[langsec-discuss] Will we ever "solve" security, or prove that we can't?
snackypants at gmail.com
Thu Jan 19 07:04:33 UTC 2017
The state of the art is well below the state of the art. :) That is, there
are many problems for which we know decent or even good solutions, and have
known of them for a long time, but for social, political, economic,
interpersonal, or personal reasons, we can't adopt the solutions. (I've
talked about examples in various blog posts and talks and stuff.)
So I don't spend much time thinking about formal methods, post-quantum
crypto, and other such fancy things. (I'm too dumb to understand that stuff
anyway.) First let's use what type systems/crypto/OS primitives/et c. we
already have. Basic stuff. I have a feeling that the craving for fancy
magic would lessen if we could get the basics nailed down.
By the time we finally nail down the basics, some of the fancy magic will
have materialized, as it has been gradually doing all along. (Compare the
evolution of type systems in practical languages from BCPL to Rust; or the
evolution from old-timey lint to a modern day clang with all the warnings
turned on; or from the first fuzzer to modern ASan/TSan/UBSan. We actually
have delightfully fancy stuff! Now go use it! :) )
And of course, the most effective technique at our disposal is sheer
white-knuckled simplicity. Although that's the one we have the least hope
of applying, it should always be the first one we try.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the langsec-discuss