[langsec-discuss] Will we ever "solve" security, or prove that we can't?

Taylor Hornby taylor at defuse.ca
Wed Jan 18 22:12:03 UTC 2017


I've been thinking a lot about how mathematical results in complexity
theory (NP-completeness and all of that good stuff) help determine what
some aspects of our world are like. Most obviously, life in a world
where we find an algorithm proving "P = NP" is very different from life
in a world where "P != NP".

Less ambitiously, we can ask if complexity theory has anything to say
about simpler aspects of life. One of them is the attacker-defender arms
race in computer security. I've written a blog post on this topic:

https://bqp.io/will-we-ever-solve-the-hard-problem-of-information-security.html

To save you a click, the thesis is (1) Most of us are optimistic for
"silver bullet" discoveries that make doing computer security a LOT
easier, and (2) Although it will be hard, we might be able to *prove*
that no such silver bullets exist.

I'm curious if part (1) of my thesis really is accurate. Do you think
we're heading towards some breakthrough language design, algorithm,
theorem, or whatever that will really change the state of things? Or are
you expecting things to remain just like they are now (costly
vulnerability-mining then patching production systems)? Or maybe your
vision of the future is totally different from either of those options...

Phrased differently, the community's research is obviously making
security better towards some "local optima." What do you think the
theoretical "global optima" is, even if it would take breakthroughs and
decades of waiting for people to stop using the old systems to get there?

-- 
Taylor Hornby
