Secure Coding mailing list archives

Cost of provably-correct code (was: bumper sticker slogan for secure software)

From: dcrocker at eschertech.com (David Crocker)
Date: Fri, 21 Jul 2006 22:57:17 +0100

Crispin Cowan wrote on 21 July 2006 18:45:

Yes, you can have provably correct code. Cost is approximately $20,000 per line
of code. That is what the "procedures" required for correct code cost. Oh, and
they are kind of super-linear, so one program of 200 lines costs more than 2
programs of 100 lines.
<<

To arrive at that cost, I can only assume that you are referring to a process in
which all the proofs are done by hand, as was attempted for a few projects in
the 1980s. We current achieve automatic proof rates of 98% to 100% (using PD),
and I hear that Praxis also achieves automatic proof rates well over 90% (using
Spark) these days. This has brought down the cost of producing provable code
enormously.

You are perhaps also including the cost of verifying the object code against the
source code. Although this is sometimes a requirement in the safety-critical
software world, I think it unlikely to be necessary for all but a very few
secure applications, assuming a mature compiler is used.

Indeed, consider SQL injection attacks. They didn't exist 5 years ago, because
no one had thought of them. Same with XSS bugs. Same with printf format string
attacks. All of them are examples of processing user input without validation,
but they are all really big classes of such, and they were discovered to occur
in very large numbers in common code.

What Dana is trying to tell you is that some time in the next year or so,
someone is going to discover yet another of these major vulnerability classes
that no one has thought of before. At that point, a lot of code that was thought
to be reasonably secure suddenly is vulnerable.
<<

I agree, a new class of vulnerability may well be discovered. However, if the
code was specified and developed so as to be provably correct, then it is highly
likely that immunity to a new class of attack can be expressed by adding
additional formal requirements, allowing an immediate evaluation of where in the
design and implementation the vulnerabilities (if any) lie.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com

Current thread:

bumper sticker slogan for secure software, (continued)
- - bumper sticker slogan for secure software Pascal Meunier (Jul 20)
    - bumper sticker slogan for secure software Florian Weimer (Jul 20)
    - bumper sticker slogan for secure software Pascal Meunier (Jul 20)
    - bumper sticker slogan for secure software der Mouse (Jul 20)
    - bumper sticker slogan for secure software ljknews (Jul 20)
    - bumper sticker slogan for secure software John Wilander (Jul 21)
- bumper sticker slogan for secure software leichter_jerrold at emc.com (Jul 20)
- bumper sticker slogan for secure software Dana Epp (Jul 20)
- bumper sticker slogan for secure software mikeiscool (Jul 20)
  - bumper sticker slogan for secure software Crispin Cowan (Jul 21)
    - Cost of provably-correct code (was: bumper sticker slogan for secure software) David Crocker (Jul 21)
    - Cost of provably-correct code (was: bumper sticker slogan for secure software) der Mouse (Jul 22)
    - Cost of provably-correct code Crispin Cowan (Jul 23)
    - bumper sticker slogan for secure software mikeiscool (Jul 23)
- bumper sticker slogan for secure software Mark Graff (Jul 21)
  - security half-life and critical mass securecoding2dave at davearonson.com (Jul 21)