Thomas Dullien, Optimyze: Security, Moore's Law, and the anomaly of cheap complexity
It is fashionable to speak about a "digital transformation", but what are the factors that drive this transformation? One is Moore's law, the clockwork-like regularity with which transistors are shrunk further and further; the other is universal computing. Universal computing implies (among other things) that one can easily specialize an existing complicated device (a CPU) to simulate a much simpler device. Moore's law means one can build an ever more complicated device ever more cheaply. Together, both factors have led to an exponential increase in complexity, which is generally regarded as bad for security: it is often cheaper to use a very complicated device to simulate a simple device than to build the simple device, and the code to simulate this simple device needs to be written only once and can be re-used at essentially zero cost. Adding more software complexity does not affect unit costs, but it does add to the security burden.
This keynote discusses how these two underlying factors drive many of the problems in security:
The takeaway will be a better understanding of the magnitude of the complexity we are facing, of how the same factors that drive digitization drive this complexity, and of how much of security is a (somewhat desperate) attempt to contain complexity.
Thomas Dullien is a security researcher and ex-entrepreneur well known for his contributions to the theory and practice of vulnerability development and software reverse engineering. While studying for his MSc in mathematics, his research on graph-based code similarity won the Horst-Goertz Prize in 2006, then Germany's biggest privately financed research prize in the natural sciences. He commercialized this research in a company called zynamics, which was acquired by Google, leading him to abandon his PhD studies. He has worked on topics ranging from the very practical (turning security patches into attacks) and concrete (turning physics-induced DRAM bitflips into useful attacks) to the theoretical (attempting to clarify the theoretical foundations of exploitation). After 7 years at Google (5 in their threat analysis department and two years at Google Project Zero), he recently left to start a new venture focused on efficient computation in the cloud: https://optimyze.cloud
Per Thorsheim, CSO Nordic Choice Hotels
Keld Norman, Dubex