[langsec-discuss] composability

Dan Kaminsky dan at doxpara.com
Mon Jan 11 01:22:17 UTC 2016


On Sunday, January 10, 2016, Nils Dagsson Moskopp <nils at dieweltistgarnichtso.net> wrote:

> Dan Kaminsky <dan at doxpara.com> writes:
>
> > Security is at least partially composable. For example the very concept of
> > attack vector analysis (by far the most important but surprisingly least
> > understood predictor of real world exploitability) requires knowing what's
> > reachable by what.  Many bugs can only be reached if you're already root,
> > in which case they create no security differential. Many other bugs are
> > vastly more serious because they do not have a known secure component
> > gating access to them, for example the recent route from email to Flash
> > (and Packager) via winmail.dat.
> >
> > There are interesting cross layer issues but they're more of an exception;
> > in general we close off more bugs than we open nesting security
> > layers.
>
> Nevertheless, systems become quite complex as people add layer upon
> layer, which can invalidate assumptions about the security of single
> layers. For example: Double encryption with groups, confused deputies.


Indeed, lack of binding between layers creates all sorts of issues (and is
the primary source of these bugs, ultimately). That being said, way better
than nothing.


>
> >
> > On Friday, January 8, 2016, <dan at geer.org> wrote:
> >
> >> So far as I know, security is not composable, which is to say
> >> that there is no reason to expect that the connection of N>1
> >> known-secure components is itself secure in the aggregate.
> >>
> >> But as an honest question, could or would the broad deployment
> >> of LANGSEC diligence help with that problem of composability?
> >> My intuition is "yes, it could or would help" but it is only
> >> intuition, not a deduction.
> >>
> >> Were it possible to persuasively show that diligent LANGSEC
> >> work would help with composability, then the demand for that
> >> diligence might grow quite strong.
> >>
> >> Thinking out loud,
> >>
> >> --dan
> >>
> >> _______________________________________________
> >> langsec-discuss mailing list
> >> langsec-discuss at mail.langsec.org
> >> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
> >>
>
> --
> Nils Dagsson Moskopp // erlehmann
> <http://dieweltistgarnichtso.net>
>