[520] in WWW Security List Archive


Web Scripting Languages (was: Re: two-way communication in html)

daemon@ATHENA.MIT.EDU (Rick Smith)
Thu Mar 9 16:56:19 1995

Date: Thu, 9 Mar 1995 09:47:40 -0600
From: Rick Smith <smith@sctc.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

>> 1) Turing has a formal and provable semantics (this includes IO) and
>>    claims to meet the US DOD criteria as a TRUSTED language.

>What US DOD criteria for TRUSTED languages? Got any pointers? Thanks.
>	Mez

This sounds like it's supposed to refer to National Computer Security
Center notions of "trust" since they're the only group developing such
standards for DOD as a whole. NCSC has no notion of a "trusted
language" though they do have requirements for languages used in
"formal verification systems" (report NCSC-TG-014). The languages are
required to have provable semantics and such.

However, this does not guarantee that the language always produces
secure software. IF you have a properly trained expert in security
modeling (expensive, hard to find) AND the language semantics can
capture the critical requirements of the Web script (a big IF) AND the
language's implementation behavior in fact correctly reflects its
semantics THEN the system can tell you something useful about the
script's security behavior.

This is a very costly process. It is only worthwhile if you have
extremely important requirements (life threatening, for example) and
there's no cheaper way to comprehensively evaluate the script's
behavior. These techniques were originally developed to evaluate the
ability of large scale operating systems to keep "Top Secret" data
separate from "Unclassified" data. Formal analysis is the most
effective way there is at finding design weaknesses in such systems.

This is overkill for most Web applications, and is vulnerable to
unexpected server bugs just like all other scripting applications.

Rick.
smith@sctc.com     roseville, minnesota
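The third condition in the message above, that the implementation's behavior must in fact reflect the language's semantics, is the one most often lost. The following is an added example (not part of Rick Smith's post, and not NCSC material): a four-level classification order and a deliberately defective implementation are constructed for illustration, and the "no read up" / "no write down" rules are stated as a specification that the implementation is checked against exhaustively, which is possible here because the domain is finite.

```python
"""
Exhaustive refinement check: does an access-control implementation agree
with its formal specification on every input?

Added example, not code from the original message. The level ordering and
the defective "buggy" implementations are constructed for illustration.
"""
from typing import Callable, List, Tuple

# Total order of classification levels, lowest first (constructed).
LEVELS: Tuple[str, ...] = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {level: i for i, level in enumerate(LEVELS)}

Predicate = Callable[[str, str], bool]


def spec_may_read(subject: str, obj: str) -> bool:
    """Specification: simple security property, 'no read up'."""
    return RANK[obj] <= RANK[subject]


def spec_may_write(subject: str, obj: str) -> bool:
    """Specification: *-property, 'no write down'."""
    return RANK[subject] <= RANK[obj]


def buggy_may_read(subject: str, obj: str) -> bool:
    """Constructed defect: compares level *names* lexicographically.
    "Top Secret" sorts before "Unclassified", so an Unclassified subject
    is granted read access to Top Secret objects."""
    return obj <= subject


def buggy_may_write(subject: str, obj: str) -> bool:
    """Same constructed defect applied to the write rule."""
    return subject <= obj


def fixed_may_read(subject: str, obj: str) -> bool:
    """Implementation that compares ranks, matching the specification."""
    return RANK[obj] <= RANK[subject]


def fixed_may_write(subject: str, obj: str) -> bool:
    """Implementation that compares ranks, matching the specification."""
    return RANK[subject] <= RANK[obj]


def mismatches(impl: Predicate, spec: Predicate) -> List[Tuple[str, str]]:
    """Every (subject, object) pair on which impl and spec disagree.
    The domain is finite, so enumerating all pairs is a complete check."""
    return [(s, o) for s in LEVELS for o in LEVELS if impl(s, o) != spec(s, o)]


def verify(read_impl: Predicate, write_impl: Predicate) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Check both properties; empty lists mean the implementation refines the spec."""
    return mismatches(read_impl, spec_may_read), mismatches(write_impl, spec_may_write)


if __name__ == "__main__":
    for name, r, w in (("buggy", buggy_may_read, buggy_may_write),
                       ("fixed", fixed_may_read, fixed_may_write)):
        bad_read, bad_write = verify(r, w)
        print(f"{name}: {len(bad_read)} read disagreements, {len(bad_write)} write disagreements")
        for s, o in bad_read:
            print(f"  read  subject={s!r} object={o!r} impl={r(s, o)} spec={spec_may_read(s, o)}")
```

The specification and the fixed implementation are textually almost identical here, which is the point: when the specification is small enough to be checked exhaustively, the check is cheap, and it catches the kind of ordering mistake a provable semantics says nothing about. Real systems have state spaces that cannot be enumerated, which is where the cost the message describes comes from.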
