'Cyberdiversity' may defeat cyberattacks

NEW YORK, Nov. 26 (UPI) -- Scientists are mimicking the diversity found in Mother Nature in experiments to see if an approach called cyberdiversity can help computer systems fend off malicious attacks by viruses and Internet worms.

In nature, diseases are most devastating when infections encounter monocultures, or swaths of genetically similar individuals, each bearing the same vulnerability to a germ's method of attack. Computer viruses exploit the same flaw on each computer running identical software. Hackers take advantage of standard flaws on many computer software packages via malicious programs called worms, which travel the Internet. One such worm was Code Red, which infected more than 350,000 systems in just 13 hours by exploiting a single, common vulnerability.

Researchers at Carnegie Mellon University in Pittsburgh and the University of New Mexico in Albuquerque -- funded by the National Science Foundation -- are exploring the concept of diversity to help computers resist such infections.

"Instead of having identical releases from a vendor of a commonly used software system, you could have 100 different varieties that function the same, so you wouldn't really know or care which one you had," Carl Landwehr, the NSF officer overseeing the research, told United Press International.

"But if anything attacks the software, it could only affect one version, so an attack would affect only 1 percent of the systems instead of 100 percent," Landwehr said. "I think this work has the promise of finding techniques effective in this respect."

At Carnegie Mellon, "we are looking at computers the way a physician would look at genetically related patients, each susceptible to the same disorder," said CMU researcher Mike Reiter. In a more diverse population, he explained, one member may fall victim to a pathogen or disorder, while another might not have the same vulnerability.

"Adapting this idea in biology in computers may not make an individual computer more resilient to attack, but it aims to make the whole population of computers more resilient in aggregate," said Dawn Song, also at CMU.

One approach -- no doubt controversial -- would be to increase diversity by discouraging the commercial domination of any one technology, such as Microsoft Windows software or Intel hardware. Sun Microsystems, the technology giant in Palo Alto, Calif., has been warning against such monopolies, saying they pose a severe threat to the global economy and to data security.

"Internet Explorer Web browser now accounts for nearly 90 percent of the browser market," the company stated in a recent position paper. "This does not include the similar near-ubiquity of the Windows operating system and Office suite of productivity software, all of which directly connect to the Internet. This means that over 90 percent of computers connected to the Internet share a common exposure to cyber terrorist attacks."

The Sun paper added: "Just as genetic diversity helps protect the human race from being wiped out by a single communicable disease, software diversity all but eliminates the possibility of a single malicious virus affecting all of the world's business, personal and network computers."

The problem with such diversity, Reiter and colleagues noted, is it is expensive to run different operating systems on computers with different designs.

"All facets of system development are multiplied, because each separate unit now has its own design, implementation and testing costs. Also, coordinating diverse components is more difficult," they said in a paper submitted to the Pentagon's Defense Advanced Research Projects Agency.

Earlier approaches toward diversity in software tried developing different versions of the same software by independent teams. The idea was each version would naturally have different sets of vulnerabilities. However, such a manual approach also is costly and laborious.

Instead, the researchers want to develop automated methods that engineer diversity into software.

"Our automated approach has the potential to be more economical," said researcher Stephanie Forrest of New Mexico.

Programs operate on both the interface level and below the interface.

"You can make an analogy with people. Our interfaces are pretty much the same -- ears for speaking, eyes for speaking, and if we're in the same country, chances are we speak the same language," said computer scientist Fred Schneider, director of the Information Assurance Institute at Cornell University in Ithaca, N.Y.

"The interface needs to stay fixed for a program to work in any cooperative fashion," Schneider continued. "What the researchers here propose is diversity below the level of the interface. That kind of diversity we can create automatically. We know various ways of creating equivalent sequences of instructions or equivalent layouts of memory."

The attacks commonly seen today, such as buffer overflows or format string attacks, do not exploit vulnerabilities on the interface level. "All of these attacks are very sensitive to how memory and code are laid out," Schneider explained. Rearranging a program's layout would maintain the same functions while helping to resist mass attacks.

Landwehr said this project hopes to see if automated diversity is feasible. For instance, if there are 100 different version of a software system out there, disseminating software patches to correct any bugs or vulnerabilities could prove challenging.

"This is a very capable team," Landwehr added. "If anybody can identify a way to make it work, I think they have a great chance of doing that."

"I think it's a very promising approach," Schneider, who is not involved in this project, told UPI. "Unless we create diversity, we will see viruses able to compromise significant parts of our networks."

--

Charles Choi covers research for UPI Science News. E-mail sciencemail@upi.com