On Wed, Jan 18, 2017 at 8:22 PM, Chad Brewbaker <[email protected]> wrote:
> Defenders have 100% knowledge of their verification coverage. They can put a
> SMT solver in their continuous integration pipeline and flag all code not
> verified for removal.
>
> Restraint in only shipping verified code is the silver bullet.

Verification raises the possibility of specification failures. What is
needed are techniques to ensure meaningful security properties that are
as simple as possible, and to use these to give users the properties
they want.

>
> On Jan 18, 2017, at 9:27 PM, Tony Arcieri <[email protected]> wrote:
>
> On Wed, Jan 18, 2017 at 2:12 PM, Taylor Hornby <[email protected]> wrote:
>>
>> Less ambitiously, we can ask if complexity theory has anything to say
>> about simpler aspects of life. One of them is the attacker-defender arms
>> race in computer security. [...] Most of us are optimistic for
>> "silver bullet" discoveries that make doing computer security a LOT
>> easier [...] I'm curious if part (1) of my thesis really is accurate.
>
>
> I doubt it, and I say this as a more-than-decade-long fan of "perfect
> defense". I don't think perfect defense is possible. I think the reality is
> there's a lot of low-hanging fruit that can be addressed by better methods,
> but to put it in Ghost in the Shell terms, attack surface is "vast and
> infinite", and attacks only get better.
>
> I don't see the cat and mouse game going away any time soon, but perhaps
> we'll get better at achieving "punctuated equilibrium" where defenders are
> able to reach some sort of brief reprieve in certain classes of attacks and
> provide extremely strong defenses as a sort of local maximum. That is, until
> some paradigm-changing attack comes crashing down, and forces everyone to
> rethink their entire approach to security.
>
> --
> Tony Arcieri
>
> _______________________________________________
> langsec-discuss mailing list
> [email protected]
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.