Secure software may take 50 years, says Rutkowska

Major software packages such as operating systems could be secured through code auditing and formal verification - but it may take as long as 50 years before this is possible, Joanna Rutkowska, chief executive of Invisible Things Lab, told Gartner's London IT Security Summit on 17 September.

Rutkowska, a Polish researcher who founded the Warsaw-based security consultancy earlier this year, said that such techniques are already workable for small pieces of software, but the likes of web browsers and e-mail clients are too large, and it may take 10 to 50 years for this to change.

In a keynote speech, she told the audience that many security problems are due to technology, rather than the "stupid users" who usually get the blame.

"Fixing the problem of stupid users does not solve everything. I want technology that will allow me, as a savvy user, to feel secure," she said, adding that this is not available.

Rutkowska said that Microsoft's Vista is of "significantly better" quality than previous versions of the Windows operating system, but that even its use of new security techniques has not protected it fully. She gave the example of the ANI bug, which uses animated cursors. The bug evaded Microsoft's "fuzz" testing, which tries to find errors by sending random input, because the fuzzing had not been tuned to find such an error.

The bug also bypassed "stack protection", which aims to protect core processes but was not in use for the affected function for performance reasons, and a memory randomisation technique, aimed at confusing hackers, which turned out to be easy to predict.

She said that protection can turn out to be useless against a changed threat: the Internet Explorer browser in Vista aims to stop outsiders changing user data, but does not stop them reading it, so it fails to tackle data theft.

Rutkowska said that she believes prevention functionality will have to be built with the co-operation of operating system providers: "I do not believe prevention could be provided effectively by third parties," she told the conference, adding that such external suppliers "are using tricks and hacks" to provide products.
