Major software packages such as operating systems could
be secured through code auditing and formal verification - but it
may take as long as 50 years before this is possible, Joanna
Rutkowska, chief executive ofInvisible Things
Lab, told Gartner's London IT Security Summit
on 17 September.
Rutkowska, a Polish researcher who founded the Warsaw-based
security consultancy earlier this year, said that such techniques
are already workable for small pieces of software, but the likes of
web browsers and e-mail clients are too large, and it may take 10
to 50 years for this to change.
In a keynote speech, she told the audience that many security
problems are due to technology, rather than the "stupid users" who
usually get the blame.
"Fixing the problem of stupid users does not solve everything. I
want technology that will allow me, as a savvy user, to feel
secure," and this is not available.
Rutkowska said that
Microsoft's Vista is
"significantly better" quality than previous versions of the
Windows operating system, but that even its use of new security
techniques has not protected it fully. She gave the example of the
ANI bug, which uses animated cursors. This evaded Microsoft's
"fuzz" attempts to find errors in this process by sending random
input, as the process had not been tuned to find such an error.
It also by-passed "stack protection", which aims to protect core
processes, as it was not in use for the function for performance
reasons, and a memory randomisation technique, aimed at confusing
hackers, which turned out to be easy to predict.
She said that protection can turn out to be useless against a
changed threat: the Internet Explorer browser in Vista aims to stop
outsiders changing user data, but does not stop them reading it, so
it fails to tackle data theft.
Rutkowska said that she believes prevention functionality will
have to be built with the co-operation of operating system
providers: "I do not believe prevention could be provided
effectively by third parties," she told the conference, adding that
such external suppliers "are using tricks and hacks" to provide
products.
These articles first appeared on the website of
Infosecurity magazine.