RE: [SC-L] Programming languages used for security

[David Crocker]

Peter Amey wrote:


Yes, the posit and verify approach.  We adopted this because we think there
are problems with refining specs into code.  One problem is that there can be
(usually will be) more than one valid way of implementing a spec.  For example,
the spec may make the abstract assertion that a list is ordered.  The
implementation could build an ordered tree structure, write to a buffer that is
periodically quicksorted or even write to a set of temporary files that are
periodically merge sorted.  The design choice may depend on non-functional
requirements such as performance or amount of free memory.  Therefore we don't
see how you can always generate the most appropriate code for the property
ordered.  


You seem to be assuming that there is only one appropriate solution to the
problem and the system cannot be trusted to find it. In reality, there are often
many appropriate solutions and it matters little which one is chosen. In the
example you give, either of the first two solutions would likely be acceptable,
and I think it would be perverse for a code generator to choose the third (i.e.
an external sort on internally-stored data). But I'm not proposing that you
should have to accept whatever the code generator comes up with: if you don't
like the result, the language should provide a way of expressing (in outline at
least) how you want the ordered property to be achieved.


One solution to this is to use very low-levels of specification that avoid the
gap between the abstract concept ordered and the code itself.  This can easily
fall into the trap that the specification language simply becomes code (a
problem with B for example).


You seem to be missing the point that B allows you to specify one abstract
machine that talks about a sequence being ordered and then refine it to
another that talks about sorting a list. B does indeed allow you to write
code-like executable specifications; but it also allows you to write
higher-level abstract specifications. I agree that there may be a temptation for
developers to just write the executable version. This is why in PD we have a
semantic distinction between specification and implementation, and you can't
write an implementation without having a specification to attach it to.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com

RE: [SC-L] Programming languages used for security

[Nick Lothian]

 
 Does anyone have pointers to articles on designing API's so 
 that they are
 easy to use securely?
 

Not specifically related to security, but
http://www.cafeconleche.org/XOM/designprinciples.xhtml#d0e161 is one of the
better things I've seen about designing APIs.

Nick

Re: [SC-L] Risk Analysis: Building Security In #3

[ljknews]

At 5:30 PM -0600 7/12/04, Jared W. Robinson wrote:
I read the paper, and found it interesting. I read the statistic 50
percent of security problems are the result of design flaws. Where does
that number come from? Experience?

I would say it comes from sloppy wording.

At best, the author might discuss 50 percent of security problems
discovered to date
-- 
Larry Kilgallen

Re: [SC-L] Programming languages used for security

[Blue Boar]

ljknews wrote:
The environment with which I am most familiar is VMS, and tradition
is what guides secure interfaces.  Inner mode code _must_ probe any
arguments provided from an outer mode, probe the buffers specified
by descriptors provided, etc.
What do you do when you're handed a bad pointer?
BB