18 September 2007

Secure software may take 50 years, says Rutkowska

SA Mathieson

Major software packages such as operating systems could be secured through code auditing and formal verification – but it may take as long as 50 years before this is possible, Joanna Rutkowska, chief executive of Invisible Things Lab, told Gartner’s London IT Security Summit on 17 September.

Rutkowska, a Polish researcher who founded the Warsaw-based security consultancy earlier this year, said that such techniques are already workable for short pieces of software, but the likes of web browsers and email clients are too large, and it may take from 10 to 50 years for this to change.

In a keynote speech, she told the audience that many security problems are due to technology, rather than the “stupid users” who usually get the blame.

“Fixing the problem of stupid users doesn’t solve everything,” she said, adding: “I want technology that will allow me, as a savvy user, to feel secure,” and this is not available.

Rutkowska said that Microsoft’s Vista is of “significantly better” quality than previous versions of the Windows operating system, but that even its use of new security techniques has not protected it fully. She gave the example of the ANI bug, which involves animated cursors. This evaded Microsoft’s ‘fuzz’ testing, which tries to find errors in a process by feeding it random input, because the fuzzing had not been tuned to find such an error.

It also bypassed ‘stack protection’, which aims to protect core processes, because the protection was not enabled for the affected function for performance reasons, and a memory randomisation technique, intended to confuse hackers, turned out to be easy to predict.

She added that protection can turn out to be useless against a changed threat: the Internet Explorer browser in Vista aims to stop outsiders from changing user data, but does not stop them from reading it, so it fails to tackle data theft.

Rutkowska said that she believes prevention functionality will have to be built with the co-operation of operating system providers: “I don’t believe prevention could be provided effectively by third parties,” she told the conference, adding that such external vendors “are using tricks and hacks” to provide products.
