Business Daily from THE HINDU group of publications Monday, Jul 03, 2006 |
Books 2 Byte: Achilles' heel of almost all modern systems is software
D. Murali
Software security is in for a reality check, declares the preface.

Why is it so difficult to produce secure software? "The answer is simple. Complexity," says Aviel D. Rubin in his foreword to Exploiting Software: How to Break Code, by Greg Hoglund and Gary McGraw, from Pearson Education (www.pearsoned.co.in). "For every task, there are seemingly infinite choices of algorithms, parameters, and data structures to use. For every block of code, there are choices on how to name variables, how to comment, and even how to lay out the code in relation to the white spaces around it," he points out. As a result, it is a challenging task to avoid security vulnerabilities even in programs that run to hundreds of lines of code. "For programs with millions of lines of code, such as modern operating systems, it is impossible."

An example is Microsoft Word, which ran to 2 million lines of code in 1995. Would you believe that in 1983, Word had only 27,000 lines of code (LOC)? Windows XP is another example; it has 40 million LOC, almost the same number as the Space Station, and four times the number of lines controlling the Space Shuttle. "Even a system that has undergone rigorous quality assurance (QA) testing will still contain bugs - around five bugs per KLOC (kilo or thousand lines of code)."

"Simple and popular approaches being hawked by upstart 'application security' vendors as solutions - such as canned black box testing tools - barely scratch the surface," rue the authors. "We need to get real about what we're up against," they urge, before plunging headlong into real-world software exploits, "explaining how and why they work, the attack patterns they are based on, and in some cases, how they were discovered."

The Achilles' heel of almost all modern systems is software, say Hoglund and McGraw.
"Lady Lovelace's claim that software can provide 'any function whatsoever' is true, and that 'any function' includes malicious functions, potentially dangerous functions, and just plain wrong functions." Which is why 'bad software is ubiquitous'.

One of the horror case studies cited in the book is that of the 'automated baggage system' at Denver International Airport. The software was to control 'unmanned carts running along a fixed track', but bugs caused major problems. "The carts would get out of sync, empty carts would be 'unloaded' of nothing, and full carts would be 'loaded' far beyond capacity... These software bugs delayed the opening of the airport for 11 months, costing the airport at least $1 million a day."

The trinity of trouble, according to the authors, comprises extensibility and connectivity in addition to complexity. Extensibility occurs when systems are built around VMs or virtual machines, as in the case of Java and .NET. "An extensible host accepts updates or extensions, sometimes referred to as 'mobile code', so that the system's functionality can be evolved in an incremental fashion," explain the authors. "Today's applications, such as word processors, e-mail clients, spreadsheets, and Web browsers, support extensibility through scripting, controls, components, dynamically loadable libraries, and applets." To the security professional, though, extensibility poses a nightmare, because hackers can use mobile code to propagate viruses, install backdoors, and compromise machines. Eerily, the book speaks of rumours in the underground regarding 'the so-called Fortune 500 List - a list of currently working backdoors to the Fortune 500 company networks'.

The third of the trinity, connectivity, is visible all around us as connections: "from home PCs to systems that control critical infrastructures such as the power grid."
The authors observe that a crucial paradox of networking is that connectivity becomes "a classic mechanism for increasing availability and reliability," even as path diversity "leads to a direct increase in worm survivability." Often, connectivity has economic implications. For instance, SWIFT (Society for Worldwide Interbank Financial Telecommunication), which moves trillions of dollars every day, connects nearly 8,000 international financial companies in 200 countries, and accounts for roughly 80 per cent of global financial transactions.

Connectivity also gives law enforcement convenient leverage. A recent example: a few days ago, Stuart Levey, Treasury under secretary for the Office of Terrorism and Financial Intelligence in the US, conceded that the US Treasury has made queries on "tens of thousands, maybe hundreds of thousands" of SWIFT transactions and has been able to learn the names, addresses and account numbers of those sending money!

If you wonder whether the book on hand is too dangerous, the authors have this to say: "None of the information we discuss here is news to the hacker community. Some of these techniques are as old as the hills. Our real objective is to provide some eye-opening information and up the level of disclosure in software security."

Mandatory read.
Business model innovation
A must read collection of innovative models to follow.
"Do you think that a CEO would be better off working on improving the company's business model, or the efficiency of the way the company operates now?" The answer is the first option, say Donald Mitchell and Carol Coles in The Ultimate Competitive Advantage, from Tata McGraw-Hill (www.tatamcgrawhill.com). The authors define 'business model' as "the who, what, when, where, why, and how much a company uses to provide its goods and services and receive value for its efforts."

The book chronicles scores of business model innovation tales, such as that of Linear Technology, an analog semiconductor maker, which believes in 'having more knowledge than competitors of customer and end-user applications.' The company identified that reducing power usage would make cell-phones and other portable electronic devices more valuable to end users 'by increasing how long the equipment could be operated between battery charges and changes.' Read on: "With Linear Technology chips in place, battery life was greatly extended. Portable electronic product designers could either pack more usefulness into the same size package or offer smaller packages with the same utility. Portable devices became more functional."

Chapter 1, titled 'increase value without raising prices and costs', invites you to imagine that you can totally customise your products, services, and the ways that you market and deliver them to quickly match what any one person wants. "This capability is very important because one secret of achieving competitive advantage is to individualise products more effectively than anyone else." The authors cite the example of how Amazon.com created a listing service for new, collectible and used books offered for sale by its customers. "This service is easy to add to its existing marketing pages, complements its own inventory and access to stock to improve availability, draws more potential customers and reduces customer costs."
Adjust prices to increase sales profitably, advises another chapter, where you come across Gilat Satellite Networks, an Israeli company, which announced a technical innovation in 2000: "You could receive high-speed, broadband Internet service on your personal computer without being connected to the telephone network or a cable television box." This, Gilat could achieve "by fine-tuning its technology for very small aperture satellite dishes." PCs would communicate with the dish, which bounced signals to and from a satellite, which in turn relayed them to 'a ground station connected to the Internet by high-speed transmission lines'. How does that help? The authors explain: "This technology means that people in almost any locale can access the latest computer communications technology. Service companies now provide this breakthrough access for out-of-the-way places around the globe."

A collection of innovative models to follow.

Tailpiece

"After three failed attempts to login with a wrong password..."

"The computer locked you out?"

"Yes, and it showed me a red card too!"