DIMACS Workshop on Software Security

January 6-7, 2003
DIMACS Center, CoRE Building, Rutgers University

Organizers:
Gary McGraw, Cigital, gem@cigital.com
Ed Felten, Princeton University, felten@cs.princeton.edu
Virgil Gligor, University of Maryland, gligor@umd.edu
Dave Wagner, University of California at Berkeley, daw@cs.berkeley.edu
Presented under the auspices of the Special Focus on Communication Security and Information Privacy.

Abstracts:






Steve Bellovin 

Title: We can't write secure programs

Assertion: we cannot, in general, write secure programs.  Security is a 
subset of correctness; correct programming is -- and will remain -- the 
oldest unsolved problem in computer science.  *All* non-trivial 
programs, including firewalls, operating systems, and privileged or 
networked applications, are and will remain insecure.  The challenge to 
security professionals is to design *systems* that will be "secure 
enough", despite the failure of many of the individual components.








Ben Laurie

Title: TCPA and Palladium solve capabilities confinement

A standard problem in distributed capabilities is the confinement 
problem. Once you have given someone a capability, you cannot prevent 
them from giving it to someone else. TCPA and Palladium provide a 
mechanism by which this can be solved. The protocol is left as an 
exercise for the reader, but it involves a private key closely held by 
the TCPA/Palladium hardware, a nonce, and, of course, the capability 
(or, more precisely, its Swiss number).








Jon Pincus

Title: Stop telling me I should be speaking Esperanto!

Every time there's a buffer overrun, everybody shakes their head 
and sighs "if only people didn't program in C and C++ this wouldn't 
be an issue."  It's obvious ... and, equally obviously, if only 
everybody spoke Esperanto, we'd all be able to understand each 
other.  Can we just return to reality here?  Today, virtually 
nobody writes system software (OSs, drivers, databases, web 
servers, browsers) in safe languages; perhaps, just like with 
Esperanto, there are other factors that mean the "obvious right 
answer" isn't actually right in practice.  What will actually 
cause things to change (or, if it's not going to change, what 
should we do instead)?  And since I'm cynical enough to question 
the original Esperantists' assumption that a world language would 
bring us noticeably closer to world peace, why should I believe 
that changing languages will bring us noticeably closer to 
"software security"?







Bill Pugh

Title: It is time to abandon C and C++
 

It is difficult to write reliable and secure code
in C and C++. Instead, any new projects should be performed
in type safe programming languages such as Java, C#,
Cyclone and CCured. While those languages do not eliminate
security problems, they eliminate broad categories of them.
Strong consideration should be given to trying to migrate
security critical components of existing C
and C++ applications to a type safe language.
Papers and slides
DIMACS Homepage
Contacting the Center
Document last modified on May 4, 2004.