
Cats And Dogs Living Together: Langsec Is Also About Usability


DESCRIPTION

One premise underlies every argument about usability and security that has ever raged: "Secure software is doomed to be unusable, and usable software is doomed to be insecure." This talk will examine the faulty assumptions behind that belief, using the dual lenses of linguistics and formal language theory. We'll explore what makes software -- particularly software that developers use, e.g., APIs -- easy or difficult to use, how mismatches between what developers expect and what users expect lead to vulnerabilities, and how architects and developers can design and code for improved security and improved usability at the same time.


Page 1: Cats And Dogs Living Together: Langsec Is Also About Usability

Cats and Dogs Living Together: Langsec Is Also About Usability

Meredith L. Patterson, SEC-T 2014

Stardate 68179.7

Page 2: Cats And Dogs Living Together: Langsec Is Also About Usability

Forward Observer’s Log, Science Vessel Beagle

“The worse your logic, the more interesting the consequences to which it gives rise.”

-- Bertrand Russell

Page 3: Cats And Dogs Living Together: Langsec Is Also About Usability
Page 4: Cats And Dogs Living Together: Langsec Is Also About Usability
Page 5: Cats And Dogs Living Together: Langsec Is Also About Usability
Page 6: Cats And Dogs Living Together: Langsec Is Also About Usability

What is usability for devs?

• IDEs?
• Code completion?
• Developers’ main tools are libraries
• Nobody’s really studied what makes APIs “good” or “bad” to use

Page 7: Cats And Dogs Living Together: Langsec Is Also About Usability

“Sooner or later you’re going to have to stop throwing new functions into that menu and clean it up.”

-- Jonathan Korman

Page 8: Cats And Dogs Living Together: Langsec Is Also About Usability

Our tools are made of language

Page 9: Cats And Dogs Living Together: Langsec Is Also About Usability

If this is how you do UX research

YOU’RE DOING IT WRONG.

Page 10: Cats And Dogs Living Together: Langsec Is Also About Usability

The Prime Directive

“Whenever mankind interferes with a less developed civilisation, no matter how well intentioned that interference may be, the results are invariably disastrous.”

-- Jean-Luc Picard

This is why we can’t get rid of PHP.

Page 11: Cats And Dogs Living Together: Langsec Is Also About Usability

When You Need It Now

It won’t go very far, but he’ll never get stuck.

Image © “Melonpool” from the TrekBBS forum

Page 12: Cats And Dogs Living Together: Langsec Is Also About Usability

The Second Directive

Computation must be composable to be reliable.

Page 13: Cats And Dogs Living Together: Langsec Is Also About Usability

Processing Fluency

all these f***ing buttons look the same

*snrk*

cf. Alter and Oppenheimer,“Uniting the Tribes of Fluency to Form a Metacognitive Nation,” 2009

Page 14: Cats And Dogs Living Together: Langsec Is Also About Usability

Recognition Vocabulary

If you think there are four lights, but the CPU thinks there are five, you’re the one with the problem.

Page 15: Cats And Dogs Living Together: Langsec Is Also About Usability

Chunking

cf. George A. Miller, “The Magical Number Seven, Plus or Minus Two,” 1956

we’ll never remember this, will we

nope

Page 16: Cats And Dogs Living Together: Langsec Is Also About Usability

Semantics-First Design

• Every problem has a domain
• Every problem also has a range
  – What are the effects of success?
  – What are the effects of failure?
• Model how domain values map to range values
• Then invent domain-meaningful syntax to describe the mappings

cf. Erwig and Walkingshaw, “Semantics First! Rethinking the Language Design Process,” 2011

Page 17: Cats And Dogs Living Together: Langsec Is Also About Usability

I don’t always forge SSL certs

Why bother? No one understands SSL APIs well enough to validate them anyway

cf. Georgiev et al., “The Most Dangerous Code in the World,” 2012

Page 18: Cats And Dogs Living Together: Langsec Is Also About Usability

When a yes-or-no question isn’t

• CURLOPT_SSL_VERIFYHOST
  – Sounds like a boolean, right?
  – Nope! 2 = verify, 1 = “a CN exists”, and TRUE = 1
  – “Future versions will stop returning an error for 1 and just treat 1 and 2 the same”
  – 11 releases later, it’s still there
• But now I know it’s a valid cert, right?
  – Only if CURLOPT_SSL_VERIFYPEER=TRUE too
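The two slides above (semantics first, and the CURLOPT_SSL_VERIFYHOST trap) can be turned into a small defensive check. The following is an added example and not code from the talk: it models the domain as the pair of libcurl option values a program sets and the range as the one thing the caller actually cares about, whether the peer has been authenticated. It scans C source text for curl_easy_setopt calls (a constructed sample is embedded), replays them in order, and reports the half-verified combinations the slides describe. The CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER option names and libcurl's documented defaults (peer verification on, host check 2) are real; the helper names and the rule that treats 1 and TRUE as "not hostname verification" follow the talk, since how libcurl handles 1 has changed across releases.

```python
"""Static check for libcurl TLS verification options (added example, not from the talk)."""
import re
from dataclasses import dataclass
from typing import List

# Matches curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYHOST|CURLOPT_SSL_VERIFYPEER, <value>)
SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*\w+\s*,\s*(CURLOPT_SSL_VERIFY(?:HOST|PEER))\s*,\s*([^)]+?)\s*\)"
)

# C spellings that the slides warn collapse onto the same integer.
ZERO_LIKE = {"0", "0L", "FALSE", "false"}
ONE_LIKE = {"1", "1L", "TRUE", "true"}
TWO_LIKE = {"2", "2L"}


@dataclass
class VerifyState:
    # libcurl's documented defaults: chain verification on, full host-name check.
    verifypeer: bool = True
    verifyhost: int = 2


def parse_verify_options(source: str) -> VerifyState:
    """Replay the setopt calls in source order; the last assignment wins, as in C."""
    state = VerifyState()
    for opt, raw in SETOPT_RE.findall(source):
        val = raw.strip()
        if opt == "CURLOPT_SSL_VERIFYPEER":
            state.verifypeer = val not in ZERO_LIKE
        elif val in ZERO_LIKE:
            state.verifyhost = 0
        elif val in ONE_LIKE:
            state.verifyhost = 1      # "a CN exists" is not a host-name match
        elif val in TWO_LIKE:
            state.verifyhost = 2
        else:
            state.verifyhost = -1     # non-literal expression: cannot decide statically
    return state


def findings(state: VerifyState) -> List[str]:
    """Describe, in range terms, what the chosen domain values actually buy the caller."""
    out = []
    if not state.verifypeer:
        out.append("VERIFYPEER=0: certificate chain is not verified; any certificate is accepted")
    if state.verifyhost == 0:
        out.append("VERIFYHOST=0: certificate is not matched against the host name")
    elif state.verifyhost == 1:
        out.append("VERIFYHOST=1 (or TRUE): only checks that a CN exists, not that it "
                   "matches the host; write 2 explicitly")
    elif state.verifyhost == -1:
        out.append("VERIFYHOST set from a non-literal expression; review by hand")
    return out


def is_authenticated(state: VerifyState) -> bool:
    """The range value that matters: chain verified AND name matched."""
    return state.verifypeer and state.verifyhost == 2


# Constructed sample inputs (not taken from any real project).
LOOKS_SAFE_BUT_ISNT = """
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.invalid/");
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, TRUE);   /* "a boolean, right?" */
"""

HOSTNAME_ONLY = """
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
"""

CORRECT = """
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
"""

if __name__ == "__main__":
    for name, src in [("looks_safe", LOOKS_SAFE_BUT_ISNT),
                      ("hostname_only", HOSTNAME_ONLY),
                      ("correct", CORRECT)]:
        st = parse_verify_options(src)
        verdict = "authenticated" if is_authenticated(st) else "NOT authenticated"
        print(f"{name}: {verdict} {findings(st)}")
```

The point of splitting parse_verify_options from is_authenticated is the slide's own advice: settle the mapping from option values to outcomes first, then let the syntax (here, a report) describe that mapping. A check like this belongs in code review tooling rather than at run time, because the unsafe settings are silent at run time.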

Page 19: Cats And Dogs Living Together: Langsec Is Also About Usability

That something has two sides…

…doesn’t mean it should.

Page 20: Cats And Dogs Living Together: Langsec Is Also About Usability

Fine, I’ll use plain OpenSSL

• Great. Did you set SSL_VERIFY_PEER?
  – And did you set a verify_callback with it?
• Either way, did you call SSL_get_verify_result()?
• Gotta validate that host yourself, too
• GnuTLS is no better
  – Returns negative values for some errors
  – But 0 for others, like self-signed certs!
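For contrast with the OpenSSL and GnuTLS checklists above, here is what a composable TLS verification API looks like: Python's standard ssl module ties "verify the chain" and "verify the host name" together and refuses the half-verified combination instead of silently accepting it. This is an added example, not code from the talk; it uses only public ssl module attributes (create_default_context, check_hostname, verify_mode) and its behaviour is that of Python 3.7 and later. The function names are the example's own.

```python
"""Composable TLS verification in Python's ssl module (added example, not from the talk)."""
import ssl


def default_context_is_fully_verifying() -> bool:
    """create_default_context() turns both checks on: chain and host name."""
    ctx = ssl.create_default_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def can_keep_hostname_check_without_chain_check() -> bool:
    """The 'two-sided' mistake: drop chain verification but keep check_hostname.

    Matching a host name against an unverified certificate proves nothing,
    so the ssl module raises ValueError rather than allow this combination.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False
    return True


def enabling_hostname_check_pulls_in_chain_check() -> int:
    """Going the other way, turning check_hostname on forces CERT_REQUIRED."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # starts with both checks on
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.check_hostname = True                       # promotes verify_mode to CERT_REQUIRED
    return int(ctx.verify_mode)


def explicit_opt_out() -> tuple:
    """Turning verification off takes two deliberate steps, in this order."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return (ctx.check_hostname, int(ctx.verify_mode))


if __name__ == "__main__":
    print("default verifies chain and host:", default_context_is_fully_verifying())
    print("hostname check without chain check allowed:",
          can_keep_hostname_check_without_chain_check())
    print("verify_mode after re-enabling check_hostname:",
          enabling_hostname_check_pulls_in_chain_check())
    print("explicit opt-out state:", explicit_opt_out())
```

Note the asymmetry: the safe direction (enabling the host-name check) is one assignment, the unsafe direction (disabling everything) is two, and the invalid middle state is unreachable. That is the Second Directive applied to an API surface.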

Page 21: Cats And Dogs Living Together: Langsec Is Also About Usability

Takeaway

you’re not helping

Page 22: Cats And Dogs Living Together: Langsec Is Also About Usability

It Gets Better

• Some libraries have been around long enough to watch their interfaces evolve
• C++ STL got a lot better in C++11
  – They had to add move semantics to do it, but threading is awesome now
  – Confusing auto_ptr gone; shared_ptr and unique_ptr do what they say on the tin
• But let’s talk about a security library.

Page 23: Cats And Dogs Living Together: Langsec Is Also About Usability

You call this making it easy?

gpgme_ctx_t ctx;
gpgme_error_t err;
gpgme_data_t cipher, plain;
gpgme_engine_info_t engine;
[~20 lines of boilerplate]
err = gpgme_op_decrypt(ctx, cipher, plain);
if (err == GPG_ERR_NO_ERROR) {
  [at least 8 more lines of boilerplate, just to see what you decrypted]
}
...

Python has to be better, right?

Page 24: Cats And Dogs Living Together: Langsec Is Also About Usability

Not much.

ctx = gpgme.Context()
ctx.armor = True
key = ctx.get_key('...')
plain = BytesIO('...')
cipher = BytesIO()
ctx.encrypt([key], 0, plain, cipher)

So is binding the problem? Is wrapping gpg any better?

Page 25: Cats And Dogs Living Together: Langsec Is Also About Usability

…maybe?

• ISConf GPG.py: wraps the gpg binary
• Very opinionated about:
  – How keyrings are named
  – Which options various operations use
• Leaves out a lot of functionality
  – Want a detached signature? Too bad

“WHO PUTS UNIT TESTS IN A TRY/EXCEPT BLOCK WHICH CATCHES ALL EXCEPTIONS?!”

Page 26: Cats And Dogs Living Together: Langsec Is Also About Usability

2013: finally something usable

• All the command-line functionality!
• Public interface, no need to touch the rest
• Sanitizes untrusted inputs!
• kwargs for all the things!
• All in all, much more pythonic
• THANK YOU ISIS, WE LOVE YOU
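The slides on wrapping the gpg binary (GPG.py's missing detached signatures, and the 2013 library's "sanitizes untrusted inputs") point at the minimum any such wrapper needs. The following is an added example and not python-gnupg's code: it validates a caller-supplied key reference before it can reach the command line, builds argv lists rather than shell strings, and exposes the detached-signature operation the older wrapper left out. The gpg options used (--batch, --no-tty, --armor, --encrypt, --recipient, --detach-sign, --local-user) are real; the wrapper functions and the 40-hex-digit fingerprint policy are this example's own choices.

```python
"""Input sanitization for a wrapper around the gpg binary (added example, not python-gnupg)."""
import re
import subprocess
from typing import List

# Full v4 fingerprint: 40 hex digits. Short key IDs are rejected on purpose (they collide).
_FPR_RE = re.compile(r"\A[0-9A-Fa-f]{40}\Z")


def normalise_fingerprint(value: str) -> str:
    """Accept a 40-hex-digit fingerprint (spaces allowed), nothing else.

    Because the result can only be hex, a value that starts with '-' or carries
    shell metacharacters can never be handed to gpg as an option or a file name.
    """
    compact = value.replace(" ", "")
    if not _FPR_RE.match(compact):
        raise ValueError("recipient must be a 40-hex-digit key fingerprint")
    return compact.upper()


def is_valid_fingerprint(value: str) -> bool:
    """Boolean form of normalise_fingerprint for callers that want to check first."""
    try:
        normalise_fingerprint(value)
    except ValueError:
        return False
    return True


def _base_argv(gpg: str, armor: bool) -> List[str]:
    argv = [gpg, "--batch", "--no-tty"]     # never prompt; a wrapper has no terminal
    if armor:
        argv.append("--armor")
    return argv


def build_encrypt_argv(recipient: str, armor: bool = True, gpg: str = "gpg") -> List[str]:
    """argv for encrypting stdin to one recipient; the payload never touches the command line."""
    return _base_argv(gpg, armor) + ["--encrypt", "--recipient", normalise_fingerprint(recipient)]


def build_detach_sign_argv(signer: str, armor: bool = True, gpg: str = "gpg") -> List[str]:
    """argv for a detached signature over stdin, the operation GPG.py left out."""
    return _base_argv(gpg, armor) + ["--detach-sign", "--local-user", normalise_fingerprint(signer)]


def run_gpg(argv: List[str], data: bytes) -> bytes:
    """Run gpg with an argv list (no shell), feeding data on stdin; raises on non-zero exit."""
    return subprocess.run(argv, input=data, capture_output=True, check=True).stdout


if __name__ == "__main__":
    # Constructed fingerprint, not a real key.
    fpr = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    print(build_encrypt_argv(fpr))
    print(build_detach_sign_argv(fpr, armor=False))
    print("option-looking recipient accepted?", is_valid_fingerprint("--output x"))
```

The design choice worth copying is that validation happens at the type boundary (a fingerprint is the only accepted key reference) rather than by trying to escape arbitrary strings; with that in place, argument injection into gpg's command line is not possible through this interface, and the remaining risk is in the keyring, not the wrapper.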

Page 27: Cats And Dogs Living Together: Langsec Is Also About Usability

“I believe that usability is a security concern; systems that do not pay attention to the human interaction factors involved risk failing to provide security by failing to attract users.”

-- Len Sassaman

Page 28: Cats And Dogs Living Together: Langsec Is Also About Usability

Credits

• @skry
• Jonathan Korman
• The education panel at SLE2014, especially:
  – Massimo Tisi
  – Eric Walkingshaw and Martin Erwig
• The GIMP and G’MIC
• Paramount Pictures (and everyone at TrekCore)
• My sisters the elementary school teachers