On Wednesday I will be presenting an invited paper which I wrote together with Ben Hermann, Johannes Lerch and Mira Mezini for a special session at this year’s Future Security Conference. In this work, we give a retrospective survey about the different software security architectures that come with common current programming-language runtimes.The more we learned about these models the less it came as a surprise to us that the world is now seeing the problems and vulnerabilities that it is seeing. In retrospect it is often simple to blame “stupid developers” for including a programming mistake that leads to an exploitable vulnerability. In practice, however, this is just a too simple answer. To truly understand what causes the inclusion of such code one must understand the development history of the respective projects, the organizational structure in which development happens and also the number of constraints a developer has to keep in mind to avoid such mistakes. We argue that, at first, simpler security models are preferable because in such models mistakes are less likely to occur. The trick is then to retain a security model that is restrictive enough. We discuss object capabilities as one mechanism to support models that can be relatively expressive and maintainable at the same time.
Reducing human factors in software security architectures