Secure Coding mailing list archives

Efficiency as a negative


From: "Hetrick, Brian" <brian.hetrick () hp com>
Date: Fri, 05 Dec 2003 21:16:10 +0000

One writer noted, in response to a point another had made, that the
proposed solution was inefficient, as if this were a bad thing. I
believe we need to re-think the desire for efficiency.

Open loop control is far more efficient than closed loop control,
because there is no need to obtain and interpret feedback. Despite this,
or perhaps because of this, I suspect most of us would refuse to ride
in a vehicle driven using only open loop control. The drawback of open
loop control is that the slightest perturbation of the environment,
the slightest deviation from the assumed environment, can cause
failure.

Every time we write code using an assumption instead of a run-time
check, we are using open loop control.

Received computer science and software engineering wisdom from the
'40s through the '80s is to minimize redundancy and hence maximize
efficiency. We minimize redundancy by recording information once, rather
than many times; by computing things one way, rather than several; by
designing so that the values presented to a routine are always in
range, rather than checked to ensure they are in range; and so forth.
Yet minimizing redundancy is essentially the same thing as maximizing
risk: every time you replace a check with an assumption, you become
vulnerable to falsification of the assumption.

The minimum redundancy footbridge is exactly strong enough to hold you
as you walk across it. This is, after all, all it needs to do. Until
the day you walk across it with wet, and hence heavier than usual,
shoes. Then, the minimum redundancy footbridge collapses.

As Schneier mentions in, I believe, "Secrets and Lies" (my library is
at home), we already have plenty of fast, insecure programs. We
certainly do not need more.

The computers of today are the supercomputers of yesterday, and the
computers of tomorrow will be the supercomputers of today. Perhaps it
is time to use some of that power as a safety net. In many aspects of
engineering, the concept of a "safety factor" comes into play: if the
guaranteed maximum load on a bridge is 4,000 pounds, you design the
bridge to hold 16,000 pounds, and wonder if a mere 300% safety factor
is enough. Perhaps all our programs should spend a substantial
fraction of their time -- say 75% -- making sure their environment is
what they expect.
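To make the open loop / closed loop contrast concrete, here is an added example (mine, not code from the original post): a hypothetical `limit_table` that records every entry twice, an open loop lookup that simply trusts the caller's assumptions, and a closed loop lookup that turns each of those assumptions into a run-time check with a failure path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed example: per-level limits, with "shadow" a deliberately
 * redundant second copy of every entry (information recorded twice). */
#define MAX_LEVELS 8
struct limit_table {
    size_t   n;                  /* entries in use, must be <= MAX_LEVELS */
    uint32_t limit[MAX_LEVELS];
    uint32_t shadow[MAX_LEVELS];
};

/* Open loop: assumes 0 <= level < t->n and that the entry is intact; if
 * either is false the result is wrong or out of bounds and nothing notices. */
uint32_t limit_assumed(const struct limit_table *t, size_t level)
{
    return t->limit[level];
}

/* Closed loop: every assumption is a run-time check with a failure path,
 * and the redundant copy turns a corrupted entry into a detected error. */
bool limit_checked(const struct limit_table *t, size_t level, uint32_t *out)
{
    if (t == NULL || out == NULL || t->n > MAX_LEVELS)
        return false;            /* the structure itself is suspect */
    if (level >= t->n)
        return false;            /* caller violated the assumed range */
    if (t->limit[level] != t->shadow[level])
        return false;            /* the two copies disagree */
    *out = t->limit[level];
    return true;
}

/* Builds a consistent table from a constructed list of values. */
struct limit_table make_table(const uint32_t *vals, size_t n)
{
    struct limit_table t = { .n = n };
    for (size_t i = 0; i < n && i < MAX_LEVELS; i++)
        t.limit[i] = t.shadow[i] = vals[i];
    return t;
}
```

The cost of the checked version is a few comparisons per call; what it buys is that an out-of-range level or a single flipped entry is reported instead of silently used.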
