Unfalsifiability of security claims
https://www.microsoft.com/en-us/research/wp-content/uploads/2015/09/unfalsifiabilityOfSecurityClaims.pdf [www.microsoft.com]
2018-01-18 19:37
tags:
defense
ideas
opsec
paper
pdf
security
There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We show that this implies that claims of necessary conditions for security (and sufficient conditions for insecurity) are unfalsifiable. This in turn implies an asymmetry in self-correction: while the claim that countermeasures are sufficient is always subject to correction, the claim that they are necessary is not. Thus, the response to new information can only be to ratchet upward: newly observed or speculated attack capabilities can argue a countermeasure in, but no possible observation argues one out.
This is perhaps a bit too formal to make for an easy read, although the general idea rings true. We pile on advice (particular example: rules for passwords) without fully analyzing what’s necessary or beneficial. The reminder that we may not know which defenses really work seems helpful; the formal proof less so.
source: grugq
Getting compilers right: a reliable foundation for secure software
https://www.microsoft.com/en-us/research/blog/getting-compilers-right-secure-software/ [www.microsoft.com]
2017-06-25 00:52
tags:
c
compiler
compsci
development
programming
security
Compilers are big: most major compilers consist of several million lines of code. Their development is not stale either: every year, each compiler sees thousands of changes. Their sheer size and complexity, plus the pressure to continuously improve compilers, results in bugs slipping through. These compiler bugs may in turn introduce security vulnerabilities into your program.
source: L
Taming Undefined Behavior in LLVM
https://www.microsoft.com/en-us/research/publication/taming-undefined-behavior-llvm/# [www.microsoft.com]
2017-06-25 00:51
tags:
c
compiler
paper
pdf
programming
In this paper we study an aspect of IR design that has received little attention: the role of undefined behavior. The IR for every optimizing compiler we have looked at, including GCC, LLVM, Intel’s, and Microsoft’s, supports one or more forms of undefined behavior (UB), not only to reflect the semantics of UB-heavy programming languages such as C and C++, but also to model inherently unsafe low-level operations such as memory stores and to avoid over-constraining IR semantics to the point that desirable transformations become illegal. The current semantics of LLVM’s IR fails to justify some cases of loop unswitching, global value numbering, and other important “textbook” optimizations, causing long-standing bugs.