Computer Science, is it really THAT hard?

I love XKCD. It generally gets me thinking. Especially when it is related to computer science in any way, shape or form. Which is why this one got me thinking.

I think the obvious questions, both within and outside of the field, are: is it really this bad? Can we make it better?

For the first question: yes and no. Software Engineering is unique in that the raw materials are not as rigidly defined as they are in other fields of engineering. The raw materials for software are commands, written in code. That code then goes through many layers before it finally reaches the CPU (or GPU, or whatever might handle the instructions). If you could write directly in binary and feed that directly to the CPU you could bypass a lot, but not everything. Each generation of CPU is different, and yet they attempt to run the same code.

By contrast, if I'm building a bridge, I choose specific materials based on physical properties. I may not know the EXACT properties, but I can know within a range of values how each piece will react. Beyond that, I'm building my bridge in a specific place, with specific restrictions.

If bridge building were like software, you wouldn't actually build a bridge. You would provide commands for how to build a bridge. Then, people would use those same designs with all different materials, in all different environments, and all different restrictions. All of a sudden, all confidence in the field of bridge building would explode.

A bridge designed with a certain grade of steel in mind might collapse under its own weight if plastics are used. It would be too big for some crossings and too small for others. Some variants might support a max load of 200 cars, others might support just 10 or even none.

The engineers could publish a list of expected materials and tolerances. But, if they aren't adhered to, it is all for naught.

This is what writing software is like. We have some controls. But there is also much more freedom. And depending on choices made, there may be whole areas totally out of our control. If I write software for Windows, it may be executed on thousands to tens of thousands of computer configurations. What works in the lab may not work in the wild.

I've written code and said "well, this will be fine as long as the processor is fast enough, and any reasonable machine should be," only to have QA test on a bogged-down VM and hit an issue which shouldn't be possible in the wild.

Sometimes entire systems break down or act in unpredictable ways under certain situations.

And all of those layers it all rests upon? I don't own them. And they CAN change. Sometimes by the people who manage them, and sometimes maliciously.

If this were a bridge, it would be like waking up one day to find the tensile strength of steel had changed overnight. Or a hacker group had remotely removed 20% of the support structure because your welds weren't reinforced with 256-bit encryption.

Any time you write software and sell it, it is like building a bridge that needs to be usable anywhere and which may be attacked by malicious forces remotely.

So yes, the sorts of fears the article jokes about are totally real. But is it really a sign that Computer Science is not engineering or not doing enough? That is a harder one to answer.

Computers have been about freedoms. The freedom to run the applications on the hardware you want, when you want, where you want. The internet exacerbates many problems. We communicate over known protocols, which means in many ways our systems behave in a known fashion. This leads to a lot of exploits which can be carried off against numerous targets at once, many times with little to no cost, from anywhere in the world.

If I want to compromise a bridge? I have to physically be there (or someone or something else does). I also need to attack it physically. It is also a lot harder to misuse a bridge. And they aren't designed to be used anywhere or under any conditions other than the one they are serving.

If I build software that runs on only one exact machine, and I permit it to be run only under very specific conditions, all of a sudden Software Engineering gets a lot closer to, if not exceeds, traditional engineering forms. It simply isn't how software is managed in the real world.
