[langsec-discuss] Will we ever "solve" security, or prove that we can't?
paulburchard at gmail.com
Thu Jan 19 02:29:59 UTC 2017
It is provably difficult or impossible to answer basic questions about what
an arbitrary program will do, unless severe restrictions are placed on the
capability of code. Look back at the archives if you are curious about the
kinds of tradeoffs that can be made.
On Jan 18, 2017 8:51 PM, "Taylor Hornby" <taylor at defuse.ca> wrote:
I've been thinking a lot about how mathematical results in complexity
theory (NP-completeness and all of that good stuff) help determine what
some aspects of our world are like. Most obviously, life in a world
where we find an algorithm proving "P = NP" is very different from life
in a world where "P != NP".
Less ambitiously, we can ask if complexity theory has anything to say
about simpler aspects of life. One of them is the attacker-defender arms
race in computer security. I've written a blog post on this topic:
To save you a click, the thesis is (1) Most of us are optimistic for
"silver bullet" discoveries that make doing computer security a LOT
easier, and (2) Although it will be hard, we might be able to *prove*
that no such silver bullets exist.
I'm curious if part (1) of my thesis really is accurate. Do you think
we're heading towards some breakthrough language design, algorithm,
theorem, or whatever that will really change the state of things? Or are
you expecting things to remain just like they are now (costly
vulnerability-mining then patching production systems)? Or maybe your
vision of the future is totally different from either of those options...
Phrased differently, the community's research is obviously making
security better towards some "local optima." What do you think the
theoretical "global optima" is, even if it would take breakthroughs and
decades of waiting for people to stop using the old systems to get there?
langsec-discuss mailing list
langsec-discuss at mail.langsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the langsec-discuss