November 27, 2020

Monoculture Debate: Geer vs. Charney

Yesterday the USENIX Conference featured a debate between Dan Geer and Scott Charney about whether operating-system monoculture is a threat to computer security. (Dan Geer is a prominent security expert who co-wrote last year’s CCIA report on the monoculture program, and was famously fired by @Stake for doing so. Scott Charney was previously a cybercrime prosecutor, and is now Microsoft’s Chief Security Strategist.)

Geer went first, making his case for the dangers of monoculture. He relied heavily on an analogy to biology, arguing that just as genetic diversity helps a population resist predators and epidemics, diversity in operating systems would help the population of computers resist security attacks. The bio metaphor has some power, but I thought Geer relied on it too heavily, and that he would have been better off talking more about computers.

Charney went second, and he made two main arguments. First, he said that we already have more diversity than most people think, even within the world of Windows. Second, he said that the remedy that Geer suggests – adding a modest level of additional diversity, say adopting two major PC operating systems with a 50/50 market share split – would do little good. The bad guys would just learn how to carry out cross-platform attacks; or perhaps they wouldn’t even bother with that, since an attack can take the whole network offline without penetrating a large fraction of machines. (For example, the Slammer attack caused great dislocation despite affecting less than 0.2% of machines on the net.) The bottom line, Charney said, is that increasing diversity would be very expensive but would provide little benefit.

A Q&A session followed, in which the principals clarified their positions but no major points were scored. Closing statements recapped the main arguments.

The moderator, Avi Rubin, polled the audience both before and after the debate, asking how many people agreed with each party’s position. For this purpose, Avi asked both Geer and Charney to state their positions in a single sentence. Geer’s position was that monoculture is a danger to security. Charney’s position was that the remedy suggested by Geer and his allies would do little if anything to make us more secure.

Pre-debate, most people raised their hands to agree with Geer, and only a few hands went up for Charney. Post-debate, Geer got fewer hands than before and Charney got more; but Geer still had a very clear majority.

I would attribute the shift in views to two factors. First, though Geer is very eloquent for a computer scientist, Charney, as an ex-prosecutor, is more skilled at this kind of formalized debate. Second, the audience was more familiar with Geer’s arguments beforehand, while some may have been hearing Charney’s arguments for the first time; so Charney’s arguments had more impact.

Although I learned some things from the debate, my overall position didn’t change. I raised my hand for both propositions, both pre- and post-debate. Geer is right that monoculture raises security dangers. Charney is also right that the critics of monoculture don’t offer compelling remedies.

This is not to say that the current level of concentration in the OS market is optimal from a security standpoint. There is no doubt that we would be more secure if our systems were more diverse. The most important step toward diversity would be to ensure true competition in software markets. Consumers have an incentive to switch to less-prevalent technologies in order to avoid being attacked. (See, e.g., Paul Boutin’s endorsement in Slate of the Mozilla Firefox browser.) In a properly functioning market, I suspect that the diversity problem would take care of itself.

(See also my previous discussion of the monoculture issue.)

Comments

  1. Let’s suppose we got to a place where the market was 1/3 Microsoft, 1/3 Macintosh, and 1/3 Linux. Now suppose a worm is developed which only attacks one of these three operating systems, but is devastatingly effective and captures virtually 100% of those systems, using them as a basis to DDOS the entire Internet.

    As you point out, current attacks have been extremely disruptive even with a tiny percentage of machines. With these kinds of attacks, you don’t need to take down 100% of the machines to take down the net. You only need a few percent. Beyond that point, it doesn’t make any real difference in either how fast the worm spreads or how effective it is.

    It seems to me that in the situation above, we are actually three times more vulnerable than we are today, because now a flaw in any one of the three architectures is enough to bring the net to its knees. It will be three times easier for attackers to find such a hole if they can succeed with any of three different OSs.

    Now, you might say that we would be better off, because at least we could still use 2/3 of the machines. But use them for what? Without effective internet connectivity, more and more our computers will be useless. Looking 10 or 20 years down the road we are going to be dependent on network connections for all but the most basic activities.

    What we really need to do is to work on improving the security of the operating systems that have the highest degree of popularity, which is exactly what is happening, with the upcoming SP2 release of Windows XP. Doing this will do far more to improve security than moving towards a situation where we are vulnerable to flaws in a much larger number of designs.

  2. Cypherpunk,

    Your argument is essentially an improved version of an argument that Scott Charney used. Your argument shows, I think, that a modest level of diversity might make us more vulnerable to DDoS attacks (whether the attacks are deliberate or are side-effects of the spread of an attack). It would probably make us a bit less vulnerable to attacks that try, e.g., to wipe machines’ hard disks.

    You’re right that all of this looks like a second-order effect. The biggest problem is that none of the OS contenders has anywhere near the level of security we really want.

  3. I also was there. Afterwards, I realized that fire is a more useful analogy than infection. There are biological analogs, e.g. the relationship between biodiversity and fire ecology; manufacturing analogs, e.g. more or less flammable products; and maintenance and use analogs, e.g. firebreaks and firewalls.

    You can consider a relative flammability rating for OS’s (e.g. Linux might be flammability 3, MS Windows 3.11 flammability 10). You can teach that add-ons and modifications affect flammability. You can teach the proper use and limitations of things like firewalls and firebreaks. The Internet connections stretch the analogy, but it is a kind of flammable connection between locations.

    The analogy breaks down in that there are many kinds of security strengths and flaws, not the simpler temperature and chemical relationships that control the spread of fire. But the infection analogy is flawed in other ways.

    It may also help more with the general public and legal understanding. Product flammability and its proper management is far more widely understood than infection or security management. People can understand the simplification that Windows is highly flammable and Microsoft is making changes to reduce its flammability. It is a reasonably accurate initial framework from which security related differences can then be explained. It also gets across the concept that security is a continuum, just like flammability, and that security has potentially significant tradeoffs. After all, most people accept a degree of flammability in their life and do not live in a home made only of metal and stone. Instead you manage flammability.

  4. A better response to Charney’s argument may be as follows:

    1) Although the large number of potential combinations of Windows versions and patches may appear to provide diversity, the Windows security model does not evolve rapidly. Its slow evolution is the primary contributor to the Microsoft platform’s vulnerability to attacks. And Microsoft’s business interests currently compel them to minimize changes to the security model of their operating systems.

    2) For reason (1) above, what a break in monoculture offers is competition between security models. When security researchers focus on raw “bug counts”, they are measuring the wrong thing. They should be measuring effectiveness at preventing classes of vulnerabilities.

    3) If one continues to evaluate the effectiveness of security efforts in terms of raw bug count, it is quite possible that Charney’s second point is right. However, Charney’s second argument completely breaks down if one believes that thriving competition between security models might result in more effective security innovation due to the competition. Since I believe in this principle, I think Charney’s statements are marketing spew.

  5. The monoculture argument is an extremely interesting thought exercise and an extremely simplistic scenario in reality, where there are many security options available and in use today that could limit the effect of any attack. (For example, I believe it was Andy Ellis of Akamai at Usenix Security ’03 who said that on average there are something like 12 hops between any two points on the Internet – 12 places to control/restrict/filter traffic). Considering that any attack is immediately translated into packets, slicing, dicing, and ginsu-ing the network provides ample opportunities for security, with assists from quarantining, firewalls, IDS/IPS, etc…

    Re: Quarantining – Howard Schmidt brought up the notion of “car inspections” for PCs at a recent Qualys conference – a great idea in my opinion – one that doesn’t smack of class warfare like the Internet “driver’s license”. Just think, it could be regulated in real-time by the ISPs – got a junker/compromised PC, can’t get on the ‘Net.

    The paper itself was a bit topsy-turvy anyway – consider that it made the argument that at some point patching makes software less secure, yet as a remedy Microsoft should make its source code readily available to external sources. Either contradictory or… interested in putting MS out of business.

    Btw, through all of this, I think the underlying notion of “security” is interesting – I think “availability of the Internet” is a reasonable interpretation. As surely as diversity would make the Internet more secure/available (which I will stipulate but not yet concede) we make the success of individual attacks much more likely (lesser-skilled programmers, more lines of code, more components, more bugs // same number of hackers/code reviewers, fewer worms, more targeted attacks). I am generally more concerned about individual, targeted attacks against my high-value resources than I am the worldwide rash of Code Red.

    Back to monoculture – I believe there are something like 90 million unique IPs on the ‘Net on average, with a total population of 600 million or so possible “users”. Does anyone know how many naked Windows systems there are on the ‘Net at any given time? or over time? I would love to know that number, which would be a much clearer indicator of whether the ‘Net could possibly be taken down by them. Even more interesting may be how many nodes Cisco routers manage on the ‘Net – a much more concerning scenario in my opinion given that they are more likely to be dispersed throughout the cloud rather than at the (more easily controllable) edge.

    More on monoculture (from 11/03 column in Information Security Magazine):
    http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss205_art449,00.html

    All this said, Microsoft software is still a problem to individual enterprises (even though MS gave us exactly what we wanted but it wasn’t what we needed). My solution to poor coding: Software Security Data Sheets for all developers that identify all services, APIs, shared libraries, resources used, security configurations, etc. (what else should be here?) that 1) identify how a software application interacts in its environment; and 2) provide a ‘policy’ in system format that could be imported into a host-IPS solution (or whatever) and enforced immediately. Every developer should be able to define how his/her system interacts with its environment (shouldn’t they?). Certainly, there are third party tools available to tell you most of this stuff…

  6. Dan Geer says:

    Thank you, Ed, for writing this up.

    On the chance it is useful to other readers who might not have been present, you can pick up my delivery texts verbatim at these addresses

    http://www.std.com/~geer/geer.debate.open.30vi04.txt
    http://www.std.com/~geer/geer.debate.close.30vi04.txt

    I might note that this was not a debate in the proper sense — Mr. Charney and I were not permitted to cross-examine each other as any formal debate would have required. In addition, the question was narrow and explicit:

    [ Is an Operating System Monoculture a Threat to Security? ]

    Mr. Charney’s main thrust was effectively to stipulate that it was a danger, thus to convert the question to whether I offered an alternative. Had we been able to cross-examine, I would have pursued this, of course. I am glad for Mr. Charney’s stipulation as the Resolve appears thus confirmed.

    What those who attended would have heard were some responses about actual first research results in this area of introducing an artificial diversity, e.g., from Forrest’s group at U New Mexico (per-machine randomization of instruction sets, damping DOS through bandwidth throttling, etc.). If this blog is the place to have an extended and extensive discussion of this entire area, I am willing and able.

    –dan

  7. Cassandra says:

    One theory of why life forms evolved sexual reproduction was to increase disease resistance, to keep the genes mixed up, so all members of a species would not be killed by the same disease or parasite at the same time.

    The monoculture problem is not entirely separable from the unregulated monopoly that produces it, but owing to blanket warranty disclaimers, MS has little or no motivation to actually serve its customers, since they conquered you by force and own you lock stock & barrel. Oh, you’re dying of diseases? Pity.

    No way is DDOS equivalent to having my hard drive wiped! All risks and costs must be broken out. Disinfecting machines, user down time, restoring from stale backups, patching, firewalls, subscriptions to anti-virus programs (that don’t find trojans, spyware, or ADS malware). Where’s the risk analysis? Without a taxonomy of all risks and costs, and how monoculture and its remedies impact them, the ‘debate’ will remain vapid.

    I would not be surprised to wake up and read that 60% of all PCs had their HD’s overwritten, causing say $500+ billion in damage. We corporate captives, held in chains by MS, who are at risk of being wiped out by these many plagues and diseases, must foreswear allegiance to false gods, and put faith in whatever model will produce the most security evolution and diversity the fastest.

    Right now we’re a bunch of sitting ducks, like Dodo Birds, who will become extinct as soon as some hacker takes off the gloves and unleashes a true doomsday worm (or a family of them). Don’t you find it amazing that that hasn’t already happened?