Code Vulnerabilities – a physics, semantics, or engineering problem?
November 15th, 2004 | by ian

Anyone who uses a personal computer (or who reads the paper) is aware that PCs are highly susceptible to a raft of problems that fall into the domain of “computer security”. Even my parents know that computers need to be patched frequently and are aware (first hand!) that these patches can cause problems. I think it is fair to say that computer vulnerabilities are a serious problem, perhaps now achieving parity with the reliability problems experienced in the 90’s when my parents had to deal with BSODs. But now instead of losing their data the old way and having to redo their work, they risk losing data to a stranger who doesn’t even need to break into their home.
Some fine points!
Adam recently wrote about some of the finer points of code vulnerabilities, arguing convincingly for better reporting and furthermore affirming that reporting is important; this second post was written in response to Pete Lidstrom’s “The folly of vulnerability seeking.”
On initial read of Pete’s article I became quite confused about his message, perhaps in part because I am not a security professional. I could have sworn he advocates calling off concerted efforts to hunt for code vulnerabilities. I’ve never been a huge fan of “security by obscurity”, since this approach makes it somewhat more likely that the bad guys, who are aware of at least some of the things that the vendor doesn’t want me to know or worry about, will have more weapons to do me harm.
On second read, however, I homed in on the compelling argument that it is simply impossible to find all (or perhaps most) security vulnerabilities. This is a wake-up call to the infosec industry fighting an unwinnable war. Perhaps it is time to change tactics and bring the battle to another front. We seem to spend a lot of effort on band-aid fixes (patches) for the symptoms (vulnerabilities) but spend less time investigating their root causes.
Why so many darn vulnerabilities?
Why are code vulnerabilities the rule rather than the exception? Here are some suggestions off the top of my head (standard blogger’s disclaimer):
- real-world coding is more art than engineering (and hey, we all make mistakes!)
- coders don’t have the proper tools (which favour functionality over security)
- computing architectures are a mess (we need a new architecture)
- there is something fundamental about the physics of information such that no amount of engineering will eliminate vulnerabilities
- it is a semantic problem (one man’s vulnerability is another man’s feature!)
I won’t pretend to be able to go further than this but I hope I will get some suggestions from the audience on this question!
At the end of the day, if I am forced into “security by obscurity,” then in making any further decisions I will favour “security by rarity,” or in other words: avoiding Internet Explorer!