Des contraintes naît la beauté

This quote from Leonardo da Vinci “Beauty is born from constraints” was chosen by Alain Colmerauer as the motto for Prolog IV, the last iteration (for now) of the Prolog language, déveloped by Prologia in the early 1990’s.

Alain Colmerauer passed away this week. I have plenty of memories about him, starting from classes with him in Marseille, where his way to present constraint programming was as strange as it was passionate. Even before that, during my studies at Marseille’s Groupe d’Intelligence Artificielle, heavy on logic and Prolog, Alain Colmerauer was the name that made us all dream about research and fame.

Constraint programming at Prologia was intended to solve practical problems, in scheduling, optimization, and other NP-complete problems. That was fun for me, but Alain didn’t care: for him, what counted most was the beauty of the language, the ability to describe the language with the simplest theory possible. Prolog III, the first constraint language he developed, used linear programming on rational numbers, which could not solve all problems, but was mathematically exact.

In Prolog IV, we wanted to solve more general problems, and we started using intervals on less exact floating-point numbers. Alain was not enthusiastic at first, but things got better when we realized that floating-point numbers are actually rational numbers (i.e., exact numbers, not some approximation).

While I was writing my dissertation, I spent some evenings with Alain discussing potential formalizations of our constraints, and we ended up defining a notion of approximation to map a set to a smaller set of approximated values, and building something on it. I was quite proud of it, and I still am, but Alain was disappointed by the fact that the properties defining an approximation was too complex.

For me, that’s the legacy of Alain Colmerauer: even in the most complex thing, program, or language, a simple and elegant view of it is carefully hidden, and can be uncovered if you look for it carefully enough.

RIP, Alain.

Attacking IoT is really easy

A few days ago, Metasploit has announced that their famous tool is now available to car hackers, and soon for any connected object. Metasploit is a well-known tool for web apps, and extending it to objects simply makes these objects as easy to hack as web apps. Indeed, there are many aspects in common between […]

Fighting poker-winning AIs on IoT Security

Published attacks tend to repeat themselves this year, but in the last few days, there has been a few interesting events and publications, in particular: Adi Shamir has made gloomy predictions about security in the next 15 years. Bruce Schneier has published a long essay about IoT security, with a vibrant and desperate call for […]

Traffic cameras, legal rules, and accusers

A few days ago, I watched Gone Girl on TV, a story about mounting evidence against an innocent person. And then, I looked at an article about challenging a traffic camera citation (in the US). The link between the two stories is evidence, of course. Traffic camera evidence incriminates a car, not a driver. The […]

The lowest hanging card

The latest news on six second card hacking is very entertaining, and frankly, not reassuring. This thing is just as simple that it is stupid. The CVV2/CVC2 is a secret number computed by banks using a secret key, so they are validated by the issuing bank. Apparently, most (all?) of them have chosen not to […]

Resilience for Connected Objects

Attacks occur, especially on IoT. While it is very hard to avoid an attack altogether, we can minimize its consequences. The first factor to consider is the impact of an attack; there are many ways to analyze such impact, for instance from a financial or technical point of view. In a very simple analysis, we […]

IoT Security as Externality: Cluelessness, Denial, and more

Not my problem. That’s the 3-word definition of an externality: something that you don’t need to deal with, because the adverse consequences are not affecting you directly. This has been an issue for cybersecurity forever (Schneier, 2007), and it is widely known that the issue is particularly pressing with IoT (Schneier again, 2016). I have […]

Logical Attacks in the Java Card security landscape

Logical attacks on Java Card have been known for a long time, and they have also been a focus of a lot of academic research, which still continues today. Earlier this week at Cardis 2016, there have been two presentations on logical attacks. I will not discuss the details of the attacks that are being […]

SMS-based 2-factor: Good or Bad?

Wired published recently an article about how SMS-based 2-factor authentication is not good. This article is making a buzz, and an article appeared on that topic in Fortune. The basis for these articles is that SMS-based authentication is not associated to something you have (your phone), but with something you are loosely associated to (your […]

Java Card software attacks

There have been two papers at SSTIC’16 that outline the limits of bytecode verification in the context of Java Card. One of the papers, by Guillaume Bouffard and Julien Lancia, describes a bug found in Oracle’s bytecode verifier through fuzzing (yes, it’s been fixed). The second one, by Jean Dubreuil, outlines several logical and combined […]