Re: [SC-L] bumper sticker slogan for secure software

2006-07-24 Thread mikeiscool
 Sorry, but it is a fact. Yes, you can have provably correct code. Cost
 is approximately $20,000 per line of code. That is what the procedures
 required for correct code cost. Oh, and they are kind of super-linear,
 so one program of 200 lines costs more than 2 programs of 100 lines.

Someone already pointed this out but your numbers here have no basis.
Provide references or something, otherwise they are meaningless.


  This isn't as true and as wide spread as you make it sound. Consider,
  for example, SQL Injection. Assuming I do not upgrade my database,
  and do not change my code and server (i.e. do not change my
  environment at all), then if I have prevented this attack initially
  nothing new will come up to suddenly make it work.

 Indeed, consider SQL injection attacks. They didn't exist 5 years ago,

Prove it.


 because no one had thought of them. Same with XSS bugs.

Again prove it.

I might say that they didn't exist at a given time because apps that
were affected weren't widely deployed. Online BBS's are relatively
new, and that, to my memory, was the first place for XSS bugs.


 What Dana is trying to tell you is that some time in the next year or
 so, someone is going to discover yet another of these major
 vulnerability classes that no one has thought of before. At that point,
 a lot of code that was thought to be reasonably secure suddenly is
 vulnerable.

Right, but if your environment is unchanged and you've looked at all
angles, then you will not be affected. Note that I'm not saying it's
easy, but ..


  Not true; you can call other libraries happily and with confidence if
  you handle the case of them going all kinds of wrong.

 This also is false. Consider the JPG bug that badly 0wned Microsoft
 desktops a while back. It was a bug in an image processing library. You
 try to view an image by processing it with the library, and the result
 is that the attacker can execute arbitrary code in your process. That is
 pretty difficult to defensively program against.

Why?


 Crispin

-- mic
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
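Added example (not part of the thread, and not code from any of the posters): the exchange above about the JPG library bug asks how you would defensively program against a library that can be made to execute arbitrary code in your process. One answer a practitioner would reach for is to not run the library in your process at all: decode in a child process under resource limits, and treat every outcome other than a clean exit with well-formed output as a failure. TOY_DECODER below is a constructed stand-in for an image library whose misbehaviours (crash, infinite loop, runaway allocation) are triggered by magic prefixes purely for the demo; the limits, the output format "WxH" and the dimension bound are assumptions of the example. It assumes a POSIX system (the resource module and signal exit codes).

```python
"""Run an untrusted decoder in a resource-limited child process.

Added example; TOY_DECODER, the limits and the output format are constructed
for the demo and are not any real library's behaviour.
"""
import resource
import subprocess
import sys

# Constructed stand-in for an untrusted decoder, run as a child interpreter.
TOY_DECODER = r'''
import os, signal, sys
data = sys.stdin.buffer.read()
if data.startswith(b"CRASH"):
    os.kill(os.getpid(), signal.SIGSEGV)        # memory-corruption style crash
elif data.startswith(b"LOOP"):
    while True:                                  # decoder never terminates
        pass
elif data.startswith(b"HOG"):
    big = bytearray(1 << 31)                     # runaway allocation (2 GiB)
    sys.stdout.write("%dx1" % len(big))
else:
    sys.stdout.write("%dx1" % len(data))         # "decoded" width x height
'''

CPU_SECONDS = 2                       # assumed budget for one decode
ADDRESS_SPACE = 512 * 1024 * 1024     # 512 MiB: enough for the interpreter, not for HOG
MAX_DIMENSION = 1 << 16               # assumed sanity bound on image dimensions


def _apply_limits():
    # Runs in the child between fork and exec; the kernel enforces these.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (ADDRESS_SPACE, ADDRESS_SPACE))


def decode_isolated(data, timeout=10.0):
    """Decode `data` in a limited child; return a verdict dict, never raise."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", TOY_DECODER],
            input=data, capture_output=True,
            timeout=timeout, preexec_fn=_apply_limits,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "wall-clock timeout"}
    if proc.returncode != 0:
        # Negative code: killed by a signal (SIGSEGV, SIGXCPU, ...);
        # positive code: the decoder bailed out (e.g. MemoryError).
        return {"ok": False, "reason": "child exited with %d" % proc.returncode}
    # A clean exit is still not trusted: validate the output format and ranges.
    out = proc.stdout.decode("ascii", "replace")
    try:
        width, height = (int(part) for part in out.split("x"))
    except ValueError:
        return {"ok": False, "reason": "malformed decoder output"}
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        return {"ok": False, "reason": "implausible dimensions"}
    return {"ok": True, "width": width, "height": height}


if __name__ == "__main__":
    for sample in (b"\x89PNG constructed good file", b"CRASH", b"LOOP", b"HOG"):
        print(sample[:5], decode_isolated(sample))
```

The caveat a practitioner would add: this contains the damage, it does not remove it. A hijacked child can still do anything the child's user can, so in practice the child also drops privileges or runs under a sandbox; what the parent gains is that a crash, hang or garbage result in the library becomes an ordinary error return rather than code execution in its own address space.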


Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread Dana Epp
Actually, Brian Shea got the points for emailing me that he knew it was
the system error Access Denied.

An extra 10 points goes to Andrew van der Stock for his explanation
that:

apparently the term originates from radio, where 5x5 means good
reception and good signal strength (in that order). So

0x5

means

- no reception (0)
- good signal strength (5)

ie, we're doing ok at getting our message out, but people aren't  
listening yet. 

That cracked me up. So fitting for this forum.


Regards,
Dana Epp 
[Microsoft Security MVP]
http://silverstr.ufies.org/blog/

-Original Message-
From: mikeiscool [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 20, 2006 3:25 PM
To: Wall, Kevin
Cc: Dana Epp; SC-L@securecoding.org
Subject: Re: [SC-L] bumper sticker slogan for secure software

 BTW, does anyone besides me think that it's time to put this thread to

 rest?

I do.

But I'm still waiting for my points from Dana ...


 -kevin

-- mic



Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread der Mouse
 What is important is that some magic formal tool could say that some
 code in language A, where bug of type k is possible, is not
 equivalent to the version in language B, where type k bugs are
 impossible, ergo you have found a type k bug (in the absence of any
 other bug in that section of code...).

Well, no.  You know that a bug exists.  It could be in one version (you
don't know which one), or it could be in the verifier.

If you assume that the verifier is bug-free, and you assume that the
language-A version is semantically correct, then you know that a bug
exists in the language-B version.  It might be of type k or it might be
of some other type (possibly a type that can exist in language A,
possibly not).  And in any case, you have not found it; you have only
demonstrated its existence.

/~\ The ASCII   der Mouse
\ / Ribbon Campaign
 X  Against HTML   [EMAIL PROTECTED]
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread mikeiscool
On 7/21/06, Dana Epp [EMAIL PROTECTED] wrote:
  yeah.
  but none of this changes the fact that it IS possible to write
 completely secure code.
  -- mic

 And it IS possible that a man will walk on Mars someday. But it's not
 practical or realistic in the society we live in today. I'm sorry mic,
 but I have to disagree with you here.

 It is EXTREMELY difficult to have code be 100% correct if an application
 has any level of real use or complexity. There will be security defects.

Why? Why accept this as a fact? It is not a fact. If you put
procedures in place and appropriately review and test you can be
confident.


 The weakest link here is the human factor, and people make mistakes.

Yes they do. So help them to stop it by teaching and testing and reviewing.


 More importantly, threats are constantly evolving and what you may
 consider completely secure today may not be tomorrow when a new attack
 vector is recognized that may attack your software.

This isn't as true and as wide spread as you make it sound. Consider,
for example, SQL Injection. Assuming I do not upgrade my database,
and do not change my code and server (i.e. do not change my
environment at all), then if I have prevented this attack initially
nothing new will come up to suddenly make it work.

If the environment IS changed, however, then of course it's expected
that the program should be reviewed and checked again.


 And unless you wrote
 every single line of code yourself without calling out to ANY libraries,
 you cannot rely on the security of other libraries or components that
 may NOT have the same engineering discipline that you may have on your
 own code base.

Not true; you can call other libraries happily and with confidence if
you handle the case of them going all kinds of wrong.


 Ross Anderson once said that secure software engineering is about
 building systems to remain dependable in the face of malice, error, or
 mischance. I think he has something there. If we build systems to
 maintain confidentiality, integrity and availability, we have the
 ability to fail gracefully in a manner to recover from unknown or
 changing problems in our software without being detrimental to the user,
 or their data.

 I don't think we should ever stop striving to reach secure coding
 nirvana. But I also understand that in the real world we are still in
 our infancy when it comes to secure software as a discipline, and we
 still have much to learn before we will reach it.

Yes, much to learn. Like the fact that it _is_ reachable if you
believe you can reach it. And, you know, study yoga and live in a
cliff for a few years.


 Regards,
 Dana Epp
 [Microsoft Security MVP]
 http://silverstr.ufies.org/blog/

-- mic
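Added example (not part of the thread, and not code from any of the posters): the SQL injection case used above, shown as the vulnerable lookup beside the parameterized one against a constructed in-memory SQLite table. The table, the accounts and the attacker string are all made up for the demo.

```python
"""SQL injection: string-built query beside a parameterized one.

Added example; the schema, rows and attacker input are constructed for the demo.
"""
import sqlite3


def make_db():
    # Constructed sample data: three accounts, one flagged as admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 0),
         ("bob", "bob@example.test", 0),
         ("root", "root@example.test", 1)],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable: the caller's string is spliced into the SQL text, so the
    # database parser sees whatever structure the caller chose to include.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened: the statement is parsed first and the value bound afterwards,
    # so the input can only ever be compared as a string literal.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the quoted literal and appends an
# always-true clause, turning a one-row lookup into a full table dump.
MALICIOUS_NAME = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vuln_honest": lookup_vulnerable(conn, "alice"),
        "vuln_attack": lookup_vulnerable(conn, MALICIOUS_NAME),
        "param_honest": lookup_parameterized(conn, "alice"),
        "param_attack": lookup_parameterized(conn, MALICIOUS_NAME),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The parameterized form removes the bug class rather than matching one attack string, which is why it holds up when the environment does change (a new database version, a different driver): the value never reaches the SQL parser as text.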


Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread John Wilander
I've actually been using a secure software slogan for a few years, both in
teaching and in pitching business. It's taken from Howard and LeBlanc's
book Writing Secure Code:

- Security features are not secure features -

The statement mesmerizes people and arguably needs a 'necessarily' to be
more precise. But it's short and does the trick for me---it separates
adding security functions from trying to secure all functions in the
system (during all phases).

Regards, John


John Wilander, PhD Student
Computer and Information Sc.
Linkoping University, Sweden
http://www.ida.liu.se/~johwi


Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread Mark Graff
There's another point to consider, when talking about whether True Security 
is Possible. And I have to say I've never been happy with the forms I've 
found so far to express it...

Security, in many cases, decays. It's like what we used to call, in the Old 
Days, bit rot. Software that has worked perfectly well for years (that
is, failures and mistakes have fallen under the threshold of detection)
suddenly stops working. Often, it's because some element of the environment
in which the system runs has changed around it. It could be a library that 
the program uses, for instance. I suppose it could be a change in the way 
the software is used, or applied.

So while most software decays in some way while it ages, I seem to observe 
that the security aspect of a program decays faster than the rest of it. 
(This has some analogies in the real world. Some parts of a car, for 
example, wear out faster than the rest. Tires and Brake pads. It's an 
interesting feature of good design, of course, to isolate the effects of 
wear and tear into parts intended to be disposable. But I digress.)

I have therefore often wondered if we should be talking, not about how 
secure a system is, in a static sense, but rather what its security 
half-life is. This is the point of my hoary thought experiment (sorry if 
you've heard this one) in which we prepare a desktop with the latest and 
greatest in the way of anti-virus stuff, firewalls, OS patches, and so 
forth, then spin it down, shrink-wrap it, and put it in a closet. If we take 
it out a year later and spin it up, that system will be less sure--more 
likely to successfully be compromised--than it was when it was spun down. 
How fast security decays will vary, depending mostly on which OS and app 
software it runs and how corrosive, if you will, that part of the overall 
operating landscape (the Internet, say)  is. This reasoning leads me to the 
thought that Mac OS X, for example, is more secure than Windows XP for 
reasons having nothing directly to do with design or implementation, but 
rather pertaining to its very ubiquity. XP, in this sense, is the center of 
the bullseye.

Gee, maybe software systems emanate a modicum of unsecurity gravity, so 
that if you get a great many of them together (that is, if millions and 
millions of people buy the product), security plummets, and declines as the 
square of the distance to True Dead Center of the day's commonplace 
platform. Or, to put it another way, this is why XP sucks.

Well, I said I've never been happy with the way I've expressed this.

-mg-



Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread mikeiscool
On 7/20/06, Andrew van der Stock [EMAIL PROTECTED] wrote:
 Actually, it is a myth.

 For every non-trivial system, there are business pressures on
 resourcing, deadlines, and acceptable quality (pick any two). Once a
 business has set their taste for risk, it makes no sense to spend say
 $10m on security controls on a product and delay it for six months
 which may only bring in $2m in revenue in total, or none at all if
 the company runs out of money to bring it to market.

 At the moment, most companies neither accept nor assign the risk,
 enumerate the risk correctly, nor take adequate steps to eliminate as
 much risk as possible. We need to improve all three aspects. Even in
 a perfect world, there will still be bugs and security defects. Let's
 make sure that the remaining ones are really hard to exploit, and
 when the exploit happens, not much loss occurs.

yeah.

but none of this changes the fact that it IS possible to write
completely secure code.


 thanks,
 Andrew

-- mic


Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Dana Epp
 yeah.
 but none of this changes the fact that it IS possible to write
completely secure code.
 -- mic

And it IS possible that a man will walk on Mars someday. But it's not
practical or realistic in the society we live in today. I'm sorry mic,
but I have to disagree with you here.

It is EXTREMELY difficult to have code be 100% correct if an application
has any level of real use or complexity. There will be security defects.
The weakest link here is the human factor, and people make mistakes.
More importantly, threats are constantly evolving and what you may
consider completely secure today may not be tomorrow when a new attack
vector is recognized that may attack your software. And unless you wrote
every single line of code yourself without calling out to ANY libraries,
you cannot rely on the security of other libraries or components that
may NOT have the same engineering discipline that you may have on your
own code base. 

Ross Anderson once said that secure software engineering is about
building systems to remain dependable in the face of malice, error, or
mischance. I think he has something there. If we build systems to
maintain confidentiality, integrity and availability, we have the
ability to fail gracefully in a manner to recover from unknown or
changing problems in our software without being detrimental to the user,
or their data.

I don't think we should ever stop striving to reach secure coding
nirvana. But I also understand that in the real world we are still in
our infancy when it comes to secure software as a discipline, and we
still have much to learn before we will reach it. 


Regards,
Dana Epp
[Microsoft Security MVP]
http://silverstr.ufies.org/blog/



Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Florian Weimer
* der Mouse:

 Absolute security is a myth.  As is designing absolutely secure
 software.

 I have high hopes in formal methods.

 All formal methods do is push bugs around.  Basically, you end up
 writing in a higher-level language (the spec you are formally verifying
 the program meets).  You are then subject to the bugs present in *that*
 program (the spec) and the bugs present in the compiler (the formal
 verifier).

But people are forced to spend more time with the code, which
generally helps them (in particular smart people) to eradicate bugs.
Another way to achieve the same thing is to freeze the code base and
let it mature over decades, but I don't see the business model for
that.


Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Wall, Kevin
Dana,

Regarding your remarks about writing perfectly secure code...
well put.

And your remarks about Ross Anderson...

 Ross Anderson once said that secure software engineering is about
 building systems to remain dependable in the face of malice, error,
 or mischance. I think he has something there. If we build systems
 to maintain confidentiality, integrity and availability, we have the
 ability to fail gracefully in a manner to recover from unknown or
 changing problems in our software without being detrimental to
 the user, or their data.

reminded me of Anderson and Ralph Needham coining the phrase
(hope I'm getting this right) that security is like programming
Satan's computer in the sense that you have an evil extremely
intelligent adversary with unlimited resources and time, etc.
[http://www.cl.cam.ac.uk/ftp/users/rja14/satan.pdf]

So there's a bumper sticker for you:

Security: programming Satan's computer

Of course, it's likely to be misunderstood by most.
(Maybe we could attribute it to SNL's church lady.
Sorry Ross. ;-)

BTW, does anyone besides me think that it's time to put
this thread to rest?

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
The reason you have people breaking into your software all 
over the place is because your software sucks...
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit




Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier


On 7/20/06 11:58 AM, Florian Weimer [EMAIL PROTECTED] wrote:

 * der Mouse:
 
 Absolute security is a myth.  As is designing absolutely secure
 software.
 
 I have high hopes in formal methods.
 
 All formal methods do is push bugs around.  Basically, you end up
 writing in a higher-level language (the spec you are formally verifying
 the program meets).  You are then subject to the bugs present in *that*
 program (the spec) and the bugs present in the compiler (the formal
 verifier).
 
 But people are forced to spend more time with the code, which
 generally helps them (in particular smart people) to eradicate bugs.
 Another way to achieve the same thing is to freeze the code base and
 let it mature over decades, but I don't see the business model for
 that.

Also, writing it twice with different languages, especially at different
levels of abstraction, makes it less likely that the same bugs will appear
in both.  You can choose the higher level language so that it has great
expressive power exactly for the things that are a pain to capture and
verify (and thus a source of bugs) in the lower-level language.  Last time I
checked, formal methods were even able to catch design errors in some
networking protocols.  But you're right, they are not absolutely perfect
because the tools and operators aren't, etc...  That doesn't mean they can't
help a great deal.  I have great hopes for their usefulness.  Maybe some day
they will help so much that the distinction between what they can produce
and absolutely secure software will become too small to matter.  Whether
we'll still be alive when that happens is another question.

Pascal





Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Gary McGraw
I'm afraid that's not true.  John Knight has a famous paper that shows that 
design/requirements bugs persist in n-version programming paradigms.  I'll let 
the interested people google that one up for themselves.

gem

company www.cigital.com.
podcast www.cigital.com/silverbullet
book www.swsec.com

 -Original Message-
From:   Pascal Meunier [mailto:[EMAIL PROTECTED]
Sent:   Thu Jul 20 13:54:42 2006
To: Florian Weimer; der Mouse
Cc: SC-L@securecoding.org
Subject:Re: [SC-L] bumper sticker slogan for secure software





Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Blue Boar
Gary McGraw wrote:
 And don't forget about the compiler you will no doubt have to use.  Do you 
 trust that?
 
 You might want to read Thompson's classic reflections on trusting trust.  
 www.acm.org/classics/sep95
 
 All your compilers are belong to us.

While that is always a good read, I'm not so sure it's that relevant 
anymore.  There is a LOT of binary analysis going on these days.

BB


Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Florian Weimer
* Pascal Meunier:

 Also, writing it twice with different languages, especially at different
 levels of abstraction, makes it less likely that the same bugs will appear
 in both.

Algorithmic issues such as denial of service attacks through
unbalanced binary trees or hash table collisions are pretty
independent of the programming language and have been observed in many
incarnations.

If you implement the same protocol, it's likely that you end up with
similar bugs.  The DNS compression loop bug was reinvented many times.
The fundamental mismatch in OpenPGP between key certification (key
plus user ID) and key usage (just the key alone) affected many
independently developed implementations.  Chrome spoofing is
ubiquitous in web browsers.  

Most things in this list are implemented in C or C++, but the problems
are at such a high level that it's unlikely that a different choice of
wildly different programming language would make a huge difference.
If you look at lower-level bugs, such as buffer overflows, I hope that
nobody still thinks that multiple code versions help -- just look at
the long list (even after discounting direct code copies) of botched
ASN.1 decoders.

Some protocols are extremely hard to implement correctly, I'm afraid.
(And not all protocols are unnecessarily complex.)
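Added example (not part of the thread, and not code from any of the posters): the "DNS compression loop bug" Florian mentions above, as a name decoder that carries the checks which rule it out. RFC 1035 section 4.1.4 lets a name end in a 2-byte pointer to an earlier occurrence; a decoder that follows pointers without constraint can be sent round a cycle forever. The packets below are constructed by hand for the demo; the hop limit is an assumed belt-and-braces bound on top of the backward-pointer rule that actually guarantees termination.

```python
"""Decode DNS compressed names with loop and bounds protection.

Added example; the sample messages are constructed, not captured traffic.
"""

MAX_NAME_LEN = 255    # RFC 1035 limit on the total length of a name
MAX_POINTER_HOPS = 16  # assumed extra bound; termination already follows from the backward rule


class DnsNameError(ValueError):
    """Raised for any malformed name; callers treat the whole message as bad."""


def read_name(msg, offset):
    """Return (name, offset just past the name's first occurrence).

    Defences against malformed input:
      * a pointer must land strictly before the segment it was reached from,
        so a chain can never revisit bytes it already walked (no cycles);
      * pointer hops and the accumulated name length are bounded;
      * every length byte is checked against the remaining buffer.
    """
    labels = []
    total = 0
    hops = 0
    seg_start = offset       # start of the segment currently being walked
    end_of_name = None       # where the caller resumes parsing
    pos = offset
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= seg_start:
                raise DnsNameError("pointer does not point to an earlier occurrence")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsNameError("too many pointer hops")
            if end_of_name is None:
                end_of_name = pos + 2
            seg_start = pos = target
            continue
        if length & 0xC0:                            # 0x40 / 0x80 are reserved
            raise DnsNameError("reserved label type 0x%02x" % (length & 0xC0))
        if length == 0:                              # root label ends the name
            if end_of_name is None:
                end_of_name = pos + 1
            return ".".join(labels) or ".", end_of_name
        total += length + 1
        if total > MAX_NAME_LEN:
            raise DnsNameError("name exceeds 255 octets")
        if pos + 1 + length > len(msg):
            raise DnsNameError("label runs past end of message")
        # Label bytes are opaque in DNS; latin-1 maps them 1:1 for display.
        labels.append(msg[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length


# Constructed message: "example.com" at offset 0, then "www" + pointer to 0.
GOOD_MSG = b"\x07example\x03com\x00\x03www\xc0\x00"

# Constructed malformed names: self-pointer, label then pointer back to its own
# start, two pointers that ping-pong, and two truncations.
BAD_MSGS = (b"\xc0\x00", b"\x03abc\xc0\x00", b"\xc0\x02\xc0\x00",
            b"\x05abc", b"\x07example")


def demo():
    results = {"good": [read_name(GOOD_MSG, 0), read_name(GOOD_MSG, 13)]}
    rejected = 0
    for bad in BAD_MSGS:
        try:
            read_name(bad, 0)
        except DnsNameError:
            rejected += 1
    results["rejected"] = rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The rule that does the real work is `target >= seg_start` rejecting the pointer: since every hop must land before the segment it left, the walk moves monotonically towards offset 0 and cannot cycle. The hop counter and the 255-octet bound are there so that a decoder ported to a language without this discipline, or a later edit that relaxes the comparison, still fails closed.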
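Added example (not part of the thread, and not code from any of the posters): the "hash table collisions" denial of service Florian lists above, shown on a small chained table. An order-insensitive hash such as a byte sum sends every anagram of one string to the same bucket, so a lookup degrades from a few comparisons to one per stored key; hashing with a secret the attacker cannot predict spreads the same keys out. The keyed blake2b here stands in for the SipHash-style function modern runtimes use, the secret is a constructed constant, and the attack keys are generated inline.

```python
"""Hash-collision DoS: predictable hash beside a keyed one.

Added example; the table size, secret and attack key set are constructed.
"""
import hashlib
import itertools

NBUCKETS = 256
SECRET = b"constructed-demo-secret-not-for-use"   # per-process random in real code


def weak_hash(key):
    # Order-independent: "abcdefgh" and "hgfedcba" collide, as do all anagrams.
    return sum(key)


def keyed_hash(key, secret):
    # The attacker cannot compute bucket numbers without the secret.
    digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "little")


def chain_lengths(keys, hash_fn):
    """Insert keys into a chained table; return the length of each chain."""
    buckets = [0] * NBUCKETS
    for k in keys:
        buckets[hash_fn(k) % NBUCKETS] += 1
    return buckets


def worst_lookup(keys, hash_fn):
    """Most comparisons a single lookup can cost after inserting `keys`."""
    return max(chain_lengths(keys, hash_fn))


def attacker_keys(n):
    # Constructed attack set: the first n anagrams of one 8-byte string.
    base = b"abcdefgh"
    return [bytes(p) for p in itertools.islice(itertools.permutations(base), n)]


def demo(n=256):
    keys = attacker_keys(n)
    return {
        "weak_worst_chain": worst_lookup(keys, weak_hash),
        "keyed_worst_chain": worst_lookup(keys, lambda k: keyed_hash(k, SECRET)),
    }


if __name__ == "__main__":
    print(demo())
```

The attack needs nothing language-specific, which is Florian's point: any runtime whose table hashes keys the same way for everyone is exposed, and a second implementation of the same table in another language shares the weakness unless its hash is keyed.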


Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier


On 7/20/06 1:57 PM, Gary McGraw [EMAIL PROTECTED] wrote:

 I'm afraid that's not true.  John Knight has a famous paper that shows that
 design/requirements bugs persist in n-version programming paradigms.  I'll let
 the interested people google that one up for themselves.
 
 gem

But it's true for stupid bugs like buffer overflows and format string
vulnerabilities, in which we're still swimming, and the proof is the fact
that those aren't possible in some languages.  For design/requirements bugs,
I'm reading:

Why Are Formal Methods Not Used More Widely?
John C. Knight Colleen L. DeJong Matthew S. Gibble Luís G. Nakano
Department of Computer Science
University of Virginia
Charlottesville, VA 22903

http://www.cs.virginia.edu/~jck/publications/lfm.97.pdf

and the evidence is that engineers presented with formal specifications were
able to spot many design errors (Validation by inspection was effective).
Therefore if you have a formal, high-level version it can be validated
better, and formal methods give proof that the lower-level code conforms.

I call that all-around better, and I'm hoping for more of it and better ways
to do it.  Now if you order a cat and needed a dog, nobody can help you.

Pascal


 
  -Original Message-
 From:  Pascal Meunier [mailto:[EMAIL PROTECTED]
 Sent: Thu Jul 20 13:54:42 2006
 To: Florian Weimer; der Mouse
 Cc: SC-L@securecoding.org
 Subject: Re: [SC-L] bumper sticker slogan for secure software
 
 
 
 On 7/20/06 11:58 AM, Florian Weimer [EMAIL PROTECTED] wrote:
 
 * der Mouse:
 
 Absolute security is a myth.  As is designing absolutely secure
 software.
 
 I have high hopes in formal methods.
 
 All formal methods do is push bugs around.  Basically, you end up
 writing in a higher-level language (the spec you are formally verifying
 the program meets).  You are then subject to the bugs present in *that*
 program (the spec) and the bugs present in the compiler (the formal
 verifier).
 
 But people are forced to spend more time with the code, which
 generally helps them (in particular smart people) to eradicate bugs.
 Another way to achieve the same thing is to freeze the code base and
 let it mature over decades, but I don't see the business model for
 that.
 
 Also, writing it twice with different languages, especially at different
 levels of abstraction, makes it less likely that the same bugs will appear
 in both.  You can choose the higher level language so that it has great
 expressive power exactly for the things that are a pain to capture and
 verify (and thus a source of bugs) in the lower-level language.  Last time I
 checked, formal methods were even able to catch design errors in some
 networking protocols.  But you're right, they are not absolutely perfect
 because the tools and operators aren't, etc...  That doesn't mean they can't
 help a great deal.  I have great hopes for their usefulness.  Maybe some day
 they will help so much that the distinction between what they can produce
 and absolutely secure software will become too small to matter.  Whether
 we'll still be alive when that happens is another question.
 
 Pascal
 
 
 
 ___
 Secure Coding mailing list (SC-L)
 SC-L@securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 
 
 
 
 
 This electronic message transmission contains information that may be
 confidential or privileged.  The information contained herein is intended
 solely for the recipient and use by any other party is not authorized.  If
 you are not the intended recipient (or otherwise authorized to receive this
 message by the intended recipient), any disclosure, copying, distribution or
 use of the contents of the information is prohibited.  If you have received
 this electronic message transmission in error, please contact the sender by
 reply email and delete all copies of this message.  Cigital, Inc. accepts no
 responsibility for any loss or damage resulting directly or indirectly from
 the use of this email or its contents.
 Thank You.
 
 
 





Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread leichter_jerrold
|  Absolute security is a myth.  As is designing absolutely secure
|  software.
|  
|  I have high hopes in formal methods.
|  
|  All formal methods do is push bugs around...
|  
|  But people are forced to spend more time with the code, which
|  generally helps them (in particular smart people) to eradicate bugs
| 
| Also, writing it twice with different languages, especially at different
| levels of abstraction, makes it less likely that the same bugs will appear
| in both.  You can choose the higher level language so that it has great
| expressive power exactly for the things that are a pain to capture and
| verify (and thus a source of bugs) in the lower-level language
But always keep in mind a comment (allegedly, I've never actually
seen this) present at the top of something Don Knuth wrote:

Be careful with this code.  I've only proved
it correct, not actually tested it.

If Don Knuth can say that about code, the rest of us should be very
humble about our correctness proofs.
-- Jerry


Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier



On 7/20/06 3:46 PM, Florian Weimer [EMAIL PROTECTED] wrote:

 * Pascal Meunier:
 
 But it's true for stupid bugs like buffer overflows and format string
 vulnerabilities, in which we're still swimming, and the proof is the fact
 that those aren't possible in some languages.
 
 Could you name a few such language implementations? 8-)
 
 In most cases, the components that enforce the absence of buffer
 overflows are written in C.
snip

That's irrelevant.  What is important is that some magic formal tool could
say that some code in language A, where bug of type k is possible, is
not equivalent to the version in language B, where type k bugs are
impossible, ergo you have found a type k bug (in the absence of any other
bug in that section of code...).

I know someone is going to ask, why didn't you code it only in language B
then?, to which there can be many different answers, and I don't want to
get into that.


  For design/requirements bugs, I'm reading:
 
 Safety-critical software is a very different beast.  You can make much
 stronger assumptions about the environment.  It's not clear if the
 results apply to software security in open system.
 
 I'm not saying that formal methods have no value.  But I doubt that
 comparisons with projects at completely different
 dollars-per-line-of-code levels give immediate insights.

That's one of the things I'm hoping for:  that more and better formal
methods become more affordable and practical.  Spark, for example,
demonstrated that the costs of some formal methods were much lower than what
people expected, in real projects.  That gives me hope.

Pascal

 




Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier



On 7/20/06 3:11 PM, Florian Weimer [EMAIL PROTECTED] wrote:

 * Pascal Meunier:
 
 Also, writing it twice with different languages, especially at different
 levels of abstraction, makes it less likely that the same bugs will appear
 in both.
 
 Algorithmic issues such as denial of service attacks through
 unbalanced binary trees or hash table collisions are pretty
 independent of the programming language and have been observed in many
 incarnations.
 
 If you implement the same protocol, it's likely that you end up with
 similar bugs.  The DNS compression loop bug was reinvented many times.
 The fundamental mismatch in OpenPGP between key certification (key
 plus user ID) and key usage (just the key alone) affected many
 independently developed implementations.  Chrome spoofing is
 ubiquitous in web browsers.
 
 Most things in this list are implemented in C or C++, but the problems
 are at such a high level that it's unlikely that a different choice of
 wildly different programming language would make a huge difference.
 If you look at lower-level bugs, such as buffer overflows, I hope that
 nobody still thinks that multiple code versions help -- just look at
 the long list (even after discounting direct code copies) of botched
 ASN.1 decoders.
 
 Some protocols are extremely hard to implement correctly, I'm afraid.
 (And not all protocols are unnecessarily complex.)
 

It's obvious that if you just translate a bad, complicated algorithm or
protocol from one language to the next, they'll all be bad.  It remains that
sometimes when you make people say something stupid twice they catch on the
second time, especially during code reviews, because they re-express the
code using natural language.  That's why I said, less likely.  It works
with some and not others.

Pascal

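The DNS compression loop bug Florian mentions above, as an added example that is not part of the thread: a name decoder that enforces RFC 1035's "prior occurrence" rule for compression pointers, so a message whose pointers chase each other is rejected instead of looping. The packets are constructed, and the strictly-decreasing-target check is one way to enforce the rule, not any particular resolver's code.

```python
# Added example, not code from the SC-L thread: a DNS name decoder that
# guards against the compression-pointer loop bug Florian Weimer mentions.
# RFC 1035 lets a label be replaced by a two-byte pointer (top bits 11) to
# a *prior* occurrence of the name in the message; a decoder that follows
# pointers without checking "prior" can be sent round in a circle forever.

def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Return (dotted name, offset just past the name as written at `offset`).
    Raises ValueError on truncation, oversized names and pointer loops."""
    labels: list[str] = []
    total = 0          # wire length of the decoded name, RFC 1035 caps it at 255
    resume = None      # where the caller continues; fixed at the first pointer
    lowest = offset    # every pointer must target an offset below this
    pos = offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume is None:
                resume = pos + 2
            # Loop guard: targets must strictly decrease, so the chain can
            # only move backwards and terminates within the message.
            if target >= lowest:
                raise ValueError(f"pointer at {pos} to {target} is not prior")
            lowest = pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:                           # root label ends the name
            return ".".join(labels), resume if resume is not None else pos + 1
        if pos + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        total += 1 + length
        if total > 255:
            raise ValueError("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def decodes_safely(msg: bytes, offset: int) -> bool:
    """True if the name decodes, False if the decoder rejected the input."""
    try:
        decode_name(msg, offset)
        return True
    except ValueError:
        return False


# Constructed message: 12-byte header, "www.example.com" at offset 12, then
# "mail" plus a pointer to offset 16 ("example.com") at offset 29.
GOOD = b"\x00" * 12 + b"\x03www\x07example\x03com\x00" + b"\x04mail\xc0\x10"
# Constructed message whose two pointers reference each other (a loop).
LOOP = b"\x00" * 12 + b"\xc0\x0e" + b"\xc0\x0c"
```

A bounded hop counter alone is not enough: a pointer back to the start of the name being decoded passes a naive "points backwards" check yet still loops, which is why the guard compares against the lowest offset visited so far.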



Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread ljknews
At 9:46 PM +0200 7/20/06, Florian Weimer wrote:
 * Pascal Meunier:
 
 But it's true for stupid bugs like buffer overflows and format string
 vulnerabilities, in which we're still swimming, and the proof is the fact
 that those aren't possible in some languages.

 Could you name a few such language implementations? 8-)

Ada !

 In most cases, the components that enforce the absence of buffer
 overflows are written in C.

Not in VAX/DEC/Compaq/HP Ada, which is the one that I use.

But the components that enforce the absence of buffer overflows are
not written in Bliss (the language of the Ada RTL for that compiler)
either.  They are in the code that is generated, or the failure to
generate that code because the problem was caught at compile time.
-- 
Larry Kilgallen


Re: [SC-L] bumper sticker slogan for secure software

2006-07-19 Thread Pascal Meunier



On 7/18/06 11:45 AM, Dana Epp [EMAIL PROTECTED] wrote:

 Or perhaps less arrogance in believing it won't sink.
 
 Absolute security is a myth. As is designing absolutely secure software.

I have high hopes in formal methods.

 It is a lofty goal, but one of an absolute that just isn't achievable as
 threats change and new attack patterns are found. Designing secure
 software is about attaining a level of balance around software
 dependability weighed against mitigated risks against said software to
 acceptable tolerance levels, while at the same time ensuring said
 software accomplishes the original goal... to solve some problem for the
 user. 
 
 On my office door is a bumper sticker I made. It simply says:
 
 0x5
 
 10 points to the first person to explain what that means.

Since you're at Microsoft I'll bet it's related to RPC Layer returned error
0x5 (Access is denied.) This may happen if host security is not installed.
http://support.microsoft.com/kb/216558/en-us

So it would be an oblique way of referring to host security.  If it was on a
motel-style door-handle card it could also mean do not disturb (send
visitors away with an access denied).  Perhaps, go away if you haven't
secured your system.  Who knows besides you ;)

Pascal

 
 
 Regards,
 Dana Epp 
 [Microsoft Security MVP]
 http://silverstr.ufies.org/blog/
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SC-L Subscriber Dave
 Aronson
 Sent: Tuesday, July 18, 2006 7:53 AM
 To: SC-L@securecoding.org
 Subject: [SC-L] bumper sticker slogan for secure software
 
 Paolo Perego [mailto:[EMAIL PROTECTED] writes:
 
  Software is like Titanic, people claim it was unsinkable. Securing
  is providing it power steering
 
 But power steering wouldn't have saved it.  By the time the iceberg was
 spotted, there was not enough time to turn that large a boat.  Perhaps
 radar, but that doesn't make a very good analogy.  Maybe a thicker
 tougher hull and automatic compartment doors?
 
 -Dave
 
 
 
 
 




Re: [SC-L] bumper sticker slogan for secure software

2006-07-19 Thread Andrew van der Stock

Actually, it is a myth.

For every non-trivial system, there are business pressures on  
resourcing, deadlines, and acceptable quality (pick any two). Once a  
business has set their taste for risk, it makes no sense to spend say  
$10m on security controls on a product and delay it for six months  
which may only bring in $2m in revenue in total, or none at all if  
the company runs out of money to bring it to market.


At the moment, most companies neither accept nor assign the risk,  
enumerate the risk correctly, nor take adequate steps to eliminate as  
much risk as possible. We need to improve all three aspects. Even in  
a perfect world, there will still be bugs and security defects. Let's  
make sure that the remaining ones are really hard to exploit, and  
when the exploit happens, not much loss occurs.


thanks,
Andrew

On 19/07/2006, at 10:59 AM, mikeiscool wrote:


Absolute security is a myth.


no it isn't. pretending it is a 'myth' is an attempt by sloppy
programmers and designers to explain away the reasons for their
applications failing.






Re: [SC-L] bumper sticker slogan for secure software

2006-07-19 Thread der Mouse
 Absolute security is a myth.  As is designing absolutely secure
 software.

 I have high hopes in formal methods.

All formal methods do is push bugs around.  Basically, you end up
writing in a higher-level language (the spec you are formally verifying
the program meets).  You are then subject to the bugs present in *that*
program (the spec) and the bugs present in the compiler (the formal
verifier).

Formal methods are a useful tool, and have a place.  But they are not a
magic bullet.

/~\ The ASCII   der Mouse
\ / Ribbon Campaign
 X  Against HTML   [EMAIL PROTECTED]
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


[SC-L] bumper sticker slogan for secure software

2006-07-18 Thread SC-L Subscriber Dave Aronson
Paolo Perego [mailto:[EMAIL PROTECTED] writes:

  Software is like Titanic, people claim it was unsinkable. Securing is
  providing it power steering

But power steering wouldn't have saved it.  By the time the iceberg was 
spotted, there was not enough time to turn that large a boat.  Perhaps radar, 
but that doesn't make a very good analogy.  Maybe a thicker tougher hull and 
automatic compartment doors?

-Dave






Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Dana Epp
Or perhaps less arrogance in believing it won't sink.

Absolute security is a myth. As is designing absolutely secure software.
It is a lofty goal, but one of an absolute that just isn't achievable as
threats change and new attack patterns are found. Designing secure
software is about attaining a level of balance around software
dependability weighed against mitigated risks against said software to
acceptable tolerance levels, while at the same time ensuring said
software accomplishes the original goal... to solve some problem for the
user. 

On my office door is a bumper sticker I made. It simply says:

0x5

10 points to the first person to explain what that means. 


Regards,
Dana Epp 
[Microsoft Security MVP]
http://silverstr.ufies.org/blog/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SC-L Subscriber Dave
Aronson
Sent: Tuesday, July 18, 2006 7:53 AM
To: SC-L@securecoding.org
Subject: [SC-L] bumper sticker slogan for secure software

Paolo Perego [mailto:[EMAIL PROTECTED] writes:

  Software is like Titanic, people claim it was unsinkable. Securing
  is providing it power steering

But power steering wouldn't have saved it.  By the time the iceberg was
spotted, there was not enough time to turn that large a boat.  Perhaps
radar, but that doesn't make a very good analogy.  Maybe a thicker
tougher hull and automatic compartment doors?

-Dave






Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Andrew van der Stock

Best for older cars...
My other car is a bit more secure

Best for Volvos (or pick another high safety brand):
I wish my finance systems were as safe as this car

Honk if you want secure software

Who has your data? Ask for secure software next time

thanks,
Andrew



Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Wietse Venema
Dana Epp:
 Or perhaps less arrogance in believing it won't sink.

Absolutely. Here's my $0.02:

secure software fails safely

Any non-trivial piece of software has defects. My challenge is not
to eliminate the last defect, but to make the system safe to use
(for some appropriate definition of safe) in the presence of defects.

Wietse


Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread ...
well...
there's no possible definition...
unless programmers start thinking and acting in another way, and who 
commissions the software respect and pays for the real value of it, and 
users understand the value,

Secure Software is an Oxymoron


(there may be a reason why this has moron inside..) 




[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes:

  The point remains though: trimming this down into a friendly little
  phrase is, IMCO, useless.

One of the common problems in trying to persuade the masses of ANYTHING, be it 
the importance of secure software, the factual or moral correctness of your 
political stances, etc., is how to communicate it so that they will understand 
and receive the message.  You can easily confuse them, bore them, or turn them 
against yourself.  Truly putting it on bumper stickers is likely to be useless, 
but this is a useful exercise in thinking how we could express the concept 
briefly and simply.

Another useful thing would be if all engineers would enroll in Toastmasters, 
but that's another story.  ;-)

-Dave, Governor of Toastmasters Area 63 (District 27)


