LawMeme, Yale Law School
Cybersecurity and Vulnerability Scans
Posted by Paul Szynol on Thursday, January 30 @ 20:35:51 EST, in Computer Crime
Just days after Slammer, the Institute for Information Infrastructure Protection has released a report entitled Cyber Security Research and Development Agenda.

The report discusses source code scanning techniques and suggests, among other things, source code vulnerability scanning software. In other words, just as compilers scan code for syntax errors, vulnerability scanners would detect security vulnerabilities in syntactically correct code.

The report cursorily describes the methodology: "Current research on source code analysis includes exploration of pattern matching, feature extraction, and code slicing analysis techniques."

This is, generally, an argument in favor of open source.

For "object code," the report reads, "comparative analyses, and disassembly-based techniques are being explored", but reverse engineering, I'm guessing, is likely to produce less accurate results.

Microsoft recently submitted segments of its source code to security screening by national governments, partly to prove that its software is at least as secure as open source software. In principle, Microsoft could subject the entirety of its software to vulnerability scans, and compare the results to similar tests of open source code. Arguably, a security analysis based on robust third party vulnerability scans would produce objective results.

Re: Cybersecurity and Vulnerability Scans (Score: 1)
by mako on Thursday, January 30 @ 21:19:44 EST
http://yukidoke.org/~mako/
In principle, Microsoft could subject the entirety of its software to vulnerability scans, and compare the results to similar tests of open source code. Arguably, a security analysis based on robust third party vulnerability scans would produce objective results.

Why would these results be useful? I don't feel that getting into an "automated scans detect more simple bugs in your software than in my software" sort of argument is particularly useful, since by the time you've run the scans and released the results, all of those bugs will have been fixed.

Once the tools are freely available, these types of automated scans to detect and fix security bugs will be another step in software production, open or closed.

I always felt that the "free/open source is more secure" argument was both impossible to prove and more useful in creating a false sense of security than real security. A false sense of security, after all, is the only kind you can buy.

Audit your code (or use audited code), monitor your systems, and use common sense.



Re: Cybersecurity and Vulnerability Scans (Score: 0)
by Anonymous (Name Withheld on Advice of Counsel) on Thursday, January 30 @ 23:36:54 EST
They might, in the very least, enforce shared standards for what qualifies as secure and an objective method for testing the software's success at meeting those standards.



Re: Cybersecurity and Vulnerability Scans (Score: 1)
by HowardGilbert on Friday, January 31 @ 09:01:04 EST
http://www.yale.edu/pclt
In 1965 Yale acquired one of the last pre-modern computers (an IBM 7094). It had a typical unchecked IBM Fortran compiler, but it also had PUFFT (the Purdue University Fast Fortran Translator). When a program ran in PUFFT, the system prevented indexing beyond the end of an array or buffer and most of the other errors that today lead to security exposures.

However, to enforce array bounds, parameter ranges, string ranges, and the like you have only two choices. Either the program must declare the constraints so the language can check and enforce them (Pascal, Ada), or the runtime must allocate only strongly typed dynamic objects so it can enforce access to them (Java, .NET).

The problem is that C is the worst programming language ever invented in which to do this sort of work. Unlike even Fortran, which comes from the dark ages, C has no meaningful declaration of arrays, buffers, or strings and no typing (since arrays, buffers, and strings are all the same thing). The bottom line is that no program can detect if a program is correct or not unless there is specific information in the program about what correct means. Is a+b=24? Well, if I don't tell you what "a" and "b" are, there is no way you can check the calculation for an error.

Security errors are simply program errors that someone has figured out how to exploit to bypass security. Far be it from me to say something bad when a group of universities want to scam money from the government, but the idea of scanning programs to automatically detect bugs in the code has been around since the first program was written. People have been working on this problem for decades, and if there had been any real progress everyone in the industry would know about it. It would be like discovering a way to turn shit into gold.

It would also be a compiler switch. That's what the /warning_level_max option (or its equivalent) is on most compilers. If anyone knew how to do it, it would be part of gcc.

The software profession worked this problem through during the early 1980s and the result was Ada. Nothing is written in Ada today, because companies, universities, and programmers decided it was "too difficult". In the rush to be first to market, companies looked for languages that would bring the code out in the least time, not that would produce the best quality code. Microsoft can be blamed for poor choices, but they were choices made by every other company and made first by universities like Yale that taught programming in the weakest language ever invented.

Hey, if someone can get grant money to work the problem that is great for them. While they are at it, let's develop some software that can take the script for Kangaroo Jack and turn it into Mourning Becomes Electra.


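The distinction the comment above draws, shown as an added example (not code from the post or from any of its authors): in C the callee has no way to know how large the destination array is unless the caller declares it, so the constraint must appear in the interface before anything, human, scanner or runtime, can enforce it. The function names and sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Unchecked form: the signature says nothing about the size of dst, so
 * neither this function nor a source scanner can decide whether a given
 * call is correct. Kept only to contrast with the checked form below. */
void copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);  /* writes strlen(src)+1 bytes whatever dst holds */
}

/* Checked form: the constraint "dst holds dst_len bytes" is declared in
 * the interface, so it can be enforced at runtime.
 * Returns 0 on success, -1 if src would not fit (dst is then emptied). */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return -1;
    if (n >= dst_len) {      /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounds-checked element read, in the spirit of what PUFFT enforced:
 * the array length is passed explicitly, so an out-of-range index is
 * rejected instead of silently reading adjacent memory.
 * Returns 0 and stores the element in *out, or -1 if idx >= len. */
int get_checked(const int *arr, size_t len, size_t idx, int *out)
{
    if (idx >= len)
        return -1;
    *out = arr[idx];
    return 0;
}
```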

Leges humanae nascuntur, vivunt, moriuntur
Human laws are born, live, and die

All stories, comments and submissions copyright their respective posters.
Everything Else Copyright (c) 2002 by the Information Society Project.
This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).