Andrew Myers

Security, programming languages, and computer systems


New Fabric release

We released a new version of Fabric recently, version 0.2.2. It is much faster and more robust than the previous release. It’s what we used for our NSDI 2014 paper on warranties as a performance comparison point. We also released the version of Fabric that has warranties in it. That’s still a bit less robust, so it’s separate.

It can be downloaded at: http://www.cs.cornell.edu/projects/Fabric



Limits of Enforcement

Something we in the security community seem to ignore is that it’s not enough to have an enforcement mechanism. Of course, you also need policies and you even need a semantics for those policies. But even with all of that, you still don’t have enough. Because security does not happen by accident; it requires careful design. And the real problem is that developers don’t get any help in designing software to be secure.

The fate of proof-carrying code seems like a case in point. Extremely cool and solid technology, with rock-solid enforcement and deep semantic underpinnings. But relatively little attention to how developers might produce software that was accompanied by proofs of properties that go beyond type safety (a property for which PCC is probably overkill).


Competition

The World Cup is fun to watch. We need to figure out how to make software coding competitions this exciting. The problem is that there is no human adversary. It’s like mountain climbing: the adversary is the problem. But I’m not sure how to add the adversarial component in a symmetrical way. I suppose you could have both teams trying to hack into each other’s servers. Or you could let one team adjust the other’s spec in real time. I guess the closest thing to this that I know of is this event: http://builditbreakit.org.