Fundamental Challenges in Cybersecurity and a Philosophy of Vulnerability-Guided Hardening (2402.01944v5)
Abstract: Research in cybersecurity may seem reactive, specific, ephemeral, and indeed ineffective. Despite decades of innovation in defense, even the most critical software systems turn out to be vulnerable to attacks. Time and again. Offense and defense forever on repeat. Even provable security, meant to provide an indubitable guarantee of security, does not stop attackers from finding security flaws. As we reflect on our achievements, we are left wondering: Can security be solved once and for all? In this paper, we take a philosophical perspective and develop the first theory of cybersecurity that explains what precisely and fundamentally prevents us from making reliable statements about the security of a software system. We substantiate each argument by demonstrating how the corresponding challenge is routinely exploited to attack a system despite credible assurances about the absence of security flaws. To make meaningful progress in the presence of these challenges, we introduce a philosophy of cybersecurity.