Saturday, June 12, 2010

Notes on TIW 2010: CyLab Director Virgil Gligor Issues "A Challenge for Trustworthy Computing"




By Richard Power


After the Trustworthy Computing 101 sessions were concluded, CyLab Director Virgil Gligor led off the main body of TIW 2010, with a provocative talk, offering personal perspectives and insights, based on work done in collaboration with Jonathan McCune, Bryan Parno, Adrian Perrig, Amit Vasudevan and Z. Zhou.

Gligor's compelling remarks were organized around four themes:

Axioms of (in)Security

Axioms of Human-Usable Security

(Ir)relevancy of Fashionable Security Architecture

Relevancy: A Challenge for Trustworthy Computing


Here are a couple of excerpts:

Axioms of (in)Security

"There will always be bugs and operator errors that will lead to security vulnerabilities; and these bugs and operator errors will be taken advantage of by adversaries who are always willing to exploit the vulnerabilities caused by these bugs. So we will live with adversaries forever.
"(By the way, I put 'axioms' in quotes; these are observations, of course, but I expect them to be true for a long time, so when I say 'always,' I mean fifteen plus years.)
"There will always be rapid innovation in information technology, and what this means is that there will be rapid change, as we have witnessed already, in the boundaries of the trusted computing base, however that is defined. The immediate implication is that unless we do something about it, we will have a high degree of uncertainty of assurances in the trusted base. Unless we really architect systems differently, this is going to be with us.
"The next implication of this rapid innovation is that operating systems and applications will comprise components of diverse provenance; which means at best, we will have non-uniform security assurances, because different components are going to be provided by different suppliers, using different assurance techniques, possibly non-uniform and even non-compatible with each other.
"Also, there will be more attack surfaces. If you build applications out of different components, well, the components that are on the interior of an application will still have an interface, which might be discovered by an outside adversary ... So we are not just talking about a single application interface, but multiple interfaces, including interfaces of the components used in the applications.
"Finally, there will always be large, complex systems in which security is not fully understood by most users. To quote Butler Lampson, in a different context, in software, 'only the giants survive.' In other words, what you see now, in terms of giants, you will see in the future as well; it may be different giants, but they will be giants nevertheless."

Relevancy: A Challenge for Trustworthy Computing

“I would like to issue a challenge for Trustworthy Computing, namely, relevance; that is, relevance to practice. In particular, I emphasize two things: first, the trustworthy computing base has to be immutable, i.e., it has to be as stable as the hardware itself, in order to make a difference in practice; and second, all the security properties of the trusted base have to be understandable to human users, not just to developers. Without these two things, Trustworthy Computing will see much the same fate as Trustworthy Computing has seen for roughly the last thirty years: it won’t be usable.”

NOTE: We will be posting video from this and other CyLab contributions to the TIW 2010 program on CyBlog, so stay tuned.