So - aren't a lot of the Internet security issues errors or omissions in the
IETF standards - leaving things unspecified which get implemented in
different ways - some of which can be exploited due to implementation flaws
(due to specification flaws)?
Mike H.
-
Michael S Hines
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Crispin Cowan
Sent: Monday, June 11, 2007 5:50 PM
To: Gary McGraw
Cc: SC-L@securecoding.org; Blue Boar
Subject: Re: [SC-L] Harvard vs. von Neumann
Gary McGraw wrote:
Though I don't quite understand computer science theory in the same way
that Crispin does, I do think it is worth pointing out that there are two
major kinds of security defects in software: bugs at the implementation
level, and flaws at the design/spec level. I think Crispin is driving at
that point.
Kind of. I'm saying that specification and implementation are relative
to each other: at one level, a spec can say put an iterative loop here and
implementation of a bunch of x86 instructions. At another level,
specification says initialize this array and the implementation says for
(i=0; iARRAY_SIZE;i++){ At yet another level the specification says
get a contractor to write an air traffic control system and the
implementation is a contract :)
So when you advocate automating the implementation and focusing on
specification, you are just moving the game up. You *do* change properties
when you move the game up, some for the better, some for the worse. Some
examples:
* If you move up to type safe languages, then the compiler can prove
some nice safety properties about your program for you. It does
not prove total correctness, does not prove halting, just some
nice safety properties.
* If you move further up to purely declarative languages (PROLOG,
strict functional languages) you get a bunch more analyzability.
But they are still Turing-complete (thanks to Church-Rosser) so
you still can't have total correctness.
* If you moved up to some specification form that was no longer
Turing complete, e.g. something weaker like predicate logic, then
you are asking the compiler to contrive algorithmic solutions to
nominally NP-hard problems. Of course they mostly aren't NP-hard
because humans can create algorithms to solve them, but now you
want the computer to do it. Which begs the question of the
correctness of a compiler so powerful it can solve general purpose
algorithms.
If we assumed perfection at the implementation level (through better
languages, say), then we would end up solving roughly 50% of the software
security problem.
The 50% being rather squishy, but yes this is true. Its only vaguely what I
was talking about, really, but it is true.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org List information,
subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
