Tired Of Security Problems? Change Rules Of Writing Code - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Devices
News
7/30/2012
03:17 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Tired Of Security Problems? Change Rules Of Writing Code

Security researcher Dan Kaminsky says rewriting the rules of computer science is the way to avoid bugs, attacks, and other vulnerabilities.

By changing the way developers fundamentally code, security researcher Dan Kaminsky plans on fixing holes in computer security. During BlackHat and DefCon at the Rio All Suite Hotel and Casino in Las Vegas, Kaminsky spoke to BYTE about how he thinks rewriting the rules of computer science is the way forward to avoid bugs, attacks, and other vulnerabilities.

Kaminsky is best known for finding and fixing a flaw in the Internet's Domain Name System (DNS).

"Dogmatic approaches to computer security are not solving the problems we have. We need new models of programming and engineering because what we are doing isn't working. There's not enough science [being done]," he said.

This week, Kaminsky plans to release an update to a package called Interpolique compiler, which keeps code and data separate. The problem with how things are done now, said Kaminsky, is that developers don't write secure code--they want to mix code and data.

It's not like developers hate security, he said. "They aren't saying they want to leak credit card numbers." So the real question is: why aren't developers coding in a way that prevents problems?

"We have to make things that are useful for developers. We need to respect developers and give them the tools that they need. We know we have security issues with timing," Kaminsky said. "They're the vast majority of vulnerabilities ever written and discovered. We haven't actually fixed them. If we did fix them, they wouldn't still be costing billions of dollars."

The hypothesis of language theoretic security is that security vulnerabilities are the consequences of the languages code is written in, noted Kaminsky. In other words, our biggest problems in security do not revolve around random number generation; they revolve around languages. There are three problems: the inability to authenticate, the inability to write secure code, and the inability to bust the bad guys, he said.

Kaminsky explained that by using clocks in the computer, for example, it stops random number generation from being a viable way to attack computer networks.

"It doesn't matter what code you write, if there are parties in the middle changing or blocking what you sent. Content alteration and blocking is becoming a real thing. Verizon is claiming the first amendment right to rewrite Internet connections. Entire countries are silently blocking Web pages," said Kaminsky.

"[Before] finding out certificates have been changed, we have to find out something had happened. I'm playing the detection game. I want to increase the likelihood that testing actually occurs," Kaminsky said.

By creating underlying technologies, Kaminksy wants to increase the amount of data available, so vulnerabilities can be discovered faster.

"We are operating in a vacuum of information. There are things we are afraid of in security and censorship. Why don't we find out what is happening?"

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll