[langsec-discuss] composability

Nils Dagsson Moskopp nils at dieweltistgarnichtso.net
Mon Jan 11 01:20:29 UTC 2016


Dan Kaminsky <dan at doxpara.com> writes:

> Security is at least partially composable. For example the very concept of
> attack vector analysis (by far the most important but surprisingly least
> understood predictor of real world exploitability) requires knowing what's
> reachable by what.  Many bugs can only be reached if you're already root,
> in which case they create no security differential. Many other bugs are
> vastly more serious because they do not have a known secure component
> gating access to them, for example the recent route from email to Flash
> (and Packager) via winmail.dat.
>
> There are interesting cross layer issues but they're more of an exception;
> in general we close off more bugs than we open nesting security
> layers.

Nevertheless, systems become quite complex as people add layer upon
layer, which can invalidate assumptions about the security of single
layers. For example: Double encryption with groups, confused deputies.

>
> On Friday, January 8, 2016, <dan at geer.org> wrote:
>
>> So far as I know, security is not composable, which is to say
>> that there is no reason to expect that the connection of N>1
>> known-secure components is itself secure in the aggregate.
>>
>> But as an honest question, could or would the broad deployment
>> of LANGSEC diligence help with that problem of composability?
>> My intuition is "yes, it could or would help" but it is only
>> intuition, not a deduction.
>>
>> Were it possible to persuasively show that diligent LANGSEC
>> work would help with composability, then the demand for that
>> diligence might grow quite strong.
>>
>> Thinking out loud,
>>
>> --dan
>>
>> _______________________________________________
>> langsec-discuss mailing list
>> langsec-discuss at mail.langsec.org
>> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss

-- 
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
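
The reachability argument quoted above ("what's reachable by what" and whether a bug creates a "security differential") can be made concrete. The following is an added example, not part of the original message and not written by any participant in the thread. The component graph, privilege levels and bug list are constructed, and the model assumes totally ordered privileges and does not chain exploits.

```python
import heapq

# Privilege levels, lowest to highest (constructed for this example).
REMOTE, USER, ROOT = 0, 1, 2

# Constructed component graph: (source, destination, privilege needed to cross).
EDGES = [
    ("network", "mail_client", REMOTE),
    ("mail_client", "attachment_parser", REMOTE),  # no secure gate in between
    ("attachment_parser", "media_plugin", REMOTE),
    ("mail_client", "local_shell", USER),          # needs a user account
    ("local_shell", "kernel_debug_iface", ROOT),   # root-only interface
    ("local_shell", "setuid_helper", USER),
]

# Constructed bugs: component -> privilege gained by exploiting it.
BUGS = {"media_plugin": USER, "kernel_debug_iface": ROOT, "setuid_helper": ROOT}

def min_privilege_to_reach(edges, entry):
    """Bottleneck shortest path: for each node, the lowest privilege that
    suffices to reach it (max edge requirement, minimised over all paths)."""
    graph = {}
    for src, dst, need in edges:
        graph.setdefault(src, []).append((dst, need))
    best = {entry: REMOTE}
    heap = [(REMOTE, entry)]
    while heap:
        have, node = heapq.heappop(heap)
        if have > best[node]:
            continue  # stale queue entry
        for dst, need in graph.get(node, []):
            cost = max(have, need)
            if cost < best.get(dst, ROOT + 1):
                best[dst] = cost
                heapq.heappush(heap, (cost, dst))
    return best

def security_differentials(edges, bugs, entry="network"):
    """Return {component: (privilege needed, privilege gained)} for bugs that
    give an attacker more than was already required to reach them."""
    reach = min_privilege_to_reach(edges, entry)
    return {c: (reach[c], gain) for c, gain in bugs.items()
            if c in reach and gain > reach[c]}

if __name__ == "__main__":
    print(security_differentials(EDGES, BUGS))
```

The root-only interface drops out of the result because reaching it already requires the privilege its bug would grant, while the ungated parser-to-plugin path is reported at the lowest privilege level.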