> -----Original Message-----
> Behalf Of Michael S Hines
> Sent: 30 June 2004 17:00
> Subject: RE: [SC-L] ACM Queue article and security education
> If the state of the art in automobile design had progressed 
> as fast as the
> state of the art of secure programming - we'd all still be 
> driving Model
> T's.  
> Consider-
>   - System Development Methods have not solved the (security) 
> problem -
> though we've certainly gone through lots of them.
>   - Languages have not solved the (security) problem - though we've
> certainly gone through (and continue to go through) lots of them.
>   - Module/Program/System testing has not solved the 
> (security) problem -
> though there has been a plethorea written about system 
> testing (both white
> box and black box).

I agree that we have not solved the problem by the above means but I think it should 
be said that this is due more to the refusal of our industry to make a serious attempt 
to use them than because they have used them and failed.  The reality is that most 
system development still uses ad hoc, informal approaches and inherently insecure and 
ambiguous implementation languages.  Testing cannot make up for these deficiencies 
because of fundamental limitations of coverage etc. see [1,2,3].

There are development approaches, such as the use of formal methods, which have a 
proven track record of success.  They are still being used successfully today.  Yet 
most of our industry is either unaware of them, regards formal methods as some 
academic failure from the 1970s or demands "evidence" (although they never seem to 
need evidence before adopting the latest fashionable fad).

There are languages which are more suitable for the construction of high-integrity 
systems and have been for years.  We could have adopted Modula-2 back in the 1980s, 
people could take the blinkers of prejudice off and look properly at Ada.  Yet we 
continue to use C-derived languages with known weaknesses.  All we hear are appeals to 
better training, tools to help find the stupidities the poor development approaches 
make inevitable and pious hopes that future developments in computer science will 
rescue us.  What we really need is to use the good stuff we already have.

Just to back this random polemic up a bit:  we have just delivered a secure system to 
an important customer which has been independently evaluated to a high level.  Zero 
defects were found.  It was cheaper than the system it replaces.  (Draconian NDAs 
limit what can be said to that unfortunately).  The system was formally specified in 
Z, coded in SPARK and proofs carried out to ensure that it was wholly free from 
run-time errors (and hence from attacks such as buffer overflow) and that essential 
security invariants are maintained.  None of this is bleeding edge technology.  Z has 
been around for ages, SPARK for 14 years.  



1. Littlewood, Bev; and Strigini, Lorenzo: Validation of Ultrahigh Dependability for 
Based Systems. CACM 36(11): 69-80 (1993)
2. Butler, Ricky W.; and Finelli, George B.: The Infeasibility of Quantifying the 
Reliability of
Life-Critical Real-Time Software. IEEE Transactions on Software Engineering, vol. 19, 
1, Jan. 1993, pp 3-12.
3. Littlewood, B: Limits to evaluation of software dependability. In Software 
Reliability and
Metrics (Proceedings of Seventh Annual CSR Conference, Garmisch-Partenkirchen). N.
Fenton and B. Littlewood. Eds. Elsevier, London, pp. 81-110.

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.  The IT Department at Praxis Critical Systems can be contacted at 
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:

Reply via email to