Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cats And Dogs Living Together: Langsec Is Also About Usability


Published on

One premise underlies every argument about usability and security that has ever raged: "Secure software is doomed to be unusable, and usable software is doomed to be insecure." This talk will examine the faulty assumptions behind that belief, using the dual lenses of linguistics and formal language theory. We'll explore what makes software -- particularly software that developers use, e.g., APIs -- easy or difficult to use, how mismatches between what developers expect and what users expect lead to vulnerabilities, and how architects and developers can design and code for improved security and improved usability at the same time.

Published in: Software
  • Be the first to comment

Cats And Dogs Living Together: Langsec Is Also About Usability

  1. 1. Cats and Dogs Living Together: Langsec Is Also About Usability Meredith L. Patterson SEC-T 2014 Stardate 68179.7
  2. 2. Forward Observer’s Log, Science Vessel Beagle “The worse your logic, the more interesting the consequences to which it gives rise.” -- Bertrand Russell
  3. 3. What is usability for devs? • IDEs? • Code completion? • Developers’ main tools are libraries • Nobody’s really studied what makes APIs “good” or “bad” to use
  4. 4. “Sooner or later you’re going to have to stop throwing new functions into that menu and clean it up.” -- Jonathan Korman
  5. 5. The Prime Directive “Whenever mankind interferes with a less developed civilisation, no matter how well intentioned that interference may be, the results are invariably disastrous.” -- Jean-Luc Picard This is why we can’t get rid of PHP.
  6. 6. Image © “Melonpool” from the TrekBBS forum
  7. 7. The Second Directive Computation must be composable to be reliable.
  8. 8. cf. Alter and Oppenheimer, “Uniting the Tribes of Fluency to Form a Metacognitive Nation,” 2009
  9. 9. Chunking we’ll never remember this, will we nope cf. George A. Miller, “The Magical Number Seven, Plus or Minus Two,” 1956
  10. 10. Semantics-First Design • Every problem has a domain • Every problem also has a range – What are the effects of success? – What are the effects of failure? • Model how domain values map to range values • Then invent domain-meaningful syntax to describe the mappings cf. Erwig and Walkingshaw, “Semantics First! Rethinking the Language Design Process,” 2011
  11. 11. cf. Georgiev et al, “The Most Dangerous Code in the World”, 2012
  12. 12. When a yes-or-no question isn’t • CURLOPT_SSL_VERIFYHOST – Sounds like a boolean, right? – Nope! 2 = verify, 1 = “a CN exists”, and TRUE = 1 – “Future versions will stop returning an error for 1 and just treat 1 and 2 the same” – 11 releases later, it’s still there • But now I know it’s a valid cert, right? – Only if CURLOPT_SSL_VERIFYPEER=TRUE too
  13. 13. That something has two sides…
  14. 14. Fine, I’ll use plain OpenSSL • Great. Did you set SSL_VERIFY_PEER? – And did you set a verify_callback with it? • Either way, did you call SSL_get_verify_result()? • Gotta validate that host yourself, too • GnuTLS is no better – Returns negative values for some errors – But 0 for others, like self-signed certs!
  15. 15. Takeaway you’re not helping
  16. 16. It Gets Better • Some libraries have been around long enough to watch their interfaces evolve • C++ STL got a lot better in C++11 – They had to add move semantics to do it, but threading is awesome now – Confusing auto_ptr gone; shared_ptr and unique_ptr do what they say on the tin • But let’s talk about a security library.
  17. 17. You call this making it easy? gpgme_ctx_t ctx; gpgme_error_t err; gpgme_data_t cipher, plain; gpgme_engine_info_t engine; [~20 lines of boilerplate] err = gpgme_op_decrypt(ctx, cipher, plain); if (err == GPG_ERR_NO_ERROR) { [at least 8 more lines of boilerplate, just to see what you decrypted] } ... Python has to be better, right?
  18. 18. …maybe? • ISConf wraps the gpg binary • Very opinionated about: – How keyrings are named – Which options various operations use • Leaves out a lot of functionality – Want a detached signature? Too bad “WHO PUTS UNITTESTS IN A TRY/EXCEPT BLOCK WHICH CATCHES ALL EXCEPTIONS?!”
  19. 19. 2013: finally something usable • All the command-line functionality! • Public interface, no need to touch the rest • Sanitizes untrusted inputs! • kwargs for all the things! • All in all, much more pythonic • THANK YOU ISIS, WE LOVE YOU
  20. 20. “I believe that usability is a security concern; systems that do not pay attention to the human interaction factors involved risk failing to provide security by failing to attract users.” -- Len Sassaman
  21. 21. Credits • @skry • Jonathan Korman • The education panel at SLE2014, especially: – Massimo Tisi – Eric Walkingshaw and Martin Erwig • The GIMP and G’MIC • Paramount Pictures (and everyone at TrekCore) • My sisters the elementary school teachers