Tuesday, August 12, 2008

Tony Hoare's revenge

C.A.R. Hoare ("Tony" to his friends and to random upstart bloggers) has had many worthy things to say about computing. One that sticks in my mind most is this:
I conclude that there are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.
(This is taken from Hoare's ACM Turing award lecture The Emperor's Old Clothes. The same sentiment can occasionally be seen floating around the net in somewhat simpler form; I'd like to think Hoare would appreciate the simpler formulations.)

Two of the more spectacular exploits at the latest Black Hat conference prove the point, in a way. The exploits involve DNS and routing. Now on the one hand, DNS and routing are not monsters. The same basic standards have been in use for decades now (with updates from time to time) and have scaled from the early internet to the sprawling virtual metropolis we know today. The concepts behind them are well-established. Implementations abound. All of these are a good sign that something has been done right.

So really, the designs are remarkably good, particularly considering the vast changes that have come to pass over the past two decades or so -- changes that those standards had a major role in effecting. The problem is that the systems that DNS and routing give rise to, what you get when you actually deploy them on thousands or millions of hosts and pump zillions of packets through them, under the administration of any number of entities, are beyond ferociously complex.

Which brings us back to Hoare's observation. The recent exploits are not ferociously complex. From what I understand, they are rather elegant. I would call them "neat hacks" but for the horrible confusion that comes from using "hack" in its earlier sense, particularly in this context. They do, however, take advantage of systems that have grown far beyond anyone's easy control. From this point of view, the concern is not so much the exploits themselves, but the difficulty of patching the live internet to counter them.

1 comment:

David Hull said...

Note to self: what sort of shape are DNS and routing in these days, from a security point of view? Clearly they're doing their main job ok. The occasional major outage notwithstanding.