Engineering Software Diversity: a Model-Based Approach to Systematically Diversity Communications Brice Morin, Jakob Høgenes and Hui Song (SINTEF Digital, Oslo, Norway) Nicolas Harrand and Benoit Baudry (KTH, Stockholm, Sweden) 

Diversity… Really?! 2 "Mass-produced" software == Very large monocultures 

3 Microsoft's implementation of SMB Could have been mitigated with more diversity: a) different implem of SMB, b) other protocols 

4 Diversity-Stability hypothesis: Increased diversity  increased resilience Red Queen hypothesis: Continued adaptation & evolution  sustainability Diversity in space Diversity in time 

Diversity in communications 5 • Few different protocols (HTTP/REST, MQTT, WS, etc) • Few different programming languages, for which stubs needs to be implemented • Many different serializations (binary, JSON, XML), in theory ∞ 

A simple non-diversified protocol 6 m1(a, b, c, d, e) m2(a, b, c) m3(a) Repeat 100 times: 

7 Non-diversified network traffic m1 m2 m3 m1 m2 m3 m1 m2 m3 m1 m2 m3m1 m2 m3 

Where ThingML helps diversity (though not for communications ) • By default, generate code for C/C++, Java, JavaScript, Go  2w-to-2mo to support a new language (1k-10k LoC) • By default, can communicate through MQTT, WS, UDP, etc  2h-to-2d to support a new protocol (100- 1k LoC) Where ThingML support diversity in communications (though very limited by default) • By default, generate 2 (de)serializers (for each supported language) • Binary à la Google Protocol Buffer and JSON 20min-to-2h to write a new (de)serializer (10-1k LoC) • What if you have 1M users and want unique serializations? 40y-to-240y  +10M-1B LoC to be maintained… 8 MDE to Diversify Communications 

Approach Overview 9 ThingML Model Core Core Serial Proto Serial Proto ThingML Model Diversified 

10 

Shuffle parameters 11 payload[2] payload[3] payload[1] 

Shuffle message definition 12 

Duplicate messages 13 

Split messages 14 

All at once? 15 

16 

Measuring diversity in space 17 

Measuring diversity in time 18 

What's the overhead? 19 

Conclusion • Systematic diversification • A perfect use case for MDE! • We applied MDE to the diversification of communications • Significant diversity can be introduced automatically • No overhead at design-time: just specify your API, we take care of the rest • Runtime Overhead is compatible with "mass-produced" software/firmware 20 

Question? 21 https://github.com/SINTEF-9012/thingml-diversifier https://github.com/modelsconf2018/artifact-evaluation/tree/master/morin See https://github.com/TelluIoT/ThingML @bm0rin brice-morin 

Teknologi for et bedre samfunn 

Is that diversity useful? • Note: based on further experiments, not to be found in the paper 24 

25 

26