[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security

Mark S. Miller markm@caplet.com
Thu, 05 Apr 2001 07:54:51 -0700


At 06:52 AM Thursday 4/5/01, Jonathan S. Shapiro wrote:
>Nothing's ever perfect.

Very bad slogan, especially in this context.  It lends support to the most 
dangerous common misunderstanding about computer security: that it's always 
necessarily vulnerable to the next yet cleverer hacker.

In fact, many things in computer security may be perfect.  What usually 
cannot be perfect is our knowledge of whether they're perfect.  For example, 
at some point the EROS kernel may be perfectly secure.  However, its absence 
of bugs doesn't give us knowledge that it has no bugs.  Just lack of 
knowledge of bugs over increasing periods of time, leading to increasing 
confidence.

EROS itself is software.  Software, like logic, exists in a mathematical 
world in which perfection is possible, though knowledge of perfection is 
damned difficult.  Does NP == P?

However, to be useful and give real security, this mathematical world must 
be embedded in the physical world.  Software must be run on digital logic 
diagrams, which again are mathematical abstractions where perfection is 
possible.  But these must be run on messy analog electronic hardware like 
transistors.  This embedding in physical substance is where perfection, even 
perfection we don't know we've achieved, starts to look really hard to 
reach.  The above scenarios are hard largely because they involve this 
physical world.

We share an unprovable belief that physical substance is itself perfectly 
described by pure mathematical abstraction called laws of physics.  It may 
be the case, but we have no way to obtain knowledge that it is the case, or 
what precisely these laws of physics are.  However, over time we have 
reasons to believe we're working with ever better guesses.  Unfortunately, 
our current best guesses, with their quantum uncertainty, their tantalizing 
possibility of an exponential speedup for some search problems, and most of 
all their pervasive non-locality, lead to almost nothing but despair that a 
perfectly secure embedding of secure software in physical substance can be 
achieved.

However, we've been thinking hard about this for no more than a few decades, 
so this despair is premature.  Just as logic designers have invented design 
rules that give us confidence in the integrity of our embedding of the 
digital logic gate in solid state electronics, by giving our uncertainty a 
wide enough berth, we may yet develop broader design rules for containing 
the messiness that physics currently hands us.

To return to the example at hand, if we were trying to build a true opaque 
box, in which all unencrypted sensitive information exists only inside the 
tamper detecting shell, this would seem to work if such a shell is 
achievable.  Drexler and I once went through an exercise of trying to 
conceive of opaque box designs that could be built with current technology 
that could withstand a nanotech attack.  One design has a large cloud or 
bubble chamber (I don't remember which -- I'm not the physics guy) between 
the outer and inner parts of the shell, and the computer itself magnetically 
suspended within the inner shell.  The cloud or bubble chamber is constantly 
monitored by optical sensors on the inner shell for signs of intrusion by 
something substantially larger than an individual particle.  When it thinks 
it's detected one, it sets off the explosives, destroying the computer as 
well as any escaping intruders carrying sensitive information.

Now this was never critically examined, and it has certain, ahem, 
practicality problems.  But it may be a perfect physical embedding.  We 
couldn't think of a workable attack on it.


        Cheers,
        --MarkM