What do you mean I forgot the security?

Is security a science? (I mean specifically computer/Internet security here.) Maybe the question is trivial but sometimes I wonder. The question occurred to me as I was reading a section on cross-site scripting attacks in Ed Skoudis’s excellent book Malware: Fighting Malicious Code, which is the textbook for a class I’m taking. Being a curious sort of guy, I tried it out. I took a prototype web site I had developed for my job and inserted some JavaScript into a text field, just to see if it would work. It did.

I had the advantage of knowing that I had not included defenses against such an attack in the code because it was a prototype intended to work through a problem, not an actual attempt to build a real live website. It was never going to see real life on the Internet. Well, it seems now that this may not be true. I’ve moved on to other things while that old prototype site has been handed to another programmer to build out into a more complete system. I guess I’d better warn the programmer that he has to include some kind of white listing or tag stripping in the data entry fields before it goes live.

Monday I guess I’ll add it to his backlog. It’s already on mine for the current project (at least, I hope it is!).

This sounds basic, but there’s a deeper question. The prototype site was built using Ruby on Rails, a wonderfully powerful web development framework with lots of deep-binding backend magic. I ran a test because I wanted to be certain that Rails did not already handle these issues behind the scenes. I didn’t think it did, but it never pays to assume that there’s something Rails does not do.
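As an added illustration (my own example, not the author’s code and not Rails’ own helpers), here is the unescaped rendering the post describes alongside two standard-library Ruby fixes: escaping the whole field, and the “white listing” of a few bare formatting tags the post mentions. The sample comment text is constructed; Rails 3 and later escape ERB output by default, so the unescaped path corresponds to older templates or explicit raw output.

```ruby
require 'cgi'

# Constructed sample input of the kind the post describes: a script tag typed
# into an ordinary text field (the payload text is illustrative only).
UNTRUSTED_INPUT = 'Nice site! <b>Really</b> <script>alert("xss")</script>'.freeze

# Vulnerable: the field is interpolated straight into the page, as the prototype did.
def render_unescaped(field)
  "<p class=\"comment\">#{field}</p>"
end

# Hardened, option 1: escape everything so the browser shows it as inert text.
def render_escaped(field)
  "<p class=\"comment\">#{CGI.escapeHTML(field)}</p>"
end

# Hardened, option 2 (allowlist): escape everything, then restore only exact,
# attribute-free tokens for a few formatting tags. Anything with attributes,
# unusual casing or a pre-escaped entity stays escaped.
ALLOWED_TAGS = %w[b i em strong].freeze

def sanitize_allowlist(field)
  escaped = CGI.escapeHTML(field)
  ALLOWED_TAGS.each do |tag|
    escaped = escaped.gsub("&lt;#{tag}&gt;", "<#{tag}>")
                     .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  escaped
end

def render_allowlisted(field)
  "<p class=\"comment\">#{sanitize_allowlist(field)}</p>"
end

# Regression check a test suite could run over rendered output:
# does a live script element survive? (case-insensitive, so <SCRIPT> counts)
def contains_script_tag?(html)
  html.match?(/<\s*script/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(UNTRUSTED_INPUT)   # script tag survives
  puts render_escaped(UNTRUSTED_INPUT)     # everything is inert text
  puts render_allowlisted(UNTRUSTED_INPUT) # <b> kept, <script> neutralised
end
```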

So what does any of this have to do with science? For openers, science is a process, not an end in itself. Scientific method describes how to enhance knowledge through careful and creative inquiry. (Sounds nice when I put it that way, doesn’t it? Don’t bother telling me about all the times it doesn’t seem to work. I know.) My little test to find a flaw that I was reasonably sure was there wasn’t science. It could have been a preliminary. I could develop a theory of security architectures from that and begin a series of tests of the characteristics of those architectures.

If I had more time (and more skill. And enough money to be able to pursue these little whims. And … never mind), maybe I would create a fork of Rails and build some enhanced security systems in, just to see what would happen (and to spare myself the embarrassment of finding out I overlooked something I shouldn’t have). Would it make much of a difference? Would programmers take advantage of those features if they were added? Or would they turn them off to make life easier? Or would they complain that they were implemented wrong?

If the features were used correctly, would it make a difference, or would crackers (that’s like hackers, except us highly educated security types like to think it’s more accurate) just shift their attention to different attacks or different platforms?

Without solid measurements all we can do is speculate. That brings up another interesting point. If security is a science, I often think it’s a social science. We can measure the relative strength of security against certain types of attacks. We can theorize about the resilience of systems. But everything in security depends on the behavior of people. If the programmer programs in a security measure, or (like me) sloppily leaves it out because of an unreasonable belief it won’t be needed, how does that influence the behavior of other people – both innocent users and crackers alike?

The interesting thing is that computer security, since it involves computers, is rooted in computer science. Data structures and logic and computational complexity are more the order of the day than research design with volunteers. Computer science education is heavily weighted toward the hard sciences, not the social sciences at all. This isn’t just the way the field is, it’s the way the people in the field think. In fact, having always thought of myself as a hard science kind of guy, I’ve tended to think of the social sciences as being not science at all.

Maybe I’ll have to modify that somewhat. Security as social science means being able to model the strengths and weaknesses of a complex system AND how the people interact with it. Like social sciences in general, I don’t think the processes or the results are very mature yet. Not enough rigor and not enough reproducible behavioral data. If anyone can overcome that, it should be us hard-thinking computer-geek science types.

  1. Venkat says:

    For an anarchist’s critique of the so-called scientific method, try Paul Feyerabend’s “Against Method.” His basic thesis is that there is no privileged method for getting towards truth, however you define it. Reading tea-leaves or entrails is no more or less justified than the ‘observation-hypothesis-experiment-theory’ process more honored in the breach than the observance. The scientific method is “whatever works.”

    More specifically, is there a science behind security? At one extreme, you could argue that the basics of information theory, of the fundamental Shannon variety, have scuttled all hopes for a general theory. The trite idea that ‘no security system is perfect’ actually has a depth probably equal to that of the 2nd law of thermodynamics.

    At a slightly more pragmatic level, the entire potential science of security probably rests on the P vs. NP conjecture. There was some mild panic when it was proved that primality testing is P, and then people realized that RSA was still safe, since it relied on factorization rather than primality testing. If it turns out P=NP, entropy, evil and anarchy will win quickly, permanently and decisively.

    At the most practical level, I think the science of security rests on the axiom that it takes more brains to fix a bug than it does to code the program in the first place. But exploitation probably does not require smarter-than-original-coder status. Add the idea that bugs and exploits can be discovered accidentally (the ‘many eyeballs’ argument, which is basically a Monte Carlo by a crowd of humans in the space of user experience instances…). Result: a practical argument that there is no fundamental theory of security, only temporary wins in battles, and an assured final win for the Dark Side. Here’s a sorta proof by story.

    The apocalyptic scenario is this: the smartest guy in the world, X, builds an important program. Call it Skynet (any resemblance to entities real or fictional is purely unintended and coincidental). Nobody is smart enough to find exploits by being smarter than X, but somebody _randomly_ does so, thanks to the many-eyeballs effect. He fat-fingers Skynet into a pathological state of “permanent exploithood”, but since X is the smartest guy in the world, nobody can fix it. Or build a smarter system to control it.

    So the Society for Information Security gives up its mission and disbands. They go join the anti-Skynet crusade of a guy named (to pick a name at random) John Connor.

    In a sense, the “Singularity” theory people of smarter-than-human AI reason this way. Try the blog of Eliezer Yudkowsky at the Singularity Institute. The guy developed (and believes in the possibility of) something called “friendly AI.” Haven’t yet parsed his idea much, but he thinks you can get to Skynet without it turning rogue.

    Alright, enough BS. That’s actually my long-winded excuse for sloppiness and indiscipline :)

    • irv says:

      Remember Newton’s comment about standing on the shoulders of giants? That means that you don’t have to be the smartest guy in the world to produce even more than some other smart guy did. You just need to know how he got to where he did and pick up from there.

      That’s science. It’s not “whatever works.” Organized inquiry works better than reading entrails. That’s why reading entrails has mostly fallen into disfavor (aside from the ickiness factor, I mean). That also leaves out something I vaguely remember hearing about Newton writing that comment in a letter to a hunchback. Apparently, he meant it in a not very nice way. Go figure!

      Personally, I think friendly AI is entirely possible, especially once people realize that emotions are not just a drag on logic but also a very effective control mechanism. I LIKE the idea of computers being terrified to hurt humans. I also think it’s very likely that secure AI may be much longer in coming. The prospect of rival Skynets hacking each other is scary.

  2. Venkat says:

    Ah see, you’ve bought into the big myth. Feyerabend’s big contribution was to actually go back and look at how Galileo, Kepler and others actually worked. Rather than being great examples of the ‘scientific method’ they were paragons of bumming around just figuring stuff out anyhow. How you *prove* things to a scientific community is where method comes in, not how you discover it. If you actually look at the processes of big name scientists who achieved a lot, most of them were operating by methods that look no better than entrail-reading… following their nose.

    Where they left entrail reading behind is in what they did after stumbling on a key insight of course.

    That said though, there is also a bigger effect of science itself becoming something of an entrail-reading religion that delegitimizes other ways of knowing.

    The shoulders of a giant thing doesn’t necessarily conflict… IMHO Newton was actually smarter than Galileo and Kepler, that’s why he was able to climb up there. False humility. Einstein was more of a shallow-eyeball bug fixer whose big claim to fame is not smarts but courage to ‘see’ differently.

    But entropy and complexity accumulate, and in physics, you are now at a point where superstring theory has become something of an unfalsifiable and arcane religion unto itself that you need 10 years of grad school to even learn how to critique (http://www.ribbonfarm.com/2007/07/04/book-reviews-the-trouble-with-physics-not-even-wrong/). By contrast, the basics of relativity take only high school math. So the bar is slowly rising to ‘top’ the last big achievement. It COULD be that physics is already at the human limit, and superstring theory is the final buggy religion that nobody can improve on.

    As for friendly AI, yeah, emotions are a fast-track control mechanism, as us control engineers have been saying for 50 years, and AI people found out only about 10 years ago (the field is called ‘affective’ computing…). But Yudkowsky takes a more axiomatic, Asimov’s laws of robotics type approach I think.

    • irv says:

      Galileo studied gravity by rolling ball bearings down an incline (IIRC). That’s called an experiment. That’s part of scientific method. There’s no myth in scientific method. Sure, insight is essential but then you have to develop some way of testing it or it’s not insight, just a guess.

      Einstein had the insight that perspective was relative years before he worked out the equations for relativity. He also had the insight that Heisenberg’s uncertainty principle was silly and wasted years trying to prove it. It turns out he was wrong on that one. Solid math beats mere insight every time.

      The real myth is that convincing the “scientific community” has anything to do with science. Your example of superstring theory is a good one there. The community is convinced that superstring theory will explain everything. They have no evidence to support this but they chase it anyway. Why? Because there’s more money to be made in very complex math than in comparatively simple math. And because it’s pretty (if you have the kind of mind that thinks math can be beautiful, anyway).

      Entrail reading at its finest! Some day it may actually yield meaningful results. The fact that it hasn’t yet tells me that there’s probably (not definitely, but I think the probability is high) something wrong with the underlying assumptions. Dead ends are a part of science too. But the important part – the part that is hard even for an Einstein – is recognizing when you’ve hit a dead end and being creative enough to think of something else to try.
