[langsec-discuss] Will we ever "solve" security, or prove that we can't?
crb002 at gmail.com
Thu Jan 19 04:22:14 UTC 2017
Defenders have 100% knowledge of their verification coverage. They can put a SMT solver in their continuous integration pipeline and flag all code not verified for removal.
Restraint in only shipping verified code is the silver bullet.
> On Jan 18, 2017, at 9:27 PM, Tony Arcieri <bascule at gmail.com> wrote:
>> On Wed, Jan 18, 2017 at 2:12 PM, Taylor Hornby <taylor at defuse.ca> wrote:
>> Less ambitiously, we can ask if complexity theory has anything to say
>> about simpler aspects of life. One of them is the attacker-defender arms
>> race in computer security. [...] Most of us are optimistic for
>> "silver bullet" discoveries that make doing computer security a LOT
>> easier [...] I'm curious if part (1) of my thesis really is accurate.
> I doubt it, and I say this as a more-than-decade-long fan of "perfect defense". I don't think perfect defense is possible. I think the reality is there's a lot of low-hanging fruit that can be addressed by better methods, but to put it in Ghost in the Shell terms attack surface is "vast and infinite", and attacks only get better.
> I don't see the cat and mouse game going away any time soon, but perhaps we'll get better at achieving "punctuated equilibrium" where defenders are able to reach some sort of brief reprieve in certain classes of attacks and provide extremely strong defenses as a sort of local maximum. That is, until some paradigm-changing attack comes crashing down, and forces everyone to rethink their entire approach to security.
> Tony Arcieri
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the langsec-discuss