

How Do you Get from Theoretical Physics to Information Security?

Hi, Andreas Fuchsberger here... and no, this is not a new Seinfeld commercial!

The much anticipated and televised switch-on of the Large Hadron Collider (LHC) at CERN made me realise again how little we know about life and how much there is still for humanity to explore. It also led me to make a connection between theoretical physics via aerospace engineering and Information Security/secure coding.

So how did I make the connection between Theoretical Physics and Information Security? Well, while reading some of the articles on the LHC on the BBC News website I came across an interview with Prof. Stephen Hawking in which he reveals he has a bet that the LHC will not find the Higgs boson - the most highly sought-after particle in physics. But he did say "the most exciting result would be something we don't expect". Prof. Hawking is famous for his bets; in his first popular book, published in 1988, “A Brief History of Time”, which became a popular bestseller in the UK, he explains a bet known as the Thorne–Hawking–Preskill bet. Thinking of Prof. Hawking led me to another book he edited, “God Created the Integers: The Mathematical Breakthroughs That Changed History”, and reading integers in the title led me to Information Security and secure coding.

How can improper use of integers cause software to fail? Consider the following simple code example:

 int i = 1;
 while (i > 0)
 {
   i = i * 2;
 }

At first glance this should be an endless loop, but is it? In fact the loop terminates because the integer overflow causes i to become negative; in (some versions of) C there is no exception, no crash, the code just keeps running.

None of this is new, of course; Michael Howard talks about this in Writing Secure Code, Second Edition, pp. 620-624, and in many of his blog posts. Integer overflows are caused by the mismatch between the mathematical conception of integers and their actual implementation in computers.

Just to show how serious the incorrect usage can be, remember Ariane 5 Flight 501, which took place on 4th June 1996 and was the first, and unsuccessful, test flight of the European Ariane 5. The breakup caused the loss of the payload, resulting in a loss of more than US$370 million. The official report found the error to be an exception due to a conversion from a 64-bit floating-point number to a 16-bit signed integer, which should only have been applied to a number less than 2^15. There was no explicit exception handler to catch the exception, so it followed the usual fate of uncaught exceptions and crashed the entire software, hence the on-board computers, hence the mission.
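As an added example (not code from the original post or from Writing Secure Code), the C sketch below covers both cases discussed above: the doubling loop stopped before the multiplication can overflow, and a range-checked conversion from a 64-bit float to a 16-bit signed integer. Signed overflow is undefined behaviour in standard C, so the check has to come before the operation; the function names and sample values are assumptions made for this illustration.

```c
#include <limits.h>
#include <math.h>      /* NAN macro only; no libm functions are called */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The post's doubling loop, stopped before i * 2 can overflow.
   Returns the last value reached; *steps receives the doubling count. */
static int last_safe_doubling(int *steps)
{
    int i = 1;
    *steps = 0;
    while (i <= INT_MAX / 2) {      /* guarantees i * 2 still fits in an int */
        i = i * 2;
        (*steps)++;
    }
    return i;
}

/* Range-checked conversion from a 64-bit float to a 16-bit signed integer.
   Returns false and leaves *out untouched when v cannot be represented. */
static bool double_to_int16(double v, int16_t *out)
{
    /* Values strictly between -32769 and 32768 truncate into the int16_t
       range. NaN fails both comparisons, so it is rejected as well. */
    if (!(v > -32769.0 && v < 32768.0))
        return false;
    *out = (int16_t)v;              /* conversion truncates toward zero */
    return true;
}

int main(void)
{
    int steps;
    int last = last_safe_doubling(&steps);
    printf("stopped after %d doublings at %d\n", steps, last);

    /* Constructed sample inputs, not values from the flight report. */
    const double samples[] = { 32767.0, 32768.0, -32768.9, 1e9, NAN };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int16_t r;
        if (double_to_int16(samples[k], &r))
            printf("%g -> %d\n", samples[k], r);
        else
            printf("%g rejected: does not fit in 16 bits\n", samples[k]);
    }
    return 0;
}
```

The caller decides what a rejected value means (saturate, log, or fail safe), rather than leaving the outcome to an unhandled exception or a silent wraparound.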

So we have gone full circle from theoretical physics to Information Security and secure coding via aerospace engineering, which ultimately depends on theoretical physics.
