Alex Smolen

Bacteria Versus Viruses

Aug 14, 2007

Welcome to, where you’ll find my writing on application security, my solutions to tricky tech problems, and general news about me.

To start off this blog, I thought in the name of “reusability” I’d put a short essay/abstract/piece that I wrote in 2004 here that I was proud of, but never went anywhere (I think it got lost in the marketing department somewhere).

Anyways, without further ado…

Bacteria Versus Viruses

by Alex Smolen

The human body is extraordinarily capable of defending itself from the antagonistic micro-organisms that permeate our environment. With viruses and bacteria covering every surface, hidden in every crevice, waiting for the opportunity to use our body as their own personal recreation area, we rely on our natural defenses and the medical community to protect us from this unseen but well-known threat.

Software applications must defend themselves as well; they too are subjected to a hostile environment of wide-ranging threats from invisible sources. Indeed, a computer “virus” closely parallels its organic namesake in the way it infects and replicates, causing destruction and leaving weakness in its wake.

Recently, I reflected on the observation that computer viruses attacks occur less frequently and cause less damage today than in the past. There could be several reasons for this, including more common and stringent anti-virus protection, and more user awareness. However, what is becoming more common, and often more destructive, are the increasing number of software “errors” which allow attackers to conquer servers using well-known techniques that exploit these “unsanitary” conditions. The day of the computer “virus” may be fading, but we are beginning to see the rise of computer “bacteria”.

Every year, the common cold causes millions, if not billions, of dollars in terms of lost productivity. What mighty force behind this phenomenon has led science on a wild goose chase for decades? The cold virus is able to mutate to fool our immune system. It is the best hacker in the ecosystem – it can r00t us year after year. Computer virus writers keep anti-virus vendors in business through the subscription model. Vendors take every new, bizarre mutation of code that shows up on the networks of the world and analyze it into submission.

However, the majority of security problems we hear about these days are the application-level exploits: the buffer overflows, the browser vulnerabilities, the SQL injection in web applications. These problems, for the most part, are well understood. There are applications which are immune to these problems, and most application-level vulnerabilities are found in a few “dirty” lines of code. This is the perfect environment for a computer bacterial infection.

When Penicillin was discovered, the deaths caused from bacterial diseases dropped sharply. Bacteria don’t evolve and mutate like viruses; they can in almost all cases be defeated with reusable techniques (antibiotics, sterilization, etc). Likewise, application security is a fairly well understood process. Validate inputs, check credentials, don’t give up to much information, load resources sparingly, and a few more strategies can, when followed consistently, significantly reduce the attack surface. Yet we consistently see people make the same mistake, time and time again, and the infection spreads from a SQL injection to a remote arbitrary code execution to a full-blown case of an owned server.

It seems like in this day and age, some vendors are only worried about threats from old attack vectors, when systems are highly susceptible to a nasty case of SQL Infection or a Buffer overflu. Can we stay healthy?