Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware

From: Bill_Royds () pch gc ca
Date: Fri, 25 Sep 1998 11:52:37 -0400






 "Stephen P. Berry" <spb () incyte com> wrote:

To:   "Joseph S. D. Yao" <jsdy () cospo osis gov>




This is another one of those moments when I think there ought
to be two separate lists:  firewalls-theory and firewalls-practice.  To
tell the truth, even if there was a schema for formally proving a
system secure (mod whatever process definition of `secure' the
schema posits), I would remain unconvinced of the real-world utility of
such a proof, excepting the possible placebo effect on The Mgmt.

Okay, _ceteris paribus_ it would be nice to know that one box was
provably `secure' whereas some other box is not.  But what does this
actually tell us?  It tells me the same thing when the provably `secure'
whatsit is a firewall as when the whatsit is a cryptosystem---the weak
spot is going to be between the ears or in the pressure-points of the
folks at either end.




  In the middle 80's, I was involved in the development of a supposed
provable programming language called Euclid.
One of the first things we learned from formal analysis was how few
features you could allow in a programming language if you wanted to prove
anything about it. One feature that was forbidden was pointer parameters to
separately compiled functions, since one had to then trust that the
separate function did not modify the data .
Another was dynamically allocated memory without assuming an infinite pool.
Buffer overflow anyone? :-)

Imagine a firewall written in a language that required static memory
assignment and only copy parameters to subroutines. Yes it could be proven
secure, but it wouldn't be useful for real world problems. THere is still a
lot of work going on to help in formally understanding programming, but it
has moved much more into the formal specification field (Z language at
Oxford for example) where one uses it to great advantage to avoid
overlooking things.

A formal specification of a security policy as a basis of a firewall
implementation would provide a framework for testing that would give one
good assurance of security (but not proof), even in a black box situation.
Until we can more formally describe what we want to prove, it is very
difficult to prove it.

Current thread:

Re: encrypting modem, (continued)
- - - Re: encrypting modem iCefoX (Sep 23)
- Re: Penetration testing via shrinkware David Kennedy CISSP (Sep 21)
- Re: Penetration testing via shrinkware John Grillo (Sep 22)
- Re[2]: Penetration testing via shrinkware Richard Christie (Sep 22)
  - Re: Re[2]: Penetration testing via shrinkware Marcus J. Ranum (Sep 23)
    - Re: Penetration testing via shrinkware David Collier-Brown (Sep 24)
    - Re: Re[2]: Penetration testing via shrinkware Perry E. Metzger (Sep 24)
    - Re: Re[2]: Penetration testing via shrinkware Joseph S. D. Yao (Sep 24)
    - Re: Penetration testing via shrinkware David Collier-Brown (Sep 24)
- Re: Re[2]: Penetration testing via shrinkware Matthew_S_Cramer (Sep 24)
- Re: Penetration testing via shrinkware Bill_Royds (Sep 25)