Tired Of Security Problems? Change Rules Of Writing Code - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Devices
03:17 PM
Connect Directly

Tired Of Security Problems? Change Rules Of Writing Code

Security researcher Dan Kaminsky says rewriting the rules of computer science is the way to avoid bugs, attacks, and other vulnerabilities.

By changing the way developers fundamentally code, security researcher Dan Kaminsky plans on fixing holes in computer security. During BlackHat and DefCon at the Rio All Suite Hotel and Casino in Las Vegas, Kaminsky spoke to BYTE about how he thinks rewriting the rules of computer science is the way forward to avoid bugs, attacks, and other vulnerabilities.

Kaminsky is best known for finding and fixing a flaw in the Internet's Domain Name System (DNS).

"Dogmatic approaches to computer security are not solving the problems we have. We need new models of programming and engineering because what we are doing isn't working. There's not enough science [being done]," he said.

This week, Kaminsky plans to release an update to a package called Interpolique compiler, which keeps code and data separate. The problem with how things are done now, said Kaminsky, is that developers don't write secure code--they want to mix code and data.

It's not like developers hate security, he said. "They aren't saying they want to leak credit card numbers." So the real question is: why aren't developers coding in a way that prevents problems?

"We have to make things that are useful for developers. We need to respect developers and give them the tools that they need. We know we have security issues with timing," Kaminsky said. "They're the vast majority of vulnerabilities ever written and discovered. We haven't actually fixed them. If we did fix them, they wouldn't still be costing billions of dollars."

The hypothesis of language theoretic security is that security vulnerabilities are the consequences of the languages code is written in, noted Kaminsky. In other words, our biggest problems in security do not revolve around random number generation; they revolve around languages. There are three problems: the inability to authenticate, the inability to write secure code, and the inability to bust the bad guys, he said.

Kaminsky explained that by using clocks in the computer, for example, it stops random number generation from being a viable way to attack computer networks.

"It doesn't matter what code you write, if there are parties in the middle changing or blocking what you sent. Content alteration and blocking is becoming a real thing. Verizon is claiming the first amendment right to rewrite Internet connections. Entire countries are silently blocking Web pages," said Kaminsky.

"[Before] finding out certificates have been changed, we have to find out something had happened. I'm playing the detection game. I want to increase the likelihood that testing actually occurs," Kaminsky said.

By creating underlying technologies, Kaminksy wants to increase the amount of data available, so vulnerabilities can be discovered faster.

"We are operating in a vacuum of information. There are things we are afraid of in security and censorship. Why don't we find out what is happening?"

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
CIOs Face Decisions on Remote Work for Post-Pandemic Future
Joao-Pierre S. Ruth, Senior Writer,  2/19/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
CRM Trends 2021: How the Pandemic Altered Customer Behavior Forever
Jessica Davis, Senior Editor, Enterprise Apps,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll