Schneier on Security

Clive Robinson • November 1, 2021 2:57 PM

@ BCS,

The simplest mitigation for a tool chain is likely to provide an –ascii-only flag.

Err, no, and you know it 😉

At a guess >99% of code has no need for anything outside 7-bit ASCII, so just enforce that.

The default for the compilers should be 7bit ASCII, the exception switch or flag needs to be –notascii–

Clive Robinson • November 1, 2021 4:27 PM

@ lurker,

Let’s all point fingers at Unicode, which should be a pure character set, and let text/word processors decide if and how they want to handle LTR/RTL.

The issue is not just Unicode. The problem is “in band signaling” that is silent to the user, which is stupid.

Even ASCII has it’s control chars, with which you can print backwards and forwards as much as you want. It was after all how *nix “man pages” got their Bold titles on printers that lacked any kind of intensity control (nearly all serial printers and many parallel port printers going into the 1990’s).

No, this problem is a compiler/interpreter problem.

The issue is not realy the compilers either they are acting on what is actually in the file, not what appears on the screen as seen by the human eye, because it’s actually the application that displays the file, that lies to the users eye.

So the real problem is stupidity, for not thinking such behaviour would not have undesirable side effects.

But the problem goes deeper, there has never yet been invented a “universal tool” that “can do every job”… The nearest we have to that when you think about it is a broken claw hammer…

And “broken” is the real issue. To try to make a tool that “can do every job” you have to break things, the only real question is,

“Where do you want the breaks to be?”

Then make them “hard breaks” where they can not hide or be used to hide other things.

That is “overt” not “covert” behaviour with “in band signaling”, anything else is asking for trouble…

Clive Robinson • November 2, 2021 2:35 AM

@ MarkH,

I’ve been startled to see what (by my lights) look like airy dismissals of the needs of non-Anglophone cultures and application domains.

Because you are looking at things the wrong way.

In effect you are seeing the swelling in someones leg and saying it needs a compression stocking. Where as the swelling is a side effect of a broken bone that needs setting and splinting and then the swelling will then go away anyway.

Language is a communications tool, designed by humans for humans.

However we do not all speak the same language or write our words in the same way.

Does not speaking Finish make you any less of a human?, how about Cantonese?, or how about one of ~30 African languages that use click consonants?

So why apply the same bad reasoning to a computer program that has a formal language of its own?

Your,

airy dismissals of the needs of non-Anglophone cultures

Is nothing what so ever to do with the computer language, but everything to do with the “totaly irrelevant to the compiler or interpreter” of “presentation” of the source code to humans.

Whilst I disagree –for other reasons[1]– with those who say code should not have comments, they do have a valid point about learn to “understand the code the way the computer does”. That is treat it as a new language and learn to speak it correctly.

So why should there be any comments being sent to the compiler or interpreter any way?

The simple answer is that they should not…

However, there is a reason why comments do go into the compiler, and that is “tracing” in “debugging” from a low level (something embedded systems programers used to do one heck of a lot of last century).

The problem with comments is character sets and the way they are presented to humans. For arcane reasons to do with teleprinters –that long predate computers by a half century or so,– being able to “over strike” was desirable and went back to the earliest of manual typewriters and the ability to “underline” text for titles and headings. Also it alowed “overtype” to get accents or make text bold.

It is the reason why we have in-band control charecters for,

1, Carriage return (no line feed).
2, Line feed (no carriage return).
3, Backspace.
4, Vertical feed (opposit of line feed).

The problem is what works nicely on paper mostly does not work at all on screens.

That is “overtype” on paper alows you to build up a charecter by adding additional print. But on a screen it is nothing of the sort, it is most often simply a replacment.

And the “backspace” and “overtype” on screens at the user presentation level, when combined alow information to be “hidden from view”. So a malicious user can “hide from view” of the user what a compiler or interpreter will see and act upon.

There is no real change you can make to a compiler or interpreter that will stop this because that is not where the “information hiding” occurs.

To solve it the tool chain would have to pre-process the file so it is an exact match for what the editor presents to the users view…

So to do that the compiler would have to know all about your editor… Which we do not realy have a mechanism for currently, and the level of complexity it would add would in all probability open up other vulnerabilities.

But this “hiding” trick is not limited to just abusing comments you can do it to the actual code as well though it is more difficult.

If you just “flag up” the backspace or other presentation level control characters you will have to stop comments etc.

So you are “Caught twix t’Devil ‘n t’deep blue sea”.

Importantly it applies just as much to WASP English as it does to any other human to human language, so it does not have an,

airy dismissals of the needs of non-Anglophone cultures

[1] My view comming from a machine code and lower level background is that comments are part of the specification translation. That is they are an abstraction of the high level specification into a description of function so is a “functional language” at an intermediate level. If you have written your comments correctly the assembler code for one processor could be striped out and replaced with that for another and the comments would be no different.

Clive Robinson • November 2, 2021 8:23 AM

@ Ted,

With regards,

“The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross- vendor comparison of responses”

Is a statment that is paraphrasing the issue somewhat…

The reality is,

1, Only relatively modern compiler etc tool chains support Unicode.
2, Other programs that support Unicode are vulnerable in some way (even if it’s a DoS).
3, It is not just Unicode that has in-band control codes that alow this hiding of information in files and serialised streams.

Thus the actual affected code base is a lot lot larger than “computer languages” for compilers and interpreters…

But look at it in terms of a generalised computing stack model. It is a valid attack at the presentation layer, which was the upper most layer of the ISO OSI seven layer model. But it works “up” to the user layer to produce vulnerabilities further down…

Take a moment to think about that.

Yup it is an attack that works up the stack to attack the “human”. And by successfully attacking the human, it gets a vulnetability into the code at a lower level.

Does that make it some form of “social engineering”[1] attack?

Some will no doubt say that it is a “steganographic”[2] attack and I guess linguistically they would be correct.

Though both catagories feel wrong 😉

It is however an attack using valid “in-band signaling” of a “serialized stream” which when people realise the actual extent, makes it a very big “class” of vulnerabilities in which many many “instances” are very probably going to appear.

Which is why, yes to a limited extent did make it,

“a rare opportunity for a system-wide and ecologically valid cross-platform and cross- vendor comparison of responses”

If and only if (iff) the vendors chosen were providing programs that were actually affected by it.

This is where I am probably going to get shot at by a few people 😉

Were the compilers and interpreters vulnerable?

Arguably no. That is they received a valid file within their language specifications and processed it correctly. Does this mean their specifications were incomplete?

Arguably no. No program can be all things to all situations it’s logically and practically impossible because things will break. Thus it’s highly undesirable to even try to make a program like a compiler or interpreter do this. Look at it this way, the file is valid the syntax of the code is valid and so on up. It’s only when you get up into a much higher level in the functional business logic of the application being compiled or interpreted that the choice can be made, and the compiler or interpreter has no way to know if the code is intended or not, nor should it be able to decide. The best it can do is warn about the use of “in-band signalling”, which is to be expected under many use cases…

In short, as the compiler or interpreter is part of a tool chain preceading parts of the tool chain should be responsible for picking it up.

Thus logically you need to move such functionality where it belongs, which is in or immediately following the human user interface. That is the editor etc.

So the question arises as to what venders were contacted?

Having had the opportunity to skim read through the main body of the paper, there is not a list, though refrence is given to using MITRE as a “last resort”.

Without this list, we have no way to independently judge if the responses given by the vendors was appropriate or not…

One of the major reasons for scientific papers being withdrawn from journals is that the published results may not reflect the actual data set. This is not to say that that there is any way an attempt by authors to decieve either consciously or subconsciously, they may use inappropriate analysis or be unaware of other pertinent information.

To demonstrate this, there is the line about “Physics is a series of lies each more acurate than the proceading ones”. Sir Issac Newton came up with a theory of gravitation, it’s elegent it’s simple and it’s more than good enough to get you around the solar system. As our ability to measure improved, certain inacuracies were found that Newton could not have known about. Just over a century ago Albert Einstein came up with a new idea, it was found that whilst this could account for the anomalies, it’s not suitable for navigation as there is a problem. Newtons work inherantly assumes that the force of gravity is not constained by the speed of light, and it produces stable results. Einstein’s work does take the speed of light constraint into account, but it does not produce stable results, so without extream caution it won’t get you around the Earth let alone the solar system…

Now getting back to the paper, why has the list of venders and their responses not been published in the paper so others can analyze them independently?

The answer is “Human nature” at one of it’s basest levels. If such information was publically available, there would be consequences.

Unfortunatly the likes of certain vendors Oracle being one have repetedly made false claims about the function[3] and security of their products for fiduciary gain (ie technically fraud and extortion). Then senior Oracle staff have effectively threatend people with “breach of contract” including chief security officer, Mary Davidson[4] and other legal sanctions such as implying “false light reporting” for investigating the security of Oracle’s products. The customers had little choice because they had become aware by a process of elimination that the products were vulnerabe and had been exploited to the customers loss…

So some vendors are “trigger happy” and have reached for “legal sharks” as a first solution and some still will.

Which kind of makes it tough as a researcher…

[1] “In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.“,

https://en.wikipedia.su/wiki/Social_engineering_(security)

[2] “Steganography is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.“,

https://en.wikipedia.org/wiki/Steganography

[3] https://www.pcworld.com/article/472852/university_accuses_oracle_of_extortion_lies_rigged_demo_in_lawsuit.html

[4] https://www.digitaltrends.com/computing/oracle-cso-blog-security-testing/

Clive Robinson • November 2, 2021 9:23 AM

@ Dave C,

Thankfully I read On “Trojan Source” Attacks before these comments.

I’ve just read it, and yup, he sees it the way I do…

Clive Robinson • November 2, 2021 6:23 PM

@ SpaceLifeForm,

BNF is your friend

Yes it removes ambiguity in LEXing but that is not relevant here.

The source code file is serialised. The vulnerability is put into the file, it is syntaticaly and lexicaly correct code. The compiler or interpreter reads it in and treats it as valid code, as it should do.

At some later point in the file is a bunch of control characters serialised in a perfectly valid comment or data decleration of some form so the compiler or interpreter reads it in and again treats it as valid as it should do.

Take a comment that contains a couple of hundred back spaces as far as the compiler or interpreter are concerned they could be the same bumber of ‘A’ or ‘z’ characters it treats them all the same and appart from allocating space in the heap and putting them there it does nothing with them.

That is the backspace or any other character in a comment or data declaration does not get interpreted in any way (unless the data gets used in the program).

As I’ve said a couple of times now the problem is not the compiler or interpreter, which is why you can not fix this vulnerability in them. Trying to would be a monumental excercise in futility and would in all probability create new vulnerabilities.

The problem is entirely in the editor or other application that pushes the file out at the presentation level to the users screen.

In effect what happens is,

The file is read in character by character. Each is either written into the display memory or ifva control charecter interpreted.

So,

1, The vulnarability gets written to display memory.
2, The string of backspaces moves the display memory write pointer back before the memory that holds the vulnerability.
3, The characters following the string of backspaces gets written into the display memory over writing the vulnerability.
4, The display memory gets output to the screen.

That is in the editor, browser, or other app that displays the file contents on the users screen never displays the vulnerability code because it correctly interpreted the control characters in the file.

The solution is in the presentation layer application that displays the file, it should not interpret control characters.

Old style *nix CLI apps that output files to Standard Out and Standard Error as a general rule do not interpret the control characters, just replace them with a ‘.’ or similar.

So much for the ASCII backspace method, Unicode is on steroids in comparison. It is capable of oh so much more, so much in fact it’s distinctly problematical to resolve.

To do so would require the equivalent of a syntax parser to issolate where Unicode control characters can be safely interpreted and where they can not.

Oddly perhaps a few editors already have much of the required code to do highlighting already…

Clive Robinson • November 3, 2021 4:55 AM

@ SpaceLifeForm, ALL,

But, why does anyone really believe that code reviews really work?

I don’t think they realy do, but they are a check box on a “managment approved” list, which came about from some assumed “Best Practice” list etc.

As I’ve mentioned before I worked for a while at an organisation where managment put what they viewed as the “most productive” programers on producing production code features, and lets say those they viewed as the “least productive” on code review[1]. What does that say?

Even a semi-smart programmer could get stuff by that code review process and into production, “Code signed sealed delivered it’s yours”[2].

But as you correctly note, “code review like “scrums” are way way up the chain well away from code signing and as Shakespear’s predecessors observed “There’s many a slip twixt the cup and the lip”.

Way way back on this blog[3] you will find conversations about the failings of code signing and code reviews that covered this issue exactly. Yet here we are still pointing out the failing more than a decade later…

But let’s be honest, it’s now kind of widely acknowledged that “scrums” are in reality an abusive proces that is inefective. Often wielded by certain types of people as weapons against those they dislike or want to penalize. The same failings are also apparant with code review processes. What we need is effectively a “blind process” that can not be used for “office politics”, and we don’t currently have one.

So time for my lament 😉

“Why is the IT industry not learning from even it’s living history?”

Any bets on how many more decades it will be true?

[1] The managment appeared to think that fast production of marketing features that shall we say were forever “high in maintainance” whilst “low in use” was a winning stratagy.

In theory a good code review process would have sent much of it direct to the “scrap yard” because it had more holes than a pair of second hand string underpants. But managment would have instantly pulled the teeth. So all that came out of it were comments about “comments and style” and I do not remember them ever finding actual faults, vulnerabities, or backdoors…

[2] With appologies to Stevie Wonder and fans for mutilating “Signed, Sealed, Delivered I’m Yours”.

[3] This from over 11years ago states exactly the conversation we are now having,

https://www.schneier.com/blog/archives/2010/03/back_door_in_ba.html/#comment-133824

But it was at the time “old” you can go back further discussing the failings of both “code signing” and “code review”. But I even outlined how malicious actors would behave,

https://www.schneier.com/blog/archives/2011/06/malware_in_goog.html/#comment-161737

The fact the industry has not changed for the better in the slightest, as they say “speaks volumes” about the industry, or more correctly those who manage it.

[4] Have a read of this very short article about the history and failings of assessing glucose levels in blood samples, to see it’s not just the Software Industry QA processes where problems slip through,

https://academic.oup.com/clinchem/article/60/7/1025/5621704

Clive Robinson • November 3, 2021 7:34 AM

@ Matthias Wiesmann,

Interesting link, especially the small line that says,

“Published 8 years ago by Thias”

I’ve noted on several occasions that vulnerabilities discussed on this blog have in the past taken around eight years to become known in the industry…

But even back then Unicode was just one of the more current of “code sets with control charecters”.

ASCII has “backspace” and vertical tab and goes back over half a century to around 1960 with it’s standard being published in 63[1]. But before that most “teletype codes” had a “back space” or equivalent to enable correction of mistakes a century ago, that they inherited from manual typrighters.

The first manual typewriter was made by Pellegrine Tarri, who made an early typewriter back two centuries ago in 1801[2]… Though if it had a “backspace” equivalent I have no idea. But he clearly had ideas about over striking and similar because he also invented carbon paper in 1808.

The thing about all these codes and the systems that “present on paper” is that the “overtype” is usually obvious and often quite usefull. The move to initially Nixie tube, then “Cathode Ray Tube”(CRT) and later other electronic display systems changed the “backspace” and other control charecter effects from “overtype” to “overwrite”.

To most the difference between “overtype” and “overwrite” is to subtle to notice let alone think about… When they have it’s because of the likes of umlauts (double dots over vowels). Often they double dots existed as a print head in it’s own right so rather thsn have all the vowels repeated with double dots over them you typed {vowel}{backspace}{umlaut}.

So whilst there as clear as day, the potential for backspace and other printhead control characters to be used for mayhem has passed people by. For probably three to five decades, that is since the use of paper based user terminals declined in the 1970’s and early 80’s. At first the likes of early editors would have shown it up. But the first editor I can find that does not show it up is Microsoft’s DOS editor[3]…

[1] Of interest to cryptograhpy is the all important ASCII “NUL” control charecter which is 0x00. The NUL could have had any values as a control character. But importantly if you XOR or more importabtly ADD 0x00 with any other value, it does not change. So if you use a One Time Tape(OTT) super encryption system which has a non binary power sized alphabet as all telletypes do. Then it provides an easy solution to the “overflow problem”. That is if you receive a character that matches to the one on your OTT you know a NUL has been sent and you just “drop it”. So as the sender if the charecter you want to send when added to the OTT character “over flows” out of the teletype printing alphabet, you just hold the input and send a NUL. You keep doing this untill the addition does not produce an overflow, and so send the actual charecter.

[2] This was long before what many claim as the “first” typewriter by “US patent date”. Made by Christopher Latham Sholes of Milwaukee and others in 1868. What might be of further interestcis that the prototype was built by the clock-maker and precision machinist engineer Matthias Schwalbach the year before.

[3] As Microsoft’s editor actually came out of their implementation of BASIC the chances are that other “screen editors” in BASICs of a myriad of home computers that loaded files from tape or disk also did information hiding by printhead control characters. I guess those that still have working ones can “test and report back”.

Clive Robinson • November 3, 2021 4:33 PM

@ FA,

Ehh, no, you send the OTT character.

That is the result when,

“you just hold the input and send a NUL.”

The whole of what you quoted, is talking about the “input to the adder” not “the output sum to line”. Because the “holding” is a function that preceads the adder.

With regards the XOR function not ADD, yes the result is very similar, only the complexity is different[1].

[1] With an XOR system each bit is in effect isolated from all the other bits as the XOR is a “half adder”. With ADD whilst the least significant bit is an XOR function, from then on the other bits have the potential for a carry input. This causes a non linear effect in the higher bits, which some believe is desirable.

Personally I use both in series in some stream cipher systems, using two stream generators that are very different in their basic design.

In effect the XOR “whitens the input” changing it’s statistics and the ADD does the actual encryption of that.

Some think the other way around ie ADD then XOR is better. Further some think “rotating” the input is as good as whitening it (but as it does not change the set to clear bit ratio, only the bit positions, I have my doubts).

Clive Robinson • November 3, 2021 7:56 PM

@ SpaceLifeForm, ALL,

But, why does anyone really believe that code reviews really work?

It took me a while to find this, I hope it makes you smile as well,

https://www.osnews.com/story/19266/wtfsm/

Clive Robinson • November 4, 2021 10:17 AM

@ FA,

would you put the switch at that input, selecting either the plaintext symbol or NUL ?

It’s a question that has no correct answer other than,

“It depends on implementation factors”.

And brings up “Security-v-Efficiency” issues. Which is why I prefere to pipeline things with latches and bi-phase clocks.

First though, one difference between a true OTT system and a Stream Cipher is that it matters not a jot how much OTT keyMat you send over the wire instead of ciphertext (as long as it is never re-used). However you should aim to NEVER send any KeyMat over the wire with a key stream generator only ever ciphertext[1] preferably where the plaintext has had it’s statistics flattened by compression or encryption[2].

So one known issue of the early Rockex was that it was hoplessly insecure to what we would call a TEMPEST or “Passive EmSec” attack[3]. The reason was that the XOR function had a bad time based side channel issue that revealed the OTT on the wire. That is by looking at the ciphertext on the wire with an oscilloscope or simillar you could tell by the pulse width if a bit had been fliped or not… So striping off the XOR’d OTT whilst not childs play could be done automatically. Something that apparently caused the Canadian Pat Bayly, Assistant Director of “British Security Co-ordination”(BSC) who designed Rockex more than a few headaches to sort out.

So in a practical implementation you have to consider “side channels” and that takes priority over other apparently more logical reasons you indicate.

It’s also one of the reasons for a TEMPEST design rule that is effectively,

“Clock the outputs”

As this is effectively a subset of “pipelining techniques” that can remove “jitter” that can be a side channel that leaks KeyMat or plaintext via timing.

[1] This is because each character in an OTT is “truly independent” –or should be– but every character out of a key stream generator is 100% dependent on the generator internal state. So every output charecter from a stream generator is in no way independent of all the others. So allowing output from the stream generator on the wire provides information to an observer, that can in theory help predict the next output charecter from the stream generator.

[2] It’s one of several reasons why the Rockex was used as a “super-encrypter” not a message encrypter like the Typex. But to those who used the Rockex they were encouraged to think of it as a “link encrypter” of fast multiplexed teletype traffic that was being “routed through their switching node”. Not that, by that time, the Typex was actually considered insecure (because of Ultra). Something that neither the British or US wanted to get out as the myth of rotor machine security ment other Nations used it or similar rotor machines without super-encrption, so up into the late 1980’s GCHQ and the NSA were happily reading their “routine” messages, that gave more valuable intell due to “traffic analysis” than traffic that the adversary considered so secret they hand ciphered with an OTP. Not that OTP was always secure in practice… in some cases due to corruption it was actually totally insecure due to “key reuse”, as Project VENONA demonstrated over the many years it ran,

https://en.wikipedia.org/wiki/Venona_project

[3] Whilst now “common knowledge” this is still technically clasified in both the UK and US but… Suprisingly for different reasons.

In the UK it is both “unavailable” under the “hundred year rule” that “protects the guilty”, as well as the fact it is still “classified” which is something we should not know as the UK does not reveal such things under the “We can neither confirm nor deny” mealy mouth response to nearly all alledged “National Security” related questions. But we know through the US…

In the US TEMPEST, and all that is related to it, is still technically classified even though most of it is obvious from the laws of physics. So the technique of pulse width measurment with an oscilloscope, chart recorder or simillar, is “clasified”… But also under the BRUSA/UKUSA arangment the US treats anything originating from the UK that the UK still regards as “clasified”, as “clasified” as well. But as with measuring pulse widths the way the US has handeled information requests has enabled people to strip off the cause for the classification, so we know it’s because the UK still have it clasified… Yup there is some irony there.

Clive Robinson • November 4, 2021 6:02 PM

@ vas pup, ALL,

With regards the “British Broadcasting Corporation”(BBC)

It along with the UK “Civil Service” have become “captured” by the current political encumbrants. Thus the touch stone the operated on of,

“Speak the truth, without fear or favour”

Is very much a thing of the past.

I thus advice people to “sanity check” anything coming out of either of them with other independent sources.

As Samual Langhorn Clemens (Mark Twain) once remarked,

“If you don’t read the newspaper, you’re uninformed. If you read the newspaper, you’re mis-informed.”

And in the case of the BBC and UK Civil Service, they have become “mouth pieces” for what you might call “The UK Alt-Right”, that the current political encumbrants are, and their brand of “faux news”.

Sam Clemen’s also had wise words on politicians,

“Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself.”

Clive Robinson • November 5, 2021 1:45 AM

@ SpaceLifeForm, ALL,

Code review is not going to prevent all attacks.

No disagreement there, the logic behind that, though raises a problem.

The logic is the issue of the “Known, Knowns”, “Unknown, Knowns”, and “Unknown Unknowns”

Whilst all review processes should pick up “Known, Knowns” you start runing into problems with “Unknown, Knowns” or as some call them “Black Swans”. Whilst I’m not that good at it I can “join the dots” and envision a limited number of “black swans” often half a decade to a decade befor they become “Known, Knowns”. Any security or safety review needs people who can not just see black swans but enunciate them sufficiently clearly that all involved understand them.

But by definition you can not predict or anticipate “Unknown, Unknowns” (just be an originator of then at some future point). Whilst that is true, you can “get lucky” and stop them by chance. That said you can evolve design processes that help in that direction. One such is aim to “Mitigate Classes not Instances” of vulnerability[1].

Which brings us to the problem, whilst what you can do for design processes carries forward into review processes, the review process can never go beyond the design process it is bound by.

As design processes are bound so must be ALL review processes.

That is “All review processes are limited by design”.

Whilst it can be argued that some review processes are better than the design process in use, it is only true because the review process is based on a different and arguably better design process. Whilst this might suggest changing the design process in use, there may be good and proper reasons for not doing so.

But at the end of the day, we should realise that any review process can not pickup anything the design process it is based on should have highlighted and stopped…

[1] To “Mitigate Classes not Instances” of vulnerability, you have to understand the notion of “coverage”. Whilst akin to scope it works the other way around, that is coverage reduces from global to individual, whilst scope increases from individual to global. Most thing interms of scope, not coverage as it is they assume simpler or more well defind thus tractable. Actually it is often not the case. An instance of vulnerability falls in a class, the instance has many very specific attributes, which you abstract out some key elements to form a class. Obviously this means that a spicific class is part of a larger class within the global set of all vulnarabilities. Thus if you mitigate one key feature all vulnerabilities that have it are also mitigated. It is possible to have entirely simple mitigations that have near global coverage. As an example, at the highest class levels of attacks we have “internal” and “external” attacks under which all attacks fall. To mitigate against all “external” attacks you simply do not have a system with any communications, and you make it “tamper evident” which is realisable under certain broad assumptions whilst “tamper proof” is provably not possible. This is the basic design philosophy of “secure tokens”, whilst there might be “Unknown, Unknown” attacks the system might be vulnerable to, it can not be attacked by them if the attackers can not get to the system at the level required. In essence it is the basis for both “segregation” within systems and “issolation” of whole systems, the latter being covered by “energy-gapping”. However for a component to function within a system it needs to be part of it and that requires the ability to transfer energy of some form which is the essence of communication. Thus to segregate it you have to identify all communications paths and their characteristics and not just mitigate those that are undesired but also monitor and control desired communications such that it does not behave out of the specification. Think of striping the majority of control characters out of ASCII as a base level then work upwards through the layers. As can be seen “issolation” is far easier than “segregation”, but it has way more limitations on utility.

Clive Robinson • November 5, 2021 11:16 AM

@ John Nada

Virtue stands in the middle, is most apt.