Do yourself a FAVAR: security mindset

post by lemonhope (lcmgcd) · 2022-06-18T02:08:47.415Z · LW · GW · 2 comments

Contents

  More examples
    See also
None
2 comments

(We're always in search of a concise and actionable way to communicate security mindset. Here's my attempt.)

Just as a sprocket you don't use never fails and code you don't write has no bugs, an input constraint you don't require is never violated.

Want a secure system? Then DO yourself a FAVAR:

Let's take this transferMoney procedure in a token program or an online bank as a case study:

transferMoney(fromId, fromSig, amount, destId):
	if amount < 0: return
	if not validate(fromId, fromSig): return
	curBal := db.get(fromId)
	if curBal < amount: return
	db.set(fromId, curBal - amount)
	db.set(destId, db.get(destId) + amount)
transferMoneyBetter(fromId, fromSig, amount, destId):
	if amount < 0: return
	if not validate(fromId, fromSig): return
	with db.transaction as tx:
		curBal := tx.get(fromId)
		if (curBal < amount): return
		db.set(fromId, safeSub(curBal, amount))
		db.set(destId, safeAdd(db.get(destId), amount))

Now the system can tolerate untrusted input, a database connection that fails, simultaneous calls to transfer, etc. We reduced complexity instead of increasing it.

When we're trying to make safe AI, it is so so much higher impact to remove an assumption than to add a check or balance.

The hardest parts are finding and removing assumptions, so the full message is "DO yourself a FAVAR, FR!"

More examples

See also

2 comments

Comments sorted by top scores.

comment by mruwnik · 2022-06-18T20:17:57.147Z · LW(p) · GW(p)

A couple of nits:

  • the second-to-last line throwing an error can be fine, as long as it happens before the data is written to the database. More worrying would be if the last line caused an error, as that's more likely to corrupt the data
  • the transaction hides the complexity, rather than removes it - the transaction adds some potential failure modes, even if it's a net lowering of the total complexity
  • a transaction might not protect from overflows - it will depend a lot on the actual implementations

That being said, this is a good example of a real problem with a real solution, explaining an important concept - nice!

Replies from: lcmgcd
comment by lemonhope (lcmgcd) · 2022-06-21T06:53:10.473Z · LW(p) · GW(p)

Thanks for the nits, cuz this kind of thing is all about nits! Agree with the first two, re your third one, it's safeSub and safeAdd that would protect from overflows. Like the transaction, they're more complex in the sense that their implementation is probably slower and more code, but simpler in the sense that they have a less constrained "safe space of operation". (I am in search of a better term for that.)