[langsec-discuss] Will we ever "solve" security, or prove that we can't?

Watson Ladd watsonbladd at gmail.com
Thu Jan 19 05:30:40 UTC 2017


On Wed, Jan 18, 2017 at 8:22 PM, Chad Brewbaker <crb002 at gmail.com> wrote:
> Defenders have 100% knowledge of their verification coverage. They can put a
> SMT solver in their continuous integration pipeline and flag all code not
> verified for removal.
>
> Restraint in only shipping verified code is the silver bullet.

Verification raises the possibility of specification failures. What is
needed is techniques to ensure meaningful security properties that are
as simple as possible, and using this to give users the properties
they want.

>
> On Jan 18, 2017, at 9:27 PM, Tony Arcieri <bascule at gmail.com> wrote:
>
> On Wed, Jan 18, 2017 at 2:12 PM, Taylor Hornby <taylor at defuse.ca> wrote:
>>
>> Less ambitiously, we can ask if complexity theory has anything to say
>> about simpler aspects of life. One of them is the attacker-defender arms
>> race in computer security. [...] Most of us are optimistic for
>> "silver bullet" discoveries that make doing computer security a LOT
>> easier [...] I'm curious if part (1) of my thesis really is accurate.
>
>
> I doubt it, and I say this as a more-than-decade-long fan of "perfect
> defense". I don't think perfect defense is possible. I think the reality is
> there's a lot of low-hanging fruit that can be addressed by better methods,
> but to put it in Ghost in the Shell terms attack surface is "vast and
> infinite", and attacks only get better.
>
> I don't see the cat and mouse game going away any time soon, but perhaps
> we'll get better at achieving "punctuated equilibrium" where defenders are
> able to reach some sort of brief reprieve in certain classes of attacks and
> provide extremely strong defenses as a sort of local maximum. That is, until
> some paradigm-changing attack comes crashing down, and forces everyone to
> rethink their entire approach to security.
>
> --
> Tony Arcieri
>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
>
>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.


More information about the langsec-discuss mailing list