Bugtraq mailing list archives

Re: To diversify and survive: the application of population biology concept into computer


From: Crispin Cowan <crispin () wirex com>
Date: Mon, 03 Feb 2003 13:49:35 -0800

Peter Huang wrote:

Abstract:
On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern (Kaspersky), fully exploited known vulnerabilities in Microsoft SQL 2000 servers and caused tremendous network jams around the world. In this article, the concept of population biology is proposed for application to computer programming. The concept is to diversify the same software functionality with a population of executables to avoid being eliminated or exploited by a virus or worm like SQL Slammer.

Read this paper to see the relative strengths and weaknesses of the biodiversity defense:

   "The Cracker Patch Choice: An Analysis of Post Hoc Security
   Techniques".  Crispin Cowan, Heather Hinton, Calton Pu, and Jonathan
   Walpole.  Presented at the National Information Systems Security
   Conference (NISSC) <http://csrc.nist.gov/nissc/>, Baltimore MD,
   October 16-19 2000. PDF <http://wirex.com/%7Ecrispin/crackerpatch.pdf>.

The concept of biodiversity goes back many years. The first computer biodiversity paper I am familiar with is this, but there are undoubtedly earlier examples:

   "Self-Nonself Discrimination in a Computer (1994)"  (44 citations)
   Stephanie Forrest, Alan S. Perelson, Proceedings of the 1994 IEEE
   Symposium on Research in Security and Privacy.
   http://citeseer.nj.nec.com/forrest94selfnonself.html

The biodiversity defense relies heavily on analogies to proper biology. My counter-analogy is that yes, biodiversity works as a defense in nature, but not anywhere near as well as skin does. Organisms have skin, cells have membranes, and these organs do most of the work of keeping pathogens out of the organism. Computer systems (even with firewalls) have really crappy skin, if they have any at all. Investing in better skin will return greater results than biodiversity for a long time to come.

But the trouble with analogies is that analogies are like goldfish: sometimes they have nothing to do with the topic at hand :-) So without resorting to analogies, the concrete argument against the biodiversity defense is that biodiversity induces incompatibility. For it to be an effective defense, the biodiversity has to impose *more* incompatibility on the attacker than it does on the defender. This is problematic, because while you know what artifacts the defender depends on, you do *not* know what artifacts the attacker is depending on, so you have to change every artifact you can think of that does not inconvenience the defender, and hope that works. Meanwhile, defenders are already feeling the pain of diversity (heterogeneous systems) and are rushing to *homogenize* their systems as much as possible, because the expense of biodiversity exceeds the benefits.

Not to say that biodiversity won't work, just that it is more expensive than you might like. On the other hand, very often for a given biodiversity technique (varying some artifact) there is an associated "restrictive" technique (controlling access to that same artifact) that will be more cost effective. So go ahead and explore biodiversity techniques, but don't forget to look around for associated restrictive techniques that might work better.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"
