Complexity is(n’t) Our Enemy
I’ve spent a lot of time over the last few weeks at work on a side-project regarding complexity. Much of this came as I started to work some of the underlying mathematical models around Forcepoint’s “Dynamic Data Protection” – basically, the ability to protect data on the fly, based on the overall risks observed. It’s fun and cool stuff (and really very effective), but by having systems act a little more autonomously, it does make the world a little more complex, and as a long-time security researcher, that is something to pay attention to.
As I began looking into this, everything I ran into online tended to start off with a rather trite statement that “complexity is the enemy of security”, and of course, that’s only partly true – that’s what makes it such a dangerous statement. That partial truth is what I’ve been poking at these last few weeks, and so I thought it might make a nice set of things to share online. So, here it is: some of my musings on complexity.
First, I think it’s worth talking a little bit about why the cliché of complexity and security being natural enemies exists. I think it’s fairly obvious: security requires the defender to do everything right. Thus, the more complex the attack surface, the higher the chance that I get something wrong… something that sooner or later an attacker is going to find and take advantage of. So, in that sense, security and complexity are very much in tension.
Let’s make that more concrete.
From a complexity point of view, the systems we’re trying to guard are very complex indeed. Even the chipset inside your computer is not fully understood; the Meltdown and Spectre vulnerabilities tell us that we’re not always the greatest at thinking about the consequences of (or even seeing) the complexity that exists in our systems, even just at the chip level. As you open the aperture and zoom out, the complexity of the overall system is mind-boggling. (Suddenly I’m thinking of XKCD’s “Powers of One” cartoon, https://xkcd.com/271/. Use a larger number than 1 for best effect…) I would put it to you that we haven’t actually understood our computer ecosystem for years or even decades.
To handle all of this, we tend to take a model-based view of the world. I have a computer, a router, a network. I don’t think (much) about the chipset, the GPU, routing protocols, or the OSI model until I have to. We abstract. It’s not wrong, but it most definitely can lead to security challenges when our simplifications, by necessity, fail to retain all the nuances of the original system.
All of this seems to be making the argument that complexity really is the root of all evil and is, in part, responsible for the dismal state of computer security worldwide. However, there’s plenty of evidence to suggest that complexity can also bring more robustness to a system (especially when you zoom all the way out and look at the ecosystem as a whole). Let me give you a straw man example.
Back in the day, I did some research that was looking at malware contagion on the internet – this was all after the Slammer Worm of 2003. Basically, there was a discussion that the monoculture of Windows was presenting a target for attackers that was unbelievably easy to hit. Find a “wormable” exploit, and voila… instant worldwide contagion. Diversity was touted as the answer.
The challenge, of course, turned out to be how much diversity you required, and the answer was lots. Lots and lots. Lots and lots and lots. The original vulnerability Slammer used to spread was not particularly widespread, yet the worm succeeded in causing massive network disruption as its population rapidly grew. Thus, diversity in terms of OS vendors just wasn’t going to cut it.
This observation spurred further research into things like ASLR to add “artificial diversity” to the system to make it harder to create exploits that worked everywhere. While a full discussion of ASLR and its benefits is well outside the scope of what I want to write about today, the idea was basically a good one. However, it came at the cost of complexity. Suddenly binaries looked different in memory in the name of security. Complexity to the rescue. But isn’t that what we said we didn’t want?
Over the next month or so, I’ll be writing a few thoughts about complexity and how to tame it for our benefit. There’s a paraphrase of Einstein (who never actually, as far as I can tell, said precisely this) which says “Everything should be made as simple as possible, but no simpler.” From a cybersecurity perspective, I’d like to explore that a bit more, to help get my thoughts and ideas clear. I’ll warn you this is a “work in progress stream of consciousness” type of exercise, but I hope you find it thought provoking. My next post will lay the foundation of where I’m going: a discussion of when complexity helps security.