Why does my computer get viruses and why are all these data breaches happening? I have been thinking about that too, and then I remembered an old idea called software diversity.
Software diversity is the idea, as in biodiversity, that many different software titles exist to achieve the same objective. For example, in a diverse biome of software there would be many different word processors, operating systems, mail server programs, etc., instead of a few to choose from.
Why is that important? Computer hackers are not going to waste time trying to figure out a diverse target that they have no information on.
With a diverse software biome, the attack vector is severely disrupted. Any successful attack would need inside information about the system and would have to be targeted. The shotgun approach would no longer be valid, and that would drive up the expense so much that the hackers would move on to something else instead of your computer.
The moral of the story:
If you want to protect your computer from viruses, use an operating system that many people do not use. Use mail services that are smaller in size. Use on-prem software that is not mainstream, and support the vendor to keep them in business. Keep the software as varied as possible.
I have a humorous, short analogy that talks about Software Diversity.
Definitions for short analogy:
Tomatoes: Homogeneous software. The same software installed on millions and millions of computers around the world.
Slime Mold: The bad guy, a would-be evil computer hacker looking to make your computing life miserable by using viruses and zero-day exploits on your computer system, because they can.
Biological Controls: Firewalls and antivirus
Analogy:
So, let’s say the human race only existed on tomato plants, roots and all. We love tomatoes.
We write letters with them, build houses, run our cars, manufacture, and make electricity all with tomatoes. Our very existence is based on the tomato.
However, a slime mold has evolved to like tomatoes as well. The whole crop of tomatoes has been devoured, leaving nothing for us humans but a slimy, stinky mess. The sweet aroma of tomatoes ripening out in the field is gone.
We have tried using biological controls for decades. It's insanity: we keep doing the same thing over and over again expecting a different result, but the slime mold keeps eating our tomatoes because all the tomato plants are the same. The slime mold keeps adapting to our biological controls.
Now, if we were more diverse and liked to eat things other than tomatoes, the slime mold in my analogy might never have evolved and devastated humanity as we know it. However, because there were so many tomatoes, the slime mold was probably a future inevitability that could not have been foreseen when we made the decision to eat tomatoes and only tomatoes.
Young Admin:
When I was a young admin, I used to think that using whatever is in the operating system is a must, because when you do that, it cuts down on issues with software conflicts and crashing systems. The goal was to be as homogeneous as possible.
But over the years, I have come to see that having homogeneous software is a bad thing, just like the human race only eating tomatoes.
The hacks that are happening:
- Crypto-ware infections
- Corporate applications servers
- Network management software
It is not the fault of the admins who secure the systems. They are engaged in asymmetrical warfare, and the real blame belongs to the inception of the design process, where everything must be the same, and to the economic forces pushing toward a Darwinian lack of software diversity. When there are millions of copies of a software title distributed worldwide, all built the same, hackers have the advantage.
They can pick apart a copy of the software title and spend weeks or months looking at a copy that is relatively the same from desktop to desktop, at their leisure.
What do we do?
This is really an academic discussion. Things are the way they are for a reason; however, the issue of Software Diversity is very real, and it must change.
The network defense layers are not working. If they were, you would not see billions of dollars in losses every year. The network admins have been on the losing end of the battle since the day they took the job of protecting the data and the network.
It made sense to make everything the same for interoperability purposes, so that developers could create software to go with the hardware. However, we now have the unintended byproduct of billions of dollars in losses, due to market forces and software uniformity.
Maybe we don’t need many software titles to choose from? Maybe diversity is within the software itself? If manufacturers produce a thousand different code variants within software titles, the permutations of installs alone will produce the software diversity we need to make the attack process so complex the hackers give up.
When the manufacturer puts out an update, it’s like a fractal: the diversity grows, becomes more complicated, and becomes more difficult to hack. The consumer does not care what the code looks like as long as the title works like it should.
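The effect of per-install code variants described above can be measured on a toy model. This is an added example, not code from the original post; the routine names, sizes, seeds and the shuffle-plus-padding scheme are assumptions chosen for illustration.

```python
import random

# Constructed toy "title": routine names and sizes in bytes (hypothetical, not real software).
ROUTINES = {"parse_header": 96, "check_auth": 64, "render": 160,
            "save_file": 128, "send_mail": 80}

def build_variant(seed, diversify=True):
    """Lay out the same routines for one install; returns {routine: offset}."""
    rng = random.Random(seed)            # per-install seed picked at build time (assumption)
    names = list(ROUTINES)
    if diversify:
        rng.shuffle(names)               # routine order differs from build to build
    layout, offset = {}, 0
    for name in names:
        if diversify:
            offset += 16 * rng.randrange(8)   # 0 to 112 bytes of padding before each routine
        layout[name] = offset
        offset += ROUTINES[name]
    return layout

def carry_over(studied_seed, install_seeds, routine, diversify):
    """Fraction of installs where `routine` sits at the offset seen in the one studied copy."""
    known = build_variant(studied_seed, diversify)[routine]
    hits = sum(build_variant(s, diversify)[routine] == known for s in install_seeds)
    return hits / len(install_seeds)

def distinct_layouts(install_seeds, diversify):
    """Number of different layouts present across the install base."""
    return len({tuple(sorted(build_variant(s, diversify).items()))
                for s in install_seeds})

INSTALLS = range(1, 1001)                # constructed install base of 1,000 machines

if __name__ == "__main__":
    for mode in (False, True):
        print("diversified" if mode else "uniform",
              distinct_layouts(INSTALLS, mode),
              carry_over(0, INSTALLS, "check_auth", mode))
```

In the uniform build every install matches the studied copy, while in the diversified build only a small fraction do, even though each install still ships the same five routines.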
I had programming courses in graduate school, and what struck me was that everyone had their own, different version of code that worked and carried out the intended assignment.
Why can’t we implement an AI that will produce different code for this handful of titles and produce our software diversity this way? If we can send robotic probes out of the solar system, we can figure this out.
The key to getting the attacks on the global computer systems to stop is to make them so expensive to execute that the hackers apply their skill set to more useful endeavors, and the way we get them to do that is through software diversity.
Because software hacks are so inexpensive to produce, due to the lack of diversity, creating software variations makes it more expensive to footprint a variable target.
So, if economics has a lot to do with the situation, let’s use the same market forces against the hackers. Use AI against them to create software diversity by creating many code variants within a software title.
Reference: https://ieeexplore.ieee.org/document/6956570