They tried, for example, to knock out web servers. However, a year into the project we clearly saw a change take place. The attacks were now being targeted at the machines of the end-users. At browsers instead of web servers and e-mail accounts instead of e-mail servers. We therefore made some modifications to Argos so that it could also recognise and resist these attacks.’

Prof. dr. ir. Herbert Bos, project leader of DeWorm

Argos is a technology for detecting Internet attacks. It is based on so-called dynamic taint analysis: Argos tracks which data enter the system from outside, and when, and then assesses whether the way those data are used is abnormal. If external data end up steering the execution of a program, this is nearly always malicious. Within Sentinels, Argos was configured so that a system was immediately shut down in the event of suspect activity. ‘Later we adjusted that and used the system to observe what exactly the attackers were planning to do,’ says Bos.
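To make the idea of dynamic taint analysis concrete, here is a toy register machine that tracks a taint bit per register and memory cell, as an added illustration; it is not Argos code and the instruction set, programs and sample packet are all constructed. Bytes read from the ‘network’ are tainted, taint propagates through data movement and arithmetic, and the machine raises an alert when a tainted value is about to be used as a jump target. It also records which memory cells tainted data were written to, the kind of information an administrator would want when deciding what an attacker actually touched.

```python
# Toy dynamic taint tracker in the spirit of Argos (added example, not Argos code).
# Every register and memory cell carries a taint bit. Data from the "network" is
# tainted; taint propagates through mov/add/store/load; a tainted jump target
# is treated as an attack because external data would steer control flow.

NETWORK_INPUT = [0x10, 0x20, 0x07]   # constructed sample packet bytes


class TaintViolation(Exception):
    """Raised when external (tainted) data is about to control execution."""


class TaintVM:
    def __init__(self, program, packet):
        self.prog = program
        self.packet = list(packet)                 # copy, so callers' data is untouched
        self.regs = {r: 0 for r in "abc"}
        self.taint = {r: False for r in "abc"}
        self.mem = {}                              # addr -> (value, tainted)
        self.touched = set()                       # cells written with tainted data
        self.pc = 0

    def run(self, max_steps=100):
        for _ in range(max_steps):
            if self.pc >= len(self.prog):
                return "halted"
            op, *args = self.prog[self.pc]
            self.pc += 1
            getattr(self, "op_" + op)(*args)
        return "timeout"

    def op_recv(self, r):                          # network byte: the taint source
        self.regs[r] = self.packet.pop(0)
        self.taint[r] = True

    def op_mov(self, dst, imm):                    # program constant: clean
        self.regs[dst] = imm
        self.taint[dst] = False

    def op_add(self, dst, src):                    # taint propagates through arithmetic
        self.regs[dst] += self.regs[src]
        self.taint[dst] |= self.taint[src]

    def op_store(self, addr, src):                 # remember which cells got tainted data
        self.mem[addr] = (self.regs[src], self.taint[src])
        if self.taint[src]:
            self.touched.add(addr)

    def op_load(self, dst, addr):                  # taint travels with the value
        self.regs[dst], self.taint[dst] = self.mem.get(addr, (0, False))

    def op_jmp(self, r):                           # tainted control transfer => alert
        if self.taint[r]:
            raise TaintViolation(f"tainted jump target {self.regs[r]:#x} in register {r}")
        self.pc = self.regs[r]


def run_program(program, packet):
    """Return (status, sorted list of memory cells the tainted data reached)."""
    vm = TaintVM(program, packet)
    try:
        return vm.run(), sorted(vm.touched)
    except TaintViolation as exc:
        return f"ALERT: {exc}", sorted(vm.touched)


# Benign: buffers a packet byte, then jumps to a constant address (end of program).
BENIGN = [("recv", "a"), ("store", 0x100, "a"), ("mov", "b", 4), ("jmp", "b")]
# Compromised: a "return address" cell is overwritten with packet data and then used.
COMPROMISED = [("recv", "a"), ("store", 0x200, "a"), ("load", "b", 0x200), ("jmp", "b")]

if __name__ == "__main__":
    print(run_program(BENIGN, NETWORK_INPUT))        # ('halted', [256])
    print(run_program(COMPROMISED, NETWORK_INPUT))   # ('ALERT: ...', [512])
```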

As bees to the honey pot

Argos is also used to elicit attacks. The computer it is running on becomes a sort of honey pot to attract aggressive bees. Argos subsequently observes which actions attackers undertake once they have entered the system.

Argos is not a straightforward program that everybody can install at home on their PC, emphasises Bos. ‘That was sometimes how the media reported about it at first. We were overwhelmed with phone calls from people asking why it would not run on their Windows PC.’ It is intended, for example, for system administrators who run dedicated machines for security. And it has proved highly popular among those experts. ‘It is not a particularly large group of people, so reaching nearly 9000 downloads says a lot.’ Bos explains the success: ‘At the time there was little available in this area. It is a complete and stable system that does its job really well.’

Initially, however, the technology did have one disadvantage: your machine was a lot slower when you ran it. ‘If you were unfortunate it could even be 16 to 20 times slower.’ Within the original set-up of the project that was not such a problem. ‘The system was developed for separate machines that must protect networks and servers, for example. The focus, however, gradually shifted more towards separate PCs and production machines, and now we are even looking at applications for handhelds.’ This new focus also brought new demands.
‘We are now trying to provide the same protection without the enormous overhead the platform generates, as smartphones would not be able to cope with this in terms of computing power and battery power.’ A first step in that direction had already been made. ‘We no longer try to protect everything all the time, only if something happens which could elicit an attack. The security only needs to be alert during activities such as opening an e-mail or clicking on a link in a web browser that you have not clicked on previously.’

Replica under scrutiny

In addition, the researchers came up with the idea that Argos does not need to be on the mobile device to be able to stop intruders. ‘We have now produced an Argos version for Android phones, which does not run on the phone itself but on a security server. We make an exact replica of the phone on the server and let Argos run on the replica. In effect we make images of your phone and send them to the server. That does cause a small delay in the detection. However, discovering 30 seconds later that your smartphone has been hacked is still better than not knowing at all.’

And that delay also has an unexpected advantage. ‘As the attacker you cannot hide anything as we have images of the exact moment of entering. By playing back the execution again we see exactly what happened between the clean and the infected state. That yields valuable information for resisting subsequent attacks.’ One day, you might even be able to use the images to restore the system to the situation just before the attack. Realising that is still a considerable challenge though, according to Bos.

‘We have just published a paper about how Argos observes what malware does, and whether we can make an automatic recovery procedure around this. Autorecovery currently means that everything that might be infected is thrown away. Then you lose a lot of data. We only want to repair what the attacker has touched and leave alone everything that is unchanged.’ But even then the job’s not finished, he says: ‘Everything which is neither definitely clean nor definitely touched still needs to be checked manually. Therefore the aim is to make that group as small as possible.’

Moving train

Although the Sentinels project finished three years ago, Argos has not been standing still. ‘Argos has been developed further in other projects. Within the European Seventh Framework project Noah, Argos formed the core of the infrastructure. And within the European project Wombat, Argos is being used for the detection of Internet attacks.’ But outside of the research world, too, Argos is still being actively developed further, says Bos. ‘Argos is now the only open source software in the core of the SGNet detection system of Symantec, the major virus scanner producer. And SURFnet, which was a member of the user committee of the Sentinels project, was so interested that it has implemented Argos in its own systems.’ A new version will shortly be released. Bos says that with some pride: ‘Argos is one of the first taint analysis systems that has been made suitable for the latest operating systems, such as Windows 7.’

Photo: Sjoerd van der Hucht Fotografie

Text: Sonja Knols, IngenieuSe

Translation: NST