On 21 Aug 2003, Balwinder Singh wrote: > "We do not claim that this is the only technology providing guaranteed > security, there could be (should be) more methods aiming 100% security. > EFC is just one of those methods. > This is first release. Please note that we do not claim that right from > version EFC will provide 100% security (although it can) against all > kind of attacks.Future releases will achieve higher level of security > leading to unbreakable system" This is impossible. To get 100% security by this method, you must model the program's intended behavior perfectly; but if you do that, then you are, in effect, writing a perfect reimplementation of the program, running the reimplementation alongside the original, and comparing the results of the two programs at every step. Reimplementing the program will either involve mindlessly duplicating the original code (which adds no security, as any bug will be in both versions), carefully and perfectly auditing every line of source to determine the program's intended behavior in all cases (which will find all the bugs in the original code, eliminating the need for EFC), or some mix of those (which permits bugs to appear). Using anything less than a perfect model of the program makes it possible for an attacker to take control: If EFC does not know exactly what behavior should happen at every clock tick, how does it know whether any given behavior is good or bad? By design, EFC only knows when a program uses system calls, not why, so it is an imperfect model and thus cannot know exactly which behaviors are good and which are bad. This does not make EFC a failure. It can still provide useful protection from lots of attacks. It cannot, however, provide 100% security. -- Kyle R. Hofmann <krhofman@umich.edu>
