Is software security getting better?

nikitaborisov — Tue, 17 Nov 2009 05:02:18 +0000

Someone I met last week told me something very surprising: he and the people he worked with felt that security, overall, was getting better. The developers and program managers he speaks with feel that things have improved so much that security is becoming less of a priority. This shocked me because it has always felt to me that we’re fighting an uphill battle. There are the constant quotes about how some 2-digit percentage of all desktops were running some form of malware, the stories from my friends about how they have to clean their families’ computers whenever they visit, the barrage of 0-day vulnerabilities, new attacks, new bots, … Can we really say we’re making progress?

I attributed this difference of opinion to the fact that he works for a large software company. From the point of view of making software, and especially a given product, things certainly have gotten better. Tremendous effort has been put into software development processes and tools, as well as the development (and deployment) of new protection mechanisms that help reduce the number of exploitable vulnerabilities. And I can believe that things are finally paying off.

And yet, I find it hard to be optimistic. Despite all this, my usual assumption is that a desktop computer can and will at some point be compromised. When I think about network security these days, my goal has shifted from preventing the bad guys from getting inside to containing the attacks from the supposedly good guys inside who have malware on their PCs. And when writing research papers about decentralized systems, I have to consider an adversary who might commandeer thousands of botnet nodes to attack them (though often I end up leaving robustness to such adversaries to “future work”).

I’m having a hard time resolving this contradiction. Am I just being overly paranoid (goes with the job!)? Or is the level of network threat rising despite improvements in software security (perhaps due to better financial motivation for attackers)? Perhaps it’s just that software security was so bad that now things are simply insecure, rather than ridiculously insecure? (A pot with holes in it is much better at holding water than a sieve, but it still leaks.)

Experiment

nikitaborisov — Wed, 09 Sep 2009 02:47:06 +0000

I decided to perform a small experiment in my Applied Cryptography course. We were discussing additive secret sharing. The basic idea is that, given a secret number , you pick a random share and set the second share . Neither share by itself contains any information about the secret.

I asked the students to each pick a number between 0 and 99 (i.e., in ). I treated the first student’s number as the secret s. The rest of the students had to treat their number as a first share, , and compute based on it. I asked the students to report back the result of the subtraction. Note that none of the students revealed their secret share , so the response should not reveal any information about the secret. Here are the results:

42	82	85
10	25	49
85	43	63
21	87	63
25	1	70

Can you guess what the secret number was?

In case my description was confusing, imagine that the class had four students, Alice, Bob, Carol, and David. Each student picked a random number:

Alice: 61
Bob: 34
Carol: 54
David: 59

We will use Alice’s number as = 61. Then Bob will pick his share as = 34 and compute = 61-34 = 27. Carol will take her own number as = 54, but use the same (Alice’s) , to produce 61-54 = 7. David will do the same thing, obtaining 2. So the report for the table above would be 27, 7, 2. In theory, knowing all these three numbers, you still have no information about Alice’s secret. In practice, you should be able to guess it from the results of the in-class experiment.

Hatswitch Blog

Is software security getting better?

Experiment