Digg this story   Add to del.icio.us  
The Allure and Curse of Complexity
Jason Miller, 2004-07-01

The curse of complexity is the bane of every security administrator, so UNIX users take your pick: would you like BSD or Linux?

The Microsoft columnists have it easy. Scott Granneman wrote a great article a few weeks back titled Time to Dump Internet Explorer, which (in case you've been living in a cave for the past few weeks) talks about the recent mass exploitation of some un-patched vulnerabilities in Internet Explorer. Eager to come up with something equally as riveting for my fellow UNIX fans, I did a search for vulnerabilities in Lynx, and unfortunately, the latest security-related issue that I could find was reported in December of 2002. An unfair comparison, perhaps, but it does a great job of introducing you something that's called the curse of complexity.

In my last article, Secure by Default, I talked about one of the golden unavoidable truths of information security, that being the fact that all applications are going to have vulnerabilities. I'd like to elaborate.

The number of vulnerabilities present in a particular system is affected by several parameters. One of these parameters is complexity. The more complex a system, the more likely a mistake will be made during the development of the system, which will ultimately result in some undesired effect (read: security vulnerability). This basic rule doesn't really require an in-depth explanation, as it deals with a pretty basic concept.

Fortunately for us, complexity goes against the core philosophy of UNIX. In the words of Doug McIlroy, this is the Unix philosophy: "Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface." That being said, complexity appears to be something that's embraced by certain operating systems, and shunned by others.

Windows is easily the most complicated of the three operating system families that I'm most familiar with, those being BSD, Linux, and Windows. Like it or not, it is also the most popular operating system in use today, and fills the roles of both a desktop and server in many different environments. Although I'm not going to say that because Windows is complex, it's popular, I am suggesting that the two have something in common.

People like software that's easy to use, and software that lets them do lots of "stuff". The more "stuff" that they can do, and the easier that it is for them to do it, the better. Windows does a great job of this for most people. The user-interface is mature, and performing a given operation is usually fairly intuitive; most of the "complicated" administrative work that needs to be done on Windows machines can be done by someone with very little understanding of the lower-level technology. In some respects, this is a good thing. But it comes at a price.

Windows is horribly complicated. Internet Explorer, one of the core components of Windows, is also horribly complicated. This complication leads to insecurity, and plenty of real-world examples of this insecurity are available all over the Web. Fixing some of these issues isn't a matter of fixing a few lines of code, but in many cases, redesigning the way the application works. Why does Microsoft not patch some of the issues that are still unfixed in Internet Explorer? Because the complexity of the application makes fixing a lot of these problems, which derive from a complex set of inter-system interactions, a daunting task. I'm not saying this to defend Microsoft, but to demonstrate the problems that complexity brings about.

Now that I've given you a really obvious and easy to understand example, let's stop talking about Windows and get onto the UNIX (and Linux) side of things. Although the difference in the amount of complexity between UNIX-based operating systems is much less pronounced, it's definitely significant.

Complexity in UNIX

All of the BSD operating systems are simple. For the most part, they're streamlined, no-frills, basic vanilla UNIX. They support a generous number of different devices, and of these devices they support, they support well. Third-party application support is equally impressive, with the FreeBSD ports tree holding over 11,000 entries. Administering the system typically involves lots of vi, and a healthy dose of the man pages. It's also licensed with the BSD-license, which as a side note, is clearly less complicated than the GPL.

What more could you ask for? Personally, I can't think of much else. However, I'm far from the majority. When compared with Linux-based operating systems, those systems based on BSD are easily the far less popular of the two.

Linux runs everything. If a vendor supports a UNIX-based operating system, chances are they support Linux. There are drivers for almost anything that you can find that will plug into your computer. There are so many applications, you'll have a hard time picking which one you'd like to use to accomplish a given task.

Two of the most popular GNU/Linux distributions are Mandrake and Red Hat. Although there are probably over a hundred Linux distributions out there (some notably much different than Mandrake or Red Hat), covering all sorts of different levels of complexity, it's interesting to note that the more popular distributions are also the more complicated ones. Both of these distributions offer lots of fancy applications to manage your system, many of which strike a remarkably close resemblance to those provided with Windows. Although in many cases the use of man pages and vi are perfectly allowable alternatives, in some cases, they are not. For some people, this
is a feature, and a well-liked one at that. But what's really happening here is that low-level control is being taken away and replaced with a high-level and newbie-friendly interface.

A majority of the plethora of Linux distributions available involve a lot of complexity. You've got a large number of distributions consisting of a sometimes chaotic patchwork of GPL'ed applications, bundled with distribution-specific tools for managing your system.

This is something you just don't see in the BSD-based operating systems, which are designed around a more simplified (in my opinion) and complete, unified package.

What does this mean? Is more complicated software also more popular? Well, although it's not that simple, it certainly does bear some truth.

Complexity seems to be something of an obsession with computers these days, and although it certainly has it's place, it seems to be accepted in a lot of places where, in my opinion, it's just plain unnecessary.

Take the UNIX application /usr/bin/calendar. I use this program on a daily basis, and it works wonders. I've never had to waste time trying to get it to work correctly, or trying to figure out why it's not working correctly. It just works. There are many other reminder applications out there I'm sure, even feature rich GUI-based applications like Evolution Calendar, but I just don't see the need to over complicate the issue when my problem can be solved quickly and elegantly with a much simpler solution. Don't get me wrong; I'm sure there are people out there who both need and appreciate the
features included in more complicated scheduling software like Evolution, but I'm sure there are many more that are simply causing themselves problems by over complicating the solution to an easily solvable problem.

When it comes to operating systems, I personally prefer BSD for it's clean, unified, simple, and uncomplicated approach. I feel more secure on an operating system that I know well; and the less there is to know, the better (this is probably why I can't stand using Windows). I'm also the minority; Linux has seen an unprecedented amount of growth in previous years, and that could very possibly have something to do with the way the various distributions have learned to embrace the curse of complexity.

If security becomes more difficult to achieve as our software becomes more complicated, then this paints an interesting set of problems for us to overcome in the future. Looking back at operating systems, there are some projects, like BSD, which will try to avoid complexity, while others, such as many of the Linux distributions, will try to find a good balance between complexity and functionality / ease of use.

Complexity is a double-edged sword, and both BSD and Linux wield it differently. One thing, however, remains certain; unlike Windows, we know which way the blade goes.

Jason Miller manages the Focus IDS area for SecurityFocus.
    Digg this story   Add to del.icio.us  
Comments Mode:
Dont forget about Macs!! 2004-07-02
Anonymous (2 replies)
Dont forget about Macs!!...right 2004-07-05
Dont forget about Macs!! 2004-07-06
Anonymous (1 replies)
Dont forget about Macs!! 2004-07-06
Lynx, give me a break. 2004-07-02
Anonymous (2 replies)
Lynx, give me a break. 2004-07-03
Lynx, give me a break. 2004-07-03
The Allure and Curse of Complexity 2004-07-03
Scott Gever (1 replies)
As I see it... 2004-07-03
The Allure and Curse of Complexity 2004-07-07
Aaron Sherman <ajs@ajs.com> (1 replies)
The Allure and Curse of Complexity 2004-07-09
Jason V. Miller (Author)
Depends on the application 2004-07-08
We don't need a complex world 2004-07-12
Everything is complex anyway 2004-07-12
Neeme Reinmets


Privacy Statement
Copyright 2010, SecurityFocus