
‘Cyber diversity’ research aims to strengthen security

Nov 26, 2003

College campuses and corporate boardrooms aren’t the only places that benefit from diversity — computer networks and the Internet could stand up better to viruses and worms if they relied on more diverse software, according to computer scientists at Carnegie Mellon University and the University of New Mexico.

The scientists are using a $750,000 grant from the National Science Foundation (NSF) to study how cyber diversity can help defend against the scourge of computer viruses and worms, according to the NSF. The NSF, based in Arlington, Va., is an independent government agency that funds scientific research.

Researchers at the two universities will look at ways to change different components of a computer’s software code that are transparent to users, but that introduce a kind of “genetic diversity,” according to a statement from Dawn Song, an assistant professor of computer science at Carnegie Mellon in Pittsburgh. Such changes might not protect any single machine, but could make computer networks and the Internet less prone to outbreaks of computer viruses like Code Red, Slammer and the recent Blaster worms, which spread by exploiting known vulnerabilities in operating systems and software applications, according to Carl Landwehr, program director for the Cyber Trust program at NSF.

“A lot of problems out there on computer systems are aggravated by the fact that a lot of the systems share the same problems,” Landwehr said. “If somebody succeeds in hacking one system, it’s likely that the same technique will work on a whole lot of other systems.”

That phenomenon is analogous to the greater impact of diseases in biologic “monocultures,” because they are large populations of genetically similar organisms, he said. But analogies to biology only go so far.

“Computers are not biologic organisms,” Landwehr said, acknowledging that there are also advantages to having a network made up of computers that use the same software, including better interoperability, centralized management and reduced administrative costs compared with networks made up of a heterogeneous mix of systems.

Researchers will consider the effects of the widespread use of a single platform, such as Microsoft’s Windows operating system, but platform diversity is not the subject of the project, he said.

Instead, researchers will look for ways to increase the diversity of computer networks without introducing more development or management overhead. That might include developing ways to automate the introduction of subtle changes in software code or instructions that will result in different instances of the same software, Landwehr said.

Such changes would make it difficult for attackers to know the exact makeup of any single system, he said.

The three-year grant is part of the NSF’s ongoing Cyber Trust program, which funds research into improving how robust computing platforms are in the face of malicious hackers and other attacks, he said.

In addition to looking at ways to increase the diversity of computing environments, NSF has funded research in areas such as secure programming languages and compilers, Landwehr said.

NSF devoted $15 million to such projects in 2002 and expects to spend twice that in 2003, he said. “NSF wants to fund research to affect the long-term health of computer systems,” he said.