[langsec-discuss] composability

Michael E. Locasto locasto at ucalgary.ca
Sat Jan 9 02:50:53 UTC 2016

I'm sure there is other work out there, but the topics that the Layered
Assurance Workshop have been examining are of possible interest to your


As I alluded to in a previous message, I think there is a great deal of
potential in modeling the communication between cooperating security
mechanisms (in other words: defense-in-depth) from a LangSec perspective.
Communication is, after all, a type of composition.

Full disclosure: a student and I have been working on a modeling
approach in this vein, and when you apply it to a particular arrangement
of security mechanisms, even though our approach is still rudimentary,
it very nicely explains (or predicts, depending on your perspective) why
unintended side effects might occur or not (our standard talking point
here is running multiple AVs on a single host, but many other scenarios
are good examples, like mixes of IDS, IPS, firewalls, etc.).

To offer an answer to your question, or rather intuition, below, I think the
gain would come not necessarily from stronger security mechanisms (in
terms of the protection offered, or greater detection power), but rather
from having more confidence in their correct operation, even under
composition. In some sense, this might be a way to achieve the kind of
practical assurance Brian Snow asks for in [1].

Bottom line, this kind of thinking could help answer the questions (a)
why do I think some arrangement of security mechanisms will help me and
(b) how do I know it won't surprise me?


[1] http://www.acsac.org/2005/papers/Snow.pdf

On 1/8/16 7:19 PM, dan at geer.org wrote:
> So far as I know, security is not composable, which is to say
> that there is no reason to expect that the connection of N>1
> known-secure components is itself secure in the aggregate.
> But as an honest question, could or would the broad deployment
> of LANGSEC diligence help with that problem of composability?
> My intuition is "yes, it could or would help" but it is only
> intuition, not a deduction.
> Were it possible to persuasively show that diligent LANGSEC
> work would help with composability, then the demand for that
> diligence might grow quite strong.
> Thinking out loud,
> --dan
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
