(AMBER, a philanthropist interested in a more reliable Internet, and CORAL, a computer security professional, are at a conference hotel discussing what Coral insists is a difficult and important problem: the difficulty of building "secure" software.)
Amber: So, Coral, I understand that you believe it is very important, when creating software, to make that software be what you call "secure".
Coral: Especially if it is connected to the Internet, or if it controls money or other valuables. But, yes.
Amber: I find it hard to believe that this needs to be a separate topic within computer science. In general, programmers need to figure out how to make computers do what they want. The people who build operating systems surely don't want them to give access to unauthorized users, just as they don't want those computers to crash. Why is one of those problems so much harder than the other?
Coral: That's a deep question, but to give a partial deep answer: When you expose a device to the Internet, you're potentially exposing it to intelligent adversaries who can find special, weird interactions with the system that make the pieces behave in weird ways that the programmers did not think of. When you're dealing with that kind of problem, you'll use a different set of methods and tools.
Amber: Any system that crashes is behaving in a way the programmer didn't expect, and programmers already need to stop that from happening. How is this case different?
Coral: Okay, so… imagine that your system is going to take in one kilobyte of input per session. (Although that itself is the sort of assumption we'd question and ask what happens if it gets a megabyte of input instead—but never mind.) If the input is one kilobyte, then there are 2^8,000 possible inputs, or about 10^2,400 or so. Again, for the sake of extending the simple visualization, imagine that a computer gets a billion inputs per second. Suppose that only a googol, 10^100, out of the 10^2,400 possible inputs cause the system to behave in some way the original designers did not intend.
If the system is getting inputs in a way that’s uncorrelated with whether the input is a misbehaving one, it won’t hit on a misbehaving state before the end of the universe. If there’s an intelligent adversary who understands the system, on the other hand, they may be able to find one of the very rare inputs that makes the system misbehave. So a piece of the system that would literally never in a million years misbehave on random inputs, may break when an intelligent adversary tries deliberately to break it.
Amber: So you're saying that it's more difficult because the programmer is pitting their wits against an adversary who may be more intelligent than themselves.
Coral: That's a way of putting it that is almost right. The important part isn't the "adversary" part, it's the optimization part. There is a systematic, non-random force strongly selecting for particular outcomes, driving parts of the system down weird execution paths and into unexpected states. If your system literally has no misbehavior modes at all, then it doesn't matter whether you have an IQ of 140 and the enemy has an IQ of 160; it isn't an arms race. When weird states are being selected for in a correlated way rather than occurring only by accident, it becomes hard to build a system that doesn't enter a weird state. The weird selecting force can search parts of the larger state space that you yourself cannot imagine. Defeating it really does require new skills and a different way of thinking, what Bruce Schneier calls "security mindset".
Amber: Ah, and what is this security mindset?
Coral: I can say one or two things about it, but keep in mind we are dealing with a quality of thinking that is not entirely effable. If I could give you a handful of platitudes about security mindset, and that would actually cause you to be able to design secure software, the Internet would look very different from how it presently does. That said, it seems to me that what has been called "security mindset" can be divided into two components, one of which is much less difficult than the other. And this can fool people into overestimating their own safety, because they can get the easier half of security mindset and overlook the other half. The less difficult component, I will call by the term "ordinary paranoia".
Amber: Ordinary paranoia?
Coral: Lots of programmers have the ability to imagine adversaries trying to threaten them. They imagine how likely it is that the adversaries are able to attack them a particular way, and then they try to block off the adversaries from threatening that way. Imagining attacks, including weird or clever attacks, and parrying them with measures you imagine will stop the attack; that is ordinary paranoia.
Amber: Isn't that what security is all about? What do you claim is the other half?
Coral: To put it as a platitude, I might say… defending against mistakes in your own assumptions rather than against external adversaries.