Eugene H. Spafford, "The Internet Worm: Crisis and Aftermath", Communications of the ACM, Vol. 32, No. 6, pp. 678-687, June 1989.
....program that self-propagated across a network by exploiting security vulnerabilities in host software. This program, which infected several thousand hosts and disrupted Internet-wide communication due to its high growth rate, is the modern archetype for contemporary Internet worms [12] [13]. There have been few studies of computer worms since 1988, perhaps because there have been few outbreaks until recently. However, in response to Code Red several quantitative studies of its growth have been developed. Staniford Chen et al. provide an analytic model of Code Red's growth matched ....
E. Spafford, "The Internet Worm: Crisis and Aftermath," Communications of the ACM, vol. 32, no. 6, pp. 678--687, June 1989.
....point further up the stack and place code he wishes to execute at that location. With such an attack, a malicious party can run their own code with the permissions of the compromised application process (often Administrator or root for network services). The infamous Internet worm of 1988 [37] exploited a known such weakness (in the fingerd application) and the recent Code Red worms did the same (in Microsoft's IIS server). In each case, the particular overflow attack was well known ahead of time, but the software fixes were slow to appear and administrators remained vulnerable until ....
Eugene H. Spafford. The Internet worm: crisis and aftermath. Communications of the ACM., 32(6):678--687.
....line program onto the Internet. At 00:34 on November 3, 1988, Andy Sudduth of Harvard University posted the following message: "There may be a virus loose on the Internet." Indeed, Sun and VAX machines across the country were screeching to a halt as invisible tasks utilized all available resources [1] [2]. No virus brought large computers across the country to a standstill; the culprit was actually the first malicious worm. Unlike viruses and trojans which rely on human intervention to spread, worms are self-replicating software designed to spread throughout a network on their own. Although ....
E. Spafford, "The internet worm: Crisis and aftermath," 1989.
....resources or planting viruses. In spite of the fact that a geographically dispersed machine is harder to protect than one in a secure environment, I contend that security on the Global Computer will be better than we have today. Look at the Internet worm that crippled a large number of computers [6] or the penetration of U.S. Government computers by German hackers [7]. In the former case, known security holes in Unix were exploited to plant the worm. The latter security problem was uncovered by accident by someone worried about small accounting discrepancies. The main reason that the security ....
E. H. Spafford. The internet worm: Crisis and aftermath. Comm. ACM, 32(9), September 1989.
....has been considerable research on developing intrusion detection systems. Such systems analyze audit data or message traffic for detecting and reporting suspicious activities in a computer system. [Footnote 4: For example, the 1988 Internet worm exploited security weaknesses in common versions of popular operating systems [36].] There are two broad classes of intrusion detection approaches. In the first class are systems that recognize the occurrence of known attack patterns in the audit trail. In the second class are systems that first build a profile of normal system or user behavior and report ....
E. Spafford. The Internet Worm: Crisis and Aftermath. Communications of the ACM, 32(6):678--687, June 1989.
....These bugs can provide test cases against which researchers can evaluate more sophisticated testing and verification strategies. Second, one of the bugs that we found was caused by the same programming practice that provided one of the security holes to the Internet worm (the gets finger bug) [2, 3]. We have found additional bugs that might indicate future security holes. Third, some of the crashes were caused by input that you might carelessly type. Some strange and unexpected errors were uncovered by this method of testing. Fourth, we sometimes inadvertently feed programs noisy input, e.g. ....
E. H. Spafford, "The Internet Worm: Crisis and Aftermath," Communications of the ACM 32(6) pp. 678-687 (June 1989).
....is in need of some level of protection). Newspapers and periodicals are replete with examples of instances where security failures occurred because of lack of proper procedure or due to failure to recognize a particular vulnerability. One only has to review, for example, the Morris Worm event [3] [4], the excessing of government agency computer equipment with sensitive information still resident on magnetic medium, the mailing of IRS CD-ROMs with a virus present, or the software failure in AT&T's switches only a few years ago in order to recognize the continued relevance of INFOSEC ....
Spafford, E., "The Internet Worm: Crisis and Aftermath." Communications of the ACM, vol 32, no. 6, June 1989, pp. 678-688.
....Assuring that computer programs and systems are secure is an important and difficult problem. Security flaws are still being discovered in computer programs that have been in use for many years. Many of the flaws are caused by the same basic recurring faults [Spa92]. For example, the Internet worm [Spa89] exploited errors in Unix network programs. Examination of the flaws which caused the errors revealed them to be of an elementary nature. It is time for a concerted effort to try to prevent such flaws from occurring. Therefore, an appropriate initial application of property-based testing and the ....
Eugene. H. Spafford. The internet worm: Crisis and aftermath. Communications of the ACM, pages 678--687, June 1989.
....of errors was the use of dangerous input functions, such as the notorious gets() function. The problem is that gets() has no parameter to limit the length of the input data. Besides causing reliability problems, use of gets() was also the flaw that permitted a major breach in Internet security [3,4]. By using gets() the programmer is making implicit assumptions about the structure of the data being processed. The manual page from the Solaris 2.3 system wisely contains the following warning: When using gets(), if the length of an input line exceeds the size of s, indeterminate behavior may ....
Spafford, E.H., The Internet Worm: Crisis and Aftermath. Communications of the ACM 32, 6 (June 1989), 678-687.
.... a single broken fiber despite 7 fold redundancy [Neu87] the 1980 complete network failure which occurred when a single bit was dropped from a widely propagated status word [Ros81] and the 1988 Internet worm catastrophe which prompted many sites to preemptively shutdown as a means of protection [Spa89] 4 ficiently short duration that clients can wait until the failure is repaired. These assumptions are invalid in a large scale system; new replication techniques must be developed to cope with large scale issues. 1.3 Hypothesis The hypothesis of this research is that a large scale, wide area ....
....6 it must be addressed at some point, but it is outside the scope of this effort. 1.4. 5 Dissertation outline The remainder of this work consists of two main parts, the architecture and implementation of the Ficus 7 file system (Chapter 2) and a rigorous presentation 6 The Internet worm case [Spa89] is a recent example of vulnerabilities in large scale environments. 7 The name was inspired by the topological similarity of two trees, one from cyberspace and one from nature. The cyberspace tree is found in a large scale filing environment composed of existing standalone tree structured name ....
Eugene H. Spafford. "The Internet Worm: Crisis and Aftermath." Communications of the ACM, 32(6):678--687, June 1989.
....(Stroustrup) 1986 328 The C++ Programming Language; second edition (Stroustrup) 1991 669 The C++ Programming Language; third edition (Stroustrup) 1997 910 Table 3: The evolution in complexity of C and C++. even system software that should have been coded in such a way is often compromised (Spafford 1989). Therefore, the connection of any safety-critical system to the Internet can severely affect its reliability. 5 PROGRAMMING LANGUAGES Similarly to operating systems, programming languages also have a tendency to grow in size and complexity as they mature. Taking as a rough measure the page ....
Spafford, E. H. (1989, June). The Internet worm: Crisis and aftermath. Communications of the ACM 32(6), 678--687.
....TCP/IP Internet, in response to rising security concerns. Such concerns have increased markedly in the past few years, after a number of well-publicized events, such as a series of espionage attempts directed at U.S. government research laboratories [Stoll 1988], the Internet Worm of November 1988 [Spafford 1989], and other risks of being interconnected with interorganizational networks [National Research Council 1991]. There are a number of different ways that sites might reduce their closeness of association with the Internet. The most extreme measure is simply to disconnect from the Internet. Because ....
E. H. Spafford. The Internet Worm: Crisis and Aftermath. Commun. ACM, 32(6), pp. 678-687, June 1989.
....in. Indeed, taking the world of computing alone, malevolence, not altruism, appears to be prevalent [29] and this is irrespective of how well-intentioned the work may be to start with ([26] gives details of the idea of a useful worm program which was used to devastating effect not so long ago [27], despite never being intentionally designed for malevolent purposes). Taking this lack of altruism into account, some measures must be taken to make our agents less vulnerable to others' incompetent or malevolent behaviour. There are different approaches to this. The first, most obvious, is not ....
Eugene H. Spafford. The Internet Worm: Crisis and Aftermath. Communications of the ACM, 32(6):678--687, June 1989.
....limited trust "should I route this message via that node, or not" could translate to "do I trust this node enough to route this message through it". Another example is the Internet. Just how much trust comes into such systems was evident in the virtual collapse of the Internet a few years ago (Spafford, 1989). That it collapsed was perhaps due to excessive laxity on the part of some people, but the Internet Worm took advantage of various trusted host connections (Spafford, 1989). Trust is something little understood in such artificial networks (Woo & Lam, 1992). The formalism presented in this ....
....Internet. Just how much trust comes into such systems was evident in the virtual collapse of the Internet a few years ago (Spafford, 1989). That it collapsed was perhaps due to excessive laxity on the part of some people, but the Internet Worm took advantage of various trusted host connections (Spafford, 1989). Trust is something little understood in such artificial networks (Woo & Lam, 1992). The formalism presented in this thesis would allow nodes in such networks to reason with and about trust, but also would allow network managers another means of assessing their networks. Of course, such a means ....
Spafford, Eugene H. 1989. The Internet Worm: Crisis and Aftermath. Communications of the ACM, 32(6), 678--687.
....for agents to be able to send email, but how can we judge whether an individual email is safe to send? Furthermore, each library adds another security model and more trusted code to the environment, increasing the likelihood of bugs or holes that an attacker could exploit. The Internet worm [Spafford 1989] provides a lesson in how the combination of mobile code and security weaknesses can enable large scale attacks on the Internet. In addition to protecting recipients from agents, we may also want to protect agents from recipients. A provider may only be willing to distribute agents if the privacy ....
E. H. Spafford, June 1989. The INTERNET worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687.
....and returns only the final result. However, transmitting an agent to a remote machine introduces numerous complexities. The agent must either proceed from machine to machine in round robin fashion or run multiple copies of itself on each machine, which raises the specter of the Internet worm [Spa89]. The agent must be able to run on different machine architectures since there is no guarantee that the domain is contained within a uniform architecture. Privacy and authority become more complicated since remote machines must be protected from malicious agents at the same time that agents are ....
Eugene H. Spafford. The internet worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687, 1989.
....While doing so has powerful potential for supporting loosely coupled cooperative applications [Kahn & Cerf 1988, Schwartz 1991c], it poses some dangers as well. First, there is the danger that such computations may spread uncontrollably, as in the case of the Internet Worm of November 1988 [Spafford 1989], the error that led to the AT&T network outage of January 1990 [Fitzgerald 1990], and a number of other situations characterized by the Automatic Generation of Messages [Manber 1990]. Second, even if such computations do not spread in an uncontrolled fashion, they may potentially generate a ....
E. H. Spafford. The Internet Worm: Crisis and Aftermath. Commun. ACM, 32(6), pp. 678-687, June 1989.
....citing privacy concerns. Our ability to obtain study participants was also complicated by the Internet worm of November 1988, which invaded thousands of Internet sites and raised the security consciousness and workloads of most system administrators shortly before we started collecting data [Spafford 1989]. We asked 62 different sites to participate. Among these, fifteen sites containing 22 machines that logged mail traffic (hereafter referred to as "log hosts") did so. Some domains transmitted data from multiple log hosts, corresponding to separately administered computing facilities (referred to ....
E. H. Spafford. The Internet Worm: Crisis and Aftermath. Commun. ACM, 32(6), pp. 678-687, June 1989.
....In particular, interconnection at the datagram level is an all or none mechanism, allowing outsiders access to all the hosts and applications of an organization on the internetwork. The magnitude of this threat has been underscored by several incidents affecting large internetworked communities [19, 22, 24, 25]. To completely protect against penetration, every host within an organization must be made secure, no small feat when it involves tens of thousands of poorly managed workstations and PCs. One alternative, perhaps less secure but certainly more feasible, is to block certain kinds of packets at the ....
....can support mail and USENET without violating our policy of no direct connections except through trusted relays. This policy is particularly relevant because a bug in the original implementation of the 4.2BSD sendmail daemon creates a serious security hole (and was exploited by the Morris Worm [19, 22]). Unless you are sure that none of the sendmail daemons within your organization have this bug, it is best not to let anyone test this premise. Using a mail relay host means that you need only worry about the security of its sendmail daemon. 3.5.2. Telnet and FTP IP supports a number of other ....
[Article contains additional citation context not shown here]
Eugene H. Spafford. The Internet Worm: Crisis and Aftermath. Communications of the ACM 32(6):678-687, June, 1989.
....no more dangerous than the data in a data base or the text file from a word processor. Imagine however, the problems that could arise if evolving digital organisms were to colonize the computers connected to the major networks. They could spread across the network like the infamous internet worm [2, 8, 83, 84]. When we attempted to stop them, they could evolve mechanisms to escape from our attacks. It might conceivably be very difficult to eliminate them. However, this scenario is highly unlikely, as it is probably not possible for digital organisms to evolve on normal computer systems. While the ....
Spafford, Eugene H. 1989. The internet worm: crisis and aftermath. CACM 32(6): 678-- 687. Contact: spaf@purdue.edu
....trigger the failure and they normally result in violation of [expected] policies. Detailed analysis of the factors that contribute to the existence of these vulnerabilities is mostly limited to cryptic articles posted to hacker newsgroups or web sites. There are a few notable exceptions [Lin75, Spa89a, Spa89b, Sto90, Kum95, DFW96, MF97, DW95] and this report attempts to add to these with a detailed analysis of five common computer vulnerabilities. The analysis of each vulnerability attempts to identify its characteristics, the [expected] policies violated by its exploitation, and contributes ....
Eugene H. Spafford. The Internet Worm: Crisis and Aftermath. Communications of the ACM, 32(6):678-- 687, Jun 1989.
....and an author who is familiar not only with the network services and facilities, but also with the operating facilities required to support them once they have reached the machine. The Internet worm incident of November, 1988 clogged machines and networks as it spread, and is an example of a worm. [9, 8] Worms have also appeared in other science fiction literature. Recent cyberpunk novels such as Neuromancer by William Gibson [4] refer to worms by the term virus. The media has also often referred incorrectly to worms as viruses. This paper focuses only on viruses as defined here. Many of the ....
Eugene H. Spafford. The internet worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687, June 1989.
....in more fully examining the security implications of their areas, provided that outside interest warrants it. Since 1987, Professor Spafford has been exploring issues in practical computer security. His work has included widely cited work in analysis of malicious code such as viruses (e.g. [27, 26, 28, 31, 32]). In 1991, he coauthored the award-winning book Practical UNIX Security [13], now considered the standard reference in the field. He has also been involved in work on static audit and analysis tools. An initial result of this work was the COPS [12] security audit tool for UNIX systems, used ....
Eugene H. Spafford. The Internet Worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687, June 1989.
....is to explore how to increase confidence in existing systems in a cost-effective and user-friendly manner. At Purdue over the last five years, I have been exploring issues in practical computer security. My work has included widely cited work in analysis of malicious code such as viruses (e.g. [22, 23, 26, 27]). In 1991, I coauthored the award-winning book Practical UNIX Security [11], now considered the standard reference in the field. I have also been involved in work on static audit and analysis tools. An initial result of this work was the COPS [10] security audit tool for UNIX systems, used ....
Eugene H. Spafford. The Internet Worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687, June 1986.
....such as a life critical emergency. The article also discusses why no break in is harmless. 1 Introduction On November 2, 1988, a program was run on the Internet that replicated itself on thousands of machines, often loading them to the point where they were unable to process normal requests. [1, 2, 3] This Internet Worm program was stopped in a matter of hours, but the controversy engendered by its release has raged for a year and a half. Other recent incidents, such as the wily hackers 1 tracked by Cliff Stoll [4] the Legion of Doom members To appear in a special issue of The ....
Eugene H. Spafford. The internet worm: Crisis and aftermath. Communications of the ACM, 32(6):678--698, June 1989.
....The Xerox worms were actually useful: they would travel from workstation to workstation, reclaiming file space, shutting off idle workstations, delivering mail, and doing other useful tasks. The Internet Worm of November 1988 is often cited as the canonical example of a damaging worm program. [26, 27, 22] The Worm clogged machines and networks as it spread out of control, replicating on thousands of machines around the Internet. Some authors (e.g. [7]) labeled the Internet Worm as a virus, but those arguments are not convincing (cf. the discussion in [25]). Most people working with ....
Eugene H. Spafford. The internet worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687, June 1989.
....(4.34 × 10^16) possible passwords of length one through eight. At 50,000 attempts per second, an exhaustive search of this keyspace would require over 27,480 years to complete. This tendency to select weak 3 passwords has led to a number of system break-ins, some quite highly publicized: cf. [15, 19, 21, 22, 27]. Current technology is such that construction of a large pre-encrypted dictionary on-line using optical disks is easily done. By creating such a dictionary, a password search and attack may be easily conducted in a matter of seconds. Without such a database, but using a tool such as deszip on a ....
Eugene H. Spafford. The Internet Worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687, June 1986.
No context found.
Eugene H. Spafford, "The Internet Worm: Crisis and Aftermath", Communications of the ACM, Vol. 32, No. 6, pp. 678-687, June 1989.
No context found.
E. H. Spafford. The Internet worm: crisis and aftermath. Communications of the ACM., 32(6):678--687.
No context found.
E. Spafford, The Internet worm: crisis and aftermath, Communications of the ACM, 32(6):678-687, June 1989
No context found.
Eugene H. Spafford. The Internet worm: Crisis and aftermath. Communications of the ACM, 32(6):678--687, June 1989.
No context found.
E. Spafford, The Internet worm: crisis and aftermath, Communications of the ACM, 32(6):678-687, June 1989
No context found.
E. H. Spafford. The internet worm: Crisis and aftermath. Communications of the ACM, pages 678--687, June 1989.
No context found.
Spafford, E. H. "The Internet Worm: Crisis and Aftermath." Communications of the ACM 32: 678--687. Taylor, P. 1986. Respect for Nature. Princeton: Princeton University Press.
CiteSeer.IST - Copyright Penn State and NEC