Students enrolled in the University of Virginia’s “Defense Against the Dark Arts” course do not dispel demons with the wave of a wand, but they do write spells that may keep their programs safe.
A small group of summer-session students working with UVA associate computer science professor Aaron Bloomfield are learning programming and coding as a barrier to cyberattacks. The class looks at computer viruses, past and current, encryption and how to break computer programs.
“The goal is that they learn enough about these topics so they can write better and more secure programs, so their programs are less likely to be broken or hacked,” Bloomfield said. “Another goal is that they are aware enough of these topics that in their operations of computers, they can take more responsible actions.”
The course focuses on individual programs and computers, with another course in the School of Engineering and Applied Science concentrating on network computing security. Students who take the class are primarily computer science majors who have already taken programming prerequisites.
The students sign a pledge that they will not use the information they gain in the class to attack a computer they are not authorized to attack. Bloomfield said the students study the Association for Computing Machinery’s code of ethics, which includes admonitions that software engineers always act in the public good, maintain their integrity and professionalism, and work within the best interests of the customer and the public good.
The course was created by computer science professor Jack Davidson, a Harry Potter fan who would teach the first day of the class in his graduation robe and wearing a conical wizard’s hat.
Bloomfield’s approach is mainly defensive, but a good defense requires an understanding of the offense.
“You can’t properly build a defense unless you understand what the offense is,” he said. “We study how viruses mutate, how they spread, how they infect computers, how they infect files. They study how viruses make themselves harder to detect, so a lot of what they are doing is defensive, but they still have to study how the offense works – otherwise you don’t know what to defend against.”
Viruses have been around almost as long as computers. Bloomfield teaches how older viruses can be the foundation of current viruses, as well as how they can be bundled together.
“There are many techniques viruses use to infect files or make themselves harder to detect,” he said. “And in the ’80s and ’90s, viruses would have one or maybe two of these techniques. By studying some of the viruses from that time, we can see an individual technique in isolation, how it works and how the anti-virus scanners had to adapt to compensate for it.
“Nowadays, malware is far more complex. But just looking at that one piece of malware you have to understand how each of the parts works in isolation, so you can understand how they work together as a whole.”
Many older viruses can be easily detected and counteracted today, but combining them adds to their efficacy, and they still have many of the same goals.
“Some viruses are no longer effective because of changes in hardware,” Bloomfield said. “A simple example is a virus that infects floppy drives, because no one uses floppy drives anymore. But those techniques can be used to infect USB keys, which people do use. So a lot of the techniques we used in the 1980s, even though they won’t work on modern hardware, are similar to techniques used on more modern hardware such as USB keys.”
Bloomfield said that while there are some people who still create malware for the fun of it, most attacks have a motive, such as taking someone’s money or gaining geopolitical advantage, as with the Stuxnet virus that attacked the Iranian nuclear enrichment program several years ago. The virus caused physical damage to the equipment, resulting in monetary losses and setting the program back about a year.
“There is a goal, something an entity wants to profit from, whether it’s financial profits or profiting by preventing another country from developing nuclear weapons,” Bloomfield said. “There are a number of companies that are targeted for competitive reasons. A lot of companies have their data stolen through cyberattacks; a lot of times it is so another company can gain a competitive edge, sometimes it is just to do damage to the company, and sometimes it is just to extract money in the form of ransom.”
Stephen Park, a rising fourth-year computer science major from Burke, came to the class out of curiosity and has become much more aware of the threats.
“We live in such a technologically advanced and increasingly networked era, where things such as personal banking and government infrastructure are extremely important to protect,” he said. “It is vital for us to educate ourselves on the significance of these security threats and the consequences that follow, because it can affect just about anyone.”
While media reports tend to promote a stereotype of lone-wolf hackers, Bloomfield notes that today hacking often involves teams of code writers put together by governments or businesses for specific purposes.
“I think a lot of the computer security entities, whether they be company contractors or the three-letter agencies – CIA, NSA, KGB – hire teams of people, computer scientists, to develop this malware,” he said. “Stuxnet, which damaged the Iranian nuclear facility, is believed to have taken a team of 20 to 30 people multiple years to develop. And they were experienced computer scientists and programmers. There are some people who do this as part of their job.”
A wide range of people are involved in cyber espionage, and many countries, in one form or another, hire people to launch cyberattacks against targets.
But there are also outliers who launch cyberattacks without an apparent profit motive. Bloomfield cites the Ashley Madison cyberattack; Ashley Madison billed itself as a discreet dating site for married people, and its system was hacked in 2015, with the hackers stealing customers’ email information. The hackers, or “hacktivists,” demanded that the site shut down. It did not, and details about the customers’ emails were released.
“This was fascinating because they didn’t want money or anything else, they just wanted the company to shut down,” Bloomfield said. “They were not motivated by financial anything. They just wanted to damage the company for ethical reasons. That was one of the first examples covered extensively in the media of an attack based on perceived fault of the company or hatred of the company.”
Small businesses can protect themselves by working through larger companies, such as selling items on Amazon, which takes a percentage of the sale, but also provides a lot of cybersecurity.
“I think there are many ways one can offset the defenses,” Bloomfield said. “That is just one; there are a host of providers that supply more security than others, because that is what people want. And as your business gets larger, then you are going to need to hire an ever-increasing team of people whose job is to defend against attacks on your network and your company.”
Bloomfield’s students focus on writing programs to resist and repel attacks, and Bloomfield said they must be aware of the problems that exist so they can be smarter when they work with computers and write programs.
“I hope they learn that they need to step up their game to make their program more secure, which is typical of everybody in this class,” he said. “I need to step up my game in terms of making my programs more secure, too.”