LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the "abstraction dilemma" in security?

Security that holds in high-level code can break at the implementation level — e.g. a "constant-time" password compare that actually leaks the password via timing.

Design level: clean XOR logic C=M⊕K (<2V=0, >3V=1). Implementation level: the analog output voltage is unique per input (0/0→0.5V, 1/0→4V, 0/1→4.5V, 1/1→1V), leaking message and key.

* Abstraction dilemma — logic that looks clean at the design level leaks both message and key at the implementation level, because the analog output voltage is unique to each input combination. *

The abstraction dilemma: security properties proven at one abstraction level may not hold at lower levels, because of implementation details.

Example — Timing attack on password comparison:

Level Security
High-level code if (userPassword == storedPassword) looks constant-time — just a simple comparison
Implementation reality Most string comparisons stop at the first mismatch. Attacker measures response time: wrong first character = instant rejection (1μs), correct first character but wrong second = slightly longer (2μs). This leaks the password character by character

Lessons:

  1. Theoretical security ≠ practical security
  2. Side channels (timing, power, electromagnetic) can leak information
  3. Abstractions hide details — High-level operations may have unsafe low-level behavior
  4. Defense in depth — Use constant-time comparison functions (e.g., hash_equals() in PHP)

Real-world security requires testing actual implementations, not just verifying algorithms.

From Quiz: SPRG / Secure Programming Introduction | Updated: Jul 14, 2026