Death, Taxes, and Imperfect Software: Surviving the Inevitable

A security system is only as strong as its weakest link. This observation lead to security architectures that use a small trusted computing base (TCB) to minimize the number of “links” in the system. A small TCB both reduces the chance of a bug occurring by reducing the volume of software that may contain a bug, and also makes formal verification of the correctness of the TCB feasible. Unfortunately, for a variety of reasons, the commercial marketplace of popular operating systems has chosen to ignore this line of reasoning. The “trusted computing base” (system components embodied with significant amounts of trust) is not small, is not formally verified, and consequently is neither correct nor secure. We conclude that it is inevitable that commodity systems software will have flawed security. Techniques have developed to allow systems to cope with potential security flaws, which we call security bug tolerance. Security bug tolerance enhances the survivability of a flawed system by post hoc dealing with the system’s security flaws. This paper presents a categorization scheme for security bug tolerance techniques, and populates it with techniques of our own and from the literature. The categorization allows the reader to analyze various techniques to discover their similarities and differences, enabling the reader to compare relatively diverse tools on their merits.