Unifying Disparate Tools in Software Security

摘要

How much can you trust software? When you install a piece of code, such as a video game or a device driver for a new camera, how can you be sure the code won't delete all of your files or install a key-stroke logger that captures your passwords? How can you ensure that the software doesn't contain coding bugs or logic errors that might leave a security hole?rnTraditional approaches to software security have assumed that users could easily determine when they were installing code and whether or not software was trustworthy in a particular context. This assumption was reasonable when computers controlled few things of real value, when only a small number of people (typically experts) installed software, and when the software itself was relatively small and simple. But the security landscape has changed drastically with advances in technology (e.g., the explosive growth of the Internet, the increasing size and complexity of software) and new business practices (e.g., outsourcing and the development of open-source architecture). Furthermore, the more we rely on software to control critical systems, from phones and airplanes to banks and armies, the more desperately we need mechanisms to ensure that software is truly trustworthy.