The Monoculture Risk Put into Context
January/February 2009 (vol. 7 no. 1)
pp. 14-17
Kenneth P. Birman, Cornell University
Fred B. Schneider, Cornell University
Conventional wisdom holds that software monocultures are exceptionally vulnerable to malware outbreaks. The authors argue that this oversimplifies and misleads. An analysis based on attacker reactions likely to be evoked by successive generations of defenses suggests that deploying a monoculture in conjunction with automated diversity is indeed a very sensible defense today.

Index Terms:
networked information system security, monoculture, artificial diversity, stack randomization, configuration attack, technology attack, trust attack.
Citation:
Kenneth P. Birman, Fred B. Schneider, "The Monoculture Risk Put into Context," IEEE Security & Privacy, vol. 7, no. 1, pp. 14-17, Jan.-Feb. 2009, doi:10.1109/MSP.2009.24