I will not introduce myself as an expert of security research. Actually, I will never like to say myself as an expert (maybe at most professional) on any field. Every research field is expanding every year, little or more (does not matter), it is not possible to say anyone to expert on that field. I consider myself as an advanced software and security researcher, so a professional on this field would be an inspire to me (with his/her dedication and deep thoughts for the field). The year 2018 is a disappointment to me. People who could be great inspiration for newbie like me (I was before 2018) have completely failed to show their impartial view and encouragement to move forward the field. Hence, we are still asking same question in this 2019 that why we cannot prevent decades old security issues yet. We have failed to resolve old issues when we are continuously facing advanced issues (e.g. online fake news propagation because of latest machine learning technology). This is very frustrating but at the same time it should be also encouragement to newbie and advanced level researcher to row against the tide (the negative view). I hope this new generation of security researcher will realize how it is important to resolve the issue in practical than daydreaming over theoretical talks. I hope it because this generation sees how badly the negligence of professional research impact today. Our everyday starts with a doubt about whatever we see, listen and read in online. A current trend is moving to cut off people from the virtual world. This is equally dangerous for human race and a disgrace for us. We cannot let it happen, people have to be connected the way they are now but without any fear of being exiled. I can ensure that our professionals may change their views, but they cannot contribute; so it is all upon us. I like to follow up few points from my observation:
- The technology moving a lot faster than ensuring its stability. We are aiming to travel space while we have not yet ensured driver-less vehicle system. We should not slow down our evolution, but more people have to be focused on ensuring the stability of the system. Every year, maybe 5% of graduate student choose to research on security research. It is not because the field does not have fund but because the prospective people see it as a hard job than other research. I don’t know how to relate more people in this field because their consideration is fair, it is a challenging field to work. Maybe other fields have to impose strictness on their research. As an example, machine learning research should have to be passed 90% security guarantee in practical. This way it will both reduce the pressure on security and equal the challenge bar for every field.
- Traditionally, security researchers have to consider both performance and scalability of their system to implement in practice. I believe this is not the right order to follow. First of all, the implementation has to be 100% correct. The implementation can have 90% security guarantee due to the complex system that they will work on. By this, I mean, a system can have limitation but the part is cover should be 100% correct. It is always possible to overcome limitations but when a system grows up, it is not anymore possible to correct it. Performance should be the third factor to consider. I acknowledge that if a security feature causes 100% performance overhead, it is useless. But if it causes 50% overhead, after 5 years this will be only 20% because of the advancement of computation machinery. So, let accept the system and move forward with it. Only by this strategy, we may avoid questions like why decade-old issues are still around us. Overall, it is correctness, scalability, and then performance.
- Change the view is the most urgent. We know static analysis is overapproximated means, not 100% correct. It is meaningless to stick to it. Let use it as a secondary tool, focus on more precise dynamic and symbolic analysis. These tools need to be improved considering they are the ultimate future to resolve our issues in real.
- Usually, in research, we target an issue and theoretically designed a system to prevent it. When we get into deep with the initial design, we have found more complicated design problems. Hence, sometimes, we design a subsystem that actually creates another issue, stupidly even the issue we are trying to resolve. If you try to provide a security guarantee to indirect jumps and have a design in your minds but have found a technical design problem, don’t design a sub-system that creates more indirect jumps when you cannot ensure 100% code coverage. This is complete stupidity. If you cannot see a way out, kill your idea and move forward with another.
- In security research, we all see two division: academic and hacker. This division is extremely visible (they even attend the different conference of their own). Both sides of researchers are responsible for this situation. This tradition needs to be changed. The blame game is not good for humanity. Both sides have to fix their shortcomings and move forward together. The academic researcher should be impartial whatever their representative institution is. Hacker have to be passionate because a system can only suvive through years of dedication.