Quantifying Cybersecurity Effectiveness of Software Diversity
This addresses the cybersecurity problem for software developers and network administrators, providing an incremental step by proposing a framework to measure diversity's effectiveness.
The paper tackles the problem of quantifying the security effectiveness of software diversity, showing through simulations that diversity does not necessarily improve security from a whole-network perspective, with the degree of vulnerability in implementations being a critical factor.
The deployment of monoculture software stacks can cause a devastating damage even by a single exploit against a single vulnerability. Inspired by the resilience benefit of biological diversity, the concept of software diversity has been proposed in the security domain. Although it is intuitive that software diversity may enhance security, its effectiveness has not been quantitatively investigated. Currently, no theoretical or empirical study has been explored to measure the security effectiveness of network diversity. In this paper, we take a first step towards ultimately tackling the problem. We propose a systematic framework that can model and quantify the security effectiveness of network diversity. We conduct simulations to demonstrate the usefulness of the framework. In contrast to the intuitive belief, we show that diversity does not necessarily improve security from a whole-network perspective. The root cause of this phenomenon is that the degree of vulnerability in diversified software implementations plays a critical role in determining the security effectiveness of software diversity.