Firewall Wizards mailing list archives
Re: Re: Flawed Surveys [was: VPN endpoints]
From: Crispin Cowan <crispin () immunix com>
Date: Wed, 01 Sep 2004 14:42:00 -0700
Tina Bird wrote:
> When I'm in a particularly rebellious mood, I like to argue about the entire existence of the discipline of >>computer science<< -- what are the underlying theories and how do you test them?
It is wisely said that any discipline with the word "science" in its name is not really a science :)
Less flippantly, the fundamental theorem of computer science is Alan Turing's Halting Problem <http://en.wikipedia.org/wiki/Halting_problem>. At the time (1932) this was just a cute extension to Gödel's Incompleteness Theorem <http://www.miskatonic.org/godel.html>, but with the modest consequence that Turing had to invent computing machines to be able to prove a theorem about the limit of computability.
> Little of what I >>do<< now has anything to do with science, although a lot of the skills I use day to day are similar to things I did for my research job.
Ah, but it secretly does :) Turing's Halting problem says that, basically, you cannot have a static analyzer that looks at other programs and their inputs and decides whether they will halt (finish). The *security* consequence is that you cannot have a static analyzer that will look at your software (or your systems) and tell you *definitively* if they are secure. You can only have analyzers that will give you half answers like "it is definitely *insecure*" (here's a known vuln or a sploit), or "this one is secure but that one I can't tell".
That in turn leads to a plethora of security problems and half solutions:
* Code audits: use humans to detect programs with vulnerable defects and close them
* Patch managers: when you learn of a defect, close it ASAP
* Intrusion Detection: I don't trust my systems, so I will try to detect them going nuts
* Firewalls and Network Intrusion Prevention: I can't tell if it is safe for my systems to process this kind of input, so I'll block it
* Host Intrusion Prevention: allowing programs to do what they are supposed to do, and *nothing else*
Thus security is forever a kludge, and we all have lifetime employment :) But for very well-founded mathematical reasons :)
Crispin, "why yes, I do have a PhD in Computer 'science', what's your point?" :)
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
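As an added illustration of the three "half answers" the post describes (example code, not from the post or from Immunix): a toy must/may taint analyzer over an assumed five-statement mini-language, which reports "definitely insecure" when untrusted input reaches a dangerous sink on every path, "secure" when no path can carry it there, and "can't tell" when that depends on a runtime branch it cannot decide.

```python
# Toy must/may taint analyzer (added illustration, not code from the post).
# Mini-language: ("input", v) ("const", v) ("copy", dst, src)
# ("if", then_stmts, else_stmts) ("sink", v); an assumption of this example.
INSECURE, SECURE, UNKNOWN = "insecure", "secure", "unknown"

def analyze(stmts, must=frozenset(), may=frozenset()):
    """Flow-sensitive taint analysis. must: variables holding untrusted input
    on every path so far; may: variables that might hold it on some path.
    Returns (verdicts, must, may) with one verdict per sink encountered."""
    verdicts = []
    for stmt in stmts:
        op = stmt[0]
        if op == "input":        # read untrusted data into a variable
            must, may = must | {stmt[1]}, may | {stmt[1]}
        elif op == "const":      # overwrite the variable with a literal
            must, may = must - {stmt[1]}, may - {stmt[1]}
        elif op == "copy":       # dst inherits whatever taint src carries
            dst, src = stmt[1], stmt[2]
            must = must | {dst} if src in must else must - {dst}
            may = may | {dst} if src in may else may - {dst}
        elif op == "if":         # branch decided at runtime: analyze both arms
            v1, must1, may1 = analyze(stmt[1], must, may)
            v2, must2, may2 = analyze(stmt[2], must, may)
            # a sink inside an arm might never execute, so "insecure" there
            # is only "can't tell" from the enclosing program's point of view
            verdicts += [UNKNOWN if v == INSECURE else v for v in v1 + v2]
            must, may = must1 & must2, may1 | may2   # join: meet must, union may
        elif op == "sink":       # dangerous use of the variable, e.g. a shell
            v = stmt[1]
            verdicts.append(INSECURE if v in must else SECURE if v not in may else UNKNOWN)
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return verdicts, must, may

def classify(stmts):
    """Collapse per-sink verdicts into the post's three kinds of answer."""
    verdicts, _, _ = analyze(stmts)
    if INSECURE in verdicts:
        return INSECURE   # known vuln: untrusted input reaches a sink on every path
    if UNKNOWN in verdicts:
        return UNKNOWN    # reachable on some paths only: "this one I can't tell"
    return SECURE         # no path can carry untrusted input to a sink

# Constructed sample programs (not from the post)
P_INSECURE = [("input", "x"), ("copy", "cmd", "x"), ("sink", "cmd")]
P_SECURE = [("input", "x"), ("const", "cmd"), ("sink", "cmd")]
P_UNKNOWN = [("input", "x"), ("const", "cmd"),
             ("if", [("copy", "cmd", "x")], []), ("sink", "cmd")]
```

The "unknown" verdict is the honest answer the post argues every analyzer must be able to give: the analyzer over-approximates both arms of the branch rather than pretending to know which one runs.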