'Biodiverse' Software Could Thwart Hackers' Ability to Spread Viruses

Earth's incredible biodiversity is one big reason that a single, all-consuming virus hasn't wiped everything out. Michael Franz, director of University of California-Irvine's Secure Systems & Software Laboratory, thinks biodiversity can serve as a blueprint for defending against another type of virus: those used for malicious hacking, whether by rogue individuals or state-sanctioned hackers.

Franz said that the critical weakness in exploited software is that a hacker can "take over all of the devices that run [that] software." Most smartphones use either Android or iOS, while most personal computers either run Windows or Mac OS. While there are multiple versions of each, and updates come with a speed that biological evolution could never match, there are still relatively few targets.

Finding new zero-day exploits is only a matter of time, and when found, will affect a broad swath of users. But, with a biodiverse software ecosystem, Franz believes the work of hacking could be made much more difficult.

"Our solution is to make every software program unique, so that hackers have to find different attacks for different targets," said Franz in a UC-Irvine Q+A. "It’s inspired by biology—appropriately so, since biological viruses existed long before the term was applied to computers. The plague wiped out a third of humanity, but it didn’t wipe out everyone because different people have different genetics."

Franz said that in an effort to reduce software errors, his team developed mechanisms that can "potentially create a unique version of every program for every person in the universe." And if every piece of software is unique, finding exploits that hit a lot of users—the ones worth spending time on—becomes more difficult.

In Franz's team mechanisms, "subtly different versions" of the same software are created when users download a piece of software from the cloud, using technology like his group's MultiCompiler, which "automatically generates a unique, but functionally identical version of each Mobile App each time that a downloader requests it." So, if an iPhone user downloads the latest version of Instagram from iTunes, Apple's cloud would generate a slightly dissimilar though "functionally identical" version of Instagram. The idea here is that while some Instagram users' unique software could be hacked, the app couldn't be exploited en masse.

Franz noted that biodiverse software can already be found in the "n-version" programming used in air traffic control, train switching, and electronic voting systems. As previous studies have shown, such multi-version programming, which was initially used to increase reliability, could also be used as a security strategy. Unlike these systems, Franz says his approach is scalable and cheaper to implement, and his team already has a functioning prototype that a few institutions are using.

As intriguing as biodiverse software is, for it to work, it needs to be able to address the fact that we're all still living in just a few software ecosystems. So, perhaps the solution isn't just biodiversity in corporate software products, but more biodiverse software options in the first place.