Usually when I'm talking about LangSec I make sure to say somewhere near
the beginning that it isn't a general theory of exploit mitigation. Why?
We can definitely fix parser bugs. The seven turrets paper describes
exactly how. If the developers do the things in the paper, we won't see
them. But what if the developer forgets to specify something in the
protocol that turns out to be necessary for a security guarantee?
What about other bugs? Well, you have to come up with a workable
definition of badness. Workable, in this case, means specific, amenable
to computational decision, and complete. That's actually incredibly
difficult for many or most practical systems, and it's why even formal
verification doesn't necessarily stamp out software exploitation.
Threat modelling is (still, if it might ever be otherwise) very much a
creative process. It's very difficult to anticipate everything that you
would like your system to not do. We worked on this problem a little
when I was working on Leviathan's product Lotan, and ultimately that
product relies on a list of specific behaviours that correlate to known
techniques for hijacking execution. What happens if what you're looking
for is actually a malicious change to a database? What if you want to
do something even so simple as ensure double-entry bookkeeping is followed?
Formal integrity models like Clark-Wilson, Bell-LaPadula, and Biba begin
this work, but they are little used in practice.
FalconK
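An added illustration of the double-entry point above (written for this page, not code from anyone on the thread): a strict parser in the LangSec sense accepts every well-formed transaction, including one whose debits do not equal its credits, so the integrity guarantee has to be stated separately, Clark-Wilson style, as a transformation procedure that is the only sanctioned way to change the ledger plus an integrity verification procedure that can catch changes made behind its back. The `acct:debit:credit;...` line format, the account names and the amounts are constructed sample data.

```python
"""Clark-Wilson-style integrity check for a double-entry ledger (added example).

The parser only enforces syntax. Double-entry balance is a semantic invariant
that no grammar expresses, so it lives in a transformation procedure (TP) and
an integrity verification procedure (IVP). Format and data are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Grammar for one entry: lowercase account name, integer debit, integer credit
# (amounts in minor units, e.g. cents, to avoid floating-point rounding).
ENTRY_RE = re.compile(r"^[a-z]+:[0-9]+:[0-9]+$")


@dataclass(frozen=True)
class Entry:
    account: str
    debit: int = 0
    credit: int = 0


def parse_transaction(line: str) -> Tuple[Entry, ...]:
    """Strict syntactic parser for 'acct:debit:credit;acct:debit:credit'.

    Rejects anything outside the grammar (the LangSec part) but says nothing
    about whether the transaction balances.
    """
    entries = []
    for part in line.split(";"):
        if not ENTRY_RE.match(part):
            raise ValueError(f"malformed entry: {part!r}")
        acct, debit, credit = part.split(":")
        entries.append(Entry(acct, int(debit), int(credit)))
    return tuple(entries)


def balance_violation(entries: Tuple[Entry, ...]) -> Optional[str]:
    """Double-entry rules the parser cannot express; None means the
    transaction is acceptable, otherwise the reason it is not."""
    if len(entries) < 2:
        return "a transaction needs at least two entries"
    for e in entries:
        if (e.debit > 0) == (e.credit > 0):
            return f"{e.account}: exactly one of debit/credit must be non-zero"
    if sum(e.debit for e in entries) != sum(e.credit for e in entries):
        return "debits do not equal credits"
    return None


@dataclass
class Ledger:
    # Constrained data items: only post_transaction() may legitimately change them.
    balances: Dict[str, int] = field(default_factory=dict)
    journal: List[Tuple[Entry, ...]] = field(default_factory=list)


def post_transaction(ledger: Ledger, line: str) -> bool:
    """Transformation procedure (TP). Returns False and changes nothing if the
    transaction parses but is unbalanced; raises ValueError if it is not even
    syntactically valid."""
    entries = parse_transaction(line)
    if balance_violation(entries) is not None:
        return False
    for e in entries:
        # Debit increases an account's balance, credit decreases it, so a
        # balanced ledger always nets to zero across all accounts.
        ledger.balances[e.account] = ledger.balances.get(e.account, 0) + e.debit - e.credit
    ledger.journal.append(entries)
    return True


def verify_ledger(ledger: Ledger) -> bool:
    """Integrity verification procedure (IVP): recompute balances from the
    journal, require the ledger to net to zero, and require the stored
    balances to match. Catches edits that bypassed post_transaction()."""
    recomputed: Dict[str, int] = {}
    for tx in ledger.journal:
        if balance_violation(tx) is not None:
            return False
        for e in tx:
            recomputed[e.account] = recomputed.get(e.account, 0) + e.debit - e.credit
    if sum(recomputed.values()) != 0:
        return False
    return recomputed == ledger.balances


if __name__ == "__main__":
    ledger = Ledger()
    print(post_transaction(ledger, "cash:10000:0;revenue:0:10000"))  # True
    print(post_transaction(ledger, "cash:10000:0;revenue:0:9000"))   # False: parses fine, unbalanced
    ledger.balances["cash"] += 500  # "malicious change to a database" that bypasses the TP
    print(verify_ledger(ledger))  # False
```

The second transaction is exactly the case the message describes: nothing about it is a parser bug, so the seven-turrets discipline never sees it, and the only thing that rejects it is an invariant someone had to think of and write down. The direct edit to `balances` shows why the IVP has to exist independently of the TP.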
On 18/01/2017 19:27, Tony Arcieri wrote:
On Wed, Jan 18, 2017 at 2:12 PM, Taylor Hornby <tay...@defuse.ca> wrote:
Less ambitiously, we can ask if complexity theory has anything to say
about simpler aspects of life. One of them is the
attacker-defender arms
race in computer security. [...] Most of us are optimistic for
"silver bullet" discoveries that make doing computer security a LOT
easier [...] I'm curious if part (1) of my thesis really is accurate.
I doubt it, and I say this as a more-than-decade-long fan of "perfect
defense". I don't think perfect defense is possible. I think the
reality is there's a lot of low-hanging fruit that can be addressed by
better methods, but to put it in Ghost in the Shell terms attack
surface is "vast and infinite", and attacks only get better.
I don't see the cat and mouse game going away any time soon, but
perhaps we'll get better at achieving "punctuated equilibrium" where
defenders are able to reach some sort of brief reprieve in certain
classes of attacks and provide extremely strong defenses as a sort of
local maximum. That is, until some paradigm-changing attack comes
crashing down, and forces everyone to rethink their entire approach to
security.
--
Tony Arcieri
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss