This question was derived from my off-topic questioning here: Does Centralisation Decrease the Probability but Increase the Damage of Exploits?

Like before, I suspect this may be overly abstract as a question. But the excellent responses to my previous question proved me wrong before.

One of the tenets of security seems to be that if something is overcomplicated, the probability of exploiting increases. For example, if an OS has many corner-cases with the permissions system, it'll probably be easier to bypass. If code involves the juggling of pointers and offsets, it'll be more likely to be exploitable via a buffer overflow than a Python script.

Simplicity, however, implies homogeneity. After all, it's simpler to secure fewer OSes, maintain fewer antimalware solutions, and patch fewer applications.

Diversity on a site -- such as a diversity of OSes, security packages, and applications -- is obviously less simple to maintain, thus more likely to fatigue the sysadmins and hide corner cases. However, diversity is also more likely to stop malware spreading due to environment incompatibilities, and if a system-dependent failure hits, it'll leave the other systems unscathed.

TL;DR: It seems that simplicity is key to security, especially security via correctness. However, diversity reduces the impact of system-dependent malware or failures. Which approach do those securing sites lean towards on the average case? (Whatever on earth an 'average case' in this situation would be.)

Louis Jackman
  • TL;DR is not too long, but overall the question, like your other, is quite vague. You allude to correctness, which makes me think you are talking provable security - all quite confusing. I also note you did not honor anyone with a check mark on your last generalization question. Surprised this question is allowed. – zedman9991 Jul 16 '13 at 12:28
  • I tend to wait a few days before accepting answers; I find that accepting straight away leads to the occasional missing of better answers that may be made later. I mean 'security by correctness' in contrast to 'by obscurity' and 'by isolation'. As in, attempting to ensure a system's security via analysis, which is obviously more reliable if the system is simpler. – Louis Jackman Jul 16 '13 at 18:49
  • Perhaps if you could provide a model/example simple system that does something useful. To me the suggestion is unrealistic and contains serious holes such as overlooking the fact that Python is written in C, thus is not a solution to buffer overflow but rather a way to make programming simpler. – zedman9991 Jul 16 '13 at 19:35
  • That's a good point about Python. OK, I'll give an example: assume there's a site with a range of OSes across the board. Further assume that this OS variation isn't necessary for compatibility reasons; it's just varied for its own sake. Now, the firewall running on their XP systems is different to PF running on their OpenBSD systems, which itself is different to their Windows 7 systems' built-in firewall. Furthermore, some are sharing their files across an Ext3 filesystem via FTP whilst other departments are using NFS. This range of systems is more diverse; assuming Windows 7's built-in [...] – Louis Jackman Jul 16 '13 at 20:06
  • [...] firewall has a vulnerability exposed, the OpenBSD and Windows XP systems probably won't be affected. However, maintaining these three OSes with their respective firewalls is much trickier, thus the sysadmin is more likely to make mistakes than if they were maintaining a single OS and firewall configuration. So in some ways it's **less** secure too. It's this tradeoff that I'm wondering about. Sorry about this post length! :) – Louis Jackman Jul 16 '13 at 20:08

1 Answer

One of the tenets of security seems to be that if something is overcomplicated, the probability of exploiting increases.

...

Simplicity, however, implies homogeneity. After all, it's simpler to secure fewer OSes, maintain fewer antimalware solutions, and patch fewer applications.

You're overloading the word "simplicity". You're using it to mean both "free of complication" and "having few parts".

A system can be both diverse and free of complication. Complication arises through the interaction and interdependence of many parts, and diverse systems need not be overly interdependent. By adherence to consistent interfaces and standards, pieces become interchangeable without requiring them to be uniform.

Think of automobiles, for example. We have literally thousands of varieties, each different by varying degrees. Different fuels, different sizes, different manufacturers, different purposes. But if I learn how to drive a Toyota, my knowledge immediately transfers to a Nissan or a Saab. Steering wheel, gas pedal, brake pedal; I can figure it out in seconds. It's simple.

As for diversity: If one morning all cars made by Hyundai stopped working, it'd be a problem but not an insurmountable disaster. If ceramic brakes were one morning found to be unsafe, people could switch them out for metal ones. The cost isn't zero, but the system survives.

tylerl