Security is at least partially composable. For example, the very concept of attack vector analysis (by far the most important but surprisingly least understood predictor of real-world exploitability) requires knowing what's reachable by what. Many bugs can only be reached if you're already root, in which case they create no security differential. Many other bugs are vastly more serious because they do not have a known secure component gating access to them, for example the recent route from email to Flash (and Packager) via winmail.dat.
There are interesting cross-layer issues but they're more of an exception; in general we close off more bugs than we open nesting security layers.

On Friday, January 8, 2016, <d...@geer.org> wrote:

> So far as I know, security is not composable, which is to say
> that there is no reason to expect that the connection of N>1
> known-secure components is itself secure in the aggregate.
>
> But as an honest question, could or would the broad deployment
> of LANGSEC diligence help with that problem of composability?
> My intuition is "yes, it could or would help" but it is only
> intuition, not a deduction.
>
> Were it possible to persuasively show that diligent LANGSEC
> work would help with composability, then the demand for that
> diligence might grow quite strong.
>
> Thinking out loud,
>
> --dan
>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss@mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
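The reachability argument in the reply above, as an added example that is not part of the original thread: a small model that computes, for each bug, the lowest privilege from which it can be reached and the resulting security differential. The component graph, privilege levels, entry points and the `gates` parameter are all constructed for illustration; only the email to winmail.dat to Flash/Packager chain comes from the message.

```python
from collections import deque

# Constructed privilege levels: higher means more privileged.
REMOTE, USER, ROOT = 0, 1, 2

# Constructed model: component -> components it hands attacker-influenced input to.
EDGES = {
    "network": ["mail_client"],
    "mail_client": ["winmail_dat_parser"],
    "winmail_dat_parser": ["flash", "packager"],
    "local_shell": ["user_tool"],
    "root_shell": ["kernel_debug_iface"],
}
# Entry points and the privilege an attacker must already hold to use them.
ENTRY = {"network": REMOTE, "local_shell": USER, "root_shell": ROOT}
# Buggy components and the privilege that exploiting each one yields.
BUGS = {"flash": USER, "packager": USER,
        "kernel_debug_iface": ROOT, "user_tool": USER}


def min_privilege_to_reach(edges, entry, gates=frozenset()):
    """Lowest attacker privilege from which each component is reachable.

    Components in `gates` are treated as known-secure: they receive input
    but do not forward attacker-influenced data downstream.
    """
    best = {}
    # Visit entry points from least to most privileged, so the first time a
    # component is reached is also the cheapest way to reach it.
    for start, priv in sorted(entry.items(), key=lambda kv: kv[1]):
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node in best:
                continue
            best[node] = priv
            if node not in gates:
                queue.extend(edges.get(node, []))
    return best


def security_differential(edges, entry, bugs, gates=frozenset()):
    """Privilege gained minus privilege required, or None if unreachable."""
    reach = min_privilege_to_reach(edges, entry, gates)
    return {comp: (gained - reach[comp] if comp in reach else None)
            for comp, gained in bugs.items()}
```

A differential of 0 marks a bug that is only reachable by someone who already holds the privilege it grants; passing `gates={"winmail_dat_parser"}` models a known-secure component in front of Flash and Packager and turns both into unreachable bugs.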