[cap-talk] Any hope in RSA 2008?
Jed Donnelley
jed at nersc.gov
Fri Apr 4 15:57:05 EDT 2008
On 4/4/2008 11:54 AM, Jonathan S. Shapiro wrote:
>> At 06:49 AM 4/4/2008, Mark Miller wrote:
>>> We're on a sinking ship that has been kept afloat by a vigorous
>>> bailing process... After all, bailing is what's worked so far.
The above I think was inadvertently misattributed to me.
As I've corrected above, it was what MarkM wrote.
> Well, no. The boat is still sinking, and there is still no land in
> sight. Bailing has not solved the problem. It has merely delayed the
> drowning.
While I recognize the limits of this metaphor, I agree. Perhaps
there is a certain amount of preaching to the choir on cap-talk.
What I'm trying to do is to leverage cap-talk to find other
receptive audiences. Are we really so isolated in our
"water tight compartments" approach to improving computer
security/integrity?
>>>> Right. However, I would think that by now since we've been
>>>> doing what we can for the next three weeks for the last 15 years
>>>> at least and things haven't gotten better (they've gotten
>>>> worse) then it does seem pretty clear to me that this three
>>>> week horizon process is not making positive progress.
>>> I agree, but that's not the group that this conference is marketing to.
>> Ah, so where is the conference that is marketing to the long
>> term solution group? Where is that group? Those are the
>> people I want to talk to.
>
> There isn't one. The cost of bailing is so high that there is no budget
> left for problem solving.
I think this is where we come in with David Wagner's comments.
I believe that the industry is adequately dealing with the bailing
and patching approach. To me it seems that the research focus
should be on longer term solutions. I know at LBL (home
of Bro: http://www.bro-ids.org/ ) I see no evidence of any
longer term research, though bailing efforts like the Bro
work are very much in evidence.
David says, "send more research". I wonder what has happened
to the research done so far. E.g. what has the result been
from the CapDesk work? From the DARPA browser work? Is that
work getting incorporated into production software? PLASH?
From my perspective there is a very strong negative bias
against POLA approaches. This bias seems, from my experience,
to emanate from the most common university teaching curriculum
from the later 1980s through today, where it has been taught
that POLA approaches were tried and found lacking and so properly
abandoned. Don't waste your time in that area is the lesson
learned. As MarkM says, "hardly anyone believes any
alternative is possible." This is what seems to me so
sad, counterproductive, and ultimately destructive.
It might not be so bad if there was a vigorous alternative
with promise being pursued. It's the lack of same that I'm
lamenting. Am I wrong in this?
>>> Depends what "the problem" is.
>> "the problem" is poor computer security/integrity that takes
>> heroic effort just to keep it afloat (bailing and patching).
>
> No. The problem is the installed base of applications that rely on
> unsecurable infrastructure. Well, that and the fact that none of us can
> actively point at a fully working alternative.
I still believe that the ultimate "problem" is the lack of
security/integrity. That is what InfoWorld ranked as the
#1 all time tech "flop," where they said, "Thirty years into
the personal computer era, and it seems like security is only
getting worse." Everybody in the industry knows that this
is a serious and embarrassing problem. It may be that the
installed base of applications that rely on an unsecurable
infrastructure and the lack of fully working alternatives are
barriers to solving the problem, but those technical issues
aren't the problem itself. Our task as IT professionals is
to find ways to surmount those barriers and solve the problem.
I'm trying to energize forums that will better address the
long term problem than the RSA 2008 conference or the
Usenix Security conference (others?) have.
One problem I see with addressing the longer term problem
is even framing it. On cap-talk we interact in terms of
the capability paradigm and more generally POLA. I think
most others see these as technical means to try to address
the longer term problem that have been tried and failed.
If there was even a context to discuss such potential
solutions, it would seem that POLA and more specifically
the capability paradigm could be evaluated against other
potential long term solutions. Are there any? Any
proposed? Is there a context in which such potential
long term solutions are evaluated?
From what I see of the research community, the context
is defined by the bailing and patching approach.
Much of the focus seems to be on finding holes
(which get patched) and monitoring, blocking,
and recovering from the "water" the holes let in
(bailing). Where is the context that includes
the POLA (water tight compartments) sort
of engineering approach? The approach that accepts
that there will be holes and that water will come
aboard, but that we can and should be able to
construct water tight compartments that allow
us to patch and empty out our compartments as
part of a more disciplined engineering approach
as time allows vs. in emergencies when dealing
with sinking ships.
(heh - still pushing the metaphor a bit to see
how it reads).
--Jed http://www.webstart.com/jed/