Gilmore on the "computer health certificate" plan

Posted Oct 9, 2010 21:32 UTC (Sat) by nevyn (guest, #33129)
In reply to: Gilmore on the "computer health certificate" plan by deepfire
Parent article: Gilmore on the "computer health certificate" plan

the fact that even such a seemingly trivial property of a program, namely whether it terminates or not, is not computable.
If such a trivial property of a program cannot be formally established, what can be said about any kind of security guarantees?

This is not a trivial property. Building codes do not provide anything like that. So, yes, you can certainly say meaningful security-related things like "uses a string library" (for C) or even, more generally, "uses certified/verified crypto" or "uses SHA256+ checksums" (indeed there are current govt. stds. which say the latter two things). SELinux and/or firewall rules could also be thought of as analogous to a building code.

My main point was that trying to argue to govt. people that "computers shouldn't have anything analogous to building codes" is stupid. Gilmore may well be under the impression that Libertarianism hasn't repeatedly failed, but it's still an exercise in futility to tell non-Libertarian govts. that they have to be Libertarian in specific niche XYZ.


Gilmore on the "computer health certificate" plan

Posted Oct 9, 2010 22:08 UTC (Sat) by brouhaha (subscriber, #1698)

A building code that says that a load-bearing member has to be of at least a certain size has (in combination with the other rules) a known effect on the safety of the building.

Showing that a program "uses a string library" or "uses SHA256+ checksums" does not demonstrate anything whatsoever about the security of the program.

Gilmore on the "computer health certificate" plan

Posted Oct 12, 2010 12:24 UTC (Tue) by sorpigal (guest, #36106)

That no such security is demonstrated is no impediment if the nontechnical lawmakers have been told that it is. I have to sign off that my software contains no security vulnerabilities, which I always do despite knowing that I cannot prove it. Someone feels better because I claimed it, and to be fair I do my best that they shall not soon have a need to doubt me. The rule is stupid and useless but still it exists.

I think we're all looking at this backwards. This isn't an attack on non-Windows computing, this is an attack on Windows (and by Microsoft, ironically). I am perfectly at ease with the idea that ISPs check the OS and version of their customers before allowing a connection. If the "secureness" check starts with "Is it Windows?" and assumes security when this is found to be false, then we're in good shape. Of course this isn't Microsoft's intent (they want palladium all over again, an internet where only systems signed by MS can connect to anything and each byte of content can be audited and revoked at will by MS) but with a few gentle nudges we could use it to render the majority of Windows computers useless (that is, non-networkable) which can only be a good thing for their users.

Gilmore on the "computer health certificate" plan

Posted Oct 15, 2010 15:22 UTC (Fri) by dvdeug (guest, #10998)

You're adding on a big bureaucracy to verify what? Again, a house built to building codes is reasonably likely to stand against a reasonable known set of natural dangers. A building built to code won't fall in a small earthquake. There are no natural dangers that software has to deal with; it has to deal with humans. Great, you've required that you use SHA256+ checksums. You've dealt with one attack vector out of ten thousand. You cannot now say that a program written to code won't fall to a human attacker, or that you've improved its security significantly. The value of the bureaucracy has to at least equal its costs, and the evidence that you can is shaky.

Gilmore on the "computer health certificate" plan

Posted Oct 16, 2010 1:39 UTC (Sat) by dvdeug (guest, #10998)

I forgot about a great example of this. There is an Ada Conformity Assessment Test Suite where every Ada compiler can get certified that it correctly supports the Ada standard. It is of course not perfect, but it covers every feature in the standard, and GNAT, and I assume every other Ada compiler, has the test suite as part of the regular testing for the compiler. Still, there are virtually no certified compilers because the cost of the bureaucracy is more than the value of the certification. It would require Ada Core Technologies to undergo a new certification for every platform they supported every time a new bug fix release of GCC came out. Trying to keep the compiler certified would actually keep more buggy versions of the compiler on the market, as any bugfixes would need to be recertified.

I think it's noteworthy that few other language communities even have the concept of a certification test; there is no official body of tests to test that your C compiler compiles C correctly. This of course calls into question any source code verification that a particular program compiled with that C compiler is secure. And the C library: as a recent problem with FTP programs shows, a problem with the C library can be a problem with your FTP program. So you're going to have to certify the FTP program compiled with a certain C compiler running with a certain exact version of the C library on an exact version of the kernel, all of which are going to have new bugs found, even security holes, and go unfixed because it's too expensive to recertify the new versions.

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds