Towards Diversity of COTS Software Applications: Reducing Risks of Widespread Faults and Attacks

Recent IT attacks have demonstrated how vulnerable consumers and enterprises are when they adopt commercial, widely deployed operating systems, software applications and solutions: a single exploitable fault is replicated across every installation. Diversity in software applications is fundamental to increasing the chances of surviving faults and attacks. Current approaches to diversity are mainly based on the development of multiple versions of the same software, their parallel execution and the use of voting mechanisms. Because of their high cost, they are used mainly for very critical and special cases. We introduce and discuss an alternative method that provides diversity for common, widespread software applications without requiring additional computational resources at run time. The method takes advantage of the componentisation of modern software solutions and enforces diversity at installation time, by random selection and deployment of alternative implementations of critical software components, so that a fault in one implementation affects only the fraction of installations that received it. The randomisation criteria adapt to feedback gathered from deployed installations and influence the lifecycle of software components. We describe a few encouraging results obtained from simulations.
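The following simulation is an added illustration of the install-time randomisation idea described above; it is not the authors' simulation code, and the component catalogue, the variant names (parserA, cryptoB, ...), the feedback penalty and the population size are all constructed assumptions. Each installation draws one implementation per critical component with weighted random selection; a fault reported in one variant lowers that variant's weight for subsequent installations. The example then measures the fraction of the installed base exposed to a fault in a single variant, compared with a monoculture where every installation ships the same implementation.

```python
import random
from collections import Counter

# Constructed catalogue (hypothetical, not from the paper): every critical
# component has several interchangeable implementations ("variants").
CATALOGUE = {
    "xml_parser": ["parserA", "parserB", "parserC"],
    "crypto":     ["cryptoA", "cryptoB"],
    "http":       ["httpA", "httpB", "httpC", "httpD"],
}


def initial_weights(catalogue):
    """Start with uniform selection weights for every variant."""
    return {comp: {v: 1.0 for v in variants} for comp, variants in catalogue.items()}


def install(catalogue, weights, rng):
    """Install-time randomisation: pick one variant per critical component."""
    chosen = {}
    for comp, variants in catalogue.items():
        w = [weights[comp][v] for v in variants]
        chosen[comp] = rng.choices(variants, weights=w, k=1)[0]
    return chosen


def deploy_population(catalogue, weights, n, rng):
    """Simulate n independent installations drawn from the same policy."""
    return [install(catalogue, weights, rng) for _ in range(n)]


def variant_counts(population, comp):
    """How many installations carry each variant of one component."""
    return Counter(inst[comp] for inst in population)


def exposed_fraction(population, comp, faulty_variant):
    """Share of the installed base hit by a fault in a single variant."""
    hit = sum(1 for inst in population if inst[comp] == faulty_variant)
    return hit / len(population)


def apply_feedback(weights, comp, faulty_variant, penalty=0.1, floor=0.01):
    """Feedback loop (assumed policy): a variant reported faulty is selected
    less often by future installations, but is not removed outright."""
    weights[comp][faulty_variant] = max(floor, weights[comp][faulty_variant] * penalty)
    return weights


def selection_probability(weights, comp, variant):
    """Probability that the next installation receives this variant."""
    total = sum(weights[comp].values())
    return weights[comp][variant] / total


def run_simulation(n_installs=10_000, seed=1):
    """Compare monoculture, randomised deployment, and randomised deployment
    after feedback on a fault in xml_parser variant 'parserB'."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible

    weights = initial_weights(CATALOGUE)
    randomised = deploy_population(CATALOGUE, weights, n_installs, rng)
    before = exposed_fraction(randomised, "xml_parser", "parserB")

    # A fault in parserB is reported; adapt the randomisation criteria.
    apply_feedback(weights, "xml_parser", "parserB")
    adapted = deploy_population(CATALOGUE, weights, n_installs, rng)
    after = exposed_fraction(adapted, "xml_parser", "parserB")

    # Monoculture baseline: one implementation everywhere.
    mono_cat = {"xml_parser": ["parserB"]}
    mono = deploy_population(mono_cat, initial_weights(mono_cat), n_installs, rng)
    monoculture = exposed_fraction(mono, "xml_parser", "parserB")

    return {"monoculture": monoculture, "randomised": before, "after_feedback": after}


if __name__ == "__main__":
    for name, frac in run_simulation().items():
        print(f"{name:15s} exposed fraction = {frac:.3f}")
```

With three equally weighted parser variants, roughly a third of the installed base is exposed to a fault in one of them instead of all of it; once the fault is reported and the variant's weight is cut to a tenth, new installations pick it with probability 0.1/2.1, under five percent. The floor keeps a penalised variant in circulation at low rate rather than collapsing the population back towards a smaller monoculture, which is the trade-off an operator of such a scheme has to set deliberately.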
