DIMACS Workshop on Software Security

January 6-7, 2003
DIMACS Center, CoRE Building, Rutgers University

Gary McGraw, Cigital, gem@cigital.com
Ed Felten, Princeton University, felten@cs.princeton.edu
Virgil Gligor, University of Maryland, gligor@umd.edu
Dave Wagner, University of California at Berkeley, daw@cs.berkeley.edu
Presented under the auspices of the Special Focus on Communication Security and Information Privacy.


Steve Bellovin Title: We can't write secure programs

Assertion: we cannot, in general, write secure programs. Security is a subset of correctness; correct programming is -- and will remain -- the oldest unsolved problem in computer science. *All* non-trivial programs, including firewalls, operating systems, and privileged or networked applications, are and will remain insecure. The challenge to security professionals is to design *systems* that will be "secure enough", despite the failure of many of the individual components.

Ben Laurie Title: TCPA and Palladium solve capabilities confinement

A standard problem in distributed capabilities is the confinement problem. Once you have given someone a capability, you cannot prevent them from giving it to someone else. TCPA and Palladium provide a mechanism by which this can be solved. The protocol is left as an exercise for the reader, but it involves a private key closely held by the TCPA/Palladium hardware, a nonce, and, of course, the capability (or, more precisely, its Swiss number).

Jon Pincus Title: Stop telling me I should be speaking Esperanto!

Every time there's a buffer overrun, everybody shakes their head and sighs "if only people didn't program in C and C++ this wouldn't be an issue." It's obvious ... and, equally obviously, if only everybody spoke Esperanto, we'd all be able to understand each other. Can we just return to reality here? Today, virtually nobody writes system software (OSs, drivers, databases, web servers, browsers) in safe languages; perhaps, just like with Esperanto, there are other factors that mean the "obvious right answer" isn't actually right in practice. What will actually cause things to change (or, if it's not going to change, what should we do instead)? And since I'm cynical enough to question the original Esperantists' assumption that a world language would bring us noticeably closer to world peace, why should I believe that changing languages will bring us noticeably closer to "software security"?

Bill Pugh Title: It is time to abandon C and C++

It is difficult to write reliable and secure code in C and C++. Instead, any new projects should be performed in type safe programming languages such as Java, C#, Cyclone and CCured. While those languages do not eliminate security problems, they eliminate broad categories of them. Strong consideration should be given to trying to migrate security critical components of existing C and C++ applications to a type safe language.

Papers and slides
DIMACS Homepage
Contacting the Center
Document last modified on May 4, 2004.