We often hear that security is "hard to implement." Why is that? A
better way to phrase it is that it is very hard to find the right
balance between usability and security in a system. It is very easy to
create a system that is secure but unusable: one that is not connected
to any outside network, for instance, or one that is powered off.
So, why is security so hard to combine with usability? The short
answer is: because of the amount of source code that goes into a
typical system. Today's systems are not just big, they're huge,
registering at millions of lines of code. All other reasons are just
corollaries of that one basic fact. That leads us to the first rule:
Rule 1: Security is hard because systems are huge
A system is implemented through source code. Every line of code in a
source base tells the system to execute a set of instructions. In
other words, every line of code could potentially do something that
compromises the security and reliability of the system. In order to
implement security, someone or something needs to check every line of
source code.
But that is not where it ends. Each source line depends on and
interacts with the lines around it. A system is not simply a raw
collection of source lines; it is more accurately described as a
tightly woven fabric whose threads are source lines. So not
only do we need to check every source line, but also the interactions
each source line has with everything else.
According to Wikipedia, the Microsoft Windows source base consists of
about 50,000,000 lines of source code. That sounds like a huge number,
but what does it actually mean? Consider a huge novel; "War and Peace"
comes to mind. Leo Tolstoy's masterpiece depicting 19th century Russia
is a mere 1,500 pages, which is about 100,000 lines of text, or my new
unit: one WAP ("War And Peace").
That makes Windows source base about 500 WAPs. Imagine reading and
intimately understanding five hundred books that rival "War and Peace"
in size and complexity. No offense to Tolstoy, but that sounds like a
literature-class nightmare.
A smaller application, like the Apache web server, comes in at
about 1.5 WAPs. Among popular operating systems, the Debian Linux
distribution takes the top prize at about 2,000 WAPs (a figure that
covers every package Debian ships, not just the kernel).
Rule 2: Security is hard because complexity grows exponentially relative to source code, due to interdependencies.
The effort needed to understand the code does not scale proportionally
with the amount of code. The solution is not simply to throw more
programmers at understanding and checking the code, because the
complexity grows far faster than the line count: the number of
pairwise interactions alone grows with the square of the number of
lines, and longer chains of dependencies grow faster still.
At some point the complexity reaches a limit beyond which a certain level
of security is no longer attainable, and it looks like Windows and Linux
developers passed that point several hundred WAPs ago. It's no
wonder that my Windows machine downloads new critical security updates
every few days. It is impossible to find all of the vulnerabilities.
Rule 3: Security is hard because source code generally never gets removed
How did we ever get ourselves into this mess? The biggest problem is
that most of the systems are evolved versions of things that have been
developed for decades. And when people add new things, they rarely
remove the old functionality.
Why? Because no one wants to risk removing something that other
things might depend on. And that leads to a vicious cycle: the more
code you add, the less likely you are to understand the
complexity of the system, and the less likely you are to want to remove
something old, but you still have to add more code, and so on. You get
the idea.
When I was in college, my professors told us to cherish our class
projects, because that would be the only time we would write a new
program from scratch. They were right.