[ nominal delivery draft, 15:30 Friday 30 June 2004 ]
[ Dan Geer, affirmative, v Scott Charney, negative ]

Q: Is an Operating System Monoculture a Threat to Security?

A computing monoculture is a danger, a security danger, a national security danger. It is a danger on principle. It is a danger in practice. It is avoidable and mitigable, but it is neither cheap nor easy to do so if you have to begin from where we are today.

I have but minutes to be clear, so I invoke Alexander Pope:

    Men must be taught as if you taught them not;
    And things unknown proposed as things forgot.

In other words, I must make analogy between what you know and what you did not know you already knew. My opponent will do the same -- he is a lawyer and the practice of law is likewise the search for analogies.

Computing systems in the large trend towards the same phenomenologic rulespace as biologic systems in the large. We recognize this in our language, e.g., the very word "virus"; we recognize it in our strategies, e.g., the application firewall as a semi-permeable membrane; and we recognize it in our command structures, e.g., the idea that some content is toxic and must be subject to filtration.

The more we know about the natural world, the more impressive it is. The natural world is the sum of the planet's history. When you talk to a geneticist, when you talk to a bacteriologist, what they will tell you is that they read the genome of this or that species as an historical document. The genome tells you what you have but it also tells you how you got to where you are. It tells you strategies proven correct by the crucible of competition. You discover that gene encoding is not efficient because molecules are cheap while editing is expensive, just as in our world of computing it is cheaper to keep everything than to do selective data deletion.
The whole of an organism's history is there and, which is more, that history is compressed -- and I needn't remind any of you how hard it is to compress time. By a different analogy to our world, backward compatibility is how we drag history along with us and it shows: 80% of the labor cost of deploying a new version of Windows is in ensuring backward compatibility.

There is an infrastructure in biology just like there is an infrastructure in the doubtless primitive computing of mid-2004. For example, the basic metabolism of the citric acid cycle is common to all life as we know it. This leads to a deep question: Is that cycle the only one that works, is it so cumbersome to invent such a cycle that evolution will produce at most one within the habitability lifetime of this planet, or are there several, all of which save this one were tried and found wanting? That cycle is encoded by the "minimum gene set," the essential instructions that get an infrastructure to run. Those genes are the most protected we have. I won't analogize computing truths from that except to say that working infrastructures are likely to be boiled down to their essence; they will have no unneeded interconnections and nothing about their replication or defense will be sloppy. No life competes at this level.

The bacteriologist Trudy Wassenaar shared with me a number of truths; first, immunity is expensive. The greater the fraction of the organism's function that is given over to self-protection from contagion, the more that organism will have to find other survival strategies to pay for that immunity. At the same time, the more advanced the organism, the more it needs immunity both to survive and to replicate, because the bigger or longer-lived it is the more it is a target for the evolutionary survival needs of its enemies. The analogy with computing is clear; the bigger and juicier you are, the more predators you will attract.
Unless, of course, you live on an isolated island; in an island ecosystem, it is size, not immunity, that matters.

Nota bene, the over-arching purpose of any immune response is to localize infection. This is even more important when similarly disposed individuals live in close quarters, where transmission of pathogens is prompt and casual. The location-free characteristic of the Internet makes casual transmission of pathogens the norm, as you are in close quarters with every other species and organism. Thus, as we stand here today and as a matter of immune response in the large, it is far more important for an enterprise's security plan to focus on egress filtering than ingress.

At the same time, immunity has risks of its own. Auto-immune diseases are a danger to anyone with an immune system. The rise in the incidence in rich countries of such diseases as asthma is widely viewed to be correlated with the antiseptic lifestyle that interferes with "priming," early childhood's training of the immune system through exposure to both self and not-self. By analogy, the avalanche of spam overwhelms our computing immune systems with rising false-positive rates, thus denying transit to legitimate email. As recent proposals from my opponent's firm amply demonstrate, spam is now engendering a significant auto-immune pathology: spam will extinct anonymous speech far more effectively than any government diktat ever could.

In the world of infectious diseases, virulence is appreciated not so much as a measure of danger to the host but as a calibration, an adaptive reaction on the part of the infecting organism. If your body has a strong immune reaction to a given pathogen then, to survive, that pathogen must make you cough and sneeze and run, as it must get to another host before it dies in you.
The analogy with our world is clear: Slammer is a nuisance because it spreads quickly, thus outrunning our immune response, but what we have more to fear is the slow-scan infection that can afford to be symptomless as it is unmolested by our immune system.

Some pathogens are opportunistic. Pneumonias often appear in those already in an immunocompromised state, Pneumocystis being the best publicized example. Ever since NIMDA, viri have had multiple transmission vectors and always include the back door entry points of other worms and viri already in circulation. With the Witty worm, we even have a direct attack on the immune system of a creative and self-selected subset of the user community, which needs no explanation as to analogy. Though it is not at issue here, the spread of certain kinds of infection inside Microsoft itself is nothing so much as the analogic equivalent of the rapid spread of nosocomial infection in a hospital and, as with a hospital, lockdown quarantine for a time is the only real countermeasure.

In the world of epidemiology, which is the study of the spread of disease, there are concepts that so clearly apply to us in our world that they need enumeration more than explanation. The first of these is summed up in the term "herd immunity," which is simply that if the herd is immune above some threshold percentage then no member of the herd is at risk even though some susceptible individuals will remain. Public health practitioners endeavor to determine a number, the Epidemic Prevention Potential, against which they grade vaccination programs.

We have a direct example of this; Qualys on the west coast provides scanning services. Their finding is intriguing: Patching -- our analogy to immunization -- follows a half-life decay curve, which is to say that for each succeeding half-life interval half of the then-unpatched systems will be patched. A half-life curve means that for constant effort you never finish.
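As an added illustration that is not part of Geer's text, here is a small Python model of the half-life patching observation set against a shrinking vulnerability-to-exploit interval: it reports how much of the population is still exposed on the day the exploit appears, whether a herd-immunity threshold was reached in time, and how short the half-life would have to be to make it. The half-life, threshold and exploit-delay values are constructed assumptions, not measurements from the speech.

```python
"""Half-life patch adoption versus a shrinking exploit window.

Constructed model for illustration; the half-life, threshold and
exploit-delay values below are assumptions, not measurements.
"""
import math


def unpatched_fraction(t_days: float, half_life_days: float) -> float:
    """Fraction of hosts still unpatched t days after the advisory.

    Each half-life, half of the then-unpatched hosts get patched,
    so the unpatched share decays as 0.5 ** (t / half_life).
    """
    if t_days < 0 or half_life_days <= 0:
        raise ValueError("time must be >= 0 and half-life > 0")
    return 0.5 ** (t_days / half_life_days)


def days_to_patched_share(target: float, half_life_days: float) -> float:
    """Days until the patched share reaches `target` (0 <= target < 1).

    Solving 1 - 0.5 ** (t / h) = target gives t = h * log2(1 / (1 - target)).
    A target of 1.0 is unreachable: with constant effort you never finish.
    """
    if not 0.0 <= target < 1.0:
        raise ValueError("a patched share of 100% is never reached")
    return half_life_days * math.log2(1.0 / (1.0 - target))


def half_life_needed(target: float, exploit_delay_days: float) -> float:
    """Longest patch half-life that still reaches `target` before the exploit."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return exploit_delay_days / math.log2(1.0 / (1.0 - target))


def herd_status(threshold: float, exploit_delay_days: float,
                half_life_days: float) -> dict:
    """Where the population stands on the day the exploit appears."""
    exposed = unpatched_fraction(exploit_delay_days, half_life_days)
    return {
        "exploit_delay_days": exploit_delay_days,
        "exposed_share": exposed,
        "herd_immune": (1.0 - exposed) >= threshold,
        "needed_half_life_days": half_life_needed(threshold, exploit_delay_days),
    }


def scenario_table(threshold: float = 0.75, half_life_days: float = 30.0,
                   exploit_delays=(180.0, 60.0, 25.0, 2.0)) -> list:
    """Constructed scenarios: the same patch rate against a shrinking window."""
    return [herd_status(threshold, d, half_life_days) for d in exploit_delays]


if __name__ == "__main__":
    for row in scenario_table():
        print(f"exploit after {row['exploit_delay_days']:6.1f} d: "
              f"{row['exposed_share']:.1%} still exposed, "
              f"herd immune={row['herd_immune']}, "
              f"half-life needed <= {row['needed_half_life_days']:.1f} d")
```

With a 30-day half-life, the 180- and 60-day windows clear a 75% threshold while the 25- and 2-day windows leave most hosts exposed; the 2-day window would need a one-day half-life.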
At the same time, it is widely documented that the interval between announcement of a vulnerability and the appearance of the exploit in the wild is shrinking. Consequently, and just as in public health calculations, the national policy question is whether you can get enough reasonably effective influenza vaccine into enough people between your first warning and when the next novel strain appears. As children have fewer rights and share more fluids, we simply mandate their immunization. An analogy at the level of the Internet and national infrastructure is dauntingly obvious -- should ISPs, the analog of public schools, be required to demand proof of immunization before permitting client entry into their networks?

Were one to set out to design a worst case disease, it would have these characteristics: 100% effective transmission, zero delay between infection and infectiousness, long delayed symptoms, and no acquired immunity. This describes to a fault a polymorphic virus working amongst a monoculture of hosts exhibiting the same vulnerabilities.

Were one to introduce a new predator species, the prey who had never before seen it are ripe for slaughter, whether we are talking about rabbits harvesting Australian grasslands or the African Clawed Frog harvesting the ponds of Golden Gate Park. It is predators that force prey species to diversify. This describes to a fault what any computing systems planner must today do if he or she is to meet a reliability metric. That our machine rooms are more diverse than our desktops is testimony to this fact.

Prior to today and in other venues, my opponent has practiced a counter-claim that I am talking about mutation in a world of chemistry and physics, but that there is a qualitative break between the organic processes of evolution and the world of computers. His main point is that of distinguishing the sentient opponent, such as the average virus writer, from randomly re-bonding amino acid helixes.
He argues that flesh and spirit are not the same. While I agree with him that the soul is as real as the sun, he misses the point. Biologic mutation is not random despite the popular sense that it is. What we see in computer viruses is non-random mutation, called "directed" mutation, based on an intention of success. Selection based on intention is like any other selection and yields the same outcome. Questions of intentionality versus random mutation are ill-conceived. It is true that biologic mutation can be detached from selection whereas this does not seem to be so in computer virus mutation, i.e., computer virus mutation is strongly connected to selection, but when looking at evolution, it does not matter what the selection process is, only that there is one. The net effect of a sentient opponent is thus merely to compress time, which is to say to accelerate the accumulation of selected mutations in the genome. As such, the lessons of biology are perhaps more dear than we imagine.

To take the example of mutation closest to you here today, E. coli has a dual function in your gut -- digestion and occupying a niche that, if it didn't occupy, something worse would. As such, it is in your interest that E. coli not die out even if you take erythromycin or eat something bizarre. As it happens, E. coli mutates at a high rate; perhaps 1% of the total cellular load you carry are mutant. This is diversity at the individual cell level -- it is unlikely that any one insult to your gut would kill all of them, and the ones that survived would re-populate, as replication is something they do very well, though sloppily. You do not have, in other words, a monoculture despite what you may have thought, as even a single-celled animal cannot afford to be a monoculture. For E. coli, diversity is a strategic defense against unanticipatable threats, and it has millions of years of success to show for it.

Looking at nature more broadly, ecosystems that persist accumulate diversity over time.
It doesn't start out that way; diversity is a result of selection pressure and survival advantage rather than a pre-condition of it. That doesn't mean that one or another species isn't statistically super-abundant, like wildebeest in the Serengeti. Diversity tends to arrive in bursts and often after cataclysms of one sort or another that remove keystone species or entire niches, what Stephen Jay Gould so eloquently called "punctuated equilibria." Ecologists and evolutionary biologists the world over agree: An ecosystem that is low on diversity is unhealthy; an ecosystem that is losing diversity is one that is on a trajectory for collapse, a collapse that accelerates as the end grows near and the efficiency of predation is abetted by the loss of prey diversity.

Microsoft has had some verbal support from friends such as Marcus Ranum, who argues that there is no monoculture because his Windows box is festooned with gadgets, that gluing on feature after feature and attaching more and more USB cables creates diversity on the ground. Were that true, one should expect that security could be added on as an afterthought, that one could actually patch oneself to safety. As nearly every pro-monoculture writer quotes Ranum, let me do the same; he writes:

    "There is no 'monoculture' here. My system isn't just Windows. My security is effected...by a bewildering combination of default settings, software patch levels, default firewall rules..., browser settings, and antivirus signature sets. We're not in anything like danger of becoming a 'monoculture' unless every system was running the same software load-out, security policy, antivirus product, and patch level. In spite of the dearest wishes of countless system administrators, that simply isn't going to happen!"

I need not point out that I am speaking today to countless systems administrators and I dare say it is flatly not their dearest wish to have the sort of monoculture Ranum understands.
No, Ranum confuses himself and gullible others by envisioning monoculture as if cloning. Perhaps the Borg did get to him, after all, but it did not get to me and I don't want it to get to you. A monoculture does not imply identicality; it implies going above a critical threshold of common vulnerability, a threshold you may recognize only after you have crossed it.

Another prevalent confusion, which in the spirit of charity I will call confusion rather than apologia, is that a protocol can be a monoculture. If you believe that, then you get to call TCP a monoculture and then to argue with me that if monocultures are bad then TCP must be bad, and if TCP is bad then why is anything still standing? To accept that argument is to throw the core principles of software engineering right out the door -- what has always worked and will always work is to have loosely coupled modules communicating over well defined interfaces. Of course there can be flaws in protocols -- last year's attacks on SNMP hosts are just such an example. That might even be a monoculture problem, but it isn't SNMP -- it's the mind-numbing complexity of the ASN.1 specification leading to the absurd level of effort to write ASN.1 compilers and the resulting reliance of virtually the entire world on, you guessed it, one ASN.1 compiler, one code base. Those arguing that protocols are monocultures would be wise to understand the root causality of their complaints.

It is a core principle of science to seek the simplest explanation of observed facts. The entire purpose of a null hypothesis is to first assert such an hypothesis and then, if you can, to disprove it, thereby establishing that the world cannot be as simple as thought. Our null hypothesis today is that lessons learned in the natural world apply in the computing world.
Perhaps it can be proved that they do not, but it will require proof and the burden of that proof is on those who would argue that life does not hold lessons for us, that somehow we've invented something that does not follow the same rules as everything else in the Creation. That is a tall order, and an understatement.

And so we come to national security and today's Resolve: Is an operating system monoculture a threat to national security? Unless and until the argument can be made that the lessons of nature do not hold, the answer is a flat "Yes."

In the monoculture in which we find ourselves today, the skill to power ratio of the user community is falling fast -- they do not get twice as smart every eighteen months. Amongst the periphery of the Internet, which is where the numeric growth is and where the monoculture is most in evidence, to be secure "takes all the running you can do to keep in the same place." A monoculture of ready prey lessens the skill level needed by predators, and as we stand here it is likely that the world-wide number of virus writers exceeds the corresponding number of anti-virus researchers. This enormous pool of potential attackers creates a pall of smoke over the Internet, like a forest fire upwind. That smokescreen can be felt in various ways: John Quarterman estimates that perhaps 10% of total Internet backbone traffic is scanning. Honeypots record hits within minutes of their appearance on a routable address. Lawrence Berkeley once estimated 40% of their inbound connection requests as attack-related. These are the symptoms of circling predators who need know only one target well, as the environment is target-rich. Were the environment to become significantly more diverse, the skill level of attackers would have to be far higher than it is today were they then to retain their present level of access. But in the spirit of calculus, with its infinite sum of infinitesimals, the sum of amateur attacks is a smokescreen in a different sense.
That swirl of smoke is more than sufficient to provide a hiding place for those attackers who are threats at a different level. Their scans appear just one more example of scans; the hosts they own appear just one more example of remote exploitation.

No, the real issue of the monoculture is more profound. The most advanced societies are those that are most interdependent. We are the most advanced and the most interdependent society the world has. We are, ipso facto, the most vulnerable to disruptions between and amongst those interdependencies.

If you are a vulnerability researcher, you take the conservative assumption that when you discover a vulnerability you are not the first to do so. The observant among you will have long since noted that all the global-scale virus events to date have exploited vulnerabilities that were already publicly known. Where, then, are the vulnerabilities that are not publicly known? If not publicly known, they are not publicly patched. It is the unknown vulnerabilities against which we bet when we choose monoculture, as the breadth of vulnerability must always be maximal for the unknown vulns. The leak of some of the Win2K source pool this past February resulted, within less than a week, in the discovery of vulnerabilities. Perhaps it was re-discovery, but that would be consistent with the unknown vulnerabilities point in that it is only the public disclosure and repair of a vulnerability that stops the clock. If those vulns, and others, could be found by examining the source, then multiple national laboratories have long since found those vulns and others. Though unrelated to Windows, the Witty worm is instructive. It appeared less than 48 hours after the vulnerability was disclosed and the quality of the code was almost certainly too good to have been done from a standing start.
As such, it appears that this vuln was known to somebody that had a bot net at his disposal, as over one hundred simultaneous ignition points heralded its arrival.

The better virus writers always leave a new back door. For those pros, the measure of their success is the reduction in the energy cost of penetration between the first visit and the second, and a new back door gives maximum reduction in that cost of second visit. A multi-vector virus sweeping through has the effect of creating a monoculture, of creating a suite of machines who are more alike than they were before, because while each may have had one of the ten vulnerabilities this particular virus could use to penetrate, after it has passed through they all have the same vulnerability -- the new backdoor. In other words, the predators have as their prime strategy to make the prey look all alike. Monoculture is again the issue.

My opponent will no doubt soon invoke economics by saying that diversity may be good for security but it isn't cheap. I could not agree more -- as with biology, if you think security is expensive, try insecurity. He will say that the buying public drives what his company produces and that to expect anything else is ludicrous. Again, I could not agree more -- the public wants quality to be free, and always has. But I will say what I said last September and reaffirm tonight: All monocultures live on borrowed time. In their Golden Age, they are a pleasure to take up, but afterwards they are a millstone about the neck. Just as the Irish people relied on potatoes and got famine, just as the Southern farmers relied on cotton and got the Boll Weevil, just as Brazilian cocoa farmers are looking at disaster as we sit here today, so, too, are we. We farm data and electrons; are we so vain as to imagine that we are not subject to the "Laws of Nature and of Nature's God?"
END

[ nominal delivery draft, 17:00 Friday 30 June 2004 ]
[ Dan Geer, affirmative, v Scott Charney, negative ]

A computing monoculture is a danger, a security danger, a national security danger. It is a danger on principle. It is a danger in practice. It is avoidable and mitigable, but it is neither cheap nor easy to do so if you have to begin from where we are now.

In my remarks today I have endeavored to share with reasonable men and women that Nature has without question shown us that monoculture is at best a primitive state or at worst a dying gasp. We have seen that the few truly infrastructural components of life are the common property of all life, and are defended with an unmatched vigor by all life. We have seen that what we call security in computing we would call immune response in life. We have seen that immunity is never cheap but that the more advanced organisms devote a proportionally greater percentage of their life force to it, in proportion to both their size and their longevity. We have seen that juicy targets create a niche that will, without question, be filled by predators and that the variety of predators will itself expand as the supply of prey proves abundant.

We have seen that an immune system is operating at two levels, that of protecting the individual and that of protecting the species. At the individual level, it facilitates your survival. At the species level, it keeps the contagion from other individuals. Coincidentally, we have seen that in the natural world an immune system must be trained as it cannot be designed in full, a priori. We have seen that insufficient or poor training engenders auto-immune disorders that are brutal in effect and challenging to quench once ignited. We have already seen examples of auto-immune pathology in the attempt of our political system to react to a rising tide of infection and infectiousness.
We have seen that the more virulent the disease the more likely, for a given patient, it is to run its course. At the same time we have seen that diseases with long-delayed symptoms are those to be dreaded most, just as they are the ones most likely to spread before detection. We have seen that in Nature pathogens are opportunistic just as much as predators, attackers, or thugs are. We have seen that this opportunism can be borrowed, that pathogens can accumulate mechanism over time and thus have more than one way to infect. We have seen that pathogens exposed to imperfect defenses will ultimately adapt and become resistant to those defenses.

We have seen that when in close quarters the immune status of the herd is more telling than the immune status of the individual. We note that our political structures enforce herd immunity amongst school children, the armed forces, and certain workers. We have seen that the tools of epidemiology are easily adapted to our world and, reading those tools backward, we have seen what a worst case disease would look like, finding it eerily like what we deal with in our world on a daily basis. We have seen that survival of a species is to survival of an individual as reliability is to security, and we have breathed a prayer of thanks that our server rooms remain more diverse than our client farms.

We have seen that mutation, regardless of its source, produces an opportunity for selection. We have seen that random mutation is less efficient while directed mutation is more, but that it is the existence of selection that drives evolution. We have seen that even single-celled animals strategically bank diversifying mutations against unforeseen and unforeseeable attacks, and that they have done so for literal eons. We have seen that evolution is not smooth, and that this or that organism will flourish until such time as something on which it has a critical dependency changes.
We have seen that low diversity in an ecosystem is an harbinger for trouble. We have reminded ourselves that the very word "monoculture" means common vulnerabilities rather than identicality. We have seen that when vulnerabilities cannot be identified, the threshold of monoculture can be crossed unnoticed. We have distinguished between implementation and protocol, and we have clarified that it is implementations that are or can be monocultures.

We have, by the preponderance of evidence, seen that the lessons of Nature are unmistakable, leaving us only the question of whether we will learn them. With humility, we have concluded that Nature is so much bigger than are we that the burden of proof falls to those who deny that Nature is our guide as we move forward in computing. We have palpated the implications of submitting ourselves to Nature's lessons.

We have realized just how tired the public is of finding itself in the position of the Red Queen where it "takes all the running you can do to keep in the same place." We have understood that our computing monoculture encourages a high flux of amateur attackers and that though this flux is itself a substantial drag on our society, that flux of amateur attacks inevitably obscures the actions of professionals of whom we should be mortally afraid. We have come to understand that more diversity in our computing base would raise the skill level required to be an attacker, thus depressing the numbers of them.

Perhaps the pinnacle of our realizations, we have understood that we have the most to lose because we are the most interdependent. We have reluctantly concluded that unknown vulnerabilities are likely to be with us forever, and that they are surely in the hands of the professionals, professionals who are no doubt grateful for the scope of applicability for those vulnerabilities that a monoculture provides. We have even seen that virus writers try to deliver monocultures as their work product.
We have remembered history and considered other brushes with monoculture -- all of them coming at the hand of man -- and in so remembering history we have the opportunity to not repeat it.

We have met the enemy, and he is us.

END