According to a news item from the U.K. Institution of Engineering and
Technology, a team organised by the SANS Institute analysed 7000 detected
security vulnerabilities from 1996 (the item says “the 7000” but doesn’t say
further how they were identified), and found that 85% of them were caused by
three phenomena:
  * Failure to check user input
  * Allowing buffer overflows (that is, failing to hinder them)
  * Handling integer type checks or overflows incorrectly
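The three phenomena above are usually one chain rather than three separate bugs: an unchecked length field (1) is multiplied into a size that wraps (3), and the wrapped size lets a copy run past its buffer (2). The following C is an added illustration, not code from the news item, SANS or any real product; the message format (a 4-byte little-endian record count followed by count × 16 bytes of payload) and the sample messages are constructed for the example. The defective check is shown only as a decision function so that the example itself never performs the overrun; the corrected parser beside it bounds the count before doing any arithmetic on it and then requires the payload to actually be present.

```c
/* Added example: a tiny record parser showing how an unchecked count,
 * a wrapping multiply and a buffer overrun chain together, beside the
 * checks that break the chain.  Message format (constructed): 4-byte
 * little-endian record count, then count * RECORD_SIZE bytes of payload. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE  16u
#define MAX_RECORDS  64u
#define HEADER_LEN   4u
#define BUF_BYTES    (MAX_RECORDS * RECORD_SIZE)   /* 1024 */

typedef struct {
    uint8_t  data[BUF_BYTES];
    uint32_t nrecords;
} record_buf;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defective length check (deliberately wrong, kept for contrast).
 * The multiply is done in uint32_t and wraps: count = 0x10000004 gives
 * needed = 0x40, which passes the comparison although the payload it
 * describes is 4 GiB.  Only the decision is returned here; the memcpy
 * that would follow it is what overruns the 1024-byte buffer. */
static bool unchecked_header_accepts(uint32_t count) {
    uint32_t needed = count * RECORD_SIZE;          /* wraps silently */
    return needed <= BUF_BYTES;
}

/* The corrected check: bound the count itself before any arithmetic on
 * it, so the multiply cannot wrap, then require the payload the header
 * promises to actually be present in the message. */
static bool checked_header_accepts(uint32_t count, size_t payload_len) {
    if (count > MAX_RECORDS)                         /* integer bound */
        return false;
    return payload_len >= (size_t)count * RECORD_SIZE; /* input check */
}

/* Returns the number of records copied, or -1 if the message is rejected. */
static int parse_records_checked(const uint8_t *msg, size_t msg_len,
                                 record_buf *out) {
    if (msg_len < HEADER_LEN)
        return -1;
    uint32_t count = read_le32(msg);
    if (!checked_header_accepts(count, msg_len - HEADER_LEN))
        return -1;
    memcpy(out->data, msg + HEADER_LEN, (size_t)count * RECORD_SIZE);
    out->nrecords = count;
    return (int)count;
}

/* Constructed sample: a well-formed two-record message. */
static int demo_valid_message(void) {
    uint8_t msg[HEADER_LEN + 2 * RECORD_SIZE] = {0x02, 0x00, 0x00, 0x00};
    for (size_t i = HEADER_LEN; i < sizeof msg; i++)
        msg[i] = (uint8_t)i;                         /* dummy payload */
    record_buf buf;
    return parse_records_checked(msg, sizeof msg, &buf);
}

/* Constructed sample: header claims two records, only one is present. */
static int demo_truncated_message(void) {
    uint8_t msg[HEADER_LEN + RECORD_SIZE] = {0x02, 0x00, 0x00, 0x00};
    record_buf buf;
    return parse_records_checked(msg, sizeof msg, &buf);
}

/* Constructed sample: the wrapping count 0x10000004, which the checked
 * parser rejects regardless of how much payload follows it. */
static int demo_wrapping_count(void) {
    uint8_t msg[HEADER_LEN + 4 * RECORD_SIZE] = {0x04, 0x00, 0x00, 0x10};
    record_buf buf;
    return parse_records_checked(msg, sizeof msg, &buf);
}

int main(void) {
    printf("wrapping count passes the unchecked test: %d\n",
           unchecked_header_accepts(0x10000004u));              /* 1 */
    printf("valid message: %d records\n", demo_valid_message()); /* 2 */
    printf("truncated message: %d\n", demo_truncated_message()); /* -1 */
    printf("wrapping count: %d\n", demo_wrapping_count());       /* -1 */
    return 0;
}
```

The point of the side-by-side is that the two checks look almost identical; the only difference is the order in which the count is bounded and multiplied. A language that traps on unsigned wrap, or a type that cannot hold a count larger than the buffer, removes the distinction entirely, which is the observation the author makes about strong typing below.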
SANS spotted an opportunity and put together a course and practical exam
about secure programming, leading to a certificate.
A few observations.
1. Security is not taken as seriously as safety, even though computer
security problems probably cause more total resource damage than
accidents. I have long believed, with others, that the phenomena in both
areas are similar and thus that similar techniques may be used to assure
systems vulnerable to these sorts of phenomena. Devising a threat model is
very similar to hazard identification, but whereas hazard identification is
partly internationally normed, I suspect that people programming networked
software, especially WWW-based software, rarely have anything like a
professional engineering qualification or status and maybe do not feel as
bound to discover and adhere to norms that cover their tasks.
It might help to revise international standards on safety to use the word
“dependability” instead of safety, and to use the “specified loss”
formulation of the notion of accident rather than the “physical injury or
death” formulation, and then security vulnerabilities would be covered. Then
again, rather than leading to a higher standard of programming, this might
instead just serve to lower the standard of argument for dependability to be
found in the required documentation.
2. Working in a strongly-typed programming language would have avoided 85%
of the security vulnerabilities discovered (according to some unspecified
criteria) in 1996.
It is astonishing to me that 47 years after strong typing was invented and
recognised, and after the Turing Award has been presented to such proponents
as Dijkstra, Hoare, Wirth, Dahl, Nygaard and Naur, professionals not using
this technology caused 85% of significant errors in a specific area of
computing. I think it is disgraceful.
One could always hope that things have changed in the last 10 years. But
obviously the SANS Institute doesn’t think so.
3. The social phenomena in program construction are overwhelmingly more
influential than technical progress. Nothing else could account for
phenomenon 2.
http://www.iee.org/oncomms/sector/informationpro/SectionNews/Object/92520512-96A3-7299-40BC84823F900F5F