8
Research Topics and Funding

Earlier chapters of this report included discussions of the state of the art in computer security that also addressed a variety of research activities. This chapter addresses the broader issue of the state and structure of the research community and also outlines some areas of research where the current level of effort seems insufficient. The committee also addresses directions for federally funded extramural research programs.

The committee believes that there is a pressing need for a stronger program of university-based research in computer security. Such a program should have two explicit goals: addressing important technical problems and increasing the number of qualified people in the field. This program should be strongly interconnected with other fields of computer science and cognizant of trends in both theory and uses of computer systems.

In the 1970s the Department of Defense (DOD) aggressively funded an external research program that yielded many fundamental results in the security area, such as the reference monitor and the Bell and La Padula model (Bell and La Padula, 1976). But with the establishment of the National Computer Security Center (NCSC) in the early 1980s, the DOD shifted its emphasis from basic research to the development and application of evaluation criteria and the development of applications that meet mission needs. The specific focus of most DOD funding for basic research has been related to nondisclosure of information. Furthermore, relatively little of the DOD-funded research on computer security is currently being done at universities.

The committee reviewed (unclassified) research on information security conducted by the National Security Agency (NSA), and the NCSC in particular. Now the research activities of the two are combined, owing to NCSC's recent reorganization, and the committee is not in a position to comment on the newly structured program.

Although NSA supports active research at several private centers (e.g., SRI International and MITRE Corporation), its support for academic research in computer security appears to have been quite limited in scope and level. That support cannot be tracked straightforwardly, because some of it is passed through other agencies and some recipients have been asked not to divulge NSA's support. NSA has provided some funding for programs, such as the outside cryptographic research program (OCREAE) and DOD's University Research Initiative (URI), that seek to increase the pool of appropriately trained American graduates. In late August 1990, NSA announced a new Computer Security University Research Program, a modest effort aimed at supporting university summer study projects (which are inherently limited in scope and scale).

At the same time, the other agencies with significant agendas related to research in computer security, such as the Department of Energy (DOE), the Navy's Office of Naval Research (ONR), and the National Institute of Standards and Technology (NIST), have had limited programs in funded external research.[1] In the area of information integrity, NIST has attempted to establish a role for itself by holding a series of workshops, but no significant research funding has resulted.[2]

Not-for-profit and vendor laboratories are pursuing a variety of projects, many of which are discussed elsewhere in this report (e.g., see Chapter 4). However, support for these activities fluctuates with both government interest in security and short-term business needs.
Although many of the topics proposed below are relevant to industrial research conducted independently or in collaboration with universities, the committee focused on the need to stimulate academic research. University-based research in computer security is at a dangerously low level.[3] Whereas considerable research is being done on theoretical issues related to security—for example, number theory, cryptology, and zero-knowledge proofs—few research projects directly address the problem of achieving system security. This lack of direct attention to system security is particularly serious given the ongoing dramatic changes in the technology of computing (e.g., the emergence of distributed systems and networks) that make it necessary to rethink some of the current approaches to security. High-risk and long-term research, a traditional strength of universities, is essential. Furthermore, the small number of academicians with research interests in the area of computer security makes it impossible to train a sufficient number of qualified experts capable of participating in commercial research and development projects.

Various issues contribute to the lack of academic research in the computer security field. One is the occasional need for secrecy, which conflicts with the tradition of open publication of research results. Another is the holistic nature of security. There is a risk in studying one aspect of security in isolation; the results may be irrelevant because of changes or advances in some other part of the computer field. In many academic environments, it is difficult to do the large demonstration projects that provide worked examples (proofs of concept) of total security solutions.

Meanwhile, evidence suggests a growing European research and development effort tied to national and regional efforts to develop the European industrial base. Although not focused specifically on security, several of these projects are developing advanced assurance techniques (e.g., formal methods and safety analysis). The Portable Common Tool Environment (PCTE) consortium of vendors and universities has proposed extensions to PCTE that allow programming tools to utilize common security functions, modeled after but more general than those outlined in the Orange Book (IEPG, 1989; European Commission, 1989a, p. 8). On another front, Esprit funding is establishing a pattern of collaboration that could pay off significantly in systems-oriented fields such as security and safety, as researchers learn to work effectively in relatively large academic and industrial teams.[4] Although MITI in Japan is conducting a study of security problems in networks, the committee has found no widespread Japanese interest in developing indigenous security technology at this time.

A PROPOSED AGENDA FOR RESEARCH TO ENHANCE COMPUTER SECURITY

The committee identified several specific technical issues currently ripe for research. It is expected that the issues described will have aspects that are best addressed variously by universities, contractors, nonprofit research laboratories, government laboratories, and vendor laboratories. The key is to develop a broad range of system security expertise, combining the knowledge gained in both academic and industrial environments. The list that follows is by no means complete (rather, a research agenda must always reflect an openness to new ideas) but is provided to show the scope and importance of relevant research topics and to underscore the need to cultivate progress in areas that have received insufficient attention.

Security modularity: How can a set of system components with known security properties be combined or composed to form a larger system with known security properties?

Security models: The disclosure control problem has benefited from a formal model, the Bell and La Padula model, which captures some of the desired functionality in an abstract manner. Other security requirements, such as integrity, availability, and distributed authentication and authorization, do not have such clean models. Lacking a clean model, it is difficult to describe what a system does or to confirm that it does so. For example, models are needed that deal with separation of duty and with belief and trust in situations of incomplete knowledge. Efforts should be directed at establishing a sound foundation for security models. The models that have been used in the past lack, for the most part, any formal foundation. The Franconia workshops (IEEE, 1988–1990) have addressed this issue, but more work is necessary. Security models should be integrated with other systems models, such as those related to reliability and safety.

Cost/benefit models for security: How much does security really cost, and what are its real benefits? Both the cost of production and the cost of use should be addressed. Benefit analysis must be based on careful risk analysis. This is particularly difficult for computer security because accurate information on penetrations and loss of assets is often not available, and analyses must depend on expert opinion. The recommended reporting and tracking function envisioned for the Information Security Foundation proposed in Chapter 7 would facilitate model generation and validation.

New security mechanisms: As new requirements are proposed, as new threats are considered, and as new technologies become prevalent, new mechanisms will be required to maintain security effectively. Recent examples of such mechanisms are the challenge-response devices developed for user authentication. Among the mechanisms currently needed are those to support critical aspects of integrity (e.g., separation of duty), distributed key management on low-security systems, multiway and transitive authentication (involving multiple systems and/or users), availability (especially in distributed systems and networks), privacy assurance, and limitations on access in networks, to permit interconnection of mutually suspicious organizations.

Assurance techniques: The assurance techniques that can be applied to secure systems range from the impractical extremes of exhaustive testing to proofs of all functions and properties at all levels of a system. It would be beneficial to know the complete spectrum of assurance techniques, the practicality of their application, and to what aspects of security they best apply. For instance, formal specification and verification techniques can be applied to some encryption protocols but may be more useful for testing formal specifications in an effort to discover design weaknesses (Millen et al., 1987; Kemmerer, 1989a). Also, formally specifying and verifying an entire operating system may not be cost-effective, yet it may be reasonable to thoroughly analyze a particular aspect of the system using formal specification and verification techniques. (This is one of the reasons for grouping the security-relevant aspects of a secure operating system into a security kernel that is small enough to be thoroughly analyzed.) Identifying effective and easily usable combinations of techniques, particularly ones that can be applied early in software production, is a current area of interest in the field of testing, analysis, and verification. In addition, attention must be given to modernizing the existing technology base of verification and testing tools, which are used to implement the techniques, to keep pace with new technology.

Alternative representations and presentations: New representations of security properties may yield new analysis techniques. For example, graphics tools that allow system operators to set, explore, and analyze proposed policies (who should get access to what) and system configurations (who has access to what) may help identify weaknesses or unwanted restrictions as policies are instituted and deployed systems are used.

Automated security procedures: A practical observation is that many, if not most, actual system penetrations involve faults in operational procedures, not system architecture. For example, poor choice of passwords or failure to change default passwords is a common failure documented by Stoll (1989). Research is needed in automating critical aspects of system operation, to assist system managers in avoiding security faults in this area. Examples include tools to check the security state of a system (Baldwin, 1988), models of operational requirements and desired controls, and threat assessment aids. Fault-tree analysis can be used to identify and assess system vulnerabilities, and intrusion detection (Lunt, 1988) through anomaly analysis can warn system administrators of possible security problems.

Mechanisms to support nonrepudiation: To protect proprietary rights it may be necessary to record user actions so as to bar a user from later repudiating these actions. Research into methods of recording user actions in a way that respects the privacy of users is difficult.

Control of computing resources: Resource control is associated with the prevention of unauthorized use and piracy of proprietary software or databases owned or licensed by one party and legitimately installed in a computing system belonging to another. It has attracted little research and implementation effort, but it poses some difficult technical problems and possibly privacy problems as well, and it is, therefore, an area that warrants further research.

Systems with security perimeters: Most network protocol design efforts have tended to assume that networks will provide general interconnection. However, as observed in Chapter 3, a common practical approach to achieving security in a distributed system is to partition the system into regions that are separated by a security perimeter. This is not easy to do. If, for example, a network permits mail but not directory services (because of security concerns about directory searches), the mail may not be deliverable due to the inability to look up the address of a recipient. To address this problem, research is needed in the area of network protocols that will allow partitioning for security purposes without sacrificing the advantages of general connectivity.

DIRECTIONS FOR FUNDING SECURITY RESEARCH

There are several strategic issues basic to broadening computer security research and integrating it with the rest of computer science: funding agencies' policies, cross-field fertilization, and the kinds of projects to be undertaken. The areas of study sketched above are suitable for funding by any agency with a charter to address technical research topics. The committee recommends that the relevant agencies of the federal government (e.g., DARPA and NSF) undertake funded programs of technology development and research in computer security. These programs should foster integration of security research with other related research areas, such as promoting common techniques for the analysis of security, safety, and reliability properties.
The committee recommends that NIST, in recognition of its interest in computer security (and its charter to enhance security for sensitive but unclassified data and systems), work to assure funding for research in areas of key concern to it, either internally or in collaboration with other agencies more traditionally associated with research. NIST may be particularly effective, under its current regime, at organizing workshops that bring together researchers and practitioners and then widely disseminating the resulting workshop reports.

Although federal agencies have traditionally been viewed as the primary source of funding for computer science research, many states, such as Texas, Virginia, and California, have substantial funding programs geared toward regional industry and academic needs. The proposed research agenda should be brought to the attention of state funding agencies, especially in those states where industrial support and interaction are likely.

Both the Defense Advanced Research Projects Agency (DARPA) and the National Science Foundation (NSF) should proceed to justify a program in extramural computer security research. However, because of differences in the traditional roles of DARPA and NSF, this committee has identified specific activities that it recommends to each.

Funding by the Defense Advanced Research Projects Agency

The Defense Advanced Research Projects Agency has traditionally been willing to fund significant system-development projects. The committee believes that this class of activity would be highly beneficial for security research. Security is a hands-on field in which mechanisms should be evaluated by deploying them in real systems. Some examples of suitable projects are the following:

Use of state-of-the-art software development techniques and tools to produce a secure system. The explicit goal of this effort should be to evaluate the development process and to assess the expected gain in system quality.

Development of distributed systems with a variety of security properties. A project now under way, and funded by DARPA, is aimed at developing encryption-based private electronic mail. Another candidate for study is decentralized, peer-connected name servers.

Development of a system supporting an approach to ensuring the integrity of data. There are now some proposed models for integrity, but without worked examples it will be impossible to validate them. This represents an opportunity for a cooperative effort by DARPA and NIST.

Funding by the National Science Foundation

The National Science Foundation has tended to fund smaller, less development-oriented projects.
A key role for NSF (and for DARPA, as well), beyond specific funding of relevant projects, is to facilitate increased interaction between security specialists and specialists in related fields (such as distributed computing, safety, and fault-tolerant computing). Examples of areas in which creative collaboration might advance computer security include:

Safety: Concern about the safety-related aspects of computer processing is growing both in the United States and internationally. Great Britain has already formulated a policy that requires the use of stringent assurance techniques in the development of computer systems that affect the safety of humans (U.K. Ministry of Defence, 1989a,b). Unfortunately, safety and related issues pertaining to computer systems—unlike security—have no constituency in the United States.

Fault-tolerant computing: Over the years a great deal of research has been directed at the problem of fault-tolerant computing. Most of this work has addressed problems related to availability and integrity; little attention has been directed to the problems of malicious surreptitious attacks. An attempt should also be made to extend this work to other aspects of security.

Code analysis: Researchers working on optimizing and parallelizing compilers have extensive experience in analyzing both source and object code for a variety of properties. Some of their techniques have been used for covert channel analysis (Haigh et al., 1987; Young and McHugh, 1987). An attempt should be made to use similar techniques to analyze code for other properties related to security.

Security interfaces: People experienced at writing careful specifications of interfaces and verifying high-level properties from these specifications should be encouraged to specify standardized interfaces to security services and to apply their techniques to the specification and analysis of high-level security properties.

Theoretical research: Theoretical work needs to be properly integrated in actual systems. Often both theoreticians and system practitioners misunderstand the system aspects of security or the theoretical limitations of secure algorithms. Practitioners and theoreticians should be encouraged to work together.

Promoting Needed Collaboration

Both DARPA and NSF have a tradition of working with the broad science community and should initiate programs to facilitate collaboration.
Some suggestions for specific actions are the following:

Start a program aimed specifically at bringing together people with different backgrounds and skills, for example, by providing grants to support visiting researchers for a period of one to two years.

Show a willingness to support research in computer security by people with complementary expertise (in accounting or distributed systems, for example), although they may have no track record in the security area.

Run a series of one- or two-week-long workshops for graduate students who are interested in doing research on problems related to computer security. Prior experience in security should be secondary to interest and evidence of accomplishment in related fields. Workshops should, where possible, include laboratory experience with security products and assurance technology.

Traditionally, computer security research has been performed in computer science and engineering departments. However, another research approach that seems relevant is the methodology of the business school. Although business schools have in the past shown little interest in security research, obvious study topics include:

Value of security: A current research topic in business schools is assessing information technology's actual value to an organization. As a part of these studies, it might be possible to develop models for the value of the security aspects of information technology from a business perspective, for example, drawing on the value of a corporate information base to be protected.

Privacy in information systems: The use of a computer system in the corporate environment will be influenced by the degree to which the users perceive the information in the system as public or private. The sociological aspects of privacy may have a strong impact on the effective use of information technology. A valuable contribution would be case studies leading to a working model that relates perceived protection of privacy to an application's effectiveness.

Those involved in the emerging field of computer-supported cooperative work (also known as collaboration technology or groupware) should be made aware of (1) the need for security mechanisms when information is shared and (2) the influence of requirements for privacy on the processes being automated or coordinated. In general, any study of information flow in an organization should also note and assess the security and privacy aspects of that information flow.

NOTES

1. The Office of Naval Research, however, has an ongoing internal program (at the Naval Research Laboratory) in applied security research that includes such projects as methodologies for secure system developers and tools for secure software development. The lack of appropriately trained individuals has been cited by ONR as a major impediment to expanding their research efforts. The Department of Energy has responded to the recent spate of computer security breaches with an effort centered at their Lawrence Livermore National Laboratory to develop tools, techniques, and guidelines for securing computer systems. Areas currently under investigation include viruses, intrusion detection systems, and security maintenance software tools. The DOE also created a Computer Incident Advisory Capability (CIAC) similar to DARPA's Internet CERT, but specifically to support DOE. Further effort is being expended on developing guidelines for system security testing, incident handling, and others. DOE is also supporting efforts to develop a university-based research capability.

2. A limited computer security budget has hampered even internal NIST efforts to date, although several programs are under development that would group funds from private industry or other federal agencies to address mutual security concerns (see Chapter 7 for a more complete discussion of NIST activities).

3. Consider, for example, the following indicators of low academic participation in the field of computer security. At the January 1989 NIST integrity workshop, of the 66 listed attendees, only 6 were from U.S. academic institutions. At the 1988 Institute of Electrical and Electronics Engineers Symposium on Security and Privacy, a more general security conference with considerable attention to DOD interests, less than 6 percent were academic attendees out of an approximate total of 316. In contrast, at a broad conference on computer systems, the 1989 Association of Computing Machinery Symposium on Operating System Principles, approximately 36 percent of the attendees were from U.S. academic institutions.

4. Examples include provably correct systems (ProCoS), a result of basic research oriented toward language design, compiler systems, and so on, appropriate for safety-critical systems; Software Certification On Programs in Europe (SCOPE), which will define, experiment with, and validate an economic European software certification procedure applicable to all types of software and acceptable and legally recognized throughout Europe; and Demonstration of Advanced Reliability Techniques for Safety-related computer systems (DARTS), whose aim is to facilitate the selection of reliable systems for safety-critical applications (European Commission, 1989a, pp. 27 and 55; 1989b).