Check out the new USENIX Web site. next up previous
Next: Host diversity Up: System model Previous: Representing correlated failures


Attribute granularity

Attributes can represent software diversity at many different granularities. The choice of attribute granularity balances resilience to pathogens, flexibility for placing replicas, and degree of replication. An example of the coarsest representation is for a host to have a configuration comprising a single attribute for the generic class of operating system, e.g., "Windows", "Unix", etc. This single attribute represents the potential vulnerabilities of all versions of software running on all versions of the same class of operating system. As a result, replicas would always be placed on hosts with different operating systems. A less coarse representation is to have attributes for the operating system as well as all network services running on the host. This representation yields more freedom for placing replicas. For example, we can place replicas on hosts with the same class of operating system if they run different services. The core $\{H_1, H_3, H_4\}$ in Example 3.1 is an example of this situation since $H_3$ and $H_4$ both run Windows. More fine-grained representations can have attributes for different versions of operating systems and applications. For example, we can represent the various releases of Windows, such as "Windows 2000" and "Windows XP", or even versions such as "NT 4.0sp4" as attributes. Such fine-grained attributes provide considerable flexibility in placing replicas. For example, we can place a replica on an NT host and an XP host to protect against worms such as Code Red that exploit an NT service but not an XP service. But doing so greatly increases the cost and complexity of collecting and representing host attributes, as well as computing cores to determine replica sets.

Our initial work [14] suggested that informed replication can be effective with relatively coarse-grained attributes for representing software diversity. As a result, we use attributes that represent just the class of operating system and network services on hosts in the system, and not their specific versions. In subsequent sections, we show that, when representing diversity at this granularity, hosts in an enterprise-scale network have substantial and sufficient software diversity for efficiently supporting informed replication. Our experience suggests that, although we can represent software diversity at finer attribute granularities such as specific software versions, there is not a compelling need to do so.


Table 1: Recent well-known pathogens.
Worm Form of infection (Service) Platform
Code Red port 80/http (MS IIS) Windows
Nimda multiple: email; Trojan horse versions
Windows using open network shares (SMB:
ports 137-139 and 445); port 80/HTTP
(MS IIS); Code Red backdoors 		Windows
Sapphire port 1434/udp (MS SQL, MSDE) Windows
Sasser port 445/tcp (LSASS) Windows
Witty port 4000/udp (BlackICE) Windows


next up previous
Next: Host diversity Up: System model Previous: Representing correlated failures
Flavio Junqueira 2005-02-17