[E-Lang] defense in depth

Marc Stiegler marcs@skyhunter.com
Wed, 24 Jan 2001 16:29:14 -0700


> An interesting analogy, given the sorry state that the Russian economy
> experienced post introduction of free markets.  Free markets certainly
> made a difference, but calling them a "silver bullet" is questionable.

Calling the Russian economy in the years after the fall of communism a free
market is much like calling a credit card a capability: it leaves out a
couple of crucial little characteristics, characteristics without which you
miss the meat of the mechanism and end up with only the surface appearance
(the credit cards left out the security, and the Russian post-communism
markets left out the property rights).  A better example might be the Polish
and Estonian grocery stores :-)

This is also very similar to the way California deregulated its power
generation: somehow deregulation that imposes on participants a bagful of
new, inconceivably bad laws, misses the point :-)

> Of course, this additional layer does not come without cost.  But the
> question is to trade off this cost of defense in depth against the
> potential benefits.  It seems that a lot of people in this thread are
> asserting that the additional benefit is zero, which I find hard to
> believe.  Am I misunderstanding what people are saying

The benefit can be positive, negative, or zero, depending on the complexity
of the additional mechanism. As the additional mechanism becomes simpler,
and its relationship to the other security strategies involved becomes more
succinctly definable, it goes from negative (confusing the defenders) to
positive (making it harder for the attackers).

We may be suffering from a disconnect in this conversation with levels of
abstraction as well. On a level of abstraction higher than the bottommost
layer of infrastructure, remember that basic capabilities create the
architectural opportunity for a glorious host of higher-level patterns:
facets, revokable forwarders, sealers, and third party confinements are just
the beginning of a wealth of strategies that have yet to be fully explored.
These patterns meet the criteria of being simple and having succinct
relationships to one another. And no one seems to be disagreeing with my
really bold assertion: that we can make the kernel capability mechanism
perfect.

Given a perfect underlying mechanism, given a cornucopia of higher-level
patterns and architectural opportunities that can be combined in many ways
(including ways that yield defenses in depth), let us explore that
cornucopia a bit before we assert that additional fundamental mechanisms are
required.

This discussion has become way too abstract for my taste, though I'm sure
I'm as much at fault as anyone. So I have a concrete challenge: find a
security flaw in Echat or Edesk, both posted on the Web, and describe a
second mechanism I should have implemented that would have prevented this
flaw from arising, if only I had been smart enough to be a "defense in
depth" kind of guy :-)

To be a truly great counterexample that leaves me tongue-tied with its
excellence, it should be a mechanism that would be easier to implement and
at least as secure as would be the result of adding more capability-based
defenses.

Or start with the stock market code I wrote that markm published somewhere,
upon which I have already placed a so-far-uncollected prize of 10 grams of
e-gold for the first person to breach the security. Starting with the
marketplace, you can earn gold without even completing the challenge (since
the challenge requires not only finding the flaw but explaining a fix :-).

--marcs:
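Two of the patterns the message lists (a facet and a revocable forwarder) composed into one read-only, revocable handle, as an added example that is not part of the original post or of the E code it refers to; the account object, its method names and the balances are assumptions constructed for illustration:

```javascript
// Added example, not from Marc Stiegler or the E-Lang archive: two of the
// capability patterns the post names, in object-capability style using plain
// closures. The "account" object, its methods and balances are constructed.
function makeAccount(initialBalance) {
  let balance = initialBalance;
  return {
    getBalance: () => balance,
    withdraw: (n) => {
      if (n > balance) throw new Error("insufficient funds");
      return (balance -= n);
    },
  };
}

// Facet: a view carrying only read authority; it holds no reference to withdraw.
function makeReadOnlyFacet(account) {
  return Object.freeze({ getBalance: () => account.getBalance() });
}

// Revocable forwarder: forwards calls until revoke is exercised, then every call fails.
function makeRevocableForwarder(target) {
  let current = target;
  const forwarder = new Proxy({}, {
    get(_obj, prop) {
      if (current === null) throw new Error("capability revoked");
      const method = current[prop];
      if (typeof method !== "function") return undefined;
      return (...args) => {
        if (current === null) throw new Error("capability revoked");
        return method.apply(current, args);
      };
    },
  });
  return { forwarder, revoke: () => { current = null; } };
}

// Composition: a revocable read-only handle; each layer just wraps the one below.
function demo() {
  const account = makeAccount(100);
  const { forwarder, revoke } = makeRevocableForwarder(makeReadOnlyFacet(account));
  const before = forwarder.getBalance();                       // 100
  account.withdraw(30);                                         // full object only
  const after = forwarder.getBalance();                        // 70
  const facetLeaksWithdraw = forwarder.withdraw !== undefined;  // false
  revoke();
  let revokedError = null;
  try { forwarder.getBalance(); } catch (e) { revokedError = e.message; }
  return { before, after, facetLeaksWithdraw, revokedError };
}
```

Holding the forwarder gives read access only while the revoker is unexercised; neither layer knows anything about the other beyond the object it wraps.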