{"title":"Using Contracts to Improve Security through Responsibility Bifurcation","authors":"Sam Hays, Jules White","doi":"10.1145/3571697.3571699","DOIUrl":null,"url":null,"abstract":"As software development has shifted into a “getting to market quickly\"[4] philosophy by embracing fast iteration[2] paradigms offered by such practices as “agile\", ensuring strong security and verifiability characteristics has become increasingly difficult. One major contributing factor is the tension between getting to market and satisfying the internal quality requirements of the engineering team (often resulting in software released “too soon” from the perspective of the engineers). This paper describes a software development workflow whereby security and verifiability can be wholly or partially offloaded to a contract to be written by security experts on, or partnering with, the development team and associated enforcement library. This contract can be used to reason about certain properties of the software externally from the running software itself and to enforce a subset of its capabilities at runtime, thus ensuring that at the injection points, the software will behave in a predictable and modelable manner.","PeriodicalId":400139,"journal":{"name":"Proceedings of the 2022 European Symposium on Software Engineering","volume":"10 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-10-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2022 European Symposium on Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3571697.3571699","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
As software development has shifted into a “getting to market quickly”[4] philosophy by embracing fast iteration[2] paradigms offered by such practices as “agile”, ensuring strong security and verifiability characteristics has become increasingly difficult. One major contributing factor is the tension between getting to market and satisfying the internal quality requirements of the engineering team (often resulting in software released “too soon” from the perspective of the engineers). This paper describes a software development workflow whereby security and verifiability can be wholly or partially offloaded to a contract to be written by security experts on, or partnering with, the development team and associated enforcement library. This contract can be used to reason about certain properties of the software externally from the running software itself and to enforce a subset of its capabilities at runtime, thus ensuring that at the injection points, the software will behave in a predictable and modelable manner.