> Security requires *assurance* -- the ability to clearly and
> concisely state the risks the program creates and how they are
> addressed. Wherever possible, a program's security should come from
> its *design* rather than its implementation.
This makes absolute sense, but I don't see how we-without-source can
live in such a world. Even if I do have source, a "user" can't verify
every program--even assuming the programs could be verified by their
authors. :-) For example, you state:
> b) a chrooted process cannot un-chroot itself[...]
How can I know this? My firewall kernel is 704K code and 117K "data".
Theoretically, I eliminated lots of junk--my config file is 32 lines.
This is a major piece of code to trust. Considering how it was
written and is maintained, I am a fool to trust it.
> Software that is critical to the security of the system should not
> contain comments. If it needs to be commented, it's too complicated
> to be secure. :)
I don't see how one can verify anything without a commentary to the
proof. If the proof is kept secret, we come back to "who judges the
judges?" The proofs should be made public for all to inspect. In
other words, I'd rather use RSA for encryption than anything developed
by the NSA, e.g. DSS.
This may all seem like a lot of whining. It is. "You are in a maze
of twisty passages all which look alike." However, I must have a way
of assessing my company's security risk. Should I spend a man-month
or a man-year to secure our Internet connection?
Has anybody performed a risk analysis for their firewall project? I
know about Berferd, but we aren't AT&T, so I assume our risks are much
lower. I'd like to know two things: How likely is an attack for a
typical small company? and How much does feature X reduce the
probability of a break-in? (Sounds like a great niche for an
insurance company: "Cracker Claims, may I help you?" Maybe I should
call Lloyd's.) Given that there are no physical phenomena involved,
it seems like the assessment should be easier than, say, assessing the
likelihood of being killed by a meteor (1:30K, btw).