Quantifying Cybersecurity Effectiveness of Software Diversity
Huashan Chen, Richard B. Garcia-Lebron, Zheyuan Sun, Jin-Hee Cho, and Shouhuai Xu

TL;DR
This paper introduces a framework to quantitatively assess how software diversity impacts network security, revealing that diversity does not always enhance security because the outcome depends on how vulnerabilities are distributed.
Contribution
It presents the first systematic framework for modeling and measuring the security effects of network diversity in software systems.
Findings
Diversity does not always improve network security.
Vulnerability distribution critically affects security outcomes.
The framework enables quantitative analysis of software diversity effects.
Abstract
The deployment of monoculture software stacks can cause devastating damage even by a single exploit against a single vulnerability. Inspired by the resilience benefit of biological diversity, the concept of software diversity has been proposed in the security domain. Although it is intuitive that software diversity may enhance security, its effectiveness has not been quantitatively investigated. Currently, no theoretical or empirical study has been explored to measure the security effectiveness of network diversity. In this paper, we take a first step towards ultimately tackling the problem. We propose a systematic framework that can model and quantify the security effectiveness of network diversity. We conduct simulations to demonstrate the usefulness of the framework. In contrast to the intuitive belief, we show that diversity does not necessarily improve security from a…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Advanced Malware Detection Techniques
