The long road to reliable software

By: William Jackson
December 21, 2016


Despite advances in defining, cataloging and understanding software vulnerabilities, developers continue to produce buggy software.

To address the need for better software, scientists at the National Institute of Standards and Technology have proposed a technical approach for developing programs with a 100-fold improvement in reliability. Citing estimates that typical software has 25 errors per 1,000 lines of code, two-thirds of them from simple programming mistakes, they hope their recommendations can reduce this to 25 errors per 100,000 lines of code over the next three to seven years.

The recommendations are included in a new NIST interagency report, aptly titled Dramatically Reducing Software Vulnerabilities. The goal is to stop vulnerabilities before they occur, find them before they are exploited and reduce their impact when they are.

The need for improving the quality of software is self-evident, and I am not going to bother listing any of the constant drumbeat of breaches we wake up to each morning. The NIST recommendations, if adopted and if they work, could be a great step forward in improving the security and reliability of the global software infrastructure on which we depend. But getting developers on the same page will be a major undertaking and it probably would be decades before millions upon millions of buggy lines of legacy code are retired.

What is a vulnerability?

The report is a response to the White House’s Federal Cybersecurity Research and Development Strategic Plan released in February. It addresses one of the plan’s mid-term goals, to “reverse adversaries’ asymmetrical advantages” by improving the quality of software. In other words, produce software that is not so easy to attack and so hard to secure.

The report’s authors appropriately begin by defining what it is they are targeting. They define a vulnerability as “one or more weaknesses that can be accidentally triggered or intentionally exploited and result in a violation of desired system properties.” These weaknesses do not include user errors in configuration or misuse.

Focusing on technical solutions in software development, the report does not address what the authors call some excellent ideas that are outside its scope. These include improved funding and education, more research, public demands for better software, and liability and standards for developers and vendors.

How to do it

Reliable software is doable, if expense is not an object, the authors say. “Systems with near-zero errors are produced routinely today in the aerospace industry, but at several times the cost of ordinary software.” The challenge is to make reliable software cost effectively.

NIST identifies five technical approaches to creating more reliable software:

• Formal Methods. These include mathematical and logic-based analysis to prove the properties of programs. Despite the complexity and size of modern programs, advances in computing make this type of analysis practical today.
• System Level Security. Advances in hardware such as low cost multicore and system-on-a-chip processors, and software architectural patterns offer opportunities to build security and tolerance into the next generation of systems. This makes possible security-enforcing and intrusion tolerant systems that could reduce the harm caused by vulnerabilities.
• Additive Software Analysis Techniques. A comprehensive approach for enabling the use of multiple advanced software checking tools that can communicate with each other. The goal is the continuing accumulation of usable analysis modules that over time improve the state of software analysis.
• More Mature Domain-Specific Software Development Frameworks. The goal of this approach is the use and reuse of well-tested, well-analyzed code. The idea of reusable software components organized into component libraries dates to 1968. Hardly anything is created from scratch; the vulnerability of new software depends on the selection of existing components and on their interaction with the new code.
• Moving Target Defense (MTD) and Automatic Software Diversity. A long title that means automatically varying software structures and properties to make it harder for attackers to exploit any weakness.
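To make the first of these approaches concrete, here is a small Lean 4 example. It is an added illustration, not code from the NIST report or from this article, and the function names are mine. It shows the two things formal methods buy you that testing does not: the compiler rejects an array access unless a proof that the index is in bounds is in scope, and a property of a function is proved for every possible input rather than checked on a handful of them.

```lean
-- Checked access: the dependent `if h : ...` puts `h : i < xs.size` in scope,
-- and `xs[i]'h` hands that proof to the indexing operation. Lean will not
-- accept the access without it.
def safeGet (xs : Array Nat) (i : Nat) : Nat :=
  if h : i < xs.size then xs[i]'h else 0

-- The unchecked version does not compile: there is no proof of `i < xs.size`.
-- def unsafeGet (xs : Array Nat) (i : Nat) : Nat := xs[i]

-- Clamp an index into the range [0, n). Instead of fuzzing this with sample
-- values, we state the bounds property and prove it for all `i` and all
-- non-empty sizes `n`.
def clamp (i n : Nat) : Nat := if i < n then i else n - 1

theorem clamp_lt (i n : Nat) (hn : 0 < n) : clamp i n < n := by
  unfold clamp
  split
  · assumption        -- branch i < n: the index is already in range
  · omega             -- branch ¬ i < n: n - 1 < n because 0 < n
```

The contrast with the "25 errors per 1,000 lines" baseline is the point: an out-of-bounds index in `safeGet` is not a bug that a test might miss, it is a program the compiler refuses to build, and `clamp_lt` rules out the off-by-one for every input at once.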