Monday, December 19, 2005

Thoughts on Monoculture

Tom Ptacek and friends have been blogging at a furious pace, and I noticed he recently argued against Dan Geer's latest article (.pdf), which supports software diversity as a means of "improving security." Tom also found an ally in Halvar Flake. Now, Halvar may be really smart, but that does not mean his argument makes sense in the context most people have in mind when software monoculture is debated.

Halvar writes exploits. That is his mindset and worldview. Here is the scenario he outlines:

"[T]ake a useful piece of information (for example, a source tarball) and distribute it randomly on a small subset of the computers in the organisation. In the monoculture example, I would need an exploit for the monocultureOS. In the diversity example, I need an exploit for any of the OSs on which the information that I want is stored. Joy. Please diversify!"

By this reasoning, Halvar concludes that software monoculture improves security. An organization running a diverse set of operating systems looks weaker to him: he needs an exploit for only one of those systems, and he can steal that "useful piece of information" from whichever OS in the mix is the weakest.

That argument makes sense if the goal of "security" is to deny an attacker access to a piece of information stored on a variety of hosts. Call that a confidentiality goal.

What if the goal of "security" is not confidentiality but availability? In that case I argue that monoculture is a stupid idea and diversity is stronger. Imagine saving copies of that piece of information on systems all running the same OS. A destructive worm that exploits that OS appears and wipes the hard drives of every host in the organization. Now what?

In the diverse world, the worm wipes out the copies on the OS it can exploit, but copies of the information survive on the other OSes. (This assumes the worm's vector is OS-specific; a cross-platform hole, say in a web application, hits every host regardless of what OS it runs.)

If your goal is survivability, I can't see how software monoculture is a good idea. You've got to decide what balance of confidentiality, integrity, and availability matters for a given asset, and then see whether monoculture or diversity meets that goal. The two pull in opposite directions: spreading copies across more platforms raises the odds that at least one copy is breached, and lowers the odds that every copy is lost at once.
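To make the trade-off concrete, here is a small model of the two scenarios above. It is an added example, not code from the original post, and it assumes a simple model that the post does not spell out: each platform is compromised (wiped by an OS-specific worm, or exploited by an intruder) independently with some probability during a given period, and the per-platform probabilities used below are constructed for illustration. Confidentiality is lost if any platform holding a copy falls (Halvar's weakest-OS argument); availability is lost only if every platform holding a copy falls (the survivability argument). The function names and the placement model are the example's own.

```python
"""Confidentiality vs. availability under monoculture and diversity.

Model (an assumption of this example, not from the post): platform i is
compromised independently with probability platform_risk[i]. Copies of one
piece of information live on the platforms listed in `placement`.
"""
from itertools import product


def exposure(platform_risk, placement):
    """Return (p_confidentiality_loss, p_availability_loss).

    platform_risk: per-platform compromise probabilities, one per platform.
    placement: set of platform indices that hold a copy of the information.

    Exact answer by enumerating every combination of compromised platforms
    (2**n outcomes), so heterogeneous risks and partial placements both work.
    """
    if not placement:
        raise ValueError("the information must be stored on at least one platform")
    if not all(0.0 <= r <= 1.0 for r in platform_risk):
        raise ValueError("probabilities must lie in [0, 1]")
    if any(i >= len(platform_risk) for i in placement):
        raise ValueError("placement refers to a platform that does not exist")

    p_conf = 0.0
    p_avail = 0.0
    for outcome in product((False, True), repeat=len(platform_risk)):
        # probability of this exact pattern of compromised (True) platforms
        prob = 1.0
        for i, fell in enumerate(outcome):
            prob *= platform_risk[i] if fell else 1.0 - platform_risk[i]
        fallen_holders = [i for i in placement if outcome[i]]
        if fallen_holders:                       # weakest link: any copy reachable
            p_conf += prob
        if len(fallen_holders) == len(placement):  # every copy destroyed
            p_avail += prob
    return p_conf, p_avail


def monoculture(platform_risk):
    """All copies on one OS (platform 0): they share a single fate."""
    return exposure(platform_risk, {0})


def diverse(platform_risk):
    """One copy on every platform in the organization."""
    return exposure(platform_risk, set(range(len(platform_risk))))


if __name__ == "__main__":
    # Constructed numbers: three platforms, each compromised with p = 0.1
    even = [0.1, 0.1, 0.1]
    # Same, but the third platform is a weak niche OS with p = 0.4
    weak = [0.1, 0.1, 0.4]
    for label, risk in (("even risk", even), ("one weak OS", weak)):
        print(label)
        for name, fn in (("monoculture", monoculture), ("diverse", diverse)):
            conf, avail = fn(risk)
            print(f"  {name:12s} confidentiality loss {conf:.3f}"
                  f"  availability loss {avail:.3f}")
```

With three equally risky platforms the diverse placement roughly triples the chance of a confidentiality breach (0.271 vs 0.1) while cutting the chance of total loss by two orders of magnitude (0.001 vs 0.1); adding a weak platform to the mix makes the confidentiality side worse still, which is exactly the point Halvar makes and exactly the cost the availability argument has to accept.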

3 comments:

John Ward said...

I added my 2 cents on this on my blog.

Am I going to have to separate you and Tom Ptacek?

Gunnar said...

Agree, security is not a boolean. There are both horizontal and vertical views to a system. Diversification helps the horizontal aspects of security.

Anonymous said...

I was impressed with Ranum(?)'s reasoning on this issue. The biological analogy is flawed because computer hosts can coordinate immunity through patch management, central configuration of host based firewalls, etc.

Some threats emerge if a single host on a network is compromised. Multiplying OSs multiplies vectors, and potentially divides administrative expertise.

I'll grant you the scenario of the fatal 0-day attack. I'm not sure that dividing the market share into more chunks is going to prevent epidemics, though. It will probably mean more, smaller epidemics.

I'm an anti-Windows bigot, and plan to proceed with managing XP workstations with ad hoc tools, rather than AD, in spite of sound advice given by everyone I talk to, including one of the lead developers on the Samba team. So I am predisposed to like the monoculture argument with its implied dissing of MS. But I see a lot of problems with the analogy and its prescription. If we were to follow its prescription, how many OSs would we need to adopt? Several flavors of Linux, all three major BSDs, Solaris, VMS, NetWare? Attackers are going after even small niche apps, so there would still be plenty of attacks on a world of evenly distributed OS market share. Then there are cross-platform vulnerabilities. Run the wrong PHP script and it doesn't matter what OS the host is running.

I'm not sure accessibility is assured if the average user has a choice of unfamiliar surviving OSes.