Whenever you look at the problem of software security, you quickly get the feeling of unseen forces moving in a mysterious and unfathomable way. Why is software insecure? Is there a theory that explains it all?
If you take a look at one of the best known software vulnerabilities, SQL Injection, you immediately get a gut reaction that there is something wrong in principle. You have to wonder why a powerful language like SQL is exposed to the user in the first place.
At this year's 28th Chaos Communication Congress (28C3), Meredith Patterson took this feeling and placed it into the context of computer science. Put simply we are insecure because we give users access to powerful computational facilities right at the UI.
The ideas expressed are part of the new LangSec movement which postulates that:
"The Language-theoretic approach (LANGSEC) regards the Internet insecurity epidemic as a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks. LANGSEC posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language, and the respective input-handling routines as a recognizer for that language. The recognition must be feasible, and the recognizer must match the language in required computation power."
This is a particularly interesting idea in the light of the ever growing popularity of the Domain Specific Language. If you give your end user an input mode that is effectively a Turing complete language, then you have to expect them to use it creatively They are likely to find not only in ways you never thought of but in ways that you cannot protect against.
The point, in this case, is that the task of recognizing valid inputs is formally undecidable. If you limit your input syntax to context free, or better a regular expression grammar, then you can build the tools that can filter out the dangerous parts - if you are ready and able to do so. The key is computer science.
The same arguments apply to any protocol which can be considered to be an interface were in this case the user is just another piece of software.
The who idea is well and amusingly put in the presentation. If you watch the video you can't help but come to the conclusion that it is a crime to hand over the keys to the computer by way of a too sophisticated user interaction:
It is very pleasing to discover that the theory of Turing completeness, and language theory in general, might have an application to the practical topic of security, which mostly lacks any sort of theoretical basis. What is really surprising is the way that when you start to think about the vulnerabilities in protocols of all kinds you quickly come to the conclusion that it is true that building in over capable language facilities is the root of the problem. Perhaps all security problems are due to providing too much machinery.
If you would like to follow it up then there are some very good papers and technical reports listed on the LangSec web site.
In a blog post Lennart Poettering, the main force behind the controversial systemd Linux configuration system, explains that any dislike of his software spills over to him personally - and not just ha [ ... ]