Re: To diversify and survive: the application of population biology concept into computer
From: Crispin Cowan <crispin () wirex com>
Date: Mon, 03 Feb 2003 13:49:35 -0800
Peter Huang wrote:
> On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known
> as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern
> (Kaspersky) fully exploited known vulnerabilities in Microsoft SQL 2000
> servers and caused tremendous network jam around the world. In this
> article, the concept of population biology is proposed to apply to the
> computer programming. The concept is to diversify the same software
> functionality with a population of executables to avoid being eliminated
> or exploited by a virus or worm like SQL Slammer.

Read this paper to see the relative strengths and weaknesses of the
"The Cracker Patch Choice: An Analysis of Post Hoc Security
Techniques". Crispin Cowan, Heather Hinton, Calton Pu, and Jonathan
Walpole. Presented at the National Information Systems Security
Conference (NISSC) <http://csrc.nist.gov/nissc/>, Baltimore MD,
October 16-19 2000. PDF <http://wirex.com/%7Ecrispin/crackerpatch.pdf>.
The concept of biodiversity goes back many years. The first computer
biodiversity paper I am familiar with is this, but there are undoubtedly
"Self-Nonself Discrimination in a Computer (1994)" (44 citations)
Stephanie Forrest, Alan S. Perelson, Proceedings of the 1994 IEEE
Symposium on Research in Security and Privacy.
The biodiversity defense relies heavily on analogies to proper biology.
My counter-analogy is that yes, biodiversity works as a defense in
nature, but not anywhere near as well as skin does. Organisms have skin,
cells have membranes, and these organs do most of the work of keeping
pathogens out of the organism. Computer systems (even with firewalls)
have really crappy skin, if they have any at all. Investing in better
skin will return greater results than biodiversity for a long time to come.
But the trouble with analogies is that analogies are like goldfish:
sometimes they have nothing to do with the topic at hand :-) So without
resorting to analogies, the concrete argument against the biodiversity
defense is that biodiversity induces incompatibility. For it to be an
effective defense, the biodiversity has to impose *more* incompatibility
on the attacker than it does on the defender. This is problematic,
because while you know what artifacts the defender depends on, you do
*not* know what artifacts the attacker is depending on, so you have to
change every artifact you can think of that does not inconvenience the
defender, and hope that works. Meanwhile, defenders are already feeling
the pain of diversity (heterogeneous systems) and are rushing to
*homogenize* their systems as much as possible, because the expense of
biodiversity exceeds the benefits.
Not to say that biodiversity won't work, just that it is more expensive
than you might like. On the other hand, very often for a given
biodiversity technique (varying some artifact) there is an associated
"restrictive" technique (controlling access to that same artifact) that
will be more cost effective. So go ahead and explore biodiversity
techniques, but don't forget to look around for associated restrictive
techniques that might work better.
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"