Controversies in Security Science


Defense in depth is meaningless
Trust anchors are invulnerable
Security can never be a true science
Computer scientists need to be trained in the scientific method
The environment in which academic research is performed in security is not conducive to advancing science
Strong inference is a technique that needs to be more widely adopted


I think that most of these statements are mostly true.
Most statements in the form "A can never be B" are too simple to be true. The statement "security can never be a true science" is true for the same reason that "computation can never be a true science" is true: there is a categorical mismatch.
But can there be a science of computation? If computation is something that we program, and science is our method to comprehend natural processes, then there can be no true science of computation, because computation is not a natural process. But if computation is also what happens on the Web, then computation is also at least in part a natural process, and it falls within the realm of science.
Now, is security a natural process, or something that we program?


I think security is akin to medicine/health, drug smuggling, and other "arms races," which can be characterized by attackers making advances and defenders catching up.
Just as throwing billions of dollars toward research into curing cancer hasn't "worked out" to total victory, it is possible that doing the same in security won't work either. Indeed, in an arms race, only the attacker or the defender can be satisfied with the current state of affairs at a time (provided they are both seeing the same state. Both can be happy if one side sees an illusion.)
Just as we cannot today guarantee you'll never get sick, we cannot guarantee your network or device will not be compromised.
Just as defining "health of a human" is difficult, defining "health of a network" or "health of a device" is difficult. Indeed, even defining a boundary, such as device, or network, is tricky, in the sense that you might be able to define it well, but it may not be a useful boundary. (Cryptographers tend to assume that the cryptography is a bounded protectable area, but it's more of a device for cryptographers to define where their mathematical responsibilities end than a boundary that any attacker would respect.)
Health is not itself a science, but a practice that rests upon recognized sciences such as biology, radiology, nutrition, etc. Similarly, security rests upon formal code analysis tools and compilers, cryptographic tools, write-only logging systems, etc. (There's less underlying science than medicine, but medicine has hundreds of years' head start.)
One could make more analogies to support the "arms race" characterization.


This is largely a reaction to reading borbash's post on this topic earlier today, but not a rebuttal or reply in any sense. I think I understand the sentiment behind the statement; we have all probably felt something of this kind at some point.
I think the term "science of security", though, was intended to indicate "the science component of security studies", rather than "a science which will encompass all of security and make it a solved science". This is in line with what borbash says about healthcare itself not being a science, but being based on underlying sciences. But some of these sciences existed sort of independently (say chemistry) and others arose specifically as a result of looking at the issue of health (I would hazard "nutrition" as an example).
IMHO (I am not a security person to start with), the recent interest and focus in SoS from various quarters is trying to point out the fact that in the security community the algorithmic and tool-building efforts have outstripped the efforts to connect to underlying science - some of which may already exist in the form of information theory (but others may be waiting to be discovered - analogy to nutrition). Another way to look at it (personal PoV) is that there has not been as much advance in the systemic or macro-level understanding as at the micro-level. So we don't know how different micro-components fit together (or not), or affect each other - even when such knowledge could in principle be provided by currently known science (or easily achievable future science). Of course, there may be lots of instances where such knowledge cannot even in principle be obtained, or would be very difficult to obtain.
So while I agree with everything borbash wrote, I feel that we should add "... and investigation in the underlying sciences (and of what those sciences may be) stands a good chance of benefiting the practice of security."
My 2c.


No.
If there are multiple hurdles for an attacker to jump, that's relevant.
One can imagine, in a high stakes security system, if one had to provide a "yes" or "no" to "is this system secure?" then the amount of work would be irrelevant.
But about what system could you say, it cannot be compromised at any level of attacker effort, time and cost? None that I have experience with.


No.
Invulnerable anchors are worth your trust. But just because you trust an anchor doesn't make it invulnerable.