RE: Preventing exploitation with rebasing

From: Jason Coombs (jasoncat_private)
Date: Thu Feb 06 2003 - 12:23:00 PST

    We expect software developers to test their products before shipping them,
    but we don't require any proof they have done so. If the developer has never
    executed each potential path through their code, why should we run it as
    field testers when our desire instead is to be customers who rely on
    trustworthy products?
    
    As customers we should not pay for products that are being tested on us. We
    should pay for products that have already been tested, and we should be
    given the results of that testing to use as a tool of security auditing and
    threat containment.
    
    A system of forensic profiling for compiled code would enable numerous
    countermeasures to the threats that arise today out of the necessity to
    leave our microprocessors and OS APIs open to arbitrary utilization. These
    resources can and should be closed to the run-time execution of code that
    does not have an accompanying forensic profile created by the developer as
    they carefully tested each logical path through the authentic compiled
    product.
    
    With such a fundamental shift in the way that we receive and use software
    from developers, rebasing and other techniques to randomize the run-time
    execution environment would be unnecessary because we would have the tools
    and the information necessary to rein in our microprocessors and OS APIs.
    
    Arbitrary malicious code can cause a CPU to do math, but it can't cause a
    CPU to do harm unless it is able to communicate with or control a willing
    victim (such as a device driver).
    
    Jason Coombs
    jasoncat_private
    
    This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 08:56:45 PST