Generic Software is an attack avenue

As you may or may not know, a fairly big hack has been making the rounds in the media lately: SolarWinds[0][1].

Rather than jumping on the bandwagon, I'd like to share a thought about it. Part of this attack was possible because of a quite generic software solution. By generic, I mean that the software was used everywhere. How widely was it used, that we consider it generic? Even Microsoft used it and was therefore affected by it[2]. When a software solution is that widely in use, it becomes an attack vector.

The iPhone contrast

I'd like to draw a comparison to the situation. I think of the iPhone because it shares the same problem. Apple puts a lot of effort into making it reasonably secure. How well this comparison holds depends on your threat model. But when the software is so similar on so many devices, things get easier for an attacker: they only need to find a single vulnerability to potentially exploit the entire ecosystem.

All iPhones run a very similar software stack, which leads to a situation where a single exploit can work on almost all devices. Of course, there are variations between the different device generations. Despite Apple's efforts, they have difficulty keeping software regressions at bay, so older flaws that were once exploitable work again on newer devices and releases.

It is funny to see that the fractured market that Android represents now becomes an advantage. To put this into an example: we tried to build an exploit for the well-known StageFright vulnerability, but because the Android ecosystem was built with different environments, including varying versions of libc, our exploit code went awry quickly.¹ The point I'm making here is that diversity in software adds complexity to exploit creation. It takes an attacker more effort than in an ecosystem as homogeneous as Apple's.

To take the iPhone out of this example, we could use a forest instead. When a forest has only one type of tree, it becomes massively vulnerable to bugs, viruses, and any malicious actor (including humans!). When different types of trees are present within the forest, it becomes harder for an invading actor to take over the entire forest.

Conclusion

Would a more diverse software landscape be better? Most likely not. But we should take into account that the risk of exploitation becomes higher with generic software. This fact needs to be reflected in the threat model.

This type of risk is not a problem for everyone. Most people will not care about it and will most likely be okay with it. It is interesting for everyone who needs to consider this a valid risk.

Diversification could be quite an interesting approach to mitigating that risk. However, it could also simply lead to many more vulnerable software systems. It is vital to understand that this is not a one-size-fits-all solution, but a pattern.

so far,
akendo

[0] https://www.schneier.com/blog/archives/2020/12/russias-solarwinds-attack.html
[1] https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html
[2] https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/


  1. Not taking into account that this was done by a friend and not me. Also because I suck at writing exploits.