Questioning the Monoculture Argument
- By Mike Gunderloy
- January 19, 2004
In early 2002, a couple of biologists sent a letter to the online publication
Emerging Infectious Diseases. Titled "Contagion on the
Internet," the letter draws some parallels between computer viruses and
biological pathogens. Among the arguments the authors make is this one: "The
electronic monoculture that improves communication also increases the risk for
contagion. Predominant use of a single operating system has improved
communication and sharing of electronic data but has also facilitated ready
amplification of virulent programs. As with biological infection, transmission
of computer infection depends on susceptibility of the population. Virus
producers saw an opportunity in the popular preference worldwide for PCs with
Microsoft Windows operating systems. The enormous popularity of these systems,
along with their long-recognized inadequate protection against misuse, made
computer users susceptible."
Recently this letter has drawn some renewed interest in the computer media,
and various people have gone on to condemn the software monoculture, as
exemplified by Microsoft Windows and SQL Server and IIS, as the major problem on
the Internet. Advocates of competing products have seized on this notion to
argue that we need a greater diversity of operating systems and server products
on the Internet to protect it from quickly-spreading worms like MSBlast and SQL
Slammer. Others have suggested that the answer is to encourage deliberate
variations within popular products, so there might be, for example, various
"strains" of IIS, only some of which would be susceptible to any given worm.
It's a seductive argument, and one that gets dressed up with learned
historical references to things like the Morris worm and the Irish Potato
Famine. It's also rubbish.
The problem with analogies is that they can become a comfortable way to
avoid actually thinking about the subject at hand. Monocultures are bad, goes
the reasoning, because the potato famine devastated the Irish population, and
the blight killed all those elms. And Microsoft software is a monoculture.
Therefore, something ought to be done about Microsoft. But, if you think
about it a bit, you'll realize that computers are not potatoes, and software is
not a passive host waiting to be infected. There are at least three places
where this analogy falls down badly.
First, the monoculture argument is not sufficient to explain the devastating
worms that have taken advantage of IIS and SQL Server. Apache serves more Web
sites than IIS these days, and other software (such as BIND and sendmail) is
much more ubiquitous on the Internet than anything Microsoft has produced. Yet
we haven't seen similar worms infecting Apache, BIND, or sendmail (at least, not
yet). Microsoft software is not the target of worms just because there are a lot
of copies of it around. Rather, Microsoft has produced some rather shoddy
software in the past - and all too many smart and malicious people just plain
don't like Microsoft, so they're willing to invest extra effort to find
exploitable holes.
Second, the notion of injecting diversity and variation into the computing
ecosystem is far from the only strategy we can take to deal with malicious code
on the Internet. In the biological world, the potatoes get a blight and that's
it for the potatoes; your only hope is to eat turnips. In the computing world,
SQL Slammer starts spreading and the SQL Server team starts working around the
clock to release a patch. Plus, slow though they've been to execute on it,
Microsoft's developers have come up with strategies for improving the security
of their products. SQL Server "Yukon" will be the next result of thousands upon
thousands of hours of programmer-hours devoted to thinking about and eliminating
vulnerabilities. I think that's a lot more likely to produce a secure product
than some process of random variation.
Finally, diversity within any particular organization is a recipe for
disaster, not for security. Do you really think your IT staff could do a better
job of securing eight different Web servers and five different databases than if
they picked one of each and standardized on them? Security professionals are a
scarce resource, as is the time and energy to keep up on new bugs and patches.
By settling on their own monoculture, from whatever source, IT departments can
make their networks more secure, not less.
Frankly, I doubt the sincerity of most monoculture-in-computing advocates.
Oh, I'm sure they'd like to see an end to the Microsoft monoculture in the
niches where Microsoft is currently dominant. But they don't want to see a
thousand flowers bloom; they want their own preferred software to take over. And
that's not a technical stand, but a political one, no matter how it's
disguised.
About the Author
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.