Research in cybersecurity may seem reactive, specific, ephemeral, and indeed ineffective. Despite decades of innovation in defense, even the most critical software systems turn out to be vulnerable to attacks. Time and again. Offense and defense forever on repeat. Even provable security, meant to provide an indubitable guarantee of security, does not stop attackers from finding security flaws. As we reflect on our achievements, we are left wondering: Can security be solved once and for all? In this paper, we take a philosophical perspective and develop the first theory of cybersecurity that explains what *fundamentally* prevents us from making reliable statements about the security of a software system. We substantiate each argument by demonstrating how the corresponding challenge is routinely exploited to attack a system despite credible assurances about the absence of security flaws. To make meaningful progress in the presence of these challenges, we introduce a philosophy of cybersecurity.