[ISN] Survival in an Insecure World

From: InfoSec News (isnat_private)
Date: Wed Apr 17 2002 - 00:24:53 PDT


    To defeat cyberterrorists, computer systems must be designed to work 
    around sabotage. David A. Fisher's new programming language will help 
    do just that

    As one of the primary lines of defense against hackers, 
    cyberterrorists and other online malefactors, the CERT Coordination 
    Center at Carnegie Mellon University is a natural target. So like many 
    high-profile organizations, it beefed up its security measures after 
    September's audacious terrorist attacks. Before I can enter the glass 
    and steel building, I have to state my business to an intercom and 
    smile for the camera at the front door. Then I must sign my name in 
    front of two uniformed guards and wait for an escort who can swipe her 
    scan card through a reader (surveilled by another camera) to admit me 
    to the "classified" area. But these barriers--just like the patting 
    down I endured at the airport and like the series of passwords I must 
    type to boot up my laptop--create more of an illusion of security than 
    actual security. In an open society, after all, perfect security is an 
    impossible dream.
    That is particularly true of computer systems, which are rapidly 
    growing more complicated, interdependent, indispensable--and easier to 
    hack. The tapestries of machines that control transportation, banking, 
    the power grid and virtually anything connected to the Internet are 
    all unbounded systems, observes CERT researcher David A. Fisher: "No 
    one, not even the owner, has complete and precise knowledge of the 
    topology or state of the system. Central control is nonexistent or 
    Those characteristics frustrate computer scientists' attempts to 
    figure out how well critical infrastructures will stand up under 
    attack. "There is no formal understanding yet of unbounded systems," 
    Fisher says, and that seems to bother him. In his 40-year career, 
    Fisher has championed a rigorous approach to computing. He began 
    studying computer science when it was still called mathematics, and he 
    played a central role in the creation of Ada, an advanced computer 
    language created in the 1970s by the Department of Defense to replace 
    a babel of less disciplined programming dialects.
    In the 1980s Fisher founded a start-up firm that sold software 
    components, one of the first companies that tried to make 
    "interchangeable parts" that could dramatically speed up the 
    development process. In the early 1990s he led an effort by the 
    National Institute of Standards and Technology (NIST) to push the 
    software industry to work more like the computer hardware market, in 
    which many competing firms make standard parts that can be combined 
    into myriad products. 
    Fisher's quest to bring order to chaotic systems has often met 
    resistance. The Pentagon instructed all its programmers to use Ada, 
    but defense contractors balked. His start-up foundered for lack of 
    venture capital. A hostile Congress thwarted his advanced technology 
    program at NIST. But by 1995, the year that Fisher joined CERT, 
    security experts were beginning to realize, as CERT director Richard 
    D. Pethia puts it, that "our traditional security techniques just 
    won't hold up much longer."
    The organization was founded as the Computer Emergency Response Team 
    in 1988, after a Cornell University graduate student released a 
    self-propagating worm that took down a sizable fraction of the 
    Internet. There are now more than 100 such response teams worldwide; 
    the CERT center at Carnegie Mellon helps to coordinate the global 
    defense against what Pethia calls "high-impact incidents: attacks such 
    as the recent Nimda and Code Red worms that touch hundreds of 
    thousands of sites, attacks against the Internet infrastructure 
    itself, and any other computer attacks that might threaten lives or 
    compromise national defense."
    But each year the number of incidents roughly doubles, the 
    sophistication of attacks grows and the defenders fall a little 
    further behind. So although CERT still scrambles its team of crack 
    counterhackers in response to large-scale assaults, most of its 
    funding (about half of it from the DOD) now goes to research.
    For Fisher, the most pressing question is how to design systems that, 
    although they are unbounded and thus inherently insecure, have 
    "survivability." That means that even if they are damaged, they will 
    still manage to fulfill their central function--sometimes sacrificing 
    components, if necessary. Researchers don't yet know how to build such 
    resilient computer systems, but Fisher's group released a new 
    programming language in February that may help considerably.
    Fisher decided a new language was necessary when he started studying 
    the mathematics of the cascade effects that dominate unbounded 
    systems. A mouse click is passed to a modem that fillips a router that 
    talks to a Web server that instructs a warehouse robot to fetch a book 
    that is shipped out the same day. Or a tree branch takes down a power 
    line, which overloads a transformer, which knocks out a substation, 
    and within hours the lights go out in six states.
    Engineers generally know what mission a system must perform. The power 
    grid, for example, should keep delivering 110 volts at 60 hertz. "The 
    question is: What simple rules should each node in the power grid 
    follow to ensure that that happens despite equipment failures, natural 
    disasters and deliberate attacks?" Fisher asks. He calls such rules 
    "emergent algorithms" because amazingly sophisticated behavior (such 
    as the construction of an anthill) can emerge from a simple program 
    executed by lots of autonomous actors (such as thousands of ants).
    Fisher and his colleagues realized that they could never accurately 
    answer their question using conventional computer languages, "because 
    they compel you to give complete and precise descriptions. But we 
    don't have complete information about the power grid--or any unbounded 
    system," Fisher points out. So they created a radically new 
    programming language called Easel.
    "Easel allows us to simulate unbounded systems even when given 
    incomplete information about their state," Fisher says. "So I can 
    write programs that help control the power grid or help prevent 
    distributed denial of service attacks" such as those that knocked out 
    the CNN and Yahoo! Web sites a few years ago.
    Because it uses a different kind of logic than previous programming 
    languages, Easel makes it easier to do abstract reasoning. 
    "Computation has traditionally been a commerce in proper nouns: Fido, 
    Spot, Rex," Fisher notes. "Easel is a commerce in common nouns: dog, 
    not Fido." This difference flips programs upside down. In standard 
    languages, a program would include only those attributes of dogs that 
    the programmer judges are important. "The logic of the programming 
    language then adds the assumption that all other properties of dogs 
    are unimportant. That allows you to run any virtual experiment about 
    dogs, but it also produces wrong answers," Fisher says. This is why 
    computer models about the real world must always be tested against 
    In Easel, Fisher says, "you enumerate only those properties of dogs 
    about which you are certain. They have four legs, have two eyes, range 
    from six inches high to four feet high. But you don't specify how the 
    computer must represent any particular dog. This guarantees that the 
    simulation will not produce a wrong answer. The trade-off is that 
    sometimes the system will respond, 'I don't have enough information to 
    answer that question.' "
    Easel makes it easier to predict how a new cyberpathogen or software 
    bug might cripple a system. CERT researcher Timothy J. Shimeall 
    recently wrote a 250-line Easel program that models Internet attacks 
    of the style of the Code Red worm, for example. That model could 
    easily be added to another that simulates a large corporate network, 
    to test strategies for stopping the worm from replicating.
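The kind of containment experiment described above, as an added Python example that is not Shimeall's 250-line Easel program nor any CERT code: an abstract susceptible/infected model of a scan-and-infect worm over a constructed random host network, used to compare two defensive strategies, patching a fraction of hosts and capping how many neighbours each host may contact per step. The network, host count, function names and strategy parameters are all assumptions.

```python
import random


def build_network(n_hosts, degree, seed=0):
    """Constructed host network (an assumption, not a real topology): each host
    can reach a fixed random set of `degree` other hosts."""
    rng = random.Random(seed)
    return {h: rng.sample([x for x in range(n_hosts) if x != h], degree)
            for h in range(n_hosts)}


def simulate_worm(network, patched_fraction=0.0, scan_limit=None, steps=20, seed=1):
    """Abstract susceptible/infected model of a self-propagating worm.

    Each step, every infected host tries to infect its reachable neighbours;
    `scan_limit` caps how many neighbours it may contact per step (a crude
    outbound rate limit), and a random `patched_fraction` of hosts is immune.
    No exploit is modelled: an attempt on an unpatched host always succeeds.
    Returns the fraction of hosts infected after `steps` rounds.
    """
    rng = random.Random(seed)
    hosts = list(network)
    patched = set(rng.sample(hosts, int(patched_fraction * len(hosts))))
    # Patient zero is the first unpatched host.
    infected = {next(h for h in hosts if h not in patched)}
    for _ in range(steps):
        newly = set()
        for h in infected:
            reach = network[h]
            if scan_limit is not None:
                reach = rng.sample(reach, min(scan_limit, len(reach)))
            newly.update(t for t in reach if t not in patched)
        infected |= newly
    return len(infected) / len(hosts)


def compare_strategies(network, steps=5):
    """Run the same outbreak under no defence, rate limiting and partial
    patching, so the strategies can be ranked on one network."""
    return {
        "no_defence": simulate_worm(network, steps=steps),
        "rate_limit_1": simulate_worm(network, scan_limit=1, steps=steps),
        "patched_50pct": simulate_worm(network, patched_fraction=0.5, steps=steps),
    }


if __name__ == "__main__":
    net = build_network(200, 4)
    for name, frac in compare_strategies(net).items():
        print(f"{name:>14}: {frac:.0%} of hosts infected")
```

Because the rate-limited worm can at most double its footprint each round, its spread after five rounds is bounded at 32 hosts regardless of the network, whereas the unrestricted worm saturates a 200-host network in about the same time.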
    Fisher and others have already begun using Easel to look for emergent 
    algorithms that will improve the survivability of various critical 
    infrastructures. "You can think of an adversary as a competing system 
    with its own survival goals," Fisher says. "The way you win that war 
    is not to build walls that interfere with your goals but to prevent 
    the opposition from fulfilling its purpose."
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 03:33:24 PDT