Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes Monday through Friday.


hpr2863 :: Simplified application architectures for improved security

A thought experiment in whether reducing runtime dependencies can improve security and how to do it.

Hosted by Beeza on 2019-07-24, flagged as Clean, and released under a CC-BY-SA license.
Tags: Application development, Application architecture, Security.

Before the days of the PC, application architectures were often very simple, being little more than the executable itself and any input files. The constraints of the early PC’s very limited resources required new architectures to make the most of those resources.

We now have a situation where most applications either install, or require the presence of, multiple runtime dependencies. Each dependency has an interface which allows communication between itself and the application, but every interface presents an attack surface with the potential to be exploited by a malicious 3rd party.

Modern computers do not have those same resource constraints, yet we are still developing applications using the principles that applied 3 decades ago.

Re-usable functionality can be internalised through static linking at compile-time or by code inclusion (along the lines of a .h file in C/C++).

To change from using tried and tested methods is never convenient, but with concern for cyber security high and rising, has the time come to exchange convenience for simpler application architectures that should reduce vulnerabilities?

…And might a move to new (or is it old?) architectures deliver a big win for open source software?


Comments

Comment #1 posted on 2019-08-13T23:13:49Z by clacke

Dynamic vs static linking doesn't matter

Thank you for your thoughts! I started listening thinking I would agree, but I didn't.

Vulnerabilities do not generally come in through technical details like what style of linking is used. Your attack surface remains the same. Vendoring the code doesn't help either; that's just a distribution and versioning issue.

The only real way to reduce dependencies is to reduce them: write the code ourselves, or make sure we fully understand our dependencies.

Here's an article that goes further into this: https://medium.com/@kori/systems-easily-understandable-by-one-person-f92e8613e2e
