Presentation is loading. Please wait.

Presentation is loading. Please wait.

Summary of the NSF/IARPA/NSA Workshop on the Science of Security David Evans University of Virginia INFOSEC Research Council 16 July 2009.

Published byJeffrey Bailey Modified over 9 years ago

Similar presentations

Presentation on theme: "Summary of the NSF/IARPA/NSA Workshop on the Science of Security David Evans University of Virginia INFOSEC Research Council 16 July 2009."— Presentation transcript:

1 Summary of the NSF/IARPA/NSA Workshop on the Science of Security David Evans University of Virginia INFOSEC Research Council 16 July 2009

2 Outline Workshop description, participants, format Summary of prevailing consensus Highlight some key ideas What next?

3 Workshop Stated Goals: Identify scientific questions regarding computer security Stimulate new work toward defining and answering those questions. Encourage work that goes beyond ad hoc point solutions and informal security arguments to discover foundational scientific laws for reasoning about and designing secure computing systems. 2-day workshop in Berkeley, CA (Nov 2008) Premise: need new ideas from outside traditional infosec research community

4 44 Participants David Bray, IDA Fred Chang, U. of Texas/NSA Byron Cook, MSR/Cambridge Son Dao, HRL Laboratories Anupam Datta, CMU John Doyle, Caltech Anthony Ephremides, UMd David Evans (organizer), UVa Manfai Fong, IARPA Stephanie Forrest, UNM John Frink, ODUSD Joshua Guttman, MITRE Robert Herklotz, AFOSR Alfred Hero, U. of Michigan Sampath Kannan, NSF Steven King, ODUSD Carl Landwehr, IARPA Greg Larsen, IDA Karl Levitt (organizer), NSF Brad Martin (organizer), NSA John Mallery, MIT CSAIL Roy Maxion, CMU Robert Meushaw, NSA John Mitchell, Stanford Pierre Moulin, U. Illinois Timothy Murphy, IARPA Dusko Pavlovic, Kestrel/Oxford Nick Petroni, IDA Lisa Porter, IARPA Michael Reiter, UNC Phillip Rogaway, UC Davis John Rushby, SRI Stuart Russell, UC Berkeley Fred Schneider, Cornell Jim Silk (organizer), IDA Dawn Song, UC Berkeley Pieter Swart, Los Alamos NL Vicraj Thomas, BBN/GENI Hal Varian, Berkeley/Google Cliff Wang, ARO Rebecca Wright, Rutgers Shouhuai Xu, UT San Antonio Ty Znati, NSF Lenore Zuck, NSF

5 Participant Affiliation David Bray, IDA Fred Chang, U. of Texas/NSA Byron Cook, MSR/Cambridge Son Dao, HRL Laboratories Anupam Datta, CMU John Doyle, Caltech Anthony Ephremides, UMd David Evans (organizer), UVa Manfai Fong, IARPA Stephanie Forrest, UNM John Frink, ODUSD Joshua Guttman, MITRE Robert Herklotz, AFOSR Alfred Hero, U. of Michigan Sampath Kannan, NSF Steven King, ODUSD Carl Landwehr, IARPA Greg Larsen, IDA Karl Levitt (organizer), NSF Brad Martin (organizer), NSA John Mallery, MIT CSAIL Roy Maxion, CMU Robert Meushaw, NSA John Mitchell, Stanford Pierre Moulin, U. Illinois Timothy Murphy, IARPA Dusko Pavlovic, Kestrel/Oxford Nick Petroni, IDA Lisa Porter, IARPA Michael Reiter, UNC Phillip Rogaway, UC Davis John Rushby, SRI Stuart Russell, UC Berkeley Fred Schneider, Cornell Jim Silk (organizer), IDA Dawn Song, UC Berkeley Pieter Swart, Los Alamos NL Vicraj Thomas, BBN/GENI Hal Varian, Berkeley/Google Cliff Wang, ARO Rebecca Wright, Rutgers Shouhuai Xu, UT San Antonio Ty Znati, NSF Lenore Zuck, NSF 14 Government 9Governmentish 21 Academia

6 Participant Background David Bray, IDA Fred Chang, U. of Texas/NSA Byron Cook, MSR/Cambridge Son Dao, HRL Laboratories Anupam Datta, CMU John Doyle, Caltech Anthony Ephremides, UMd David Evans (organizer), UVa Manfai Fong, IARPA Stephanie Forrest, UNM John Frink, ODUSD Joshua Guttman, MITRE Robert Herklotz, AFOSR Alfred Hero, U. of Michigan Sampath Kannan, NSF Steven King, ODUSD Carl Landwehr, IARPA Greg Larsen, IDA Karl Levitt (organizer), NSF Brad Martin (organizer), NSA John Mallery, MIT CSAIL Roy Maxion, CMU Robert Meushaw, NSA John Mitchell, Stanford Pierre Moulin, U. Illinois Timothy Murphy, IARPA Dusko Pavlovic, Kestrel/Oxford Nick Petroni, IDA Lisa Porter, IARPA Michael Reiter, UNC Phillip Rogaway, UC Davis John Rushby, SRI Stuart Russell, UC Berkeley Fred Schneider, Cornell Jim Silk (organizer), IDA Dawn Song, UC Berkeley Pieter Swart, Los Alamos NL Vicraj Thomas, BBN/GENI Hal Varian, Berkeley/Google Cliff Wang, ARO Rebecca Wright, Rutgers Shouhuai Xu, UT San Antonio Ty Znati, NSF Lenore Zuck, NSF Traditional Infosec Researchers Computer Scientists Outside Area

7 Format 2 days Keynotes: Fred Schneider, Frederick Chang Panels: – What is a science of security? – What can we learn from other fields? – How can we reason about impossible things? – Are scientific experiments in security possible? Breakout groups on various topics including: – Metrics, provable security, managing complexity, composition, experimentation

8 Philosophical Questions (Usually Not Worth Discussing) Is there science in computer system security? Yes, but of course there should be more.

9 Meaning of “Science” Systematization of Knowledge – Ad hoc point solutions vs. general understanding – Repeating failures of the past with each new platform, type of vulnerability Scientific Method – Process of hypothesis testing and experiments – Building abstractions and models, theorems Universal Laws – Widely applicable – Make strong, quantitative predictions

10 Realistic Goal Can we be a science like physics or chemistry? Unlikely – humans will always be a factor in security. How far can we get without modeling humans? How far can we get with simple models of human capabilities and behavior? Workshop charge: avoid human behavior issues as much as possible.

11 Alchemy (700-~1660) Well-defined, testable goal (turn lead into gold) Established theory (four elements: earth, fire, water, air) Methodical experiments and lab techniques (Jabir ibn Hayyan in 8 th century) Wrong and unsuccessful...but led to modern chemistry.

12 Questions for a Science of Security Resilience: Given a system P and an attack class A, is there a way to: – Prove that P is not vulnerable to any attack in A ? – Construct a system P' that behaves similarly to P except is not vulnerable to any attack in A ? How can we determine if a system A is more secure than system f(A) (where f is some function that transforms an input program or system definition)?

13 Metrics Scientific understanding requires quantification For most interesting security properties, not clear what to measure or how to measure it Comparative metrics may be more useful/feasible than absolute metrics: – How can we quantify the security of two systems A and B in a way that establishes which is more secure for a given context? – Quantify the security of a system A and a system f(A) (where f is some function that transforms an input program or system definition)?

14 Metrics: Promising Approaches Experimental metrics: more systematic “red team” approaches (hard to account for attacker creativity) Economic metrics: active research community Epidemiological metrics: good at modeling spread over network, but need assumptions about vulnerabilities Computational complexity metrics: define attacker search space (promising for automated diversity)

15 Formal Methods and Security Lots of progress in reasoning about correctness properties – Byron Cook: reasoning about termination and liveness Systems fail when attackers find ways to violate assumptions used in proof – Need formal methods that make assumptions explicit in a useful way – Combining formal methods with enforcement mechanisms that enforce assumption

16 Formal Methods Questions Refinement: Can we use refinement approaches (design →... → implementation) that preserve security properties the way they are used to preserve correctness properties now? Program analysis: What security properties can be established by dynamic and static analysis? How can computability limits be overcome using hybrid analysis, system architectures, or restricted programming languages?

17 Experimentation Security experiments require adversary models Need to improve adversary models – Coalesce knowledge of real adversaries – Canonical attacker models (c.f., crypto) Design for reproducibility Roy Maxion later today

18 Some Highlights Caveat: I won’t do justice to these ideas...but (almost) all the presentation materials are here: http://sos.cs.virginia.edu/agenda.html

19 Towards Scientific Defenses Target for 2015: “Defense class D enforces policy class P when facing attacks from class A.” Defining classes of policies: – System behavior: infinite trace of states (or events) t = s 0 s 1 s 2... s i... – System property: set of traces P = { t | pred(t) } – A system S satisfies property P if S  P Due to Fred Schneider Formal way to reason about what system properties different mechanisms can enforce

20 Example: Execution Monitoring Ideal reference monitor: sees all policy-relevant events, cannot be circumvented, can block execution immediately EM-enforceable policies  Safety Properties Implementation approaches: – Inlined reference monitor (SASI, Naccio) – Proof-carrying code: prove the automaton necessary to enforce policy is correctly embedded in program – Combine approaches for improved performance and small TCB Due to Fred Schneider

21 Limitations of Execution Monitoring Liveness properties: something good eventually happens – Requires reasoning about all possible future paths Non-interference: low-level users get same outputs regardless of high-level actions – Requires reasoning about all possible executions Due to Fred Schneider

22 Hyper-Properties Hyper-property: set of sets of traces System satisfies HP is set of traces it can produce is in the HP set Claim: can define all security properties as Hyper- properties Open questions: – Is there a way to enforce/verify them? – Are there restricted property classes between EM- enforceable and Hyper-properties? k -safety hyperproperties: property that can be refuted by observing ≤ k traces Clarkson & Schneider, 2008

23 Formal Methods vs. Complexity (Loosely) Due to Fred Chang Time Pessimist’s View Complexity Formal Techniques Capability Deployed Systems 2009 2050

24 Formal Methods vs. Complexity (Loosely) Due to Fred Chang Time Optimist’s View Complexity Deployed Systems Formal Techniques Capability TCB of Deployed 2009 2050

25 Ideas from Networks and Biological Systems Bowtie architecture in: – Internet Applications – TCP/IP – Link – Power distribution Power plants – Stan – Many Devices – Biological Systems Cell Metabolism (next slide) Due to John Doyle Diverse function Diverse components Universal Control “Constraints that De-Constrain”

26 Co-factors Fatty acids Sugars Nucleotides Amino Acids Catabolism Precursors Taxis and transport Nutrients Carriers Core metabolism Huge Variety Same 12 in all cells Same 8 in all cells  100  same in all organisms John Doyle’s slide

27 Robustness/Fragility Tradeoff Systems tradeoff robustness and fragility: – Robustness for some set of permutations implies fragility for other set of permutations – Some fragilities are inevitable for complex systems Seems to hold for biological evolved systems, must it for engineered systems? Due to John Doyle Robust Fragile

28 Recap Summary Systematization of Knowledge – Ad hoc point solutions vs. general understanding – Repeating failures of the past with each new platform, type of vulnerability Scientific Method – Process of hypothesis testing and experiments – Building abstractions and models, theorems Universal Laws – Widely applicable – Make strong, quantitative predictions Valuable and achievable: need the right incentives for community Uncertainty if such laws exist; long way to go for meaningful quantification. Progress in useful models; big challenges in constructing security experiments

29 What Next?: Systematization of Knowledge IEEE Symposium on Security and Privacy (Oakland 2010): call for systematization papers “The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers will provide a high value to our community but would otherwise not be accepted because they lack novel research contributions.”

30 Discussion What next? – Metrics – Experimentation – Formal methods Challenge problems?

Download ppt "Summary of the NSF/IARPA/NSA Workshop on the Science of Security David Evans University of Virginia INFOSEC Research Council 16 July 2009."

Similar presentations

W ashington A rea T rustworthy C omputing H our

W ashington A rea T rustworthy C omputing H our
Next steps towards a Science of Security David Evans University of Virginia IARPA Visit 11 January 2010.

Next steps towards a Science of Security David Evans University of Virginia IARPA Visit 11 January 2010.
Design of Experiments Lecture I

Design of Experiments Lecture I
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
GENI: Global Environment for Networking Innovations Larry Landweber Senior Advisor NSF:CISE Joint Techs Madison, WI July 17, 2006.

GENI: Global Environment for Networking Innovations Larry Landweber Senior Advisor NSF:CISE Joint Techs Madison, WI July 17, 2006.
Jenkins — Modular Perception and Control Brown Computer — ROUGH DRAFT (05.19.2005) 1 Workshop Introduction: Modular Perception.

Jenkins — Modular Perception and Control Brown Computer — ROUGH DRAFT ( ) 1 Workshop Introduction: Modular Perception.
Cryptography and Data Security: Long-Term Challenges Burt Kaliski, RSA Security Northeastern University CCIS Mini Symposium on Information Security November.

Cryptography and Data Security: Long-Term Challenges Burt Kaliski, RSA Security Northeastern University CCIS Mini Symposium on Information Security November.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.

Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
Scientific method - 1 Scientific method is a body of techniques for investigating phenomena and acquiring new knowledge, as well as for correcting and.

Scientific method - 1 Scientific method is a body of techniques for investigating phenomena and acquiring new knowledge, as well as for correcting and.
What has been will be again, what has been done will be done again; there is nothing new under the sun. Ecclesiastes 1:9 NOT.

What has been will be again, what has been done will be done again; there is nothing new under the sun. Ecclesiastes 1:9 NOT.
Control of Personal Information in a Networked World Rebecca Wright Boaz Barak Jim Aspnes Avi Wigderson Sanjeev Arora David Goodman Joan Feigenbaum ToNC.

Control of Personal Information in a Networked World Rebecca Wright Boaz Barak Jim Aspnes Avi Wigderson Sanjeev Arora David Goodman Joan Feigenbaum ToNC.
The Road to a Good Science Project Dr. Michael H. W. Lam Department of Biology & Chemistry City University of Hong Kong Hong Kong Student Science Project.

The Road to a Good Science Project Dr. Michael H. W. Lam Department of Biology & Chemistry City University of Hong Kong Hong Kong Student Science Project.
The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.

The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.
Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.

Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.
Foundations of Educating Healthcare Providers

Foundations of Educating Healthcare Providers
Unit 2: Engineering Design Process

Unit 2: Engineering Design Process
Ciarán O’Leary Wednesday, 23 rd September 2009. Ciarán O’Leary School of Computing, Dublin Institute of Technology, Kevin St Research Interests Distributed.

Ciarán O’Leary Wednesday, 23 rd September Ciarán O’Leary School of Computing, Dublin Institute of Technology, Kevin St Research Interests Distributed.
Biology—the science of life  Study the origins and history of life and once-living things  Study the structures of living things Chapter 1 The Study.

Biology—the science of life  Study the origins and history of life and once-living things  Study the structures of living things Chapter 1 The Study.

Similar presentations

Ads by Google