[langsec-discuss] composability

Dan Kaminsky dan at doxpara.com
Mon Jan 11 00:40:18 UTC 2016


Security is at least partially composable. For example, the very concept of
attack vector analysis (by far the most important but surprisingly least
understood predictor of real world exploitability) requires knowing what's
reachable by what.  Many bugs can only be reached if you're already root,
in which case they create no security differential. Many other bugs are
vastly more serious because they do not have a known secure component
gating access to them, for example the recent route from email to Flash
(and Packager) via winmail.dat.

There are interesting cross layer issues but they're more of an exception;
in general we close off more bugs than we open nesting security layers.

On Friday, January 8, 2016, <dan at geer.org> wrote:

> So far as I know, security is not composable, which is to say
> that there is no reason to expect that the connection of N>1
> known-secure components is itself secure in the aggregate.
>
> But as an honest question, could or would the broad deployment
> of LANGSEC diligence help with that problem of composability?
> My intuition is "yes, it could or would help" but it is only
> intuition, not a deduction.
>
> Were it possible to persuasively show that diligent LANGSEC
> work would help with composability, then the demand for that
> diligence might grow quite strong.
>
> Thinking out loud,
>
> --dan