The Standards Blog

Monocultures and Document formats: Dan's Bomb Goes Off

OpenDocument and OOXML

Dan Geer is an extremely well respected security expert.  When he worries about something, people listen.

One of the things he has worried - and warned - about is the danger represented by IT "monocultures" - the situation that arises when everyone uses the same software, for example, and therefore everyone shares the same vulnerability to a computer virus or other security threat. 

Just as the word "virus" has been borrowed from biology and provides an apt and vivid descriptor for its IT analogue, so also does the word monoculture function: think of the consequences of Irish potato blight, or of the wiping out of the American Chestnut tree, which once numbered in the billions in the forests of the American East and is almost extinct as a mature species.

Well, last November, Dan wrote a perspective piece for CNETnews.com, called Massachusetts Assaults Monoculture.  In that article, he wrote:

As a matter of logic alone: If you care about the security of the commonwealth, then you care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you care about barriers to diversification. If you care about barriers to diversification, then you care about user-level lock-in. And if you care about user-level lock-in, then you must break the proprietary format stranglehold on the commonwealth. Until that is done, the user-level lock-in will preclude diversification and the monoculture bomb keeps ticking.

As it happens, Dan's bomb went off a few days ago, with the breakout of the "Backdoor.Ginwui" virus, a malicious bit of code that Symantec introduced in an alert as follows: 

It has been reported that Backdoor.Ginwui may be dropped by a malicious Word document exploiting an undocumented vulnerability in Microsoft Word. This malicious Word document is currently detected as Trojan.Mdropper.H.

The fact that Dan's expectation came true can hardly be a source of surprise.  Indeed, the only curious aspect of the fulfilment of his prediction is that it took as long as it did to occur.

The reason, of course, is that hackers like targets that offer the most visible and dramatic results - and the bigger the better.  If that target is unpopular (such as Microsoft), then again, so much the better.  Thus it is that the more successful the software product, the more attractive it becomes.  That's no criticism of Microsoft, or of any other vendor, but one of the regrettable costs of success.

Still, from the end-user point of view, it is an added burden on the value of the product in question.  After all, it's one thing to have a target painted on your back and reap huge profits as a cost of doing business, and quite another to pay a premium price for a dominant product, and share the same risk without offsetting compensation.

It's also not a surprise that something as prosaic as a Word document should become the innocent carrier of a bit of malicious code.  After all, stringent security policies (such as those my firm employs) already block jpegs, zip files and other vehicles known for problem code.  But no one's policies automatically block all Word and Excell files, since those are what - for now at least - most people create, send and read (they do, of course, scan them for known viruses).  This therefore elevates such files not only to the level of ideal vectors, but grants them the status of attractive challenges as well, capable of showcasing the chops of whatever hacker can succeed in employing them to pull off a high-profile assault.

All of which, as regular readers of this blog might assume, leads me to a conclusion that has something to do with ODF - a standard that is already supported by four major products, two of the proprietary persuasion (Sun's StarOffice and IBM's Workplace Managed Client) and two of the  open source (OpenOffice and K Office) variety.

The risk profile between a monoculture and a diverse IT culture such as this is mathematically clear.  By definition, even if ODF compliant products as a group were someday to trade marketplace shares with Microsoft Office, no individual user of any ODF compliant product would share the same degree of risk that every Office user has today, by reason of the fact that she would inhabit an IT culture with a much richer genetic pool.  And no virus is likely to operate at the level of standardization at which these disparate products exist.  As a result, just as a species with a diverse gene pool is likely to be able to withstand the assault of a new disease in far better form than a species of clones, so also would an IT environment based on multiple instantiations of ODF be more resilient than a monoculture of Office users, only more so.

Why more so?  Because in nature, a virus isn't personal.  No malign intelligence creates a natural virus to attack a specific target.  But in the world of hackers, the opposite is the case.

The moral of the Dan's story, as well as the current reality of the Word Backdoor Ginwui virus is therefore clear:  in IT diversity there is safety.

For further blog entries on ODF, click here

subscribe to the free Consortium Standards Bulletin
(and remember to Buy Your Books at Biff's)

 

Comments

Permalink
<p>No one blocks Word/Excel documents?  I'm sorry?  What  security planet are you from?  Are memories really so short?  Macro viruses  have been around as long  as there have been word processors and email. Most sensible people do not accept any kind of Office document through email, in the same way as all other Microsoft files are blocked.</p>
<p>Why? Because they can all contain executable content. This really is not new. </p>
<p>Puleease!</p>

A more simple way of explaining it is that the majority of users at the moment are using a computer with a triangular hole so a triangular virus is going to spread pretty quickly through your organisation and at the same time cost you boat loads of money to put right. But the problem doesn't stop there because I tell you now that the way windows is developed is what is creating many of the openings for virus writers.

Look at Vista for instance...the delays, the unknown problems...its just a gigantic lump of code that is just banged in and, talking from experience, you can half guess that the business heads are leaning on the developers to just "get it out there" so you can put your money on the table and bet that its going to have holes all over the place. Microsoft is in trouble at the moment and they are scrambling in every direction to compete with Google and the Linux platform but they just don't get it?!? I wonder how many top developers are just pissed at working for Microsoft? How many of their top developers are going to leave for greener pastures?

What the article means is:

1) It's unreasonable to accept that you can't open documents sent through the Internet.

2) Open standards mean many independently developed applications can open the same documents, so unless the standard permits creating malicious code (and AFAIK OpenDocument doesn't) a virus designed for one of these apps will have a definitely smaller impact compared with current MS Office macro viruses.

I just can't understand why people feel the need to defend closed formats or the companies that produce them. Closed formats are BAD at so many levels.

Permalink

What I said was that no one automatically _blocks_ all Word and Excell files - but of course everyone scans them.  Problem is, that only catches known viruses, and your spam software still has to be moment by moment up to date.  If we blocked all attached Word files (we're a law firm, and get hundreds of them a day), then we might as well shut down business, because that's how our clients communicate with us today. 

On the other hand, other types of files, such as jpegs, aren't sent to us often by clients, and they're much more likely to carry viruses - known and unknown.  So we don't allow them at all.  If someone gets an email with a zip file attached (not as likely to be dangerous, but still sometimes a problem) or a jpeg that looks real, we have to send it to one of our IT administrators, who checks it out.  If it's legit and clean, he opens it and sends it through.

I've made a change to the text of the blog entry to clarify this.

The point is, that if there were more office suites out there, each would have fewer viruses.  Some of those products might also compete on having superior security features and fewer flaws.  And the open source ones might attract fewer hackers just on principle.

 

Yes, perhaps some reading is in order.

http://isc.sans.org/diary.php?storyid=993

Index to the 25 WMF stories at the SANS Internet Storm Center.

As of December 29th, 2005, this is no longer a hoax.  Due to the radically unexpected way Windows handles images (by magic bytes instead of file extensions), the WMF exploit could arrive with *any* image file extension, not just .wmf or .jpg.  And yes, merely viewing or previewing the exploit on an unpatched system triggers the compromise, no matter what Web browser, mail reader, or image viewer is used.

And it took nothing less than getting slammed in the press for Microsoft to lift a finger about the WMF hole.

Permalink
Functionality is important too. If other office products come out (StarOffice, IBM Workplace & Openoffice are really using the same code to do ODF) there will be minor incompatabilties and quirks in each app.

If they use the same code, wouldn't the vulnerabilities that would normally be avoided in diversity be similar to the monoculture?

I do admit though, that a bioculture is better than a monoculture, but by replacing MSOffice with (Star|Open)Office derivatives that share code, this seems to be allowing the same fate to occur.

I think that it's a matter of degree.  If everyone has the same million lines of code, then the target is huge, with many points of weakness.

OTOH, if everyone has different code, with only a certain percentage of it designed (but in each case different on a line-by-line basis) to conform to the requirements of a specification, you not only have a smaller target, but many different targets at the code level.

-  Andy

Permalink
Well, I almost go for it. But not quite. If ODF, or any standard, includes the ability to correctly and legally (by the standard) encode viruses then EVERY complying implementation, irrespective of source of the implementation, is vulnerable. I think that it must first be established that the standard offers, in and of itself, no opportunity to store and propogate a virus.

In reality, if Microsoft defined their macros such that they could only alter the document and nothing beyond the document, there would be no macro viruses. The fault lies in the definition of the storage format, the very thing that they are trying to standardize. If they succeed, viruses will forever have a home in a standards based document format. Anyone that implements to the standard will have to write the vulnerabilities into their code.

Permalink
Sorry Andy, but the Monoculture storyline was good for a press hit back in the day, but it has not held up to scrutiny. Even some of the loyal Microsoft haters at Slashdot are ripping apart your blog story: [link:]http://it.slashdot.org/article.pl?sid=06/05/24/0238224 Ultimately the analogy has two major failures: 1. You can't patch your crops. If a crop is infected, you lose that crop. No mid- planting genetic modifications allowed. (oh, and BTW, Irish potato famine was caused by a fungus, not a virus, you need to fix that in your post as well) 2. Security is not a silver bullet. As many on slashdot are pointing out, many security tools block unknown Word docs, and that's a good thing. Security is achieved through a virtual stack of elements - at the protocol layer, the network layer, the hardware layer, software, and capping it all, end user education. Even those who agree with the analogy don't take Geer's simplistic, press driven approach. take a look at the work of Dr. Stefanie Forrest, one of the original Comp Sci scholars to use immunology as a model for computing. If you read her work, you'll see her approach is a far more fundamental, low level discussion of using intentional diversity at the programming level. I personally think even she stretches the analogy too far, but at least it's well thought out and researched. Dan Geer’s work is simply a dog that just won’t hunt. Good programmers make secure code, not generalized statements of diversity. Besides, we may not be too far away from the day where ODF is the common standard around the globe; I don't think we want to be fighting this argument with ODF in the crosshairs.

Several issues:
1) who cares if the potato famine was caused by a fungus.  The term 'computer virus' doesn't mean that the only reasonable analogy is with a biological virus.
2) You really can't patch as quickly as you think.  The code base for a major project is measured in millions of lines of code.  You can remove some defects with patches.  But many defects are design defects that require far more than a patch or even recompile with propolice on.  The analogy with biology is pretty clear, you can hope to correct a 'point defect' with gene therapy, but you cannot turn a chimp into a person.  There are limits as to the value of a patch.

Note: By OS, I mean kernel, filesystems, a GUI if present and some applications that give 'basic functionality' like shells, a perl (or VBScript) interpreter, DHCP clients, etc.  In short,  the stuff you get in a Windows install or in a basic Linux distro install.

Personally, I belive that an environment where I have OpenBSD network services (firewall/router, DHCP servers, NTP servers, etc), Solaris database servers, FreeBSD web services and Linux thin-client desktops with access to Windows applications via remote access is much  more secure  than a network of  Windows on both client and server.   This isn't just because I believe that the *nix world has a better security model.  In the *nix world, I have more ability to customize each server to its role.  I don't need a GUI for a web server, its web interface is just fine & I can configure the OS via SSH.  This means that I can cut out millions of lines of potentially buggy code.  In our biology analogy, I can remove genes that I don't need.  This greatly reduces the attack tree against my computers.  For a database server  DirectX is just 24 MB of useless binaries.  But they are 24 MB that can be loaded and attacked by a hacker. 

The flexibility to load exactly what I need for a given service means that  I have less  'monoculture'.  If  I run a  single 'do everything' OS, each service that I offer is vulnerable to every flaw in the OS.  If I can only load the services that each service uses, I have a much leaner OS with many fewer vulnerablities.   Scripting an attack in this environment is much harder than scripting an attack were you can reasonably assume that every server has all sevices needed by any potential user of the  'universal OS'.  I see that as a direct mechanism to support Dan Greer's assertion that monoculture hurts.  Even if I ran Linux (with a common 2.6 kernel) exclusively, I wouldn't have exactly the same OS on each computer.  OpenGL & video drivers are great for clients, but they don't need to be loaded on a server.  With open source, its really not that hard to load only the software that is needed.  This diversity in installed software truely does make the network more secure.

Standards encourage diverse software by allowing multiple programs to work with the same data.  It is the lack of standards that encourages a monoculture.

Consider lug nuts.  If I need to change a tire, the lug nuts can be loosened with a standard socket wrench from any vendor, whether cheap (Wal-mart "road repair" kit), high-quality (Sears Craftsman) or in-between (tire iron that came with the car).

If I want to pull the spare off the outside mount of an SUV, however, one of the lug nuts in use is a proprietary, non-standard "anti-theft" nut.  You need the socket that came with the car, or another from that vendor, to get it off.  There is a security lug-nut monoculture, and if Chevy decides that they'll use low-quality sockets that shatter when used, there will be a corresponding weakness in the system due to that monoculture.

I don't believe anyone here ever said something like "other open standards shouldn't exist". This site is more for pointing out that "[MS Office] OpenXML" isn't such an open standard after all, and that it leaves something to be desired in comparison to the OpenDocument spec (apart from its availability and free use).

You're missing the entire point.  Standards make it possible for many different products to work together, and you can pick between them.  OpenDocument is already supported by many products, including OpenOffice.org and KOffice.  Let's not kid ourselves; selecting Microsoft's "standard" means that you will use Microsoft Office, and nothing else.  The spec is simply a written-down version of its internal data format, not designed for interchange with other office suites.  OpenDocument was designed to support exchange between DIFFERENT office suites. Big difference.


You must differentiate between the software/platform and the document format. An analogy would be the difference between the myriad of automobile manufacturers and the standards mandated by e.g. NHTSA. Sure, we want different vehicle styles and options, but it's necessary to ensure that their controls work in standard ways: the gas and brake pedals are where one expects, the steering wheel makes the car go left when the top of the wheel is moved left, etc. More to the point, light bulbs, antifreeze, oil and transmission fluid, windshield wipers, tires, etc. are pretty much interchangable between different models and brands of vehicles (though there is a certain amount of variation, which might be compared to optimizations for different platforms: desktop, laptop, pda, etc.). jlt1@centurytel.net