
2003/07 - Teaching Viruses

First published: 15th July 2003

It is not the teaching of how exploits, viruses, and worms work that is the problem. It is the unnecessary creation of self-replicating code. We need more people who understand viruses and how to combat them, but it is not necessary to create a virus to understand them. Additionally, knowing how to create a virus is nowhere near the complete skill set needed to combat them. Combined with the inherent dangers of self-replicating code this makes virus writing practicals unnecessary and unethical.

The inherent dangers are a result of three properties of self-replicating code: generality, range of effect, and persistence. These change how we need to think about security. In particular, if the precautions taken to prevent escape of the code from the secure laboratory fail, then there is no pre-determined limit on how much damage it can cause, or how long it can survive. As we know there are no absolute guarantees in security, the course organiser should therefore minimise the potential for damage by supplying anti-virus developers with samples of all the viruses created. One University class of new viruses each year (say, 50 viruses) is not going to make a big difference to the total number of new viruses -- there are currently at least 50,000 known types. However, if this is a good and useful course, then every University, world-wide, should have a similar course, and we could see 50,000 new viruses a year just from those courses.

So, is it possible to study viruses and worms without creating them? The feature that differentiates a virus from other programs is modifying other programs to include a copy of itself, but, in terms of studying techniques and understanding, what is the difference between:

  1. modify program A to include a copy of program B.
  2. modify program A to include a copy of yourself.

Would the student's understanding of the techniques involved be reduced if he wrote a program to do (1) instead of (2)? How do they compare in terms of safety? The program from (1) could be used by a miscreant to modify programs, perhaps creating Trojans with bad effects wherever the miscreant introduced the Trojans. The program from (2) is a virus, and, as noted above, capable of spreading indefinitely, modifying other programs with unknown results. So: (1) is a tool that, when used with intent to damage, can cause harm -- no worse than an axe; (2) can spread like wildfire from a single accident or careless incident. A dropped cigarette butt and an axe can both destroy a forest, but one takes a lot more work and intent. So, new infection methods can be examined by creating programs that create arbitrary programs -- making it self-replicating is not necessary for understanding the technique.
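The following is an added illustration of the argument above, not code from the original article or its author. It works entirely on constructed in-memory byte strings that stand in for "programs" (nothing is written to disk or executed), implements only technique (1), and pairs it with the defender's side: a known-good baseline hash that detects the modification, and a routine that recovers the inserted copy from a modified program. The `MARKER` separator and the two toy programs are assumptions of this toy format.

```python
import hashlib
from typing import Optional

# Constructed toy "programs": byte strings standing in for executables.
PROGRAM_A = b"PROG-A:print('hello from A')"
PROGRAM_B = b"PROG-B:print('hello from B')"

# Separator between the original host and the inserted copy, so the
# inserted part can be located again (an assumption of this toy format).
MARKER = b"\n#--INSERTED--\n"


def include_copy(host: bytes, payload: bytes) -> bytes:
    """Technique (1): return host modified to include a copy of payload.

    Technique (2) would be the very same call with payload set to the
    modifying program's own bytes. It is deliberately not implemented:
    the modification technique is identical, only the payload differs,
    and that difference is exactly what makes (2) self-replicating.
    """
    return host + MARKER + payload


def baseline_hash(program: bytes) -> str:
    """Defender side: record a SHA-256 of a known-good program."""
    return hashlib.sha256(program).hexdigest()


def is_modified(program: bytes, known_good: str) -> bool:
    """Compare the current program against its recorded baseline."""
    return baseline_hash(program) != known_good


def extract_inserted(program: bytes) -> Optional[bytes]:
    """Analysis side: recover the inserted copy from a modified program,
    or None if the marker is absent."""
    _head, sep, tail = program.partition(MARKER)
    return tail if sep else None


if __name__ == "__main__":
    good = baseline_hash(PROGRAM_A)
    modified = include_copy(PROGRAM_A, PROGRAM_B)
    print("original modified?", is_modified(PROGRAM_A, good))   # False
    print("host modified?", is_modified(modified, good))        # True
    print("recovered B?", extract_inserted(modified) == PROGRAM_B)  # True
```

The point of the exercise is that everything a student learns from `include_copy` about modifying one program to carry another, and everything a defender learns from `is_modified` and `extract_inserted` about detecting and dissecting the result, is learned without the payload ever being the modifying program itself.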

Universities should be teaching students how to work and research safely and ethically. Undergraduate medical students don't cut up live people, they learn anatomy cutting up dead people. When I was learning microbiology and genetic engineering, we learnt about containment of our experiments, how to sterilise our equipment, before and after, and safe disposal of the cultures. Computer science students should be learning how to research computer viruses without creating them.

We do need to teach this stuff, but that does not require virus writing practicals, just as police officer training does not require murder practicals. Understanding self-replicating code is different from writing it. In fact, reverse engineering is a much more important skill for an anti-virus researcher -- when presented with an unknown program, how do you work out everything it does without inadvertently allowing it to cause damage or escape?

I hope that makes it clearer why it is not necessary for students to write viruses, and why it is not responsible to do so. Many anti-virus researchers have a similar opinion, as can be seen from this open letter:

http://www.avien.org/publicletter.htm

The signatories are not just anti-virus vendor insiders; many are from major players in the IT industry, and IT users, including commercial and academic organisations. The University of Calgary has its academic freedom, but it should consider the reasons why so many of its peers, and those in the field it claims it is serving, object before proceeding.
