Tom Ptacek and friends have been blogging at a furious pace, and I noticed he recently argued against Dan Geer's latest article (.pdf) which supports software diversity as a means of "improving security." Tom also found a friend in Halvar Flake. Now, Halvar may be really smart, but it doesn't mean Halvar's argument makes sense in the context that most people share when software monoculture is debated.
Halvar writes exploits. That is his mindset and worldview. Here is the scenario he outlines:
"[T]ake a useful piece of information (for example, a source tarball) and distribute it randomly on a small subset of the computers in the organisation. In the monoculture example, I would need an exploit for the monocultureOS. In the diversity example, I need an exploit for any of the OSs on which the information that I want is stored. Joy. Please diversify!"
According to this reasoning, Halvar thinks software monoculture improves security. By operating a diverse set of operating systems, the target organization looks weaker to Halvar: he only needs an exploit for the weakest OS that holds a copy of that "useful piece of information," and he can steal it from there.
That argument makes sense if the goal of "security" is to deny access to a piece of information stored on a variety of hosts. Call that a confidentiality goal.
What if the goal of "security" is not confidentiality, but accessibility? In that case, I argue monoculture is a stupid idea, and diversity is stronger. Imagine saving copies of that piece of information on systems all running the same OS. A destructive worm appears and wipes out the hard drives of all of the organization's hosts. Now what?
In the diverse world, the information on the vulnerable OS is wiped out by the worm. However, copies of the information survive on the other OSes.
If your goal is survivability, I can't see how software monoculture is a good idea. You've got to decide what balance of confidentiality, availability, and integrity is important to you, and then see whether monoculture or diversity will meet your goals.
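The trade-off above can be made concrete with a small probability model. The following is an added example, not code from the post or from any of the people it quotes. It assumes that an attacker needs a working exploit for any one OS holding a copy to breach confidentiality (Halvar's scenario), that a destructive worm for one OS wipes every host of that OS so availability is lost only when every OS holding a copy is hit, and that exploit and worm events for different OSes are independent. The OS names and the per-OS probabilities are constructed for illustration; the weighting function is a hypothetical way to express the "balance" the post asks the reader to decide on.

```python
"""Toy model: confidentiality vs. availability under monoculture and diversity.

A deployment is the set of OS names on which a copy of the information lives.
exploit_prob[os] is the (constructed) probability the attacker has a working
exploit for that OS; worm_prob[os] is the (constructed) probability a
destructive worm for that OS appears and wipes every host running it.
Independence between OSes is an assumption of this model, not a fact from the post.
"""
from math import prod


def p_stolen(deployment, exploit_prob):
    """Probability the attacker can read at least one copy.

    Confidentiality is lost if the attacker holds an exploit for ANY OS in the
    deployment, so we compute 1 - P(no OS in the deployment is exploitable).
    """
    p_no_exploit = prod(1.0 - exploit_prob[os] for os in deployment)
    return 1.0 - p_no_exploit


def p_destroyed(deployment, worm_prob):
    """Probability every copy is wiped.

    Availability is lost only if a destructive worm hits EVERY OS in the
    deployment; a single surviving OS keeps at least one copy alive.
    """
    return prod(worm_prob[os] for os in deployment)


def expected_loss(deployment, exploit_prob, worm_prob, w_conf, w_avail):
    """Weighted loss: the caller decides how much confidentiality vs.
    availability matters (hypothetical weighting, not the post's method)."""
    return (w_conf * p_stolen(deployment, exploit_prob)
            + w_avail * p_destroyed(deployment, worm_prob))


def better_deployment(deployments, exploit_prob, worm_prob, w_conf, w_avail):
    """Return the name of the deployment with the lowest weighted loss."""
    return min(
        deployments,
        key=lambda name: expected_loss(
            deployments[name], exploit_prob, worm_prob, w_conf, w_avail),
    )


# Constructed sample data: three OS families with identical per-OS risk,
# so any difference between deployments comes purely from diversity.
EXPLOIT_PROB = {"os_a": 0.3, "os_b": 0.3, "os_c": 0.3}
WORM_PROB = {"os_a": 0.2, "os_b": 0.2, "os_c": 0.2}
DEPLOYMENTS = {
    "monoculture": {"os_a"},                  # every copy on one OS
    "diverse": {"os_a", "os_b", "os_c"},      # copies spread across three OSes
}


if __name__ == "__main__":
    for name, dep in DEPLOYMENTS.items():
        print(f"{name:12s} P(stolen)={p_stolen(dep, EXPLOIT_PROB):.3f} "
              f"P(destroyed)={p_destroyed(dep, WORM_PROB):.3f}")
    # A confidentiality-only goal favours monoculture; an availability-only
    # goal favours diversity, which is the post's point about choosing a balance.
    print("confidentiality goal ->",
          better_deployment(DEPLOYMENTS, EXPLOIT_PROB, WORM_PROB, 1.0, 0.0))
    print("availability goal    ->",
          better_deployment(DEPLOYMENTS, EXPLOIT_PROB, WORM_PROB, 0.0, 1.0))
```

With the sample numbers the diverse deployment more than doubles the chance that at least one copy is exploitable (0.657 vs 0.3) while cutting the chance that every copy is wiped from 0.2 to 0.008. Which of those matters depends on the weights, which is exactly the decision the post leaves to the reader.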