Shield framework holds promise for network security
By VAWN HIMMELSBACH
Thursday, June 2, 2005 Updated at 9:35 AM EDT
Special to Globe and Mail Update
As they battle the growing hordes of hackers, viruses and spyware, some security experts are eyeing a new technology being developed in the labs at Microsoft Corp.
After a vulnerability is discovered in a program or operating system, businesses must often wait days or weeks for software patches to be developed, leaving them exposed in the interim. And even when a fix is released, companies usually need to test patches before applying them to make sure they won't destabilize crucial programs or crash the corporate network.
Meanwhile, it currently takes hackers about six days on average to build and release an effective attack after a security hole is publicized.
"More than 90 per cent of worms are exploiting known vulnerabilities," said Jim Kajiya, a director at Microsoft Research in Redmond, Wash.
To minimize the threat to companies immediately after vulnerabilities are found, a research effort is under way at Microsoft to develop a new technology called a Shield framework. Shields are "exploit-generic" network filters that can be installed on a system as soon as a security hole is discovered, similar to the way a tourniquet is applied to a serious wound until a doctor can stitch it up. Shields wouldn't replace the need for patches that fix the underlying problem, but they would be designed to block attacks aimed at the vulnerability until a permanent patch is applied.
"Shielding precedes patching," Mr. Kajiya said. "It doesn't look at the virus itself, it looks at what the virus does, it looks at the behaviour of the PC and where damaging things may occur."
The idea is that when a vulnerability is found, Shield software would be set up to examine the incoming or outgoing traffic of any vulnerable applications. Acting as a sort of highly focused firewall, it would block suspicious traffic that might be trying to exploit a security hole.
"Firewalls are very inflexible," said Mr. Kajiya. "Shields do it on a much finer grain."
They're also less disruptive to network traffic than full-blown firewalls, easier to install, and more resilient to polymorphic attacks such as viruses that change slightly every time they replicate to avoid detection.
The technology would apply to any size of business, with system administrators managing Shields that would protect entire networks, initially running from servers. Claudiu Popa, president of network security specialist Informatica Corp. in Toronto, says once the technology matures, there's no reason why it couldn't be adapted to run on workstations or even laptops, too.
Shields would be a valuable addition to the business world's security arsenal, Mr. Popa said, but there are some serious issues that must be solved before the technology can go into mainstream use.
At the top of the list is the fact that a Shield has the potential to disrupt an operating system and the very programs it's meant to protect if it doesn't work flawlessly. Shields also require a lot of computing power, and an entire network could come to a standstill if massive amounts of traffic had to be filtered.
"It has a huge impact on how applications work," Mr. Popa said. "A number of parallel technologies need to be developed in order for this thing to actually be released."
Microsoft's overall security strategy is called the Next-Generation Secure Computing Base, which is expected to roll out next year with its new operating system, codenamed Longhorn. Due to the technical hurdles involved, Mr. Kajiya said he didn't know if Shield technology would be ready in time to ship with the NGSCB.
"They certainly don't want to be laughed at, and they're going to be very careful about releasing information that will set the industry's expectations," said Mr. Popa