
Sandia Studies Botnets In 1M OS Digital Petri Dish

Ponca City, We love you writes "The NY Times has the story of researchers at Sandia National Laboratories creating what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of botnets. Sandia scientist Ron Minnich, the inventor of LinuxBIOS, and his colleague Don Rudish have converted a Dell supercomputer to simulate a mini-Internet of one million computers. The researchers say they hope to be able to infect their digital petri dish with a botnet and then gather data on how the system behaves. 'When a forest is on fire you can fly over it, but with a cyber-attack you have no clear idea of what it looks like,' says Minnich. 'It's an extremely difficult task to get a global picture.' The Dell Thunderbird supercomputer, named MegaTux, has 4,480 Intel microprocessors running Linux virtual machines with Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft. MegaTux is an example of a new kind of computational science, in which computers are used to simulate scientific instruments that were once used in physical world laboratories. In the past, the researchers said, no one has tried to program a computer to simulate more than tens of thousands of operating systems."
  • by leuk_he ( 194174 ) on Tuesday July 28, 2009 @05:57PM (#28859687) Homepage Journal

    The source code does not help you to imagine what happens in a peer-to-peer network with very large amounts of clients that have a different kind of environment. Not to mention software that has bugs.

    BTW... who is the first to post to the xkcd comic about it [xkcd.com] normal people have aquaria

  • by dotgain ( 630123 ) on Tuesday July 28, 2009 @06:12PM (#28859853) Homepage Journal

    BTW... who is the first to post to the xkcd comic about it

    Uhh, the First Post?

  • by coreboot ( 1607489 ) on Tuesday July 28, 2009 @06:13PM (#28859859)
    Hi, Ron here. Just thought I would mention a few things.
    I love the "life imitates xkcd" aspect. :-)
    We're well aware that Wine is not quite enough to run many Windows bots. Until a year or so ago, however, there was a researcher in North Carolina running Storm under Wine, but he told me that that effort ended when Storm added a kernel driver. We've got some ideas in that area. We expect that implementing them will cost less than 1 million Vista licenses.
    I was surprised to find I have become a cybersecurity expert! What I really am is an HPC expert who is using HPC tools and resources to build a system for studying cybersecurity phenomena on a millions-of-nodes scale.
    Doing anything with a million of something gets interesting fast. There are a lot of interesting challenges.
    Thanks
    ron
  • Re:Wine? (Score:3, Informative)

    by Facegarden ( 967477 ) on Tuesday July 28, 2009 @06:18PM (#28859919)

    ...Except for that they basically would have to say "Hey MS, your code is broken, so broken that we need free licenses in order to show the world how broken it is". While it is a great idea and would benefit them, all MS can see is bad press, and they want to avoid that.

    I'm pretty sure that the notion of Windows being susceptible to malware and viruses is probably something Microsoft has come to terms with; I really can't imagine anyone getting terribly upset. Viruses exist, someone wants to do some research, it shouldn't be that offensive of an idea.
    -Taylor

  • by MaskedSlacker ( 911878 ) on Tuesday July 28, 2009 @06:18PM (#28859921)

    I think you're misunderstanding what they are doing. They are not studying in-the-wild worms. They are trying to build theoretical models of botnets and how they propagate through networks--this is the equivalent of computer simulations of viral epidemics. You don't need to simulate what the virus does in a person to study how it spreads through a population.

  • by The_mad_linguist ( 1019680 ) on Tuesday July 28, 2009 @06:21PM (#28859949)

    Well, given that XKCD was imitating an old hacker competition...

  • by Anonymous Coward on Tuesday July 28, 2009 @06:50PM (#28860231)

    MSFT licensing in the big leagues is almost an honor policy sort of thing.

    There are ways for them to set up a single in-house activation server that doles out 1,000,000 activations, for example. It's what I would do.

    Or they could run every license as an evaluation copy for the 30 days, they could script something to re-arm the licensing to run it up to 180 days. (This is possible on all copies of Windows.)

    On top of that, as a research project they may be able to partner with Microsoft and not pay anything at all for 1,000,000 legit licenses for use in this project. Heck, Microsoft might want to help so they can fix some of these issues.

  • by dintlu ( 1171159 ) on Tuesday July 28, 2009 @07:02PM (#28860353)

    Goes to show that ideas are a dime a dozen.

    Implementing something like this is what makes the news.

  • by coreboot ( 1607489 ) on Tuesday July 28, 2009 @07:38PM (#28860609)
    We will probably approach MS at some point, if it appears to be necessary, and see if they are interested. I do have friends there who might be interested in what we're doing.
    The biggest limit we've found on the VM side is memory footprint of the VM guests, and it's very easy to control that with Linux; harder with Windows. We have some ideas in that area too, but it's way too early to speculate on them.
    But from my point of view, it is a lot easier to do this kind of work in Linux than in Windows (I have done NT drivers in a past life), not least because of the openness of the environment. Hence, I'd rather try to find a way to make it all work on Linux.
    Consider this work the beginning of the story; it's not even chapter 1, maybe it's the preface. There's a lot of work left to do. There's a lot we still don't know.
    thanks
    ron
  • by Antique Geekmeister ( 740220 ) on Tuesday July 28, 2009 @09:05PM (#28861141)

    WINE is far less resource intensive, and typically runs far faster, than fully virtualized simulation software, especially because it leaves out the basically rewritten-VMS kernel and memory management of the Windows kernel in favor of Linux's own pretty zippy kernel. And the cost of buying and running a million actual Windows boxes to avoid the performance penalties of virtualization is simply infeasible.

  • by PCM2 ( 4486 ) on Tuesday July 28, 2009 @09:35PM (#28861361) Homepage

    Do you really think it would be easier to set up (and periodically reinstall) a million copies of Windows vs. telling Linux to virtualize a million instances?

    I'm assuming they would do both. If they didn't have to individually license each Windows instance, it would be trivial to clone a million virtualized instances of a fresh Windows install. (I'm sure he's right that this would make resource management more difficult/costly than using WINE, however.)

  • by Anonymous Coward on Tuesday July 28, 2009 @11:09PM (#28861871)

    Someone marked this as 'funny' but it is true. Read the license; it is per user... If you're creating a cluster with THOUSANDS of nodes and testing things you are perfectly within your rights to do this. You can even get most of the different versions of the OS going. 98, 98se, 95 (shudder), ME (double shudder), NT4, 2k, XP, Vista, 7, etc... Putting different versions at different patch levels etc...

    http://msdn.microsoft.com/en-us/subscriptions/cc150618.aspx [microsoft.com]

    They lost me at Wine. As that would not truly create the environment they are trying to describe.

    I have had up to 100 desktops all going from 10 MSDN licenses (10 users). With different levels of the OS to test install and different configurations. They probably don't even need a very high level of it.

  • by Entropius ( 188861 ) on Wednesday July 29, 2009 @12:20AM (#28862253)

    The researcher posted up above saying he's an HPC researcher, not a computer security guy, and in that context using Wine makes sense.

    HPC people typically study emergent behavior -- how a lot of nodes interacting by simple rules generate complicated phenomena. The challenge is coming up with the simple rules in a form that accurately captures whatever leads to the emergent behavior you want to model. In this case, "actually being Windows so all the viruses work exactly right" is less important than getting a lot of nodes running to capture the interesting behaviors of viruses spreading through a large network.

    Supercomputing is difficult on Windows. I'm at a computational physics conference now, and everything runs on Linux just because it's bloody *easier* to make everything go. I doubt many people here would even know *how* to run our models on a Windows supercomputer.

    Performance issues aside, my guess is that the fellow chose Linux because the computer *already* ran Linux.
