Designing Reliable Systems versus Finding Security Holes

At various presentations and also in our research on credit cards I came across approaches for security vulnerability research that are based on tools and techniques for building reliable systems.  I am curious about the relation between the two, and thought maybe a blog is a good venue for people to share some thoughts on the issue.

A couple of examples of what I mean:

– Martin is trying to build a reliable emulator for credit card payment. He works with Leo on proofs for reliability. Martin essentially follows the Praxis software development approach, in a light-weight incarnation. But, as a consequence, he and Leo find security vulnerabilities. Shouldn’t we have used a tool/method that aims at finding security vulnerabilities instead of one that aims at building reliable systems?  Or are these somehow the same?

– We recently had a colloquium guest speaker (recently graduated PhD student) from Glasgow who talked about her research in using safety case description languages to describe case studies for security breaches.  Such use is almost contrary to what the language was defined for, but it seemed to work.

I’m interested in the question whether we use existing dependability/safety techniques for security research because (1) we don’t have better ones yet or because (2) they are the best ones imaginable.  I guess the answer is ‘it depends’, but it struck me as interesting to try to understand this issues more generically and discuss on this blog.  So, please comment.

One thought on “Designing Reliable Systems versus Finding Security Holes

  1. Hi:

    I received a coy of the above blog post, and Feng’s request to me to copy, by email, and replied that way hoping that my reply would thereby reach the blog. It seems not to have so I’ll use this less convenient route to provide a further copy of my reply:

    Hi Feng:

    Let me offer the following:

    Building Reliable Secure Computing Systems out of Unreliable Insecure Components
    Dobson, J.E. and Randell, B.
    In Conference on Security and Privacy, Oakland, USA
    pp 187-193
    IEEE, 1986



Leave a Reply

Your email address will not be published. Required fields are marked *