Chapter 12
Insecurity in Software
Every time I write about the impossibility of effectively protecting digital fileson a general-purpose computer, I get responses from people decrying thedeath of copyright. “How will authors and artists get paid for their work?”they ask me. Truth be told, I don’t know. I feel rather like the physicistwho just explained relativity to a group of would-be interstellar travelers,only to be asked: “How do you expect us to get to the stars, then?”I’m sorry, but I don’t know that, either.
—Bruce Schneier
So much time and so little to do! Strike that. Reverse it. Thank you.
—Willy Wonka
12.1 Introduction
In this chapter, we begin with software reverse engineering, or SRE. To fully appreciate the inherent difficulty of implementing security in software, we must look at software the way that attackers do. Serious attackers use SRE techniques to find and exploit flaws—or create new flaws—in software.
After our brief look at SRE, we’ll discuss digital rights management, or DRM, which provides a good example of the limitation of relying on software for security. DRM illustrates the impact of SRE on software-based security.
The last major topic of this chapter is software development. It was tempting to label this section “secure software development,” but truly secure software is difficult to achieve in practice. We’ll discuss methods to improve the security of software, but we’ll also see why most of the advantages lie with the bad guys. Finally, we briefly ...
