Just over a decade ago my university started to offer a controversial course known as “CPSC 527 Computer Viruses and Malware”. Or as I refer to it: the Virus course.
The virus course has a reputation which precedes it. I first heard of it in my second year. Word was that there existed a course held in a locked and isolated lab: no internet and no electronics allowed. Only fourth-year students could enrol, and an essay was required.
So fast forward to late third year, when a friend and I had set our minds on this mythical course. Said friend managed to uncover the controversy dating back to 2003 over the introduction of our viruses course.
Most of the resulting articles and press releases can still be found through a quick search. Most notable were two press releases from the Anti-Virus manufacturers Sophos and F-Prot. Both give an insight into why the course was not well received by all:
I just wanted to make sure that you are aware of the effects that participation in the course may have on the students’ future career. Most anti-virus companies (including ours) have a policy against hiring former virus writers for anti-virus work. What this means is that in the event that the students actually learn something useful in the course, they will most likely not be able to obtain employment in the anti-virus industry due to their participation in the course, and thus not be able to contribute to actually solving the virus problem. — Fridrik Skulason of F-Prot
Sadly it seems the university is developing courses according to what it believes will be most attractive to potential students rather than focusing on skills that will be useful to them in the security industry. One wonders if the University will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users. — Graham Cluley of Sophos
What struck me is the assumption both responses share: that it is Anti-Virus companies which bring relief from viruses.
I disagree. Security, and thus relief from viruses, instead derives from your ecosystem and your operating system. Which brings me to my interest in the course:
- Having fun
- Becoming a better systems programmer
I have no interest in becoming a researcher for the Anti-Virus industry. Instead I want to create systems which minimize vulnerabilities and reduce any ground a virus can win by finding one. Meanwhile, all Anti-Virus software can do is slow down your computer, take your money, and tell you it is time to reinstall Windows.
Now Mr. Cluley and Mr. Skulason do raise a good question: why should you create a new virus? To answer that, let us look back to 2007, during my tenure at the local McDonald’s. In our flashback I am a new employee and my boss has taken time out of her day to instruct me on the proper method for cleaning dishes. You see, the drive-through is right across from the washing station, and thus it is the task of order takers to clean dishes while waiting for cars. Now I wasn’t a patient lad and protested against a practical demonstration. I asked her if she could instead just tell me how to wash dishes. To this she said:
You’ll only learn something once you’ve done it. — My boss circa 2007
Which is thus the core reason why CPSC 527 must be about writing new viruses. Similarly themed courses at other universities may teach viruses the way Mr. Cluley and Mr. Skulason wish them to be taught: by dissecting existing viruses. Granted, Mr. Cluley is correct that this approach would better serve students going into the Anti-Virus industry. Dissecting existing viruses is the major task when writing an Anti-Virus scanner. Thus prospective job applicants to Sophos or F-Prot would be well served by practicing their new job while in school.
Except I have no interest in the Anti-Virus industry. Instead I want to learn to think like a virus writer. I want to look over a system’s design and notice “Hey, I can abuse that!”. Not for the purpose of abuse, but to bake security into what I create.
To that end I can say CPSC 527 was a fantastic course: I wrote a virus, an exploit for a buffer overflow vulnerability, and, for the final assignment, a virus scanner for the other 10 groups’ viruses.
All virus work was done in the virus lab: a locked lab with no internet access, on machines which required a second student to vouch for your identity before you could log in. The machines themselves were Linux boxes running FreeBSD in a locked-down virtual machine. Even if a malicious student did bring the viruses out of the lab, there would be no targets to infect!
The viruses we wrote were not complex or modern. My current value to the Russian Mafia is still about zero dollars.
With that said, my virus did win the prize for best virus, which in this course means it was the worst and most annoying virus.
What my virus did was launch a rootkit into kernel space. This rootkit would then sit and count how many files a thread opened. Once a thread had opened N files it got marked as an anti-virus scanner. Then, instead of killing the undesirable scanner, we would deny all of its write requests. Thus a scanner would work for the files in /bin, but any warnings of viruses in /sbin or /usr/bin would be silenced. The net effect was to make programmers think their scanner was broken!
The rootkit was so effective even I got caught by it! My scanner would find the infected files in /bin but not the ones I knew were in /usr/bin.
Beyond pride, writing the rootkit was enjoyable, fulfilling that first goal. Spying on the scanners required hooking BSD’s system calls and stuffing data into unused fields of the thread’s task struct. I even booby-trapped the system call table: any attempt at unloading my rootkit would leave non-NULL yet invalid pointers in the system call table. Thus any calls to open or write files would crash the kernel.
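The stale-pointer booby trap described above is exactly the signature that system call table integrity checkers look for: a slot that no longer points at a handler the kernel image exports. The following is an added example, not code from the course or the post, and it is a user-space model rather than a kernel module: the table `sysent`, the `*_stub` handlers and `not_in_kernel_image` are all constructed stand-ins (FreeBSD’s real table is also named `sysent[]`, but its entries are `struct sysent`, not bare function pointers). The checker snapshots the table while it is trusted, then classifies each slot as unchanged, redirected to another legitimate handler, or pointing outside the known handler set, and can restore the baseline before anything calls through a bad entry.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a kernel's system call table: an array of
 * handler pointers indexed by syscall number. Constructed for this
 * example; it is not kernel code. */
typedef long (*sys_handler_t)(long arg);

/* Constructed handlers standing in for the kernel's own implementations. */
static long sys_open_stub(long fd)  { return fd + 1; }
static long sys_write_stub(long fd) { return fd + 2; }
static long sys_close_stub(long fd) { return fd + 3; }

/* Constructed stand-in for a pointer that is non-NULL but no longer points
 * at anything the kernel exports (a module's text after unload, or a hook). */
static long not_in_kernel_image(long fd) { (void)fd; return -1; }

#define NSYSCALLS 4

/* Live table. Slot 3 is unimplemented on purpose: NULL is a legal entry. */
static sys_handler_t sysent[NSYSCALLS] = {
    sys_open_stub, sys_write_stub, sys_close_stub, NULL,
};

/* Known-good copy taken while the table is trusted (e.g. at boot, before
 * any third-party module has been loaded). */
static sys_handler_t baseline[NSYSCALLS];

void snapshot_baseline(void) { memcpy(baseline, sysent, sizeof baseline); }

/* Allowlist: addresses the kernel image itself exports as syscall handlers.
 * A real checker would derive this from the kernel symbol table. */
static int is_known_handler(sys_handler_t h) {
    return h == NULL || h == sys_open_stub || h == sys_write_stub ||
           h == sys_close_stub;
}

enum entry_state { ENTRY_OK = 0, ENTRY_REDIRECTED = 1, ENTRY_DANGLING = 2 };

/* Classify one slot: unchanged; changed but still a kernel handler (two
 * legitimate entries swapped); or changed to an address the kernel does not
 * export, which is what the unload booby trap leaves behind. */
enum entry_state check_entry(size_t i) {
    if (sysent[i] == baseline[i]) return ENTRY_OK;
    return is_known_handler(sysent[i]) ? ENTRY_REDIRECTED : ENTRY_DANGLING;
}

/* Walk the table and report. Returns the number of slots that differ from
 * the baseline, so a caller can alert before anything calls through them. */
int check_table(void) {
    int bad = 0;
    for (size_t i = 0; i < NSYSCALLS; i++) {
        enum entry_state s = check_entry(i);
        if (s == ENTRY_OK) continue;
        printf("syscall %zu: %s\n", i,
               s == ENTRY_DANGLING ? "points outside the kernel image"
                                   : "redirected to another kernel handler");
        bad++;
    }
    return bad;
}

/* Remediation: put the baseline back. Returns how many slots were repaired. */
int restore_table(void) {
    int fixed = 0;
    for (size_t i = 0; i < NSYSCALLS; i++) {
        if (sysent[i] != baseline[i]) { sysent[i] = baseline[i]; fixed++; }
    }
    return fixed;
}

/* Test fixture only: model the unload bug described in the post by leaving
 * a non-NULL pointer to memory that is no longer a kernel handler. */
void simulate_stale_entry(size_t i) { sysent[i] = not_in_kernel_image; }

int main(void) {
    snapshot_baseline();
    printf("clean table: %d bad entries\n", check_table());
    simulate_stale_entry(1);                 /* "write" now points nowhere safe */
    printf("after tamper: %d bad entries\n", check_table());
    printf("restored %d entries\n", restore_table());
    return 0;
}
```

The point of the allowlist step is that a plain "differs from baseline" comparison cannot tell a swapped-but-legitimate handler from a dangling pointer; only the second kind will crash the kernel on the next open or write, so a real checker should treat it as the urgent case and repair it before the slot is used.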
Towards the intangible goal of improving my systems programming: I am now quite paranoid. My programs now enjoy user input escaping far beyond anything reasonable. I found myself escaping even the input I got from the kernel, the kernel being the program which runs my program and already controls the entire computer.
As for systems design, my fervour for mobile and Firefox OS has only increased. We need to replace the Win32 ecosystem with an ecosystem that can be sandboxed, and we need to do it without throwing user freedom to the dogs. To that end the web is perfect. Web browsers have undergone years of security stress testing in the most hostile environments imaginable. The web represents an ecosystem developed from the beginning to be sandboxed; it is not even possible to self-modify binaries!
In general we need more programmers to take courses like 527. University students no longer write viruses for fun or to prove a point. Instead we have rogue governments attacking their own people. The risk in teaching students virus writing is now far outweighed by the benefits. We need programmers who will make security a priority. At Microsoft I learned that “UAC is not a security boundary”. What this means is that any vulnerability allowing a bypass of UAC will not get patched. They’ve resorted to this useless stance because there are already many unpatched vulnerabilities. The net effect is that users are running under admin accounts which feel like regular, non-all-powerful accounts.
So if you have a chance: please enrol in CPSC 527, or a similar course if your university offers one. If enough people take courses like these maybe the next UAC will not happen.