SecurityCurve Weblog

GIANT ANTS! (and security emergence)

It's Halloween - or, as we who are fans of cheesy sci-fi like to call it, "the high holidays". What other time of year can you watch a movie like "The Exorcist" on broadcast TV and know that - if you miss it - it'll come around again? I watched it last night (along with "The Village") and let me tell you it scares the hell out of me (pun intended) every time. Now, one could probably make the argument that casting Max von Sydow gave it a tremendous advantage in making it creepy - and I'd tend to agree with that. But it isn't all about Max von Sydow. That's not to do down Max: he goes a long way to making a movie great, but not all movies with him in it are scary (c.f. "Strange Brew", "Flash Gordon", "Conan"). No - I think what makes a horror movie scary is realism. Wait... what? No, really - "The Exorcist" is - at it's core - believable. Not the demon-possession part - but you have to admit that the mother reacts to her daughter's condition like a normal person would: she gets doctors and psychiatrists involved, she authorizes CAT scans, psychological tests, etc. Anyway, I bought it.

The believability factor is a huge one in separating the wheat from the chaff in a B movie. And it doesn't have to be high budget either. Take a movie like "Them!." If you haven't seen it, "Them!" is one of the "giant radioactive [xyz]" films from the fifties. In this case, it's giant radioactive ants that tear up the southwest. What I like about the "radioactive critter" movies is that (with a few exceptions) they tend to have the giant radioactive animals behave exactly like their smaller cousins. Now, "Them!" stretches this a bit, but the principle is still there - the gigantic ants act much like the garden variety; it's just the increased scale that makes them terrifyingly destructive. And ants are even more scary in this context because of the principle of emergence; namely, that ant behavior, while simple at the scope of an individual ant, is strikingly complex on the macro scale. In the case of ants, the resultant behavior is greater than the sum of its parts: there's the emergent property of survivability (the hive as a whole is more resilient) as well as lack of stasis (the hive is always in motion) and hierarchy-free complex behavior (the hive can operate without command and control.) Like I said, scary.

Of course, emergence isn't something that we're unfamiliar with in the technology world. We're accustomed to reading about the ermergent properties of the Internet as a whole. And Dave Fischer and Howard Lipson have been talking about emergence in software and survivability for a decade now. If you haven't checked it out, it makes for interesting reading. But what really gets my juices flowing isn't that stuff so much, but rather coming at it from the attacker side. What I mean is - there are tons of small simple "swarming" agents that are employed by attackers (e.g. worms, botnets) right? We know that small, simple, micro-behavior can have devastating success, survivability, and impact in aggregate, right? We could speculate attackers might desire to have that impact and resiliency in their attacks, right? So how might they do that in future? From a speculative standpoint, useful avenues for exploration are - in my opinion - worms and botnets. Although for some reason I find botnets to be a more fruitful area of speculation than worms (don't ask me why.)

Looking at botnets, I think we've seen a few areas where emergent properties arise; broadly speaking, we know that individual botnets have proven to be remarkably resilient - most folks who have written about botnets have commented on the fact that we seem to be losing the war when it comes to botnets. I think this resiliency is the same "survivability" principle we see in the Internet as a whole - in other words, "We define survivability as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents" (from "Survivable Network Systems: An Emerging Discipline"). Scary stuff. But in my mind, there are other questions - #1, how (besides survivability) are emergent properties in these systems currently aiding the attacker (if at all) and #2, how might we research future properties that could aid them?

One of the unfortunate things about analyzing emergent properties of malware is the fact that one of the things defining emergent properties is the difficulty of predicting them from analysis of the individual objects within the larger system. So, I guess it's pretty hard to say what might be the ultimate outcome or how an attacker could utilize these principles in a scary way. I guess that means no answers will be forthcoming from this side of the peanut gallery today, but if I had thousands of dollars in government grant money, I know what I'd be researching...