Secure Coding mailing list archives
Harvard vs. von Neumann
From: crispin at novell.com (Crispin Cowan)
Date: Tue, 12 Jun 2007 11:41:07 -0700
Steven M. Christey wrote:
On Mon, 11 Jun 2007, Crispin Cowan wrote:Kind of. I'm saying that "specification" and "implementation" are relative to each other: at one level, a spec can say "put an iterative loop here" and implementation of a bunch of x86 instructions.I agree with this notion. They can overlap at what I call "design limitations": strcpy() being overflowable (and C itself being overflowable) is a design limitation that enables programmers to make implementation errors. I suspect I'm just rephrasing a tautology, but I've theorized that all implementation errors require at least one design limitation. No high-level language that I know of has a built-in mechanism for implicitly containing files to a limited directory (barring chroot-style jails), which is a design limitation that enables a wide variety of directory traversal attacks.
I thought that the Java 2 security container stuff let you specify file accesses? Similarly, I thought that Microsoft .Net managed code could have an access specification? AppArmor provides exactly that kind of access specification, but it is an OS feature rather than a high level language, unless you want to view AA policies as high level specifications.
If we assumed perfection at the implementation level (through better languages, say), then we would end up solving roughly 50% of the software security problem.The 50% being rather squishy, but yes this is true. Its only vaguely what I was talking about, really, but it is true.For whatever it's worth, I think I agree with this, with the caveat that I don't think we collectively have a solid understanding of design issues, so the 50% guess is quite "squishy." For example, the terminology for implementation issues is much more mature than terminology for design issues.
I don't agree with that. I think it is a community gap. The academic security community has a very mature nomenclature for design issues. The hax0r community has a mature nomenclature for implementation issues. That these communities are barely aware of each other's existence, never mind talking to each other, is a problem :)
One sort-of side note: in our "vulnerability type distributions" paper [1], which we've updated to include all of 2006, I mention how major Open vs. Closed source vendor advisories have different types of vulnerabilities in their top 10 (see table 4 analysis in the paper). While this discrepancy could be due to researcher/tool bias, it's probably also at least partially due to development practices or language/IDE design. Might be interesting for someone to pursue *why* such differences occur.
Do you suppose it is because of the different techniques researchers use to detect vulnerabilities in source code vs. binary-only code? Or is that a bad assumption because the hax0rs have Microsoft's source code anyway? :-) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor
Current thread:
- Harvard vs. von Neumann, (continued)
- Harvard vs. von Neumann Crispin Cowan (Jun 10)
- Harvard vs. von Neumann David Crocker (Jun 11)
- Harvard vs. von Neumann der Mouse (Jun 11)
- Harvard vs. von Neumann David Crocker (Jun 11)
- Harvard vs. von Neumann Gary McGraw (Jun 11)
- Harvard vs. von Neumann ljknews (Jun 11)
- Harvard vs. von Neumann Crispin Cowan (Jun 11)
- The Specifications of the Thing Michael S Hines (Jun 12)
- The Specifications of the Thing Steven M. Christey (Jun 12)
- Harvard vs. von Neumann Steven M. Christey (Jun 12)
- Harvard vs. von Neumann Crispin Cowan (Jun 12)
- Harvard vs. von Neumann Blue Boar (Jun 12)
- Harvard vs. von Neumann Steven M. Christey (Jun 12)
- What's the next tech problem to be solved in software security? Kenneth Van Wyk (Jun 10)
- What's the next tech problem to be solved in softwaresecurity? McGovern, James F (HTSC, IT) (Jun 11)
- What's the next tech problem to be solved in softwaresecurity? Gary McGraw (Jun 11)