[28731] in bugtraq


Re: To diversify and survive: the application of population biology

daemon@ATHENA.MIT.EDU (Crispin Cowan)
Mon Feb 3 17:37:05 2003

Message-ID: <3E3EE3EF.7060101@wirex.com>
Date: Mon, 03 Feb 2003 13:49:35 -0800
From: Crispin Cowan <crispin@wirex.com>
MIME-Version: 1.0
To: Peter Huang <yinrong@rogers.com>

Peter Huang wrote:

>Abstract:
>On January 25, 2003, the SQL Slammer worm (w2.SQLSlammer.worm), also known 
>as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern 
>(Kaspersky), fully exploited known vulnerabilities in Microsoft SQL 2000 
>servers and caused a tremendous network jam around the world. In this 
>article, the concept of population biology is proposed to apply to 
>computer programming. The concept is to diversify the same software 
>functionality with a population of executables to avoid being eliminated 
>or exploited by a virus or worm like SQL Slammer.
>
Read this paper to see the relative strengths and weaknesses of the 
biodiversity defense:

    "The Cracker Patch Choice: An Analysis of Post Hoc Security
    Techniques".  Crispin Cowan, Heather Hinton, Calton Pu, and Jonathan
    Walpole.  Presented at the National Information Systems Security
    Conference (NISSC) <http://csrc.nist.gov/nissc/>, Baltimore MD,
    October 16-19 2000. PDF <http://wirex.com/%7Ecrispin/crackerpatch.pdf>.

The concept of biodiversity goes back many years. The first computer 
biodiversity paper I am familiar with is this, but there are undoubtedly 
earlier examples:

    "Self-Nonself Discrimination in a Computer".  Stephanie Forrest and
    Alan S. Perelson.  Proceedings of the 1994 IEEE Symposium on Research
    in Security and Privacy.
    http://citeseer.nj.nec.com/forrest94selfnonself.html

The biodiversity defense relies heavily on analogies to proper biology. 
My counter-analogy is that yes, biodiversity works as a defense in 
nature, but not anywhere near as well as skin does. Organisms have skin, 
cells have membranes, and these organs do most of the work of keeping 
pathogens out of the organism. Computer systems (even with firewalls) 
have really crappy skin, if they have any at all. Investing in better 
skin will return greater results than biodiversity for a long time to come.

But the trouble with analogies is that analogies are like goldfish: 
sometimes they have nothing to do with the topic at hand :-) So without 
resorting to analogies, the concrete argument against the biodiversity 
defense is that biodiversity induces incompatibility. For it to be an 
effective defense, the biodiversity has to impose *more* incompatibility 
on the attacker than it does on the defender. This is problematic, 
because while you know what artifacts the defender depends on, you do 
*not* know what artifacts the attacker is depending on, so you have to 
change every artifact you can think of that does not inconvenience the 
defender, and hope that works. Meanwhile, defenders are already feeling 
the pain of diversity (heterogeneous systems) and are rushing to 
*homogenize* their systems as much as possible, because the expense of 
biodiversity exceeds the benefits.

Not to say that biodiversity won't work, just that it is more expensive 
than you might like. On the other hand, very often for a given 
biodiversity technique (varying some artifact) there is an associated 
"restrictive" technique (controlling access to that same artifact) that 
will be more cost effective. So go ahead and explore biodiversity 
techniques, but don't forget to look around for associated restrictive 
techniques that might work better.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"


