havoc at defuse.ca
Fri Jan 22 00:27:15 UTC 2016
On 01/08/2016 07:19 PM, dan at geer.org wrote:
> So far as I know, security is not composable, which is to say
> that there is no reason to expect that the connection of N>1
> known-secure components is itself secure in the aggregate.
> But as an honest question, could or would the broad deployment
> of LANGSEC diligence help with that problem of composability?
> My intuition is "yes, it could or would help" but it is only
> intuition, not a deduction.
> Were it possible to persuasively show that diligent LANGSEC
> work would help with composability, then the demand for that
> diligence might grow quite strong.
> Thinking out loud,
The essence of the composability problem is that the way we model
systems at a high intuitive level isn't closed under composition. We
have abstract models of what systems A and B behave like, but the
composition A+B's properties cannot be described with the same type of
model. This is usually because the models of A and B we started out with
weren't detailed (close to reality) enough and so the behavior of A+B is
undefined if you only know the models (and not the realities) of A and B
Here's a contrived example to illustrate the point:
System A: Takes a message X and outputs X encrypted with some key K1.
System B: Takes a ciphertext C and outputs C decrypted with some key K2.
If System A is all that exists in the world, everything's fine. I can
encrypt messages and nobody can decrypt them. Kind of useless, but still
fine with regards to security. If System B is all that exists in the
world, everything's still fine. Useless, since no valid ciphertexts
exist in the world, but still fine with regards to security.
But now put System A and System B together in the same world. Is the
result secure? We can't tell! It's impossible to answer that question
from the information I've given you. If K1 and K2 are independent, it's
like they exist in their own separate worlds and everything's fine (and
useless) as before, but if K1 == K2, then anything I encrypt with System
A you can decrypt with System B and security breaks down since I might
falsely believe it's fine to stuff secret messages into System A.
The model I used to describe System A and System B was too abstract, so
you have no way to know if System A+B is secure until I told you more
information about how System A and System B really are.
LangSec could help us formulate a set of security properties that's
closed under composition such that if A and B individually have those
properties then it's efficient to check if the composition A+B also has
those properties. The properties would generalize the "preconditions and
postconditions" pattern to systems that can interact with each other in
A starting point is to find a way to model systems that's closed under
composition. This has been done for quantum systems recently:
I don't know if one has been developed for purely classical systems.
More information about the langsec-discuss