Heartbleed and Monocultures
My old friend Dan Geer has an interesting post on Heartbleed (hat tip to Bruce Schneier for spotting it). Dan and Bruce have written before about the dangers of software monocultures. When flaws are widely disseminated, their impact is disastrous when exploited, either deliberately or by accident. Some examples that come to mind from an operating system near-monoculture are the Melissa and Love Letter viruses, circa 1999-2000 (email dissemination of an executable virus), and the 2003 SQL Slammer worm. The near ubiquity of Microsoft Windows and, in the case of Slammer, the poor state of patch discipline caused widespread denial of service.
Although the vulnerable version of OpenSSL was nowhere near a monoculture (17% of web servers with trusted certificates were vulnerable on the day the bug was announced), Geer points out that dissemination was wide enough to have a lot of the characteristics of a monoculture in terms of impact.
When deployment is wide enough, it takes on the misfeatures of monoculture. Heartbleed is instructive; its deployment was not wide enough to be called an Internet-scale monoculture and yet the costs are substantial. What if Heartbleed had been a thoroughgoing monoculture, a flaw that affected not just the server side of a fractional share of merchants but every client as well?
In fact, I think that for many of the major disruptions we've seen, a sub-monoculture critical mass is enough to cause major headaches. In this case, imagine that Microsoft and Apple did not have their own independent cryptography implementations. The impact would have been even worse! First of all, their own web properties, Hotmail, Outlook.com, Live.com, the iTunes store, iCloud, etc., were immune to Heartbleed. Also, a lot of web servers out there run IIS. Imagine if they were vulnerable as well.
Some of the fallout from Heartbleed is interesting. The OpenBSD project has created its own fork, called LibreSSL. They are basically on a bug hunt right now, and once they have a clean code base they also want to secure stable funding for maintenance and porting to other OSs.
The abysmal state of funding of the OpenSSL project has also been the subject of much hand-wringing and gnashing of teeth. A new initiative led by the Linux Foundation seeks to fund underfunded open source projects, starting with OpenSSL:
The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.
Heartbleed was a wake-up call that when a lot of people depend on the security and reliability of a piece of software, somebody is going to have to pay to maintain it. The old adage that there is no free lunch bit us in the behind this month, badly.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.