Abstract: On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern (Kaspersky) fully exploited known vulnerabilities in Microsoft SQL 2000 servers and caused tremendous network jam around the world. In this article, the concept of population biology is proposed to apply to the computer programming. The concept is to diversify the same software functionality with a population of executables to avoid being eliminated or exploited by a virus or worm like SQL Slammer. --------------------------------------------------------------------------- - In biology, it is a known fact that a species with a diverse population is less likely to be extinct than a species with a "cloned" population under selection pressure. It is one of important reasons why we want to keep the biodiversity, I believe. What the SQL Slammer has exploited during the last weekend exposed not only the vulnerabilities in Microsoft SQL 2000 but also the vulnerabilities in the normal delivery methods of software package. A normal software package contains the same documents, the same executable files. In other words, the package is just copied or "cloned" without diversity. What just had happened taught us a lesson about the importance of diversity in computing world as well, I think. If we study the SQL Slammer worm in assembly language (http://www.eeye.com/html/Research/Flash/sapphire.txt) carefully, we will realize how selective or "laser-guided" this worm is. If the population of the SQL 2000 server executable had been diversified, then the impact of the SQL Slammer would have been much less noticeable. So, I propose the concept of installation time linking to diversify the same software functionality with a population of executables. In other worlds, different executables have the same functions. Installation Time Linking Of Object Files Into An Executable The concept of the installation time linking is that it enables the executable to be randomly laid out (including the Import Address Table abused by the SQL Slammer). Functionally speaking, the executable image #1 and image #2 listed above in Figure 1 are the same even though the layouts are different. Therefore, if a program like the SQL Slammer is targeting a special executable program, it will lose its effectiveness on another executable because of different image layout or addresses, (unfortunately it might crash the application). The disadvantage of this technique is that it requires more customers' support if the software has problems. It might become more difficult for the vendors to patch or provide so-called service packages, (well a service package just simply overwrites existing files or adds new ones currently, right?). If this concept goes further, then the operating system does the dynamic linking of libraries or object files in a randomized order as well to diversify further. Whether this concept is practical or not remains to be seen. --------------------------------------------------------------------------- - For the article with the figure 1, please visit http://members.rogers.com/yinrong/articles/PopulationComputing.pdf Thank you and have a nice day. Peter Huang http://members.rogers.com/yinrong
