Secure Coding mailing list archives

"Bumper sticker" definition of secure software


From: crispin at novell.com (Crispin Cowan)
Date: Mon, 17 Jul 2006 00:31:31 -0700

mikeiscool wrote:
> On 7/17/06, Crispin Cowan <crispin at novell.com> wrote:
>> "supposed to" goes to intent.
> I don't know. I think there is a difference between "this does what
> it's supposed to do" and "this has no design faults". That's all I was
> trying to highlight.
The difference between "supposed to", "design flaw", and "implementation
flaw" is entirely dependent on your level of abstraction:

    * Executive: "build a thingie that lets good guys in and keeps bad
      guys out."
    * Director: "build an authentication engine that uses 2-factor
      tokens to authenticate users and only then lets them in."
    * Manager: "use OpenSSL and this piece of glue to implement that
      2-factor thingie."
    * Coder: "main() { ..." :)

Errors can occur at any level of translation. When it does something
"surprising", then the guy at the top can claim that it wasn't
"supposed" to do that, and if you dig hard enough, you will discover
*some* layer of abstraction where the vulnerability violates the upper
intent, but not the lower intent. Hence the bug.

Some example bugs at each level:

    * Executive: forgot to specify who is a "good guy"
    * Director: forgot to provide complete mediation, so the attacker
      could bypass the authenticator.
    * Manager: the glue thingie allowed proper authentication tokens,
      but also allowed tokens with a string value of 0.
    * Coder: "gets(token); ..."

Crispin

-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
     Necessity is the mother of invention ... except for pure math
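The two lowest levels of Crispin's list, the Manager-level glue that "allowed tokens with a string value of 0" and the Coder-level `gets(token)`, are concrete enough to show in code. The block below is an added example for this archive page, not code from the original post or from Novell; the 6-digit token format is an assumption, and the mechanism behind the "0" bypass (the glue converting the token with `atoi()` and treating 0 as "no token configured, skip the second factor") is one plausible reading of the post, labelled as such in the comments. Each bug sits beside a hardened form, and the sample inputs are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOKEN_DIGITS 6                 /* hypothetical 6-digit 2-factor code */
#define TOKEN_MAX (TOKEN_DIGITS + 2)   /* digits + '\n' + NUL */

/* Coder level. The bug from the post, shown as a comment because gets()
 * was removed from the language in C11 and no longer compiles:
 *
 *     char token[TOKEN_MAX];
 *     gets(token);      // no bound: a long line overruns the stack buffer
 *
 * Hardened form: bounded read that refuses over-long lines instead of
 * silently truncating them (truncation would let "123456junk" through
 * as "123456"). Returns 0 on success, -1 on EOF/error/over-long input. */
int read_token(char *buf, size_t cap, FILE *in) {
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 0; }
    if (feof(in)) return 0;                  /* final line without newline */
    int c;                                   /* line did not fit: drain, reject */
    while ((c = getc(in)) != EOF && c != '\n') { }
    return -1;
}

/* Manager level. Assumed mechanism for "allowed tokens with a string value
 * of 0": the glue converts with atoi() and treats 0 as "no token configured,
 * skip the second factor". atoi("0"), atoi("") and atoi("abc") all yield 0,
 * so any of them is waved through. Returns 1 = accept, 0 = reject. */
int weak_glue_accepts(const char *token, long expected) {
    long v = atoi(token);
    if (v == 0) return 1;     /* BUG: "unset" and the value 0 are indistinguishable */
    return v == expected;
}

/* Constant-time byte comparison so the position of a mismatch does not leak. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Hardened glue: no numeric conversion and no bypass value. The token must
 * be exactly TOKEN_DIGITS ASCII digits and must equal the expected code
 * byte for byte; "0", "", "abc" and "1234567" are all rejected. */
int strict_glue_accepts(const char *token, const char *expected) {
    if (token == NULL || expected == NULL) return 0;
    if (strlen(expected) != TOKEN_DIGITS) return 0;     /* server side is canonical too */
    for (size_t i = 0; i < TOKEN_DIGITS; i++)
        if (token[i] < '0' || token[i] > '9') return 0; /* a NUL here also fails */
    if (token[TOKEN_DIGITS] != '\0') return 0;          /* reject trailing bytes */
    return ct_equal(token, expected, TOKEN_DIGITS);
}

/* Helper for exercising read_token on a constructed input line:
 * 1 = token read and equals want, 0 = read but different, -1 = rejected. */
int token_line_reads_as(const char *input, const char *want) {
    char buf[TOKEN_MAX];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -1;
    int rc = read_token(buf, sizeof buf, in);
    fclose(in);
    if (rc != 0) return -1;
    return strcmp(buf, want) == 0;
}

int main(void) {
    /* Constructed probe tokens, not taken from any real system. */
    const char *probes[] = { "123456", "0", "", "abc", "1234567" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("token %-8s weak=%d strict=%d\n", probes[i],
               weak_glue_accepts(probes[i], 123456),
               strict_glue_accepts(probes[i], "123456"));
    printf("over-long line accepted? %d\n",
           token_line_reads_as("1234567890\n", "123456") != -1);
    return 0;
}
```

The point the post makes survives the code: `weak_glue_accepts` is a perfectly faithful implementation of "compare the token to the expected value" at the Coder level, and the hole only appears when you look one level up and ask what the glue was supposed to do with an unset token. The strict version removes the ambiguity by having no "unset" representation at all on the authentication path.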
