[Cryptography] Systems Engineering for Safety and Security

Brian Gladman brg at gladman.plus.com
Fri Nov 6 04:20:40 EST 2015


On 06/11/2015 01:26, ianG wrote:

> On 3/11/2015 13:10 pm, Brian Gladman wrote:
>> I am sorry for all this background, but I think it may help in making my
>> main point - that there is a big paradox in the reactions of the safety
>> and security critical communities to the role of programming language
>> choice in building high integrity systems.
> 
> 
> If I may be so bold, there is no paradox.  The reason for the difference
> in approach is founded in information.
> 
> In the safety critical world, we have pretty much universal agreement on
> what is an unsafe thing and what is a safe thing.
> 
> In contrast, in the information security world, we have dozens or even
> hundreds of tribes touting one view of security in conflict with
> another.  There is no agreement, and there is no easy way to find
> agreement, on what means "Secure" and what means "Insecure".
> 
> At least, at the level that is achieved by the safety people.
> 
> Hence... it becomes a battleground of "my view of what security means."
>  This often but not always relates to what I'm selling today.  Either
> way, given the uncertainty, it is appropriate for me to use any argument
> I can to push my view.  And if I like C (or I have a 1mloc code base)
> then C can be written securely, and you'd be daft not to believe me.

At risk of annoying Tamzen, I would like to comment on your observations
(but I have changed the subject accordingly).

At a microscopic level I agree with you that there is enormous
fragmentation in what the information systems community means by
security.  But I dispute that this is true at a macroscopic level where
it is only too obvious to everyone that pretty well all deployed
information systems exhibit routine ongoing security failures that
create serious risks for end users.

For me, the contrast between the situation when seen at microscopic and
macroscopic levels is just another symptom of the fact that this
community has failed to evolve a systems engineering approach to what it
does (the safety community had evolved a view of safety long before
computers came along so it is not surprising that it is so far ahead in
systems engineering terms).

At a microscopic level it is of course true that secure systems can be
written in any language including C. But when we consider this at a
macroscopic level it is clear that the vast majority of information
systems (at least until now) have been written in C and the vast
majority of them have been insecure. Of course, this correlation doesn't
prove causality but given that we continue to use 1960s technology to
build 21st century systems I am not in the least surprised by this.
Where security really matters - in NSA and GCHQ - they are looking at
alternative approaches pioneered by the safety community (see, for
example, http://www.adacore.com/sparkpro/tokeneer).

But because I didn't want to write a thesis, I only focussed my comments
on whether or not a programming language has an impact on achieving
security.  But I was careful to say that this was not by any means the
largest factor, other more important distinctions between the safety and
security communities being:

1. Engineering for safety predates computers by hundreds of years - they
have had much longer to develop a consensus;

2. If an industry is to survive, it has to supply what its customers
want (or think they want) and information systems customers consistently
prefer functionality over security (will this change?);

3. In safety both government and industry want improvements in safety;
in security the governments that matter are ambivalent - they want
security for themselves and insecurity for others;

4. The enormous rate of growth of the information systems industry and
the fact that much early computer science teaching was really only about
programming left many companies with few if any staff with an
understanding of the need for a systems engineering approach.

5. And no doubt many more!

    Brian
