comp.lang.ada
* Ada and cybersecurity
@ 2003-09-11  7:38 tmoran
  2003-09-14 18:23 ` Robert C. Leif
  0 siblings, 1 reply; 4+ messages in thread
From: tmoran @ 2003-09-11  7:38 UTC (permalink / raw)


CSPAN-2 had today's hearings of the House Technology(etc) committee, of
which I just saw a part.  Did anyone tell them software doesn't have
to be holey and proven technologies like Ada, for instance, can help?




* RE: Ada and cybersecurity
  2003-09-11  7:38 Ada and cybersecurity tmoran
@ 2003-09-14 18:23 ` Robert C. Leif
  2003-09-14 23:04   ` tmoran
  0 siblings, 1 reply; 4+ messages in thread
From: Robert C. Leif @ 2003-09-14 18:23 UTC (permalink / raw)
  To: tmoran, comp.lang.ada

To: Tom Moran et al.
This is what I was getting at when I asked about the use of Ada to protect
against worms etc. I suspect that the place to start is to ask DoD or NSF
for SBIR grants to build both XForms and to use the distributed computing
annex-E to create the communications parts of XML Protocol
http://www.w3.org/TR/2003/NOTE-xmlp-reqs-20030728/
Bob Leif 
Robert C. Leif, Ph.D.
Email rleif@rleif.com
-------------------------------------------------------------
4.7 Convention for RPC
Charter: "A convention for the content of the envelope when used for RPC
(Remote Procedure Call) applications. The protocol aspects of this should be
coordinated closely with the IETF and make an effort to leverage any work
they are doing" 

R200 
XMLP (XML Protocol) must contain a convention for representing calls and
replies between RPC (Remote Procedure Call) applications and services. The
conventions must include the following:

Complete and unique identification, by means of URI syntax [5], of the
program, service or object and procedure or method to be called.

Enable support for matching response messages to request messages for cases
in which matching is not provided by the underlying protocol binding.

The ability to specify the parameters to a call in a request message and the
results of a call in a reply message.

Provisions for specifying errors in a reply message (see also [R703a
Requirement for Encapsulation of Error Information] and [R703b Requirement
for Encapsulation of Status])

Where possible, an attempt will be made to leverage any related work done by
the IETF.

R201 
The RPC conventions within XMLP should use the Data Representation model
discussed in 4.5 Data Representation to represent parameters to a call in
the request message and results of the call in the reply message. It must be
convenient to create straightforward mappings of the data types to a wide
variety of widely deployed programming languages and object systems.

R202 
XMLP should allow applications to include custom encodings for data types
used for parameters and results in RPC messages.


-----Original Message-----
From: tmoran@acm.org [mailto:tmoran@acm.org] 
Sent: Thursday, September 11, 2003 12:39 AM
To: comp.lang.ada@ada.eu.org
Subject: Ada and cybersecurity

CSPAN-2 had today's hearings of the House Technology(etc) committee, of
which I just saw a part.  Did anyone tell them software doesn't have
to be holey and proven technologies like Ada, for instance, can help?





* RE: Ada and cybersecurity
  2003-09-14 18:23 ` Robert C. Leif
@ 2003-09-14 23:04   ` tmoran
  2003-09-17 17:02     ` Warren W. Gay VE3WWG
  0 siblings, 1 reply; 4+ messages in thread
From: tmoran @ 2003-09-14 23:04 UTC (permalink / raw)


> >CSPAN-2 had today's hearings of the House Technology(etc) committee, ...
> This is what I was getting at when I asked about the use of Ada to protect
> against worms etc. I suspect that the place to start is to ask DoD or NSF
  When Congressman Putnam asked witnesses "what should the government do",
someone suggested a government lab to test and issue "secure"
certificates, another suggested more education of young people so they
won't be hackers, etc.  I doubt a government lab could find obscure holes
much faster than they are found now, and I'm quite sure the small
fraction of a percent of "young crackers" can't be reduced to zero by any
reasonable education campaign.  One thing I didn't hear (but then I didn't
listen to the entire hearings) was any comment about better software
development tools, such as cutting down on buffer overflows (etc.) with
Ada.  So perhaps we can expect a continuing low level of security, ever
more expensive worms, plus the government spending more of our children's
money ineffectively.  Congress is unlikely to come up with good ideas
if nobody suggests any to them.




* Re: Ada and cybersecurity
  2003-09-14 23:04   ` tmoran
@ 2003-09-17 17:02     ` Warren W. Gay VE3WWG
  0 siblings, 0 replies; 4+ messages in thread
From: Warren W. Gay VE3WWG @ 2003-09-17 17:02 UTC (permalink / raw)


tmoran@acm.org wrote:

>>>CSPAN-2 had today's hearings of the House Technology(etc) committee, ...
>>
>>This is what I was getting at when I asked about the use of Ada to protect
>>against worms etc. I suspect that the place to start is to ask DoD or NSF
> 
>   When Congressman Putnam asked witnesses "what should the government do",
> someone suggested a government lab to test and issue "secure"
> certificates, another suggested more education of young people so they
> won't be hackers, etc.  I doubt a government lab could find obscure holes
> much faster than they are found now, and I'm quite sure the small
> fraction of a percent of "young crackers" can't be reduced to zero by any
> reasonable education campaign.  One thing I didn't hear (but then I didn't
> listen to the entire hearings) was any comment about better software
> development tools, such as cutting down on buffer overflows (etc.) with
> Ada.  So perhaps we can expect a continuing low level of security, ever
> more expensive worms, plus the government spending more of our children's
> money ineffectively.  Congress is unlikely to come up with good ideas
> if nobody suggests any to them.

Another option is often overlooked: get the hardware vendors (Intel)
to include a better return instruction, so that code does not
execute off of the stack (the return address must point to text, in
read-only, executable (if the cpu supports it) address - else generate
a fault). This too can be exploited I think, but it does make things
much more difficult. There are perhaps other ways to perhaps eliminate
this entirely, if the right hardware was in place.

-- 
Warren W. Gay VE3WWG
http://home.cogeco.ca/~ve3wwg
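
The return-target rule described in the message above (a return may land only in a read-only, executable mapping, otherwise fault), modeled in software as an added example that is not part of the original post. The memory map is constructed sample data in Linux /proc/<pid>/maps format, and the function and enum names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from a real process).
 * The stack is deliberately marked executable to show that the writable
 * bit alone is enough to reject a return target. */
static const char *SAMPLE_MAPS =
    "00400000-0040b000 r-xp 00000000 08:01 131 /bin/demo\n"
    "0060a000-0060c000 rw-p 0000a000 08:01 131 /bin/demo\n"
    "0060c000-0060d000 r--p 0000c000 08:01 131 /bin/demo\n"
    "7ffc1000-7ffe2000 rwxp 00000000 00:00 0 [stack]\n";

enum ret_verdict { RET_OK, RET_FAULT_WRITABLE, RET_FAULT_NOEXEC, RET_FAULT_UNMAPPED };

/* Hypothetical model of a "checked return": find the mapping that holds
 * the target address and allow the return only if that mapping is
 * executable and not writable. The check constrains where a return may
 * land, nothing more. */
enum ret_verdict check_return_target(const char *maps, unsigned long target)
{
    const char *line = maps;
    while (line && *line) {
        unsigned long start, end;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            target >= start && target < end) {
            if (perms[1] == 'w') return RET_FAULT_WRITABLE; /* stack, heap, data */
            if (perms[2] != 'x') return RET_FAULT_NOEXEC;   /* read-only data */
            return RET_OK;                                  /* read-only text */
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return RET_FAULT_UNMAPPED;
}

int main(void)
{
    static const char *names[] = { "ok", "fault: writable", "fault: not executable",
                                   "fault: unmapped" };
    unsigned long targets[] = { 0x00401234UL, 0x7ffd0000UL, 0x0060c800UL, 0x10UL };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%#lx -> %s\n", targets[i],
               names[check_return_target(SAMPLE_MAPS, targets[i])]);
    return 0;
}
```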




