> -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Behalf Of Michael S Hines > Sent: 30 June 2004 17:00 > To: [EMAIL PROTECTED] > Subject: RE: [SC-L] ACM Queue article and security education > > > If the state of the art in automobile design had progressed > as fast as the > state of the art of secure programming - we'd all still be > driving Model > T's. > > Consider- > - System Development Methods have not solved the (security) > problem - > though we've certainly gone through lots of them. > - Languages have not solved the (security) problem - though we've > certainly gone through (and continue to go through) lots of them. > - Module/Program/System testing has not solved the > (security) problem - > though there has been a plethorea written about system > testing (both white > box and black box). >
I agree that we have not solved the problem by the above means but I think it should be said that this is due more to the refusal of our industry to make a serious attempt to use them than because they have used them and failed. The reality is that most system development still uses ad hoc, informal approaches and inherently insecure and ambiguous implementation languages. Testing cannot make up for these deficiencies because of fundamental limitations of coverage etc. see [1,2,3]. There are development approaches, such as the use of formal methods, which have a proven track record of success. They are still being used successfully today. Yet most of our industry is either unaware of them, regards formal methods as some academic failure from the 1970s or demands "evidence" (although they never seem to need evidence before adopting the latest fashionable fad). There are languages which are more suitable for the construction of high-integrity systems and have been for years. We could have adopted Modula-2 back in the 1980s, people could take the blinkers of prejudice off and look properly at Ada. Yet we continue to use C-derived languages with known weaknesses. All we hear are appeals to better training, tools to help find the stupidities the poor development approaches make inevitable and pious hopes that future developments in computer science will rescue us. What we really need is to use the good stuff we already have. Just to back this random polemic up a bit: we have just delivered a secure system to an important customer which has been independently evaluated to a high level. Zero defects were found. It was cheaper than the system it replaces. (Draconian NDAs limit what can be said to that unfortunately). The system was formally specified in Z, coded in SPARK and proofs carried out to ensure that it was wholly free from run-time errors (and hence from attacks such as buffer overflow) and that essential security invariants are maintained. None of this is bleeding edge technology. Z has been around for ages, SPARK for 14 years. regards Peter 1. Littlewood, Bev; and Strigini, Lorenzo: Validation of Ultrahigh Dependability for Software- Based Systems. CACM 36(11): 69-80 (1993) 2. Butler, Ricky W.; and Finelli, George B.: The Infeasibility of Quantifying the Reliability of Life-Critical Real-Time Software. IEEE Transactions on Software Engineering, vol. 19, no. 1, Jan. 1993, pp 3-12. 3. Littlewood, B: Limits to evaluation of software dependability. In Software Reliability and Metrics (Proceedings of Seventh Annual CSR Conference, Garmisch-Partenkirchen). N. Fenton and B. Littlewood. Eds. Elsevier, London, pp. 81-110. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. The IT Department at Praxis Critical Systems can be contacted at [EMAIL PROTECTED] This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** ________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs. For more information on a proactive anti-virus service working around the clock, around the globe, visit: http://www.star.net.uk ________________________________________________________________________
