Wednesday, June 30, 2004

USENIX '04: Dan Geer, Scott Charney, Avi Rubin: Debate: Is an Operating System Monoculture a Threat to Security?

Dan Geer, Chief Scientist, Verdasys, Inc.;
Scott Charney, Chief Trustworthy Computing Strategist, Microsoft Corporation
Moderated by Avi Rubin, Johns Hopkins University

*****

One line position summaries:

Dan Geer: In any ecosystem, diversity promotes health

Scott: Forcing diversity doesn't solve the problem

*****

Dan Geer:

Is in security by accident.

A computing monoculture is a danger on many levels.

Computing systems tend to behave like biologic systems; our metaphors reflect this. Understanding the natural world lends a better understanding of our technological world. Examination of the genome shows that it's cheaper to keep everything than to prune what is no longer needed.

But is the biological, evolutionary cycle the only possible way to do things?

The minimum gene set is the core genetic infrastructure to make life work.

Immunity is biologically expensive. The more advanced the organism, the more immunity is needed.

The bigger & juicier the technological target, the more it needs to be defensive.

The only protection from this is isolation, but that leads to other problems -- it's not always feasible.

Hence, egress filtering is as important as ingress.

Spam has many similarities to an autoimmune disorder, as wanted ham is lost with filtered spam.

Some pathogens are opportunistic (AIDS), just like the Nimda, Slammer, Witty, etc. worms.

Microsoft itself is not immune to these vulnerabilities.

Herd immunity: if the herd is protected as a whole from epidemics, individuals can still be vulnerable.

Half life curve: vulnerabilities can never be patched with constant effort. Compare against immunization to the influenza virus.

Worst case disease: 100% infection, rapid spread, slow onset. We see such things in modern computer viruses.

Biological mutation is non-random [really??? --chd], and computer virus mutation is directed and strongly connected to selection processes. This accelerates the accumulation of mutations.

The E. coli in your gut is highly resilient, and much less "monoculture-esque" than it may seem. By reproducing at a 1% rate, it can replenish itself rapidly, and cannot be purged -- nor should it.

Punctuated equilibrium -- sorry, missed what he said here.

Microsoft is adding a plethora of features, but we can't ex post facto sprinkle security over all of these diverse components. Marcus Ranum gets this wrong -- he places too much faith in the diversity of Windows software.

TCP isn't a monoculture, just as E. coli isn't. If it were, the internet would have collapsed around us years ago.

Null hypothesis: lessons learned in the natural world apply to the computing world.

Therefore, following from the assumption that this is true (not a stretch), then yes, a software monoculture is a massive threat.

Technical professionals are overwhelmed trying to defend computing targets.

The monoculture bets on the defence of unknown vulnerabilities; when they become known, they become a threat, but when they remain unknown, they can be ignored.

The Witty worm is a powerful example of the risks.

As with economics, diversity isn't cheap -- true, but the risks are more expensive.

All monocultures live on borrowed time. Potato famine, boll weevil, Brazilian cocoa farmers, etc.

DAMN THIS GUY TALKS FAST.

*****

Scott

English / History major, public office in the Bronx, then a corruption agent for the Feds. For 8 years in the 1990s, he was [with?] the lead federal prosecutor for cybercrimes.

He feels that Geer oversimplifies the issue. Cisco, for example, is a big player that could be complained about; likewise, it isn't obvious how diversification would help the spam issue.

In prosecuting cybercrime, cases fell in three areas: confidentiality, integrity, availability.

Gave example of a case where someone got a system account that tickled a system misconfiguration that caused a $.75 accounting error, but uncovering it revealed a Soviet espionage ring that would have lain dormant if the trivial monetary issue hadn't been investigated.

People attacking confidentiality of systems will not advertise their actions, because they want to exploit the asset over a long period of time.

In integrity attacks, as with confidentiality attacks, monoculture isn't really the problem and changing that won't really make the problem go away.

Southwest Airlines attributes their success to a monoculture -- they fly just one type of plane, so their maintenance issues are much simpler, any pilot can fly any plane, etc. Yes, this makes them vulnerable to a hypothetical FAA grounding of their one plane, but they accept that risk.

In analyzing cascading errors, he asserts that going to a 50/50 Linux / Windows world wouldn't necessarily break the monoculture. It's not hard to posit that a broad attack intending to bring down the network could either fork & hit both platforms, or be launched as two attacks in parallel.

Splitting from 1 to 2 dominant platforms doesn't mitigate the problem; you have to split into millions of platforms to have a statistically significant effect.

The goal has to be to increase security, not to break the monoculture.

In the early 90s as a prosecutor, he tried to talk the dominant vendors into taking security seriously, but they responded that the market was far more interested in features & usability; they all said to go away.

He feels that complexity is the enemy of security. We need to find ways to halt cascading effects, using our resources in cost-effective ways.

*****

Question session:

Q-Rubin:
In terms of diversity, we have a handful of legit OSes in common use. What is the plan to promote diversity & how to account for the mutation tendency in natural systems?

A-D: Any time you have one system more than 50% (or possibly, 43%) of the ecosystem, the tendency towards system-wide failures increases drastically. Obviously, broadening the landscape is needed. Maybe spending some of the new horsepower on diversity (e.g. different instruction sets on every single machine) might be worth considering.

A-S: Diversity is needed. We're in the early days of the third revolution of civilization (agriculture, industrial era, information) and we obviously have a long way to go. The markets are not designed to deal with these needs, but we still need a reasonable return on investment.

Q-Rubin:
If diversity won't help spam & similar viruses, what will help?

A-S: User education, technology, "don't open attachments", etc. But people won't do this, just as people don't all wear seatbelts. Software that prevents opening executable code etc will help too.

A-D: Attractive nuisance -- if a failure to protect your systems ends up being used by a third party to attack some other third party, there should be some culpability there. This is pretty much how spam is delivered today (attractive nuisance, force majeure, etc.) and we can't allow the vendor to be blameless for allowing this to happen. Forcing ownership of culpability helps a lot.

Q:
There are OSes besides Windows & Linux, and Linux itself is quite diverse.
APIs should be made open & we can have a diversity of implementations.
The single most dangerous software ever written is Internet Explorer.

A-S: The antitrust decree does mandate the publication of APIs, but he doesn't think this will solve the whole problem. Secure functionality wasn't a requirement when IE was written [really??? --chd].

A-D: The easiest way into any major app is to overflow its buffers -- this gets you past everything else. Hence, application interfaces are a bigger issue than system interfaces. Simple, well documented interfaces are a principal avenue to changing what is in place in the field.

Q-Perry Metzger, co-author of Dan's paper:
Scott focused his talk on experiences as a prosecutor, etc -- not the real question. We all know that diversity won't fix everything, but S. mostly did not address the problem that a monoculture leads to.
Are you really going to assert that having all Windows machines makes anything safer from worm infestations?
Diversity isn't a panacea; but there are certain classes of problems it helps.

A-S: Having old, unpatched versions of Windows is bad. [no shit --chd]. Customers need to figure out where diversity will have the biggest positive gain in their environment.

A-D: Organizations need to decide how much they want to patch machines that are often, frankly, pirated. It's possible to harden an environment in a way that makes it brittle, not tough -- Southwest Airlines is probably tough more than brittle, but that's a bet they're making. Absent leadership, what can individual enterprises do?

A-S: When considering what to do, enterprises need to analyze what forms of security will bring in the most effective results: auditing, firewalls, etc.

A-D: It's like catastrophe insurance. At some point it's a good thing that we don't all needed

Q-Dave Frisado, Google, to "Reverend Dan"
The biodiversity argument isn't apt. The computers aren't independent units like cells or organisms, with the capacity for immunoresponse. Diversity isn't enough to manage a lot of the problems they see -- a single remote Windows based attack can swamp their Unix servers & starve bandwidth. They had a diverse environment with multiple platforms & it still didn't help.

A-D: We're still at a primitive stage in evolutionary terms [Mr. Google agrees with this --chd]. Therefore, we have a long way to go. Bandwidth throttling can help. [Dave asserts that this isn't the role of an immune system].

Q-???:
Informed heterogeneity is the way to go, not forced. Hackers are blamed for the problems, not the vendors that produced the flawed software. In a culture where it's assumed that someone else will fix it, where does the buck stop? How can we fix this?

A-S: Vendors have to reduce the number of vulnerabilities. The security push for Windows Server 2003 came after it was coded [damn, that was smart --chd], so it was admittedly too late to be really effective. Still, we have to keep at it. The need for backwards compatibility prevents them from being able to do a clean slate rework of that which is known to be broken. If we've dug a hole that's so deep we have to start over, then how do we deal with that?

A-D: Regulatory compliance is the biggest motivator of change here, unfortunately. When compliance is proposed, how does industry respond? Poorly. The recent Sarbanes-Oxley act was all issues for IT personnel to address, and aside from this audience, no one cares about the issues it raised.

A-S: Microsoft's complaint with the recent national security policy was that it didn't go far enough. Security is a cost center, not a business enabler. The fact that it's a necessary cost is driving some change here.

A-D: ffffff

Q-???:
Monoculture by choice isn't so bad, but monoculture by de facto market compulsion is a risk.

A-S: I like choice. It's a good thing. Beyond that, it goes to antitrust issues and I can't discuss that.

A-D: Choice has to be such that defined interfaces are simple, stable, and they work.

Q-Marcus Ranum, silly cowboy shirt:
Please comment on your targeting algorithm in going after Microsoft rather than the Intel instruction set, the browser monoculture, etc. Isn't this just another anti-MS rant?

A-D: Not at all. The data backs up his analysis.

*****

Scott -- closing remarks:

We have dug ourselves a big hole, and we need to think about security holistically. Increasing diversity will not necessarily solve our problems. We can do other things to be more secure, and we need to take those steps. Dan said that we're in a primitive state, which I agree with. The solution he wants is 50 to 100 years off, and we need to deal with today's problems today. We have to have actionable goals to make meaningful progress in order to bring a more secure environment.

Dan -- closing remarks:

Nature has without question shown that monocultures are a dying state or a last gasp. We must submit to nature's lessons. We have run all we can to stay in place. We realize now that amateur attacks obscure the actions of truly dangerous professionals. We are too interdependent to ignore these risks. "We have met the enemy and he is us."

*****

Straw poll: before the talks, the audience overwhelmingly took Dan's point of view. That only changed slightly by the end.