OS Diversity for Intrusion Tolerance: Myth or Reality?
One of the key benefits of using intrusion-tolerant systems is the possibility of ensuring correct behavior in the presence of attacks and intrusions. These security gains are directly dependent on the components exhibiting failure diversity. To what extent failure diversity is observed in practical deployment depends on how diverse are the components that constitute the system. In this paper, the authors present a study with Operating Systems (OS) vulnerability data from the NIST National Vulnerability Database. They have analyzed the vulnerabilities of 11 different OSes over a period of roughly 15 years, to check how many of these vulnerabilities occur in more than one OS. They found this number to be low for several combinations of OSes.