From: (Kragen Sitaker)
Date: Fri, 29 Nov 2002 21:44:17 -0500 (EST)
Subject: Re: [e-lang] eyeballs, prizes, EALs, and capdesks

MarcS writes:
> So, as an example of a possible EAL8 rating, you could have:
> "The source code has been disseminated to numerous developers with independent
> interests. We estimate at least 1000 different people have reviewed parts of
> the code. A security bug prize of $1000 has been available for one year and
> has not been collected."
> For EAL9, you could have:
> "The source code has been published on the Web. We estimate at least 5000
> different people have reviewed parts of it. A security prize of $100,000 has
> been available for 18 months and has not been collected."
> I'd feel pretty comfortable with this EAL9 system despite the lack of formal
> proofs. Meanwhile, I'd still feel pretty uncomfortable with a closed source
> EAL7 system where the code can only be seen by a dozen people.

So suppose Lockheed Martin wants this EAL9 rating for, say, a
software-defined radio system to be used to send programming changes
to cruise missiles in flight, as well as downlinking telemetry data
from the missiles.  Suppose it contains a flaw that a hundred people,
evenly distributed over the globe, know how to fix, and suppose the
flaw enables remote arbitrary code execution.

Jacques is one of these 100 people.  He lives in France, an ally of
the US, but an ally not entirely dependent on US-manufactured
supplies.  He works for Airbus.  He downloads the source code and
happens to find the flaw.

What should Jacques do?  If he collects the $100K, Airbus may censure
him, as may the French government.  Furthermore, the flaw represents a
competitive advantage for French arms merchants, and also for France,
should the US attack it at some time in the future --- unlikely, but
hardly impossible.  Finally, revealing the flaw could damage the
relationship between France and the US, and more significantly,
between Airbus and Lockheed Martin.

So Jacques files a report within Airbus, which is promptly classified
as top-secret.

Consider Robert, another of these 100 people.  Robert bills $150 an
hour as a security consultant.  Carefully reviewing the
software-defined radio system for flaws would take him six months, and
he would have no guarantee of collecting his winnings --- the software
might contain no security holes, someone else might find them first,
or the contest judges might not agree that the security holes he finds
really are security holes.

This adds up to earnings of possibly $100 an hour, but most likely
nothing.  Robert doesn't have any particular interest in
software-defined radio, so he doesn't even bother to download the
source code to look at it.

One James Poindexter (not to be confused with the
convicted-and-pardoned felon the US government fired during the 1980s
for funding terrorism in Nicaragua) is another of the 100 people.  He
finds the flaw and sells the information to Iraq for $500,000.  After
the US deploys the system, Iraq kicks the UN inspectors out and
reprograms some American cruise missiles to land in Washington, D.C.

Zooko writes:
> Suppose there is an application that contains 1000 bugs in the beta
> release.  ...  Robby has a 73% of chance of finding a bug that is
> still present in the production release!
> So it seems to me that the game of gaining assurance by finding bugs is a
> sucker's game.

You can't gain assurance by fixing bugs, but you can gain assurance by
looking for them and finding none, or very few, and you can gain
assurance by proofs of correctness (of various degrees of rigor),
which you can think of as a certain way to look for bugs.

I trust qmail more than sendmail because qmail had very few bugs in
the first place, while sendmail has been thoroughly audited and

<>       Kragen Sitaker     <>
Edsger Wybe Dijkstra died in August of 2002.  The world has lost a great
man.  See and for details.
e-lang mailing list
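The point in Kragen's reply to Zooko (that fixing the bugs you find tells you little about the ones you did not find, while searching hard and finding none does raise confidence, with a proof of correctness as the limiting case of a search that misses nothing) can be made concrete with a small Bayesian model. The Python below is an added illustration, not code from the e-lang thread or from any of its participants; the binomial review model, the flat prior over the bug count, the detection rates and the bug counts are all assumptions chosen for the example.

```python
# Added illustration (not from the e-lang thread): a toy Bayesian model of the
# difference between assurance gained by fixing found bugs and assurance gained
# by searching thoroughly and finding nothing.  All numbers are constructed.
from math import comb


def posterior_bug_count(prior, detect_p, found):
    """Posterior over the true bug count N after one review pass.

    Model (an assumption of this example): the reviewer spots each of the N
    bugs independently with probability detect_p, so the number found is
    Binomial(N, detect_p).  `prior` maps candidate N -> prior probability.
    """
    unnormalised = {}
    for n, prob in prior.items():
        if found > n:
            likelihood = 0.0  # cannot find more bugs than exist
        else:
            likelihood = (comb(n, found)
                          * detect_p ** found
                          * (1.0 - detect_p) ** (n - found))
        unnormalised[n] = prob * likelihood
    total = sum(unnormalised.values())
    return {n: v / total for n, v in unnormalised.items()}


def expected_remaining(posterior, found):
    """Expected bugs still present once the `found` bugs have been fixed."""
    return sum((n - found) * p for n, p in posterior.items())


def survival_after_reviews(detect_p, reviews):
    """Probability that one bug survives `reviews` independent review passes."""
    return (1.0 - detect_p) ** reviews


def uniform_prior(max_bugs):
    """Flat prior over 0..max_bugs: no prior knowledge of the bug count."""
    return {n: 1.0 / (max_bugs + 1) for n in range(max_bugs + 1)}


def compare(max_bugs=20, detect_p=0.5):
    """Contrast a review that found nothing with one that found and fixed five."""
    prior = uniform_prior(max_bugs)
    found_none = posterior_bug_count(prior, detect_p, 0)
    found_five = posterior_bug_count(prior, detect_p, 5)
    return {
        "remaining_after_finding_none": expected_remaining(found_none, 0),
        "remaining_after_fixing_five": expected_remaining(found_five, 5),
        "p_zero_bugs_after_finding_none": found_none[0],
    }


if __name__ == "__main__":
    # A more thorough search (higher detect_p) that still finds nothing buys
    # more assurance; detect_p -> 1 is the "proof of correctness" limit.
    for p in (0.3, 0.5, 0.9):
        r = compare(detect_p=p)
        print(f"review catches {p:.0%} of bugs: "
              f"E[remaining | found none] = {r['remaining_after_finding_none']:.2f}, "
              f"E[remaining | fixed five] = {r['remaining_after_fixing_five']:.2f}, "
              f"P(no bugs | found none) = {r['p_zero_bugs_after_finding_none']:.2f}")
```

With a flat prior and a reviewer who catches half of the bugs, finding and fixing five leaves an expectation of several more still in the code, whereas finding none leaves an expectation of roughly one; raising the detection rate shrinks the latter further, which is the sense in which a thorough review (or a proof, as the mail frames it) yields assurance while a pile of fixed bugs does not. `survival_after_reviews` is the per-bug survival rate behind Zooko's observation that a bug found by a later reviewer is likely still in production.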