DAVID BRUMLEY
Carnegie Mellon University
DANIELA OLIVEIRA
University of Florida
How can systems be engineered to be both secure and respectful of user privacy? Societal dependence on computers makes this question not only extremely relevant, but also nuanced. A series of well-understood steps is involved in engineering highly secure, privacy-respecting systems.
First, an engineer rigorously states the security and privacy goals of the system. Typical goals include the confidentiality of system data, the integrity of the system, and its availability.
Second, the engineer defines what types of threats the system should be resilient to. For example, will an adversary attempt to infect the system through software vulnerabilities in applications? Or try to compromise the integrity of the operating system, which manages how applications access hardware resources? Worse still, is the adversary targeting the hardware, the lowest level of abstraction? Attacks on hardware render all security solutions at the operating system and application levels useless. Alternatively, the attacker may discover side channels, such as the system’s electromagnetic radiation, to recover cryptographic keys. The attacker can also leverage weaknesses in network protocols that were designed in the 1960s and are still in use today to compromise system availability.
Third, the engineer proves that the system design achieves the security goals in the presence of the adversary. Finally, the engineer implements the system and formally verifies that the implementation is correct.
Rigorous models and proofs, however, are performance expensive and problem specific. You get what you pay for, and highly secure systems are not cheap.
Furthermore, the Internet era exposes the challenge of protecting people’s privacy, such as personal information, life habits, social networks, health conditions, and personal beliefs. Who owns and can profit from people’s data? How can people delete or hide information from the Internet? Or should they? Isn’t that rewriting history?
In practice the question is often not how to build a secure system, but how to engineer a system that is as secure as possible given practical construction constraints. New systems are almost always built on top of existing hardware, operating systems, software, and network protocols that provide fixed capabilities and have both known and unknown weaknesses. A well-engineered system follows a defense-in-depth strategy that incorporates layered protection and mechanisms for detecting and mitigating the effects of successful attacks. For example, a web server handling credit card numbers may use a network firewall to restrict access to only authorized computers, an intrusion detection system for detecting suspicious behaviors, and a secure communication protocol with its clients to encrypt the credit card numbers.
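The following is an added illustration of the layered web-server defense described above; it is example code written for this summary, not code from the session or any of its speakers. The three layers (network allowlist standing in for the firewall, pattern matching standing in for the intrusion detection system, and a TLS requirement standing in for the secure client protocol) are deliberately simplified, and the allowlisted networks, detection patterns and sample requests are all constructed for the example. The point it demonstrates is that each layer is evaluated independently, so a request that passes one layer is still subject to the others.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist (hypothetical): only clients on these networks may reach
# the card-handling server. This stands in for the network firewall layer.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed detection rules (hypothetical): request paths matching any of these
# are treated as suspicious by the intrusion-detection layer.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\.\./"),               # directory traversal attempt
    re.compile(r"(?i)union\s+select"),  # SQL-injection probe
]


@dataclass
class Request:
    src_ip: str   # client address as seen by the server
    tls: bool     # True if the request arrived over an encrypted channel
    path: str     # requested URL path, including any query string


@dataclass
class Decision:
    allowed: bool
    layer: str    # layer that denied the request, or "none" if it passed
    alerts: list  # detection alerts raised while evaluating the request


def firewall_allows(req: Request) -> bool:
    """Layer 1: network firewall. Only allowlisted source networks get through."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in ALLOWED_NETWORKS)


def detect_suspicious(req: Request) -> list:
    """Layer 2: intrusion detection. Returns the patterns the request matched."""
    return [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(req.path)]


def transport_secure(req: Request) -> bool:
    """Layer 3: card numbers may only travel over an encrypted channel."""
    return req.tls


def evaluate(req: Request) -> Decision:
    """Apply the layers in order. Each layer is independent: a request that
    gets past the firewall (say, from a compromised internal host) is still
    inspected, and is still refused if it did not arrive over TLS."""
    if not firewall_allows(req):
        return Decision(False, "firewall", [])
    alerts = detect_suspicious(req)
    if alerts:
        # Detection doubles as mitigation here: flagged requests are refused.
        return Decision(False, "ids", alerts)
    if not transport_secure(req):
        return Decision(False, "transport", alerts)
    return Decision(True, "none", alerts)


# Constructed sample traffic for a stand-alone run.
SAMPLE_REQUESTS = [
    Request("10.1.2.3", True, "/checkout"),
    Request("203.0.113.9", True, "/checkout"),
    Request("192.168.1.5", True, "/files?name=../../private"),
    Request("10.1.2.3", False, "/checkout"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = evaluate(r)
        verdict = "allow" if d.allowed else "deny@" + d.layer
        print(f"{r.src_ip:14} tls={r.tls!s:5} {r.path:28} -> {verdict} {d.alerts}")
```

Running the block prints one verdict per sample request: the first is allowed, the second is stopped by the firewall, the third passes the firewall but is flagged and refused by the detection layer, and the fourth comes from an allowed host with a clean path yet is refused because it was not encrypted. In a real deployment each layer would be a separate component with its own logs, so that the failure or bypass of one does not silence the others.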
The best results come when security and privacy are engineered into the design from the beginning. Experience shows that retrofitting security and privacy measures into existing systems is difficult and often results in relatively weak security guarantees.
The user is often just as important to security and privacy as the technology. Users make decisions about what to share, what links to click, and what software to install. Recent research shows that existing systems often have unintuitive security and privacy mechanisms, and thus ultimately make the user the weakest link. Research has also shown that user-centric designs help the user make good security and privacy decisions.
In this session, Bryan Payne (Netflix) started with a talk explaining various security and abstraction levels of modern systems and security consequences at each layer. Franziska Roesner (University of Washington) then described the role of users and how interfaces can be designed to help them make better security decisions, with a focus on mobile platforms. Next, Kevin Fu (University of Michigan) addressed security in medical devices, which have different characteristics and pose different challenges to a security engineer. Tomas Vagoun (National Coordination Office for Networking and Information Technology R&D) concluded the session with a talk on the US government’s view of challenges and frontiers in engineering cybersecurity.