[langsec-discuss] Complexity and langsec

Jon Callas jon at callas.org
Wed Jul 4 17:46:07 UTC 2012


On Jul 4, 2012, at 8:28 AM, Derick Winkworth wrote:

> When I'm reading the langsec papers, I can't help but feel that the
> narrative has a direct relationship with emergence in complex systems.
> It seems to me that as systems become increasingly complex, they
> become increasingly exploitable as you inadvertently create
> expressiveness in the "weird language."  This property is an emergent
> property, no?
> 
> Am I off-base here?

Not really. You have at least half of it.

Let's go back to some fundamental basics. Propositional calculus is complete, arithmetic is not. If you were solving a logic problem -- ands, ors, nots, etc. -- and you did it in an arithmetic system, you've opened yourself up to the fact that you're using an incomplete system when you could have used a complete one. It might actually be okay, but the person who supports the software after you've moved on will screw it up.

On the other end of things, if you emulate an arithmetic system with propositional calculus, you can't actually solve all the problems you might think you can. You could get problems due to this, because your implementation language is less expressive than your problem domain language.

I'll note that when you're on a computer, the math system is a logic system emulating arithmetic. Overflow/underflow and other security problems exist because you are using a *less* expressive implementation language than your thought language is. 

But nonetheless, this carries forward into shooting yourself in the foot because you used regexps to parse s-exps, and so on. 

The real problem of a weird language comes as much from a mismatch of the problem and solution domain as anything else, but of course, nothing is that simple.

Nonetheless, you get it.

	Jon
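
The "regexps to parse s-exps" mismatch from the message above, as an added example that is not part of the original post: a regex can only recognize nesting up to a depth fixed in advance, and a loose "starts with ( and ends with )" regex accepts unbalanced input, while a recognizer with a depth counter matches the grammar. All names (`shape`, `regex_for_depth`, `parses`, `compare`) and the sample inputs are constructed for illustration.

```python
import re

TOKEN = re.compile(r"\s*([()]|[^\s()]+)")   # lexing is regular: a regex is the right tool
LOOSE = re.compile(r"\(.*\)", re.S)          # shortcut: "starts with ( and ends with )"

def shape(text):
    """Lex text and keep only its shape: '(' and ')' as-is, 'a' for every atom."""
    text, out, pos = text.rstrip(), [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        out.append(m.group(1) if m.group(1) in "()" else "a")
        pos = m.end()
    return "".join(out)

def regex_for_depth(k):
    """Regex for shapes nested at most k lists deep; k must be chosen in advance."""
    pat = "a"
    for _ in range(k):
        pat = rf"(?:a|\((?:{pat})*\))"
    return re.compile(pat)

def parses(s):
    """Recognize sexp := 'a' | '(' sexp* ')' with the counter a regex lacks."""
    depth = forms = 0
    for ch in s:
        if depth == 0 and forms == 1:
            return False            # input continues after the one top-level form
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                return False        # close with nothing open
            depth -= 1
        if depth == 0:
            forms += 1
    return depth == 0 and forms == 1

def compare(text, k=2):
    s = shape(text)
    return {"parser": parses(s),
            "depth_regex": regex_for_depth(k).fullmatch(s) is not None,
            "loose_regex": LOOSE.fullmatch(text.strip()) is not None}

# Constructed inputs: within depth 2, depth 3, and unbalanced.
SAMPLES = ["(a (b c))", "(a (b (c)))", "(a)) ((b)"]

if __name__ == "__main__":
    for text in SAMPLES:
        print(f"{text!r:16} {compare(text)}")
```

The second sample is valid but rejected by the depth-2 regex, and the third is invalid but accepted by the loose regex; raising `k` only moves the first failure one level deeper.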


