Information Security News mailing list archives

Survival in an Insecure World


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Apr 2002 02:24:53 -0500 (CDT)

http://www.scientificamerican.com/2002/0502issue/0502profile.html

W. WAYT GIBBS 

To defeat cyberterrorists, computer systems must be designed to work 
around sabotage. David A. Fisher's new programming language will help 
do just that

As one of the primary lines of defense against hackers, 
cyberterrorists and other online malefactors, the CERT Coordination 
Center at Carnegie Mellon University is a natural target. So like many 
high-profile organizations, it beefed up its security measures after 
September's audacious terrorist attacks. Before I can enter the glass 
and steel building, I have to state my business to an intercom and 
smile for the camera at the front door. Then I must sign my name in 
front of two uniformed guards and wait for an escort who can swipe her 
scan card through a reader (surveilled by another camera) to admit me 
to the "classified" area. But these barriers--just like the patting 
down I endured at the airport and like the series of passwords I must 
type to boot up my laptop--create more of an illusion of security than 
actual security. In an open society, after all, perfect security is an 
impossible dream.

That is particularly true of computer systems, which are rapidly 
growing more complicated, interdependent, indispensable--and easier to 
hack. The tapestries of machines that control transportation, banking, 
the power grid and virtually anything connected to the Internet are 
all unbounded systems, observes CERT researcher David A. Fisher: "No 
one, not even the owner, has complete and precise knowledge of the 
topology or state of the system. Central control is nonexistent or 
ineffective."

Those characteristics frustrate computer scientists' attempts to 
figure out how well critical infrastructures will stand up under 
attack. "There is no formal understanding yet of unbounded systems," 
Fisher says, and that seems to bother him. In his 40-year career, 
Fisher has championed a rigorous approach to computing. He began 
studying computer science when it was still called mathematics, and he 
played a central role in the creation of Ada, an advanced computer 
language created in the 1970s by the Department of Defense to replace 
a babel of less disciplined programming dialects.

In the 1980s Fisher founded a start-up firm that sold software 
components, one of the first companies that tried to make 
"interchangeable parts" that could dramatically speed up the 
development process. In the early 1990s he led an effort by the 
National Institute of Standards and Technology (NIST) to push the 
software industry to work more like the computer hardware market, in 
which many competing firms make standard parts that can be combined 
into myriad products. 

Fisher's quest to bring order to chaotic systems has often met 
resistance. The Pentagon instructed all its programmers to use Ada, 
but defense contractors balked. His start-up foundered for lack of 
venture capital. A hostile Congress thwarted his advanced technology 
program at NIST. But by 1995, the year that Fisher joined CERT, 
security experts were beginning to realize, as CERT director Richard 
D. Pethia puts it, that "our traditional security techniques just 
won't hold up much longer."

The organization was founded as the Computer Emergency Response Team 
in 1988, after a Cornell University graduate student released a 
self-propagating worm that took down a sizable fraction of the 
Internet. There are now more than 100 such response teams worldwide; 
the CERT center at Carnegie Mellon helps to coordinate the global 
defense against what Pethia calls "high-impact incidents: attacks such 
as the recent Nimda and Code Red worms that touch hundreds of 
thousands of sites, attacks against the Internet infrastructure 
itself, and any other computer attacks that might threaten lives or 
compromise national defense."

But each year the number of incidents roughly doubles, the 
sophistication of attacks grows and the defenders fall a little 
further behind. So although CERT still scrambles its team of crack 
counterhackers in response to large-scale assaults, most of its 
funding (about half of it from the DOD) now goes to research.

For Fisher, the most pressing question is how to design systems that, 
although they are unbounded and thus inherently insecure, have 
"survivability." That means that even if they are damaged, they will 
still manage to fulfill their central function--sometimes sacrificing 
components, if necessary. Researchers don't yet know how to build such 
resilient computer systems, but Fisher's group released a new 
programming language in February that may help considerably.

Fisher decided a new language was necessary when he started studying 
the mathematics of the cascade effects that dominate unbounded 
systems. A mouse click is passed to a modem that fillips a router that 
talks to a Web server that instructs a warehouse robot to fetch a book 
that is shipped out the same day. Or a tree branch takes down a power 
line, which overloads a transformer, which knocks out a substation, 
and within hours the lights go out in six states.

Engineers generally know what mission a system must perform. The U.S. power 
grid, for example, should keep delivering its nominal 120 volts (the "110 
volts" of everyday speech) at 60 hertz. "The 
question is: What simple rules should each node in the power grid 
follow to ensure that that happens despite equipment failures, natural 
disasters and deliberate attacks?" Fisher asks. He calls such rules 
"emergent algorithms" because amazingly sophisticated behavior (such 
as the construction of an anthill) can emerge from a simple program 
executed by lots of autonomous actors (such as thousands of ants).

Fisher and his colleagues realized that they could never accurately 
answer their question using conventional computer languages, "because 
they compel you to give complete and precise descriptions. But we 
don't have complete information about the power grid--or any unbounded 
system," Fisher points out. So they created a radically new 
programming language called Easel.

"Easel allows us to simulate unbounded systems even when given 
incomplete information about their state," Fisher says. "So I can 
write programs that help control the power grid or help prevent 
distributed denial of service attacks" such as those that knocked out 
the CNN and Yahoo! Web sites a few years ago.

Because it uses a different kind of logic than previous programming 
languages, Easel makes it easier to do abstract reasoning. 
"Computation has traditionally been a commerce in proper nouns: Fido, 
Spot, Rex," Fisher notes. "Easel is a commerce in common nouns: dog, 
not Fido." This difference flips programs upside down. In standard 
languages, a program would include only those attributes of dogs that 
the programmer judges are important. "The logic of the programming 
language then adds the assumption that all other properties of dogs 
are unimportant. That allows you to run any virtual experiment about 
dogs, but it also produces wrong answers," Fisher says. This is why 
computer models about the real world must always be tested against 
observations.

In Easel, Fisher says, "you enumerate only those properties of dogs 
about which you are certain. They have four legs, have two eyes, range 
from six inches high to four feet high. But you don't specify how the 
computer must represent any particular dog. This guarantees that the 
simulation will not produce a wrong answer. The trade-off is that 
sometimes the system will respond, 'I don't have enough information to 
answer that question.' "
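The "common noun" idea, as an added example in Python (not Easel, and not code from Fisher's group): a dog is described only by the properties the text says we are certain of, with height kept as a range, and questions are answered in three-valued (Kleene) logic, so a query the bounds cannot settle comes back as "not enough information" rather than as a guess. A conventional single-representative model sits beside it for contrast; the 24-inch representative dog and the gate heights are assumptions made for this example.

```python
# Added example (Python, not Easel): reasoning from partial knowledge.
# A dog is described only by what we are certain of; answers are True, False
# or UNKNOWN.  Representative heights and gate heights are constructed.
from dataclasses import dataclass
from typing import Optional

UNKNOWN = None          # Kleene's third truth value; True/False are the others
Tri = Optional[bool]


def and3(a: Tri, b: Tri) -> Tri:
    if a is False or b is False:
        return False
    if a is True and b is True:
        return True
    return UNKNOWN


def or3(a: Tri, b: Tri) -> Tri:
    if a is True or b is True:
        return True
    if a is False and b is False:
        return False
    return UNKNOWN


def not3(a: Tri) -> Tri:
    return UNKNOWN if a is UNKNOWN else (not a)


@dataclass(frozen=True)
class Interval:
    """A quantity known only to lie within [lo, hi]."""
    lo: float
    hi: float

    def below(self, x: float) -> Tri:
        """Is the quantity < x?  Decided only if every possible value agrees."""
        if self.hi < x:
            return True
        if self.lo >= x:
            return False
        return UNKNOWN

    def above(self, x: float) -> Tri:
        if self.lo > x:
            return True
        if self.hi <= x:
            return False
        return UNKNOWN

    def __add__(self, other: "Interval") -> "Interval":
        return Interval(self.lo + other.lo, self.hi + other.hi)


@dataclass(frozen=True)
class Dog:
    """The common noun 'dog': only the properties we are certain of."""
    legs: int = 4
    eyes: int = 2
    height_in: Interval = Interval(6.0, 48.0)   # six inches to four feet, from the text


DOG = Dog()


def fits_under(dog: Dog, gate_in: float) -> Tri:
    """Can *a* dog pass under a gate of this height?  Answered from the bounds."""
    return dog.height_in.below(gate_in)


def conventional_fits_under(gate_in: float, representative_height: float = 24.0) -> bool:
    """The 'proper noun' approach: model one particular dog (assumed 24 in tall)
    and hope the answer generalises.  Always answers, sometimes wrongly."""
    return representative_height < gate_in


def answer(v: Tri) -> str:
    """Render a three-valued result the way the text describes."""
    return {True: "yes", False: "no"}.get(v, "not enough information to answer")


if __name__ == "__main__":
    for gate in (60.0, 36.0, 6.0):
        print(f"gate {gate:.0f} in: bounds say {answer(fits_under(DOG, gate))}, "
              f"the 24-inch model says {conventional_fits_under(gate)}")
```

The 36-inch gate is the interesting case: the single-representative model answers "yes" even though a four-foot dog will not fit, whereas the bounded model refuses to answer. Combining facts keeps the same discipline: "four legs and fits under the 36-inch gate" is True and-ed with UNKNOWN, which stays UNKNOWN.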

Easel makes it easier to predict how a new cyberpathogen or software 
bug might cripple a system. CERT researcher Timothy J. Shimeall 
recently wrote a 250-line Easel program that models Internet attacks 
of the style of the Code Red worm, for example. That model could 
easily be added to another that simulates a large corporate network, 
to test strategies for stopping the worm from replicating.
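The kind of model Shimeall wrote, rewritten here as an added example in Python (this is neither CERT's program nor Easel code): the mean-field model of a random-scanning worm. An infected host probes random addresses out of the 2^32 IPv4 space; a probe that lands on a susceptible host infects it. The 360,000 vulnerable hosts and the scan rate of six addresses per second are constructed values, chosen so that the early growth rate K = scan_rate * vulnerable / space comes out near 1.8 per hour, the order of magnitude reported for Code Red. Two containment strategies are compared: halving the scan rate (outbound rate limiting) and removing infected hosts at a fixed hourly rate (patching or quarantine).

```python
# Added example (Python, not Easel): mean-field model of a random-scanning
# worm, integrated with a fixed time step, to compare containment strategies.
# SPACE is the IPv4 address space; VULNERABLE and SCAN_RATE are constructed.
from dataclasses import dataclass
from typing import Optional

SPACE = 2 ** 32           # IPv4 addresses
VULNERABLE = 360_000      # susceptible hosts at t = 0 (constructed)
SCAN_RATE = 21_600.0      # scans per infected host per hour, i.e. 6/s (constructed)


@dataclass
class Outcome:
    peak_infected: float
    ever_infected: float            # infected + removed at the end of the run
    time_to_half: Optional[float]   # hours until half the vulnerable hosts were hit


def growth_rate(scan_rate=SCAN_RATE, vulnerable=VULNERABLE, space=SPACE):
    """K in the random-scanning model: early on the worm grows like exp(K t)."""
    return scan_rate * vulnerable / space


def simulate(scan_rate=SCAN_RATE, removal_rate=0.0, hours=24.0, dt=0.01,
             vulnerable=VULNERABLE, space=SPACE, initial_infected=1.0):
    """Run the susceptible / infected / removed model for `hours`.

    removal_rate is the per-hour rate at which infected hosts are patched or
    cut off; a removed host neither scans nor can be reinfected.
    """
    s = vulnerable - initial_infected   # susceptible
    i = initial_infected                # infected and scanning
    r = 0.0                             # patched or quarantined
    peak, t_half, t = i, None, 0.0
    for _ in range(int(round(hours / dt))):
        hits = scan_rate * i * (s / space) * dt   # scans landing on susceptible hosts
        hits = min(hits, s)                       # cannot infect more than remain
        removed = removal_rate * i * dt
        s -= hits
        i += hits - removed
        r += removed
        t += dt
        peak = max(peak, i)
        if t_half is None and i + r >= vulnerable / 2:
            t_half = t
    return Outcome(peak, i + r, t_half)


def contained(scan_rate=SCAN_RATE, removal_rate=0.0, vulnerable=VULNERABLE, space=SPACE):
    """The threshold condition: the outbreak dies out iff removal outpaces growth."""
    return removal_rate > growth_rate(scan_rate, vulnerable, space)


if __name__ == "__main__":
    strategies = {
        "no defence":            dict(),
        "rate-limit (half scans)": dict(scan_rate=SCAN_RATE / 2),
        "patch 2.5/h":           dict(removal_rate=2.5),
        "rate-limit + patch 1/h": dict(scan_rate=SCAN_RATE / 2, removal_rate=1.0),
    }
    for name, kw in strategies.items():
        out = simulate(**kw)
        print(f"{name:26s} ever infected {out.ever_infected:10.1f}  "
              f"half at {out.time_to_half}  contained={contained(**kw)}")
```

The threshold is the lesson: the worm dies out only when the removal rate exceeds K. Throttling alone lowers K, which delays the outbreak but, with no removal, still lets the worm reach every vulnerable host; throttling plus modest removal crosses the threshold. For a K near 1.8 per hour, removal alone would have to patch or isolate a typical infected host within about half an hour of infection, which is why resilience has to be designed in rather than bought with response speed.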

Fisher and others have already begun using Easel to look for emergent 
algorithms that will improve the survivability of various critical 
infrastructures. "You can think of an adversary as a competing system 
with its own survival goals," Fisher says. "The way you win that war 
is not to build walls that interfere with your goals but to prevent 
the opposition from fulfilling its purpose."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

