High Assurance Engineering
Monday, February 16th, 2009

The Cyber Secure Institute is dedicated to the proposition that it is possible to create computing systems that are completely or inherently secure. To accomplish this, a high assurance approach to software and systems is required; the status quo of building to a feature spec and then patching vulnerabilities after the fact doesn’t work. The daily security breaches in the news provide ample evidence of this fact.
So what is meant by “high assurance engineering”? Numerous standards for software and systems assurance have come from the people and organizations that create and regulate safety-critical avionics, top-secret communications equipment, life-critical medical devices, and industrial safety systems.
Having experience with many of these standards as well as a history of deploying high assurance commercial products, I have collected a handful of the top-level principles that are common and proven-in-use. I refer to these as PHASE – Principles of High Assurance Security Engineering:
- Minimal Implementation
- Componentization and Isolation
- Principle of Least Authority (POLA)
- Secure Development Process
- Independent Expert Validation
Let’s start by looking at minimal implementation. It is much harder to create simple, elegant solutions to problems than complex, convoluted ones. Most software developers do not work in an environment in which producing the absolute minimal possible solution to a problem is an unwavering requirement. Spaghetti code is the source of vulnerabilities that run rampant in software and provide the avenue of exploitation for hackers. As an example of applying the principle of minimal implementation successfully, engineers have recently created a high assurance HTML compliant 1.1 web server designed to host web sites that cannot be defaced or otherwise hacked. While general purpose web servers such as Apache consist of hundreds of thousands of lines of code (and growing) and were not designed with high assurance principles, this one does its job in a mere few hundred lines of code and uses an HTML data-driven processing engine that renders buffer overflows (a source of vulnerabilities in web servers due to complex protocol parsing) impossible.
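To make the data-driven idea concrete, here is an added illustration written for this post; it is not the Institute's web server, nor any code from it, and it assumes nothing about that server beyond what the paragraph above says. It parses only the HTTP/1.1 request line (method, path, version), which is the part of the protocol the text singles out as the usual source of buffer overflows. The buffer limits, the field terminators and the state transitions live in one table; the loop consults the table's capacity before every write and rejects over-long input outright rather than truncating it, so no input can push a byte past a buffer. The fixed sizes (MAX_METHOD, MAX_PATH, MAX_VERSION) are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer capacities, including the terminating NUL (assumed sizes for this example). */
#define MAX_METHOD   8
#define MAX_PATH     64
#define MAX_VERSION  9   /* "HTTP/1.1" is 8 bytes */

enum state { ST_METHOD, ST_PATH, ST_VERSION, ST_DONE };

struct request {
    char method[MAX_METHOD];
    char path[MAX_PATH];
    char version[MAX_VERSION];
};

/* One table row per parser state: which buffer the state fills, that
 * buffer's capacity, the byte that ends the field, and the next state. */
struct field_rule {
    size_t     offset;      /* offsetof the destination buffer in struct request */
    size_t     capacity;    /* bytes available, including the NUL */
    char       terminator;  /* byte that ends this field */
    enum state next;
};

static const struct field_rule rules[] = {
    [ST_METHOD]  = { offsetof(struct request, method),  MAX_METHOD,  ' ',  ST_PATH    },
    [ST_PATH]    = { offsetof(struct request, path),    MAX_PATH,    ' ',  ST_VERSION },
    [ST_VERSION] = { offsetof(struct request, version), MAX_VERSION, '\r', ST_DONE    },
};

/* Parse "METHOD SP PATH SP HTTP/1.1 CRLF". Returns 0 on success and -1 on
 * malformed, over-long, or non-HTTP/1.1 input. The write bound for every
 * byte comes from the table, never from the length the client sent. */
int parse_request_line(const char *buf, size_t len, struct request *out)
{
    enum state st = ST_METHOD;
    size_t used = 0;                          /* bytes written to the current field */
    memset(out, 0, sizeof *out);              /* every field ends NUL-terminated */

    for (size_t i = 0; i < len && st != ST_DONE; i++) {
        const struct field_rule *r = &rules[st];
        char *dst = (char *)out + r->offset;
        char c = buf[i];

        if (c == r->terminator) {
            if (used == 0) return -1;         /* empty field */
            if (r->next == ST_DONE && (i + 1 >= len || buf[i + 1] != '\n'))
                return -1;                    /* CR must be followed by LF */
            st = r->next;
            used = 0;
            continue;
        }
        if (c < 0x21 || c > 0x7e) return -1;  /* control or non-ASCII byte */
        if (used + 1 >= r->capacity) return -1; /* would overflow: reject, never truncate */
        dst[used++] = c;
    }
    if (st != ST_DONE) return -1;             /* ran out of input mid-line */
    return strcmp(out->version, "HTTP/1.1") == 0 ? 0 : -1; /* only the one supported version */
}

/* Convenience wrappers so the outcome of a parse is a plain return value. */
int accepts(const char *line)
{
    struct request r;
    return parse_request_line(line, strlen(line), &r) == 0;
}

int parses_to(const char *line, const char *method, const char *path)
{
    struct request r;
    if (parse_request_line(line, strlen(line), &r) != 0) return 0;
    return strcmp(r.method, method) == 0 && strcmp(r.path, path) == 0;
}

int main(void)
{
    const char *good = "GET /index.html HTTP/1.1\r\n";            /* constructed input */
    const char *huge = "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                       "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1\r\n";
    printf("good line accepted: %d\n", accepts(good));
    printf("over-long path accepted: %d\n", accepts(huge));
    return 0;
}
```

Because the parser refuses rather than truncates, an over-long path produces a clean error return instead of a silently shortened path, and every state shares one write check, which is the property a reviewer can verify by reading a single loop rather than auditing a hand-written parser for each field.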
In future blogs, we’ll discuss the other PHASE concepts.