[langsec-discuss] Will we ever "solve" security, or prove that we can't?
Falcon Darkstar Momot
falcon at iridiumlinux.org
Thu Jan 19 04:28:37 UTC 2017
Usually when I'm talking about LangSec I make sure to say somewhere near
the beginning that it isn't a general theory of exploit mitigation. Why?
We can definitely fix parser bugs. The seven turrets paper describes
exactly how. If the developers do the things in the paper, we won't see
them. But what if the developer forgets to specify something in the
protocol that turns out to be necessary for a security guarantee?
What about other bugs? Well, you have to come up with a workable
definition of badness. Workable, in this case, means specific, amenable
to computational decision, and complete. That's actually incredibly
difficult for many or most practical systems, and it's why even formal
verification doesn't necessarily stamp out software exploitation.
Threat modelling is (still, if it might ever be otherwise) very much a
creative process. It's very difficult to anticipate everything that you
would like your system to not do. We worked on this problem a little
when I was working on Leviathan's product Lotan, and ultimately that
product relies on a list of specific behaviours that correlate to known
techniques for hijacking execution. What happens if what you're looking
for is actually a malicious change to a database? What if you want to
do something even so simple as ensure double-entry bookkeeping is followed?
Formal integrity models like Clark-Wilson, Bell-LaPadula, and Biba begin
this work, but they are little used in practice.
On 18/01/2017 19:27, Tony Arcieri wrote:
> On Wed, Jan 18, 2017 at 2:12 PM, Taylor Hornby <taylor at defuse.ca> wrote:
> Less ambitiously, we can ask if complexity theory has anything to say
> about simpler aspects of life. One of them is the
> attacker-defender arms
> race in computer security. [...] Most of us are optimistic for
> "silver bullet" discoveries that make doing computer security a LOT
> easier [...] I'm curious if part (1) of my thesis really is accurate.
> I doubt it, and I say this as a more-than-decade-long fan of "perfect
> defense". I don't think perfect defense is possible. I think the
> reality is there's a lot of low-hanging fruit that can be addressed by
> better methods, but to put it in Ghost in the Shell terms attack
> surface is "vast and infinite", and attacks only get better.
> I don't see the cat and mouse game going away any time soon, but
> perhaps we'll get better at achieving "punctuated equilibrium" where
> defenders are able to reach some sort of brief reprieve in certain
> classes of attacks and provide extremely strong defenses as a sort of
> local maximum. That is, until some paradigm-changing attack comes
> crashing down, and forces everyone to rethink their entire approach to
> Tony Arcieri
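As an added illustration of the Clark-Wilson point in Falcon's paragraph above (this is not code from the thread or from any product mentioned in it), here is a toy Python ledger: certified transformation procedures (TPs) are the only sanctioned way to change the constrained data item (CDI), and an integrity verification procedure (IVP) decides the double-entry invariant. The ledger, the account names and the tampering scenario are constructed assumptions.

```python
"""Clark-Wilson style check of a double-entry bookkeeping invariant (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:
    txn_id: str
    account: str
    amount: int  # cents; positive = debit, negative = credit


@dataclass
class Ledger:
    """The CDI. Only certified TPs are supposed to modify it."""
    entries: list = field(default_factory=list)


def tp_post_transaction(ledger, txn_id, legs):
    """Certified TP: appends a transaction only if its legs net to zero."""
    if sum(amount for _, amount in legs) != 0:
        raise ValueError(f"{txn_id}: legs do not balance")
    if any(e.txn_id == txn_id for e in ledger.entries):
        raise ValueError(f"{txn_id}: duplicate transaction id")
    for account, amount in legs:
        ledger.entries.append(Entry(txn_id, account, amount))


def ivp_double_entry(ledger):
    """IVP: the decidable 'badness' predicate. Returns the ids of every
    transaction whose legs no longer net to zero (empty list = valid state)."""
    totals = {}
    for e in ledger.entries:
        totals[e.txn_id] = totals.get(e.txn_id, 0) + e.amount
    return sorted(t for t, v in totals.items() if v != 0)


def demo():
    ledger = Ledger()
    tp_post_transaction(ledger, "t1", [("cash", -5000), ("inventory", 5000)])
    tp_post_transaction(ledger, "t2", [("inventory", -2000), ("cogs", 2000)])
    clean = ivp_double_entry(ledger)  # []
    # Simulated direct edit of the stored data, bypassing the TP (constructed):
    # the cash leg of t1 is altered, so t1 no longer balances and the IVP flags it.
    ledger.entries[0] = Entry("t1", "cash", -4000)
    tampered = ivp_double_entry(ledger)  # ["t1"]
    # A fabricated but *balanced* transaction also written directly to the data
    # passes the IVP: the invariant is specific and decidable, but not complete.
    ledger.entries += [Entry("t3", "cash", -9900), Entry("t3", "consulting", 9900)]
    balanced_fraud = ivp_double_entry(ledger)  # ["t1"] only; t3 is not detected
    return clean, tampered, balanced_fraud
```

The last step is the email's caveat in miniature: the IVP catches the change that breaks the stated invariant, and says nothing about a change that preserves it.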