Teaching Virus Writing

The University of Calgary announcement of a course that teaches virus-writing has sparked controversy around the world. Sophos' Graham Cluley condemned the course as irresponsible, Rob Rosenberger ridiculed the idea, Robert Vibert expressed his concern and AVIEN organised a public letter. Security News This Week sentenced Sophos to the Dog-House for their remarks and Jan Hruska made clear the potential students' dismal job prospects with his company. What are the issues?

The University proudly announced the course in a press release, saying the course "will focus on developing malicious software such as computer viruses, worms", and emphasis is also placed on the legal, ethical and security aspects. The professor for the course, Dr. Aycock, is quoted, "in order to develop more secure software, and countermeasures for malicious software, you first need to know how malicious software works and the mindset of its creators". When faced with the publicity storm, the University further clarified that it would take place in a Protected Learning Environment - a secure laboratory, restricted access, no exit of removable media, no wireless access, or external network connections, and everything will be cleaned when the course ends. Therefore, we are led to believe, it is necessary to write viruses in order to understand them and there is no risk of one of the viruses created escaping.

The second point is contrary to one of the truisms of Information Security: there is no such thing as perfect security. The noted anti-virus researcher, Fridrik Skulason has commented, "I hope this implies an armed guard at the door, doing a full body search, because anything else would be insufficient". We could also speculate about combining the neat, pill-shape of some USB drives, and the existing practice of drug couriers ingesting condoms of contraband as a possible way to bypass the security arrangements. However, a student could easily write the code again back at the dorm, so this type of deliberate circumvention of the security arrangements is irrelevant.

If it is truly necessary to write viruses to understand them, the University could have very big problems preventing accidental release in future. We have known for several years that mobile phone viruses are a theoretical possibility, and powerful handsets are becoming common in the marketplace. How will Dr. Aycock research and teach mobile phone viruses? A private mobile phone network will not be cheap, but then he needs a shielded building to put it in - military-grade Tempest shielding will be very expensive.

So it is clear that even with the best precautions, an escape is a possibility, but how much does just one more virus "in the wild" matter? The escape of a virus is a lot more important than, say, dissemination of a new attack tool because of the fundamental properties of self-replicating code.

Computer Virus Basics

The principles I explain here have been said or written before by other, more distinguished writers (see Dr. Cohen, A Short Course on Computer Viruses), but it appears that not everyone was listening. A virus or worm, of course, is just another program, and it can do anything another program can do. The only difference is that it makes copies of itself. This leads to three properties: Generality, Range of Effect and Persistence. A virus can be created for any general-purpose programming environment. A virus can spread outside of the control of its creator. A virus can persist and cause a new outbreak an indeterminate time in the future.

Practical Considerations

In practical terms, the Lecturer asks a class of, say, 16 students to create their viruses. At the end of class, there are 16 new viruses in the classroom. There are no absolute guarantees that one will not escape, so the only truly responsible action the Lecturer can take is to collect copies of the 16 viruses and send them to the anti-virus developers. The viruses are then added to the glut of new viruses that products must detect, making them (slightly) slower. Each time the course is run, virus glut gets worse. If this is a good and useful course, we will soon have other Universities around the world offering similar courses, each making its own small contribution to virus glut.

Educational Benefits

A little thought will show that creating a program that copies itself is not a difficult problem; any competent programmer should be capable of doing it. What then is the learning benefit of actually performing such a simple task, and how does that benefit outweigh the risks associated with the new virus escaping?

What if the students were asked to create a "good" virus? Dr. Bontchev has adequately shown that there is no such thing as a good virus. Because of their properties of range of effect and persistence, they can reach environments that the author was unaware of, or that were not even created when the virus was written, with unpredictable consequences.

But Dr. Aycock says that in order to develop more secure software, and countermeasures for malicious software, you first need to know how malicious software works and the mindset of its creators. So how can students learn to create secure software? They can use the techniques without creating self-replicating code! The payload of a virus can always be studied independently - it is just another program. The infection techniques can be studied using programs that create or modify other programs, without copying themselves. In terms of studying techniques and understanding, what is the difference between:

  1. modify program A to include a copy of program B.
  2. modify program A to include a copy of yourself.

Would the student's understanding of the techniques involved be reduced if he wrote a program to do (1) instead of (2)? How do they compare in terms of safety? A miscreant could use the program from (1) to modify programs, perhaps creating Trojans with bad effects wherever the miscreant introduced the Trojans. The program from (2) is a virus, and, as noted above, capable of spreading indefinitely, modifying other programs with unknown results. So, (1) is a tool that, when used with intent to damage, can cause harm - no worse than an axe. (2) can spread like wildfire from a single accident or careless incident. A dropped cigarette butt and an axe can both destroy a forest, but one takes a lot more work and intent.

So, new infection methods can be examined by creating programs that create arbitrary programs - making them self-replicating is not necessary for understanding the technique.

Universities should be teaching students how to work and research safely and ethically. Undergraduate medical students don't cut up live people; they learn anatomy cutting up dead people. When I was learning microbiology and genetic engineering, we learnt about containment of our experiments, how to sterilise our equipment, before and after, and safe disposal of the cultures. Computer science students should be learning how to research computer viruses without creating them.

We do need to teach this stuff, but that does not require virus-writing practicals, just as Police Officer training does not require murder practicals, even though we want Police Officers to understand the methods and motivations of murderers. Understanding self-replicating code is different from writing it. In fact, reverse engineering is a much more important skill for an anti-virus researcher - when presented with an unknown program, how do you work out everything it does and how much of a threat it represents, without inadvertently allowing it to cause damage or escape?

Medical Ethics

The course blurb also says, "This attitude is similar to what medical researchers do to combat the latest biological viruses such as SARS." But medical researchers normally put safety as the number one priority. One of the questions that needed to be urgently answered for SARS was whether it was airborne or droplet-borne, but, as far as I know, no-one suggested the simple, obvious and accurate test of placing human subjects in rooms with appropriate sources, and waiting to see who got infected.

Security and Ethics

I hope that makes it clearer why it is not necessary for students to write viruses, and why it is not responsible to do so. Many anti-virus researchers have a similar opinion, as can be seen from this open letter.

The signatories are not just anti-virus vendor insiders; many are from major players in the IT industry, and IT users, including commercial and academic organisations. The University of Calgary has its academic freedom, but it should consider the reasons why so many of its peers, and those in the field it claims it is serving, object before proceeding. There is obviously a large difference between the ethical standards of many people in the anti-virus industry and Dr. John Aycock, which I suspect stems from many security experts attempting to classify viruses and worms as just another vulnerability when there are crucial differences.

Dr Aycock, self-proclaimed not-Author of Yoga for Buffaloes, obviously has a sense of humour. I just hope that this course announcement is another joke.

