Wednesday, April 8, 2009

Monoculture/Heterogeneous Computing and Resource Exploitation

Using the same baseline, configuration, or technologies throughout an industry can reduce costs through ease of maintenance and deployment. It can foster information sharing as all parties involved communicate using the same formats and standards. Within cryptography, using standards and certified products allows others to gain a level of assurance regarding the trustworthiness of an algorithm or product. Reliance on the same computing platform/practices is referred to as monoculture. Despite the benefits of operating within a monoculture, there are a significant number of risks associated with it.

Looking at monocultures in information security from an evolutionary biology perspective, there are significant risks. In terms of evolutionary biology, a monoculture represents a large population which is composed of the same characters and utilizes the same strategies for survival. This represents either a lack of genetic diversity or a lack of genetic variability within the population. Genetic diversity represents the number of characters that are present within a population, while genetic variability represents the tendency of individual characters to vary from one another. Variation of characters within a population is one of the four conditions that are required for natural selection to operate (Evolution, 3rd Edition by Ridley and Evolutionary Biology, 3rd Edition by Futuyma). Without any variability in a population, it follows that when selection operates on that population it will either select against the entire population or select for the entire population. There is no intermediate state without variability. This does not mean that every selection event will cause the population to go extinct, but the potential for such an event exists.

An entire population that is dependent on the same survival strategy is vulnerable to exploitation. If an entity is capable of finding a way to exploit the strategy used, then it has found a method which is capable of exploiting the entire population. If the population of hosts can either be easily accessed by the attacker or the hosts are in frequent contact with one another, the attacker can leverage the exploit so that it spreads rapidly through the entire population before a countermeasure can be developed. As the entire population is employing the same strategy, it can take a significant period of time before the entire population is inoculated against the exploit.

Currently the 'Cavendish' banana population is at risk from the fungus Fusarium oxysporum (i.e. Panama Disease or Agent Green) due to the monoculture environment in which it is cultivated. Panama Disease had already caused the collapse of the previous 'Gros Michel' crop in the 1960s. Originally the Cavendish banana population was resistant to Panama Disease, but in 1993 a new strain (referred to as Tropical Race 4) emerged and has since contributed to the collapse of the Cavendish population of bananas in Southeast Asia. This is not the only case of a monoculture impacting a food crop. Before the banana monoculture, there was a potato monoculture in Ireland. In the early 1800s, Ireland was dependent on the potato crop to feed its population. The potatoes were essentially clones of one another, and eventually the mold Phytophthora infestans exploited and destroyed a majority of the 1845 potato crop, and one and a half million people died from starvation.

Currently there exists a monoculture environment within computing associated with the Microsoft Windows operating system, the dominant operating system in the market. A majority of the attacks on the Internet have focused on this operating system, as there is an abundant population which can be exploited.

The alternative to monoculture in information technology is a heterogeneous computing environment in which different operating systems and applications are in use. The result is a diversified environment in which a single strategy is incapable of compromising the entire environment by exploiting the operating system or applications. Monocultures within information technology are not limited to the operating system. The heterogeneous computing environment associated with cell phones and mobile devices is seen as providing protection from malicious software, despite there being 3x the number of mobile Internet-capable devices connected to the Internet as compared to computers.

The risks associated with a monoculture are present at all levels of computing where the same resources and standards are used. Monocultures can exist at other levels such as network architectures, office automation applications, email services/clients, web browsers, application/web servers, web application frameworks, and databases. In addition to the possible application-level monocultures, hardware and standard/protocol-level monocultures exist. Common protocol monocultures found in networking and the Internet include IP, TCP, HTTP and DNS.

At BlackHat USA 2008, a DNS flaw which had been discovered earlier in the year was released to the general community. This flaw took advantage of a weakness in the DNS standard itself, and since most implementations followed all of the recommendations in the standard, they were vulnerable to exploitation through this flaw.

Although web applications can differ in their implementation, their reliance on the same back-end database technology (together with a lack of input validation) allowed a large number of sites to be compromised by a SQL injection worm. The worm targeted websites which used Microsoft SQL Server as their database.

Monocultures pose a risk to information systems when they exist at any level. A system may have different web browsers deployed in its environment, but if the browsers are all running on the same operating system, exploits can target the operating system and bypass the heterogeneous browser level. As far back as 2004, there have been vulnerabilities announced which can successfully attack the underlying operating system even if different web browsers are interpreting the data.
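To make the layered-monoculture point of the last two paragraphs concrete, here is an added example (not code from the original post) that takes a constructed asset inventory and computes, per layer, the largest share of the fleet a single flaw in one component could reach; the host names and products are constructed sample data, and the fleet's worst case is simply its weakest layer.

```python
from collections import Counter
from fractions import Fraction

# Constructed inventory: browser layer is diverse, OS and DB layers are not.
HOSTS = {
    "ws01": {"os": "windows", "browser": "ie", "db": "mssql"},
    "ws02": {"os": "windows", "browser": "firefox", "db": "mssql"},
    "ws03": {"os": "windows", "browser": "opera", "db": "mssql"},
    "ws04": {"os": "windows", "browser": "firefox", "db": "mssql"},
}

# Constructed contrast: the same hosts, but diversified at every layer.
DIVERSE_HOSTS = {
    "ws01": {"os": "windows", "browser": "ie", "db": "mssql"},
    "ws02": {"os": "windows", "browser": "firefox", "db": "mssql"},
    "ws03": {"os": "linux", "browser": "opera", "db": "postgres"},
    "ws04": {"os": "macos", "browser": "firefox", "db": "mysql"},
}

def exposure(hosts, layer, product):
    """Fraction of hosts running `product` at `layer`, i.e. the reach of a
    single exploit that targets only that component."""
    hit = sum(1 for stack in hosts.values() if stack.get(layer) == product)
    return Fraction(hit, len(hosts))

def worst_case_by_layer(hosts):
    """For each layer, the most common product and the share of the fleet a
    flaw in it could reach. A share of 1 marks a monoculture at that layer."""
    result = {}
    layers = {layer for stack in hosts.values() for layer in stack}
    for layer in sorted(layers):
        counts = Counter(stack.get(layer) for stack in hosts.values())
        product, hit = counts.most_common(1)[0]
        result[layer] = (product, Fraction(hit, len(hosts)))
    return result

def fleet_worst_case(hosts):
    """The weakest layer decides: a diverse browser layer does not help when
    every browser runs on the same OS, since an OS-level flaw reaches all."""
    return max(share for _, share in worst_case_by_layer(hosts).values())

if __name__ == "__main__":
    for name, fleet in (("monoculture", HOSTS), ("diverse", DIVERSE_HOSTS)):
        for layer, (product, share) in worst_case_by_layer(fleet).items():
            print(f"{name:12s} {layer:8s} {product:8s} {float(share):.0%}")
        print(f"{name:12s} worst case: {float(fleet_worst_case(fleet)):.0%}")
```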

Applying evolutionary biology to information security with respect to monocultures, it can be seen that relying on a monoculture environment can be dangerous. Monoculture environments have little of the genetic variability that allows a population to survive selection events, and they are vulnerable to invasion by diseases which can devastate the entire population. The implementation of a heterogeneous computing environment gives an information system more resistance and increases the likelihood of surviving an attack, since a single attack is not capable of exploiting an architectural or implementation flaw that is present across the entire population.