Well, I have considered something similar in the past. My objective was slightly different (backwoods vs. vulnerable code), but the reasoning why ít is not as useful idea as it might look will be similar:
1. It cannot prevent some kind of attacks because of covert channels. 2. It can actually lower the level of security. 3. Not as easy to implement. I am not saying it is totally useless. There might be some cases where security benefits outweigt security drawbacks and where this is easy to implement. I cannot name any such case, though. More details about issues: 1. Even when you use two physically separate machines and tinfoil them in various ways (sound isolation, heat isolation, countermeasures against power analysis), you cannot remove all the covert channels. It is hard (though in some special cases possible) to remove timing side channel. But when one computation gives a different result, it can be also some covert channel. Sure, if someone reads logs, she might find something suspicious. Well, it can prevent for example directory traversal attacks if one of the implementations is non-vulnerable or if there is no attack payload that succeeds in both systems. But it can hardly prevent data leak from a RCEd system. 2. One might argue: If it prevents some vulnerabilities, it is better than nothing, isn't it? Well, this is not always the case. If we consider RCE vulnerabilities (where I assume that we cannot prevent data leaks), attacker can choose which system to attack. 3. There are many practical difficulties. I can show some of them on web brbrowser: * There are some random-based protocols, e.g. TLS. Even if they here is the same source for random numbers (unrealistic for some major reasons, e.g. race conditions), two completely different libraries can use it slightly differently and generate different number. In TLS, this would result in two different VMs trying to read/write a different traffic. * Differences in implementation: Different browsers support different ciphersuites and protocols. They will also send a different UserAgent header. Maybes they will render the same pages slightly differently (e.g. even different rounding can affect this). SQL queries might differ slightly, but it is hard to find it out that they are essentially the same. * How would you handle persistent state? Whenever you feel this could be a viable way, ask yourself: Isn't there an even cheaper way for reaching the goal? Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bc668468-b90d-4fe9-a2b6-ce5da2c241b5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
