[langsec-discuss] composability

Dan Kaminsky dan at doxpara.com
Mon Jan 11 15:51:52 UTC 2016


We get it. You hate Obama and dislike the government. If you think that
improves anyone's opinion of your engineering guidance I have no idea why.

Beyond toys and platitudes the fundamental question is whether you can
compose systems for security. The experiential reality is that:

a) There are interesting bugs introduced by the leaky abstractions between
layers
b) Most bugs are boring
c) Many, many bugs are rendered irrelevant by stripping attacker's access
to them in the first place
d) That often happens at other layers

For example basically every system you've ever used is vulnerable to
sticking a malicious device on the PCIe bus.  Go ahead, waltz in and do
that.  DMA attacks suck...but the attacker cost sucks more.

Extend to "happens over SSH" and "happens over HTTPS with a pinned cert"
and even just plain old "happens over HTTPS" and what you find looks an
awful lot like composed access constraints.

On Monday, January 11, 2016, Scott Guthery <sbg at acw.com> wrote:

> Let’s move beyond the software toys and platitudes found in computer
> science classrooms and textbooks and talk about software at scale.
>
> Pick one of the 30+ ObamaCare connectors at random.  Start with a checkbox
> on the enrollment screen and go all the way through to the 2014 taxable
> income figure stored on an IRS computer somewhere that will be used to see
> if the user qualifies for the silver plan.  How many layers or interfaces
> did you go through? I’ll bet it’s well north of 1,000.
>
> Am I really to believe that adding another interface to this stack will
> improve security?  Am I to believe that anybody could do a security
> analysis on this stack?  Heck, I don’t even think we could find out how
> many layers there are let alone determine the contribution of each layer
> --- pro or con --- to the overall security of the system.
>
> We may have to compose systems but it is because of our own lack of
> brain-power.  It has nothing whatsoever to do with security.  The attack
> surface of true concern is the way we think.
>
> A very good friend of mine called this the Law of Constant Pain.  Whatever
> system we build, we will build it just beyond our ability to understand it
> ... with all the unintended (and painful) consequences.
>
> Cheers, Scott
>
> P.S. I hear Dan Geer loud and clear on the dangers of monolithic systems
> but where these systems implement law I think we have a special case that
> deserves a more nuanced consideration.  Law is --- or at least is supposed
> to be --- a monolithic system.  Do I believe that the 30+ connectors embody
> a common and uniform implementation of the ObamaCare law?  Do you?