U.S. funds study of tech monocultures

The National Science Foundation says it will pay $750,000 to two universities for studying how diversifying information systems and software could help fend off future cyberattacks.

Robert Lemos Staff Writer, CNET News.com
The National Science Foundation has granted $750,000 to two universities to study how diversifying information systems and software could help fend off future cyberattacks, the agency said Tuesday.

The study, proposed by Carnegie Mellon University and the University of New Mexico almost a year ago, will seek to identify commonalities in software that could be used as the basis for attacks. Such common vulnerabilities would point to a computer "monoculture"--a population so homogeneous that a single threat could destroy it.

"We are looking at computers the way a physician would look at genetically related patients, each susceptible to the same disorder," Mike Reiter, a professor of electrical and computer engineering and computer science at Carnegie Mellon, said in a statement. "In a more diverse population, one member may fall victim to a pathogen or disorder while another might not have the same vulnerability."

Massive digital epidemics--such as the Code Red, Slammer and MSBlast worms--have infected hundreds of thousands of computer systems, leaving scientists to wonder if worse is in store for the Internet.

The focus on computer monocultures is not new. In fact, the project echoes themes addressed in a controversial paper submitted by seven well-known security researchers, who warned that Microsoft's dominance in software could make possible a cyberattack that would be catastrophic for corporations. The paper, published by a Microsoft opponent, had been dismissed by some of the software giant's supporters as partial and based on weak science.

However, the monoculture issue has many historical antecedents outside of the computer industry and has been studied in other software engineering projects, according to the National Science Foundation announcement.

Earlier attempts at using diversity to hamper the spread of Internet threats used multiple development teams for the same software project, assuming that different teams would make different mistakes. That was expensive, the Carnegie Mellon and University of New Mexico researchers noted.

The researchers intend to create an application that could generate diversity in key aspects of software programs, thus making the same vulnerability less effective as a means of attack against the population as a whole.

"Our automated approach has the potential to be more economical and could introduce more diversity into computer systems," Stephanie Forrest, professor of computer science at the University of New Mexico, said in a statement.

The research could be good for Microsoft. In the end, the techniques the academic researchers develop could help the software giant and other organizations break up their monocultures without losing market share.