RE: ACM Queue article and security education

["Peter Amey" <peter.amey () praxis-cs co uk>]

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> Behalf Of Michael S Hines
> Sent: 30 June 2004 17:00
> To: [EMAIL PROTECTED]
> Subject: RE: [SC-L] ACM Queue article and security education
>
>
> If the state of the art in automobile design had progressed 
> as fast as the
> state of the art of secure programming - we'd all still be 
> driving Model
> T's.  
>
> Consider-
>   - System Development Methods have not solved the (security) 
> problem -
> though we've certainly gone through lots of them.
>   - Languages have not solved the (security) problem - though we've
> certainly gone through (and continue to go through) lots of them.
>   - Module/Program/System testing has not solved the 
> (security) problem -
> though there has been a plethorea written about system 
> testing (both white
> box and black box).

I agree that we have not solved the problem by the above means but I think it should be said that this is due more to 
the refusal of our industry to make a serious attempt to use them than because they have used them and failed.  The 
reality is that most system development still uses ad hoc, informal approaches and inherently insecure and ambiguous 
implementation languages.  Testing cannot make up for these deficiencies because of fundamental limitations of coverage 
etc. see [1,2,3].

There are development approaches, such as the use of formal methods, which have a proven track record of success.  They 
are still being used successfully today.  Yet most of our industry is either unaware of them, regards formal methods as 
some academic failure from the 1970s or demands "evidence" (although they never seem to need evidence before adopting 
the latest fashionable fad).

There are languages which are more suitable for the construction of high-integrity systems and have been for years.  We 
could have adopted Modula-2 back in the 1980s, people could take the blinkers of prejudice off and look properly at 
Ada.  Yet we continue to use C-derived languages with known weaknesses.  All we hear are appeals to better training, 
tools to help find the stupidities the poor development approaches make inevitable and pious hopes that future 
developments in computer science will rescue us.  What we really need is to use the good stuff we already have.

Just to back this random polemic up a bit:  we have just delivered a secure system to an important customer which has 
been independently evaluated to a high level.  Zero defects were found.  It was cheaper than the system it replaces.  
(Draconian NDAs limit what can be said to that unfortunately).  The system was formally specified in Z, coded in SPARK 
and proofs carried out to ensure that it was wholly free from run-time errors (and hence from attacks such as buffer 
overflow) and that essential security invariants are maintained.  None of this is bleeding edge technology.  Z has been 
around for ages, SPARK for 14 years.  



regards



Peter


1. Littlewood, Bev; and Strigini, Lorenzo: Validation of Ultrahigh Dependability for Software-
Based Systems. CACM 36(11): 69-80 (1993)
2. Butler, Ricky W.; and Finelli, George B.: The Infeasibility of Quantifying the Reliability of
Life-Critical Real-Time Software. IEEE Transactions on Software Engineering, vol. 19, no.
1, Jan. 1993, pp 3-12.
3. Littlewood, B: Limits to evaluation of software dependability. In Software Reliability and
Metrics (Proceedings of Seventh Annual CSR Conference, Garmisch-Partenkirchen). N.
Fenton and B. Littlewood. Eds. Elsevier, London, pp. 81-110.



**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.  The IT Department at Praxis Critical Systems can be contacted at [EMAIL PROTECTED]
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**********************************************************************


________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________