Author: devway (from xfocus bbs)
Network security as a realistic existence, there is three phases of production, development, death. Of course, this is the beginning of this philosophy from everything. We see the code in the low level of technology, we see the weakness of human nature from philosophy.
From the most basic principle, security is caused by the physical level of the computer and the inconsistency of the person's spiritual level. The gap between the two can make up for a good man-machine interface, but human beings may never reach the realm of fully communicating with the machine. If the flesh is also considered part of the physical world, we can't fully understand and control your body, not to mention the computers of the birth of a century. Therefore, the gap between the spiritual world and the physical world is the birthplace of all security issues. Today's and future security issues, is not from this source, mixed various environmental changes.
A software, specific to a program, is also born and end. Its makers and users will not be the same person. If the author and the user are not the same person, then they have different understandings of the procedure, which is a gap. There is a security issue in places where gaps. From this we can recall the story of "Tongtian Tower". The spiritual world between people, and even personal and individuals, there is a separation, mutual understanding, even exclusive, or even hostile. The spirit of spiritual world cannot be harmonious, causing us to actually need a multi-growing social regulatory to ensure that so many spiritual worlds can get along with peace. In a sense, the purpose of our survival is to get along with peace, and everything else is a table.
For the relative spiritual world, the program is slightly better because it can be precisely replicated. It can even be run on the computer of the same hardware. But this is just a look. There is no exactly the same two leaves in the world, and there is no two identical computers. Is the same manufacturer, the same batch, the computer produced at the same time? No. Their clock settings will never differ. Exactly replicated programs, on two computers, because of the differences in hardware, thereby affecting the operation results of the program. Will this difference meaning? At the very least, we hope that the performance of the program is everywhere, what is a luxurious wish.
People come from history to now, after thousands of years, they are only safe. Yes, slightly. Think about the World Wars for the last century, and there is still a big tsunami last year. Of course, human beings are now drinking from Ru Mao, at least from individual feelings, it is safer, but the ultimate goal of human beings is far from being achieved. In contrast, the race of the computer (this name is simple), which has been developed for 60 years. It is an armor. And the rise of the network, there is a shorter development, decades. More than a major role in the online world is often just more than ten years ago, even a few years ago.
Whenever the history is major change, it is most painful or humans. Because the old gap has not been filled, new and larger gaps have already appeared. A group of radical molecules were taken before, and the runners following them were less and less. Human is like a stream, flowing too long, the momentum begins to weaken, and the flow has also begun to decrease. If a terrible situation occurs, for example, the radical molecule began to illustrate the target in the desert, and the end of human thorns is not far away. (I hope that we will bring you new oasis for yourself, there is ganquan and jungle.)
Therefore, all safety issues begins to be separated (GAP). For example, if you design a compiler and CPU from now, is there any buffer overflow? It reflects the history of history. People can't surpass his era, and the changes in the times produce new partners that people can't expect. The same era, there are people between people and people. Programmer A program calls programmer B's program, what is considered to be as exactly the same. Here is a potential security issue. Programmer's program and user program may be bigger: we have heard too much such story. I can't continue to talk about such a void. The reader points out the valuable time to go online, always want to get a very valuable thing. So, on the guidance of computer security, can I get some suggestions?
1. We now have some network elves trying to let people ignore the most fundamental security issues. The firewall is the biggest culprit because it tries to cover up its own serious security issues. The huge medical industry will never replace the value of a healthy lifestyle. Fundamentally, the ultimate goal of network security is no need for any firewall. If the best health is not sick, it is not necessary to see a doctor, and take medicine. We hope that the future computer system can be strong enough, so people don't have a firewall to reach safe operation.
2. The loophole of the code is much more than what we have seen. There is a lot of vulnerabilities every day, just like we have found that there is ice on the sea, more vulnerabilities have not been found. The hardware and software is too fast, so that more and more GAP. People who write code are unlikely to write overallspaces (can run on any hardware of any era). A lot of code left by the former people, the future generations are unlikely to rewrite, because they are writing new code, so the solution can only be running, and the problem will be corrected.
3. Open source movement is trying to make human beings return to the times before the "Building Tongtiang Tower". The advantage of opening sources is that we can eliminate developers and developers, developers and users between developers and users from a single source level, because everyone can see the same thing. From this point, open source is much more than no sources.
4, if the intelligence level is not enough, the open source and the no-open source are not different. Open Source tried to use a single language (source) to eliminate three segregation, but it is necessary to remember that all these people must use the same way to understand the code, and the isolation between them can minimize. If you don't understand any side, or understand the source code, the goodness of the open source is white, and the gap is not narrowed, and it is estimated that it is more.
5, the more complex the system, the more components, the more GAP. This is obvious: a complex irrigation system will leak a lot than a cup. The vulnerability discovery can track the flow of data in a complex system and discover new vulnerabilities. Of course, there is a large GAP between people who design complex systems and any people trying to understand complex systems.
6. We are getting farther in the era of tools. Take a slight addition to analyze that we can find that in so many people have not had a big progress, and the wild, smart people are always so phoenix. We can control more and more complicated things, our tools are getting more complicated. We only have a smart wisdom to enhance the generation of a generation of intelligence to concentrate in another tool, so that the later people can walk a little with the help of the tool. Therefore, as a vulnerability analyst, everyone's wisdom level is similar, and who is more advanced, huh, huh.
7. The next-generation security tool will be something of DTRACE. DTRACE is a new tool introduced by Sun in Solaris 10, which can dynamically track the run of a program. Debug is the master of the old world, and Trace is the king of the new world. The future security analysts will have such a tool that can be taught out of a program, or a data, and the boundary between the platform, and what happened on the boundary line. 8, in the future, safety control will be meticulous to each inch line (mentioned inspiring on the 7th). Thorough runtime control will be the core function of the next generation of safety products. Runtime control not only controls the flow of data in a computer system, but also controls human-computer interaction. The system of the entire person and machine will be handled, and the security issue will extend to every place of people's lives.
9. In the future, anyone engaged in safety research must be based on the GAP theory summarized by this article. Since then, the safety industry will reshufford, code security will be considered from the elimination of GAP and control GAP. The essence of safe is to control the hazard control caused by GAP within an acceptable range.
10. This article will inspire everyone's enthusiasm for theoretical research. This is a good thing. From practice to the theory, then guide more practices, this is the basic law of the development of things, hahaha. .
