Is finding security holes a good idea?
Steven M. Bellovin
smb at research.att.com
Mon Jun 14 17:10:48 EDT 2004
In message <40CDB9BC.6000005 at algroup.co.uk>, Ben Laurie writes:
>
>What you _may_ have shown is that there's an infinite number of bugs in
>any particularly piece of s/w. I find that hard to believe, too :-)
>
Or rather, that the patch process introduces new bugs. Let me quote
from Fred Brooks' "Mythical Man-Month", Chapter 11:
The fundamental problem with program administration is that fixing
a defect has a substantial (20-50 percent) chance of introducing
another. So the whole process is two steps forward and one step
back.
Why arene't defects fixed more cleanly? First, even a subtle
defect shows itself as a local failure of some kind. In fact it
often has system-wide ramifications, usually nonobvious. Any
attempt to fix it with minimum effort will repair the local and
obvious, but unless the structure is pure or the documentation
very fine, the far-reaching effects of the repair will be
overlooked. Second, the repairer is usually not the man who wrote
the code, and often he is a junior programmer or trainee.
As a consequence of the introduction of new bugs, program
maintenance requires far more system testing per statement written
than any other programming.
...
Lehman and Belady have studied the history of successive release
in a large operating system. They find that the total number of
modules increases linearly with release number, but that the
number of modules affected increases exponentially with release
number. All repairs tend to destroy the structure, to increase
the entropy and disorder of the system. Less and less effort is
spent on fixing original design flaws; more and more is spent on
fixing flaws introduced by earlier fixes. As time passes, the
system becomes less and less well-ordered. Sooner or later the
fixing ceases to gain any ground. Each forward step is matched by
a backward one.
Etc. In other words, though the original code may not have had an
infinite number of bugs, the code over time will produce an infinite
series....
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list