Mobile // Mobile Devices
News
7/30/2012
03:17 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Tired Of Security Problems? Change Rules Of Writing Code

Security researcher Dan Kaminsky says rewriting the rules of computer science is the way to avoid bugs, attacks, and other vulnerabilities.

By changing the way developers fundamentally code, security researcher Dan Kaminsky plans on fixing holes in computer security. During BlackHat and DefCon at the Rio All Suite Hotel and Casino in Las Vegas, Kaminsky spoke to BYTE about how he thinks rewriting the rules of computer science is the way forward to avoid bugs, attacks, and other vulnerabilities.

Kaminsky is best known for finding and fixing a flaw in the Internet's Domain Name System (DNS).

"Dogmatic approaches to computer security are not solving the problems we have. We need new models of programming and engineering because what we are doing isn't working. There's not enough science [being done]," he said.

This week, Kaminsky plans to release an update to a package called Interpolique compiler, which keeps code and data separate. The problem with how things are done now, said Kaminsky, is that developers don't write secure code--they want to mix code and data.

It's not like developers hate security, he said. "They aren't saying they want to leak credit card numbers." So the real question is: why aren't developers coding in a way that prevents problems?

"We have to make things that are useful for developers. We need to respect developers and give them the tools that they need. We know we have security issues with timing," Kaminsky said. "They're the vast majority of vulnerabilities ever written and discovered. We haven't actually fixed them. If we did fix them, they wouldn't still be costing billions of dollars."

The hypothesis of language theoretic security is that security vulnerabilities are the consequences of the languages code is written in, noted Kaminsky. In other words, our biggest problems in security do not revolve around random number generation; they revolve around languages. There are three problems: the inability to authenticate, the inability to write secure code, and the inability to bust the bad guys, he said.

Kaminsky explained that by using clocks in the computer, for example, it stops random number generation from being a viable way to attack computer networks.

"It doesn't matter what code you write, if there are parties in the middle changing or blocking what you sent. Content alteration and blocking is becoming a real thing. Verizon is claiming the first amendment right to rewrite Internet connections. Entire countries are silently blocking Web pages," said Kaminsky.

"[Before] finding out certificates have been changed, we have to find out something had happened. I'm playing the detection game. I want to increase the likelihood that testing actually occurs," Kaminsky said.

By creating underlying technologies, Kaminksy wants to increase the amount of data available, so vulnerabilities can be discovered faster.

"We are operating in a vacuum of information. There are things we are afraid of in security and censorship. Why don't we find out what is happening?"

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.