Presenting at Royal Holloway Colloquium

All,

I have been invited to give a TED style talk (20 mins) at the Royal Holloway Hewlett Packard Information Security Colloquium: https://www.royalholloway.ac.uk/isg/externalengagement/hpday.aspx.

Now I could give an uncontroversial talk about Internet banking security using triple DES, role based access control, etc. but I am thinking about being controversial (I think that is in the spirit of TED). I’d like to say that the Information Security community is solving the wrong problems by e.g. performing security audits of code, developing tools for finding buffer overflows, etc. and what they should really be doing is encouraging development in languages that prevent this sort of behaviour. E.g. if openssl were written in Haskell, heartbleed (http://en.wikipedia.org/wiki/Heartbleed) would never have happened.

What do people think about this? Are there other examples I can draw on?

Dominic Steinitz
dominic@steinitz.org
http://idontgetoutmuch.wordpress.com

On 12/11/14 13:41, Dominic Steinitz wrote:
E.g. if openssl were written in Haskell ... timing attacks would be trivial.
You could argue to use things like Cryptol where it makes sense to use them. But remember that Haskell is not a silver bullet for security.
--
Alexander
alexander@plaimi.net
https://secure.plaimi.net/~alexander

On Thu, 13 Nov 2014 11:11:51 +0100
Alexander Berntsen
On 12/11/14 13:41, Dominic Steinitz wrote:
E.g. if openssl were written in Haskell ... timing attacks would be trivial.
In fact, I bet the majority of cryptographic code written in Haskell
is susceptible to sidechannel attacks.
--
Luis Ressel

Alexander Berntsen
On 12/11/14 13:41, Dominic Steinitz wrote:
E.g. if openssl were written in Haskell ... timing attacks would be trivial.
You could argue to use things like Cryptol where it makes sense to use them. But remember that Haskell is not a silver bullet for security.
I think it would be straightforward to circumvent timing attacks. Clearly there are other attack modes as well and it would be interesting to see how easily these could be addressed in Haskell. Interestingly I just found this: http://www.mitls.org/wsgi/home which uses F#. I hope I didn't claim that Haskell was a silver bullet for security. At the very least, it certainly couldn't address bugs in protocols although it might help in finding them.

On 14/11/14 13:28, Dominic Steinitz wrote:
I think it would be straightforward to circumvent timing attacks. [Citation needed]
It would be straightforward to prevent the OpenSSL bugs as well, for some value of "straightforward". For cryptography, I think the most interesting approach would be to use Haskell where possible, and a non-GC RTS where necessary. Note that code for the non-GC RTS could conceivably be written in a Haskell DSL.
--
Alexander
alexander@plaimi.net
https://secure.plaimi.net/~alexander