textbooks on sorting and searching,
on database methods, on computer
graphics. These textbooks present
algorithms and source code listings.
The many different techniques of
sorting, for example, are analyzed and
their implementations are examined
thoroughly. Students are encouraged
to explore new approaches to sorting,
to improve on what is known, to push
the limits of performance. Whereas
such explorations are standard practice in areas such as sorting, they do
not exist for malware. Malware was
absent from nearly all undergraduate
curricula six years ago and it is still absent, for essentially the same technical and ideological reasons.
Technical and Ideological Requirements
On the technical side, teaching
malware requires knowing viruses,
worms, Trojans, and rootkits, which
obligates teachers to have read their
source code, which in turn requires
them to have the ability to reverse the
binaries, and the facility to launch,
run, and infect machines on an isolated subnet. Having read a sufficiently large, representative sampling
of historic malware source code then
leads to formulating various generalizations to build a theory of malware
that can be tested by writing derivative malware, new in a shallow sense
but not necessarily innovative. These
experiences then should culminate in
inventing never-before-tried malware
to foresee trends in cyberspace.
The reason we cannot solve the malware problem is simple: We don’t have a theory of malware.
Detecting and arresting malware and its launchers won’t be easy unless we ramp up on all fronts, especially education.
On the ideological side, arguments
range from “moral purity” to “allocation of responsibility.”
These arguments are fueled by fear of the unknown,
especially when the unknown
is potentially toxic. Having one’s
reputation ruined by being labeled irresponsible, negligent, reckless, or incompetent is a strong disincentive. It
is difficult to imagine computer scientists losing their professional standing
or community esteem by demonstrating new multi-core implementations
of Batcher’s sort, especially if it beat
all current sorting techniques; but it is
not difficult to conjure the poisonous
politics of unveiling new malware that
would escape detection by all current
commercial anti-malware products.
Raising the stakes with powerful sorting algorithms is a laudable, honorable endeavor; casting a spell with
powerful new malware is considered
undignified per se.
That malware should be taught to
computer science majors runs into
a frequent and bothersome accusation—that we will be granting diplomas to hordes of malicious hackers,
aiding and abetting greater misbehavior than is being suffered already.
Physicians, surgeons, nurses, pharmacists, and other health professionals have the know-how with which to
inflict pain, torture, and death. Every
profession may have its “black sheep,”
but it is obvious that society benefits
by having an absolute majority of responsible and caring professionals.
Conclusion
I began this column by calling your attention
to the forthcoming triple trouble
of cyberwar, cyberterrorism, and
cybercrime. The last of the three—cybercrime—is
abundantly in our midst
already. The other two menaces are
works in progress. All three typically
deploy via malware. (Human gullibility
is, tragically, a contributing factor.)
The preferred way thus far has been
to exploit overlay networks or saturation-bomb
regions of the Internet to
build a broad-based infrastructure of
illegally tenanted user machines and
servers—a large botnet, responsive to
peer-to-peer and command and control
communications. Such a botnet’s
unwitting foot soldiers—your and my
machines—are powerful weapons in
cyberspace, capable of mounting targeted
distributed denial-of-service
attacks against individual users, institutions,
corporations, and governments.
Botnets built by worms
can remain silent and undergo quiet
maintenance and upkeep between
bursts of activity. Botnet battles—territorial
disputes and turf fights—are
vicious confrontations for supremacy,
worth billions of dollars and euros.
For nation-states, the cyber-arms-race
is on: those with the strongest
malware will emerge as super-cyber-powers.
None of these near-future developments
can be wished away. And
we continue to harm ourselves by not
teaching malware.
George Ledin, Jr. (george.ledin@sonoma.edu) is a
professor of computer science at Sonoma State University
and a visiting fellow at SRI International.
Copyright held by author.