Sandia Studies Botnets In 1M OS Digital Petri Dish

Ponca City, We love you writes "The NY Times has the story of researchers at Sandia National Laboratories creating what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of botnets. Sandia scientist Ron Minnich, the inventor of LinuxBIOS, and his colleague Don Rudish have converted a Dell supercomputer to simulate a mini-Internet of one million computers. The researchers say they hope to be able to infect their digital petri dish with a botnet and then gather data on how the system behaves. 'When a forest is on fire you can fly over it, but with a cyber-attack you have no clear idea of what it looks like,' says Minnich. 'It's an extremely difficult task to get a global picture.' The Dell Thunderbird supercomputer, named MegaTux, has 4,480 Intel microprocessors running Linux virtual machines with Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft. MegaTux is an example of a new kind of computational science, in which computers are used to simulate scientific instruments that were once used in physical world laboratories. In the past, the researchers said, no one has tried to program a computer to simulate more than tens of thousands of operating systems."
  • by iamapizza ( 1312801 ) on Tuesday July 28, 2009 @05:47PM (#28859553)

    what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of botnets

    If they've set up this mini-internet and have set up this botnet, then the easiest way to understand its behavior would be to look at the source code

  • Wine? (Score:5, Insightful)

    by Facegarden ( 967477 ) on Tuesday July 28, 2009 @05:52PM (#28859619)

    I understand using WINE to avoid license fees, but wouldn't that potentially hinder the results of the experiment? I suppose that if they knew what functionality was needed by the botnet, they could be sure WINE provided what they needed, but it also seems like they might be able to work out a deal with MS to get a free site license for use in this test only, since it betters the computing world in general, which ultimately benefits Microsoft?

    Seems like a few phone calls might go a long way, if they get a hold of the right people.
    -Taylor

  • by geegel ( 1587009 ) on Tuesday July 28, 2009 @05:54PM (#28859647)
    Welcome to the world of open source software. The place where you can modify the code in any way you want.
  • WINE (Score:3, Insightful)

    by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Tuesday July 28, 2009 @05:55PM (#28859671) Homepage

    Can a botnet run on WINE with 100% compatibility? Doesn't malware often use exactly the same kinds of tricks that WINE doesn't fully implement? This might not create an accurate picture.

    Also, are they simulating network latency between nodes? Many bots take this into account.

  • by mcrbids ( 148650 ) on Tuesday July 28, 2009 @06:02PM (#28859745) Journal

    I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?

    WINE is an implementation of the Win32 API. Since the *target* of WINE is to emulate Windows, then in order to be successful, it must implement the bugs as well. So the better WINE is, the better it runs *ALL* Windows software - including the viruses and malware!

    I would assume (ass + u + me) that they've done enough unit testing on the particular botnet software in question to determine its compatibility with WINE, and so long as this compatibility is sufficient, then this could be a very useful test environment. It's the botnet being studied, not Windows itself!

    Another example: Windows 2000. I build data management software. I test with Windows 2000. Not because Win2000 is an example of the latest greatest from MS, but because it costs me nothing extra and runs nicely in a VM. Since the only O/S features I care about are those that are already present in Win2000, it creates a very useful test environment despite lacking many pieces present in later OS versions.

  • by EdIII ( 1114411 ) * on Tuesday July 28, 2009 @06:07PM (#28859805)

    I understand not wanting to buy 1M windows licenses; I am of the persuasion that is not inclined to buy 1 license.

    However, the summary seems to claim that Wine == Windows environment. I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?

    Yeah, I call bullshit on that too. If you want to study botnet behavior, which includes studying malware and viruses, then it should be a "real" Microsoft OS. I don't think WINE counts.

    I am not the biggest fan of ol' M$, but considering how interesting this research is and its possible positive impact on the greater community (which does benefit Microsoft) you would think they would at least ask Microsoft for some licenses gratis.

    Microsoft would probably be reasonable, if just for the good PR, which they sorely and always need.

  • by Anonymous Coward on Tuesday July 28, 2009 @06:15PM (#28859881)

    Hell, they should have just called Microsoft, said "we'd like to do this research" and gotten a license to do things that way.

  • by Anonymous Coward on Tuesday July 28, 2009 @06:16PM (#28859891)

    I can't possibly imagine how a simulation of millions of instances of your software infecting itself would be good PR.

  • by Sta7ic ( 819090 ) on Tuesday July 28, 2009 @06:19PM (#28859925)

    Just like the easiest way to understand how a dog works is to dissect them.

    In short, no. You can figure out how some of the parts work, but there's a lot within complex software that is non-deterministic, whether for internal, external, or thoroughly inadvertent reasons on either side. Just because you _think_ you know what it's doing doesn't mean it'll act the way you expect it to.

    Also, see http://xkcd.com/397/ [xkcd.com]

  • by amicusNYCL ( 1538833 ) on Tuesday July 28, 2009 @06:31PM (#28860061)

    Since this is a closed environment for a scientific study, it would make sense for them to use viruses which spread via exploits that they know are present.

  • by amicusNYCL ( 1538833 ) on Tuesday July 28, 2009 @06:34PM (#28860089)

    The research isn't to determine how Windows reacts to a botnet. They're trying to figure out how the botnet itself communicates and spreads. Or, more specifically, what the botnet looks like as it is spreading. Windows is just the platform that they're running the botnet on (sort of), but they don't really care how Windows reacts to it.

    In other words, they're studying the botnet itself, not the infrastructure it runs on.

  • by caramelcarrot ( 778148 ) on Tuesday July 28, 2009 @07:27PM (#28860529)
    Simple rules can give rise to complex behaviour. Who knows what the botnet might do? It could have harmonic resonances, it could have phase changes at critical infection rates, it could do all sorts of interesting and complex behaviour. Looking at the source code won't tell you any of this.
  • by coreboot ( 1607489 ) on Tuesday July 28, 2009 @07:53PM (#28860703)
    not really. Source code analysis goes just so far. Multiplied by 1M, it goes less far still. And then there's this little issue: http://en.wikipedia.org/wiki/Halting_problem [wikipedia.org]
    ron
  • Not exactly. (Score:5, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday July 28, 2009 @08:02PM (#28860757)

    A patent on an IMPLEMENTATION of an idea is a good thing.

    A patent on an idea itself ... that's stupid. And that's what we're stuck with today.

  • by voidphoenix ( 710468 ) on Tuesday July 28, 2009 @09:34PM (#28861353)

    You can't study emergent behavior [wikipedia.org] by studying source code. Even within one host, the interactions between malware, applications and every piece of the OS would already have emergent properties. Magnify by tens of thousands to millions (exponentially [wikipedia.org], not additively or multiplicatively), and the sheer complexity of the entire system would overwhelm our ability to understand it.

    We have ~100 billion neurons and ~100 trillion synapses. At 2^N - N - 1 subgroups, how many pieces before the system's complexity outruns our brain's processing power? A network of 47 pieces has ~140 trillion subgroups. With several million pieces...

  • by Vellmont ( 569020 ) on Tuesday July 28, 2009 @10:32PM (#28861675) Homepage

    Maybe. But why use ACTUAL botnets for this purpose and not study the underlying algorithms and infection behavior directly? That would give you the ability to generalize instead of relying on -botnet X, version z-

    If that's what you care about, study it. Why rely on botnet authors to code some arbitrary botnet spreading code when you can write your own and study various different scenarios at will?

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Tuesday July 28, 2009 @11:58PM (#28862125) Journal

    If it's unclear what the code does, run it in a debugger and control the inputs. Step through the code line by line. If the debugger doesn't do everything you want, write a better debugger.

    Is that right?

    Here, I'll describe a program so simple it can be coded in under 100 lines, and can be fully specified in a few sentences, then ask you a question about its behavior. It should be easy, right?

    There is a 100x100 grid of cells. Each cell is in one of two states "live" or "dead". Each cell has 8 neighbors, the cells horizontally, vertically and diagonally adjacent (the edges of the grid "wrap", so this is true even for edge cells). Each "generation", the state of the cells is updated according to the following rules:

    1. Any live cell with fewer than two live neighbours becomes dead.
    2. Any live cell with more than three live neighbours becomes dead.
    3. Any dead cell with exactly three live neighbours becomes live.
    4. All other cells remain unchanged.

    That's it. Now, given an initial state of the grid, tell me what the state is after 100, 500 and 1000 generations. Further, tell me whether or not any patterns of live cells will survive across generations. Will patterns repeat? Can patterns move? Interact?

    Amazing complexity can arise from very simple rules. In this case (known as Conway's Game of Life, if you hadn't recognized it), the above rules contain enough power that if you make the grid infinite in size, the result is a Turing-complete computation system. In addition, the shifting patterns it creates are bewildering in their number, complexity and behavior.

    Now scale that up to thousands of lines of code. Granted, not code specifically chosen to create interesting interactions, but still 2-3 orders of magnitude more complex. Further, code that itself lives in and interacts with a complex and varied ecosystem of other code, some of which is trying to detect the code and kill it -- so the code is written to be self-modifying, to "mutate" a bit, after a fashion. Also add in the ability to migrate between "ecosystems", reproduce, receive deliberate external updates and instructions, etc.

    Simulation is the only way to get a handle on this sort of thing. And that's why the very smart people who designed and built the world's first million-machine simulator decided to do it.
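The four rules above, written out as a runnable simulator on the 100x100 wrapping grid the comment specifies (an added example, not the commenter's code). The blinker and glider are standard constructed test patterns, included so the "will patterns repeat / can patterns move" questions can be answered by running the rules rather than by reading them.

```python
# Toroidal Game of Life: a grid stored sparsely as the set of live (x, y)
# cells; any cell not in the set is dead. Edges wrap, as in the comment.

def step(live, width=100, height=100):
    """Advance one generation. Only neighbours of live cells can change,
    so counting live neighbours around each live cell covers every candidate."""
    counts = {}
    for x, y in live:
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                if dx or dy:
                    n = ((x + dx) % width, (y + dy) % height)  # torus wrap
                    counts[n] = counts.get(n, 0) + 1
    nxt = set()
    for cell, n in counts.items():
        if cell in live and n in (2, 3):    # rules 1, 2, 4: survive on 2 or 3
            nxt.add(cell)
        elif cell not in live and n == 3:  # rule 3: birth on exactly 3
            nxt.add(cell)
    return frozenset(nxt)


def run(live, generations, width=100, height=100):
    """State after N generations (the comment's 100/500/1000 question)."""
    for _ in range(generations):
        live = step(live, width, height)
    return live


def period(live, limit=1000, width=100, height=100):
    """Smallest p >= 1 with run(live, p) == live, else None within limit."""
    g = live
    for p in range(1, limit + 1):
        g = step(g, width, height)
        if g == live:
            return p
    return None


def translate(live, dx, dy, width=100, height=100):
    """Shift a pattern on the torus; used to test whether a pattern moved."""
    return frozenset(((x + dx) % width, (y + dy) % height) for x, y in live)


# Constructed sample patterns (not from the comment): a period-2 oscillator
# and the glider, which moves one cell diagonally every four generations.
BLINKER = frozenset({(1, 0), (1, 1), (1, 2)})
GLIDER = frozenset({(1, 0), (2, 1), (0, 2), (1, 2), (2, 2)})
```

On the 100x100 torus a glider travels 100 cells diagonally in 400 generations and so returns to its starting cells, which is the kind of global behaviour the comment says you cannot read off the rules.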
