[langsec-discuss] composability

Rik Farrow rik at rikfarrow.com
Mon Jan 11 23:00:39 UTC 2016


Funny. I had just written a column about why programmers cannot write
secure code:

https://www.usenix.org/publications/login/dec15/farrow

I used Venema and Bernstein as examples of the rare programmers who have
written secure code. And they make extensive use of simple modules, each
running with the minimal amount of privileges needed.

If postfix and qmail are examples of secure code, I think that's a strong
argument against monolithic programs.

As someone else wrote in this thread, there is a limit to the amount of
code a programmer, or group of them, can keep "in their head", and once a
program grows beyond that size, it needs to be broken up for
understandability.

That's not to imagine that you can create layers of insecure code and they
magically become secure.

But having monolithic programs, that have to run with all the privileges
required at any phase of responding to a service, sounds like a recipe for
disaster to me.

LaTeX wasn't written for security, but for typesetting. And the author is a
genius. Note that people have used LaTeX features to execute code on web
sites that exposed the ability to create PDFs from LaTeX.

Rik



On Fri, Jan 8, 2016 at 7:19 PM, <dan at geer.org> wrote:

> So far as I know, security is not composable, which is to say
> that there is no reason to expect that the connection of N>1
> known-secure components is itself secure in the aggregate.
>
> But as an honest question, could or would the broad deployment
> of LANGSEC diligence help with that problem of composability?
> My intuition is "yes, it could or would help" but it is only
> intuition, not a deduction.
>
> Were it possible to persuasively show that diligent LANGSEC
> work would help with composability, then the demand for that
> diligence might grow quite strong.
>
> Thinking out loud,
>
> --dan
>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.langsec.org/pipermail/langsec-discuss/attachments/20160111/b56d1514/attachment.html>


More information about the langsec-discuss mailing list