Secure Coding mailing list archives
Efficiency as a negative
From: "Hetrick, Brian" <brian.hetrick () hp com>
Date: Fri, 05 Dec 2003 21:16:10 +0000
One writer noted, in response to a point another had made, that the proposed solution was inefficient, as if this were a bad thing. I believe we need to re-think the desire for efficiency.

Open loop control is far more efficient than closed loop control, because there is no need to obtain and interpret feedback. Despite this, or perhaps because of this, I suspect most of us would refuse to ride in a vehicle driven using only open loop control. The drawback of open loop control is that the slightest perturbation of the environment, the slightest deviation from the assumed environment, can cause failure. Every time we write code using an assumption instead of a run-time check, we are using open loop control.

Received computer science and software engineering wisdom from the '40s through the '80s is to minimize redundancy and hence maximize efficiency. We minimize redundancy by recording information once, rather than many times; by computing things one way, rather than several; by designing so that the values presented to a routine are always in range, rather than checked to ensure they are in range; and so forth.

Yet minimizing redundancy is essentially the same thing as maximizing risk: every time you replace a check with an assumption, you become vulnerable to falsification of the assumption. The minimum redundancy footbridge is exactly strong enough to hold you as you walk across it. This is, after all, all it needs to do. Until the day you walk across it with wet, and hence heavier than usual, shoes. Then, the minimum redundancy footbridge collapses.

As Schneier mentions in, I believe, "Secrets and Lies" (my library is at home), we already have plenty of fast, insecure programs. We certainly do not need more. The computers of today are the supercomputers of yesterday, and the computers of tomorrow will be the supercomputers of today. Perhaps it is time to use some of that power as a safety net.

In many aspects of engineering, the concept of a "safety factor" comes into play: if the guaranteed maximum load on a bridge is 4,000 pounds, you design the bridge to hold 16,000 pounds, and wonder if a mere 300% safety factor is enough. Perhaps all our programs should spend a substantial fraction of their time -- say 75% -- making sure their environment is what they expect.
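The assumption-versus-check contrast the message draws, as an added C example that is not part of the original post: a length-prefixed record parser written open loop (it trusts the length byte) beside the same routine written closed loop (it verifies the length against what was actually received and what the destination can hold). The record format, PAYLOAD_MAX and the sample bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16  /* constructed: largest payload the caller expects */
/* Open loop: trusts the length byte; if it lies, memcpy reads past the
 * input and/or writes past the 16-byte output.  Nothing is verified. */
size_t parse_record_open_loop(const uint8_t *buf, uint8_t out[PAYLOAD_MAX])
{
    size_t n = buf[0];
    memcpy(out, buf + 1, n);
    return n;
}

/* Closed loop: each assumption above is checked at run time, and a
 * falsified assumption is reported instead of acted on. */
bool parse_record_checked(const uint8_t *buf, size_t buf_len,
                          uint8_t out[PAYLOAD_MAX], size_t *out_len)
{
    if (buf == NULL || buf_len < 1) return false;   /* no length byte */
    size_t n = buf[0];
    /* claims more than was received, or more than the destination holds */
    if (n > buf_len - 1 || n > PAYLOAD_MAX) return false;
    memcpy(out, buf + 1, n);
    *out_len = n;
    return true;
}

/* Constructed sample records: an honest one and one whose length lies. */
static const uint8_t good_record[]  = { 3, 'a', 'b', 'c' };
static const uint8_t lying_record[] = { 200, 'a', 'b', 'c' };
bool checked_accepts_good(void)
{
    uint8_t out[PAYLOAD_MAX]; size_t n = 0;
    return parse_record_checked(good_record, sizeof good_record, out, &n)
           && n == 3 && out[0] == 'a' && out[2] == 'c';
}
bool checked_rejects_lying(void)
{
    uint8_t out[PAYLOAD_MAX]; size_t n = 0;
    return !parse_record_checked(lying_record, sizeof lying_record, out, &n);
}
int main(void)
{
    printf("honest accepted=%d, lying rejected=%d\n",
           checked_accepts_good(), checked_rejects_lying());
    return 0;
}
```

The open-loop version is only ever called with the honest record here; handing it the lying one is exactly the falsified assumption the message warns about.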