488 private links
Clive Robinson • April 4, 2024 2:24 PM
@ Gert-Jan, ALL,
Re : Something’s can not be done.
“The question is, how can we guarantee a particular level of quality and security?”
We can not is the short but honest answer.
...
“Security is a quality process”
And like all quality processes,
“It needs management buy in at the highest level, and should be in place before the project is thought of let alone be the pre-specification wish-list thought up.”
Even then, basic information theory tells us it can not be shown to be secure…
Because to “process” information it has to be “communicated”.
Claude Shannon proved for information to be transmitted then there has to be “redundancy” in the resultant communications channel.
Gus Simmons proved that where there was a channel with redundancy then another channel could be created within it. Importantly this “side channel” could be made not just covert but impossible for an observer to show existed.
From that alone you can see it can not be secure.
I could go on and bring in work from Gödel from nearly a hundred years ago that pre-dates the work of Church and Turing that in effect gives further evidence, but there’s not enough space to go through it[1]. If you want to try you first have to get your head around the implications of the “Axiom of choice”(AoC) and Cantor’s Diagonal Argument both fundamental to set theory and both Gödel and Turing proofs.
But from a simpler perspective take a “black Box view” but with a slight difference…
There are two sets of inputs and two sets of outputs.
You as the observer can only see one set of outputs, and as a tester can only see and manipulate one set of inputs. Your task is to show that the set of outputs you observe are only generated by the set of inputs you control and some internal function that has both state and feedback and not in anyway effected by the other inputs you can neither control or observe.
[1] I’ve four hard back books on Gödel’s work and two on Turing’s in my dead tree cave, they are all hard work to read let alone get your head around…
