Trust in Cyberspace
2 Public Telephone Network and Internet Trustworthiness 26
3 Software for Networked Information Systems 62
5 Trustworthy Systems from Untrustworthy Components 154
6 The Economic and Public Policy Context 171
7 Conclusions and Research Recommendations 240
Appendixes
A Study Committee Biographies 259
B Briefers to the Committee 267
C Workshop Participants and Agendas 269
D List of Position Papers Prepared for the Workshops 279
E Trends in Software 281
F Some Related Trustworthiness Studies 285
G Some Operating System Security Examples 291
H Types of Firewalls 293
I Secrecy of Design 296
J Research in Information System Security and Survivability Funded by the NSA and DARPA 298
K Glossary 300
Index 319
Fred B. Schneider, Editor
Committee on Information Systems Trustworthiness
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
NATIONAL ACADEMY PRESS
Washington, D.C. 1999
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
Support for this project was provided by the Defense Advanced Research Projects Agency and the National Security Agency. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
Library of Congress Cataloging-in-Publication Data
Trust in cyberspace / Fred B. Schneider, editor; Committee on
Information Systems Trustworthiness, Computer Science and
Telecommunications Board, Commission on Physical Sciences,
Mathematics, and Applications, National Research Council.
p. cm.
Includes bibliographical references and index.
ISBN 0-309-06558-5 (casebound)
1. Computer networks -- Security measures. 2. Telecommunication -- Government policy -- United States. 3. Internet (Computer network) -- Security measures. I. Schneider, Fred B. II. National Research Council (U.S.). Committee on Information Systems Trustworthiness.
TK5105.59 .T78 1999
384.3 -- dc21
98-58061
Additional copies of this report are available from:
National Academy Press
2101 Constitution Avenue, N.W.
Box 285
Washington, DC 20055
800/624-6242
202/334-3313 (in the Washington metropolitan area)
Copyright 1999 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
Special Advisor
W. EARL BOEBERT, Sandia National Laboratories
Staff
MARJORY S. BLUMENTHAL, Director
JANE BORTNICK GRIFFITH, Interim Director (1998)
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Program Officer
MARK BALKOVICH, Research Associate (until July 1998)
LISA L. SHUM, Project Assistant (until August 1998)
RITA A. GASKINS, Project Assistant
DAVID PADGHAM, Project Assistant
MARJORY S. BLUMENTHAL, Director
JANE BORTNICK GRIFFITH, Interim Director (1998)
HERBERT S. LIN, Senior Scientist
JERRY R. SHEEHAN, Senior Program Officer
ALAN S. INOUYE, Program Officer
JON EISENBERG, Program Officer
JANET BRISCOE, Administrative Associate
NICCI DOWD, Project Assistant
RITA GASKINS, Project Assistant
DAVID PADGHAM, Project Assistant
NORMAN METZGER, Executive Director
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce Alberts is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce Alberts and Dr. William A. Wulf are chairman and vice chairman, respectively, of the National Research Council.
Experts have known for some time that networked information systems are not trustworthy and that the technology needed to make them trustworthy has not, by and large, been at hand. Our nation is nevertheless becoming dependent on such systems for operating its critical infrastructures (e.g., transportation, communication, finance, and energy distribution). Over the past 2 years, the implications of this dependence (vulnerability to attack and susceptibility to disaster) have become a part of the national agenda. Concerns first voiced from within the defense establishment (under the rubric of "information warfare") led the executive branch to create the President's Commission on Critical Infrastructure Protection and, later, the Critical Infrastructure Assurance Office. The popular press embraced the issues, carrying them to a public already sensitized by direct and collateral experience with the failings of computing systems and networks. A subject once discussed only in the technical literature is now appearing regularly on the front pages of newspapers and being debated in the Congress. The present study, initiated at the request of the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA) some 2 years ago, today informs a discussion of national significance. In particular, this study moves the focus of the discussion forward from matters of policy and procedure and from vulnerabilities and their consequences toward questions about the richer set of options that only new science and technology can provide.
The study committee was convened by the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) to assess the nature of information systems trustworthiness and the prospects for technology that will increase trustworthiness. The committee was asked to examine, discuss, and report on interrelated issues associated with the research, development, and commercialization of technologies for trustworthy systems and to use its assessment to develop recommendations for research to enhance information systems trustworthiness (see Box P.1). This volume contains the results of that study: a detailed research agenda that examines the many dimensions of trustworthiness (e.g., correctness, security, reliability, safety, survivability), the state of the practice, and the available technology and science base. Since economic and political context is critical to the successful development and deployment of new technologies, that too is discussed.
BOX P.1 Synopsis of Statement of Task

The alert reader will have noted that the volume's title, Trust in Cyberspace, admits two interpretations. This ambiguity was intentional. Parse "trust" as a noun (as in "confidence" or "reliance") and the title succinctly describes the contents of the volume: technologies that help make networked information systems more trustworthy. Parse "trust" as a verb (as in "to believe") and the title is an invitation to contemplate a future where networked information systems have become a safe place for conducting parts of our daily lives.[1] Whether "trust" is parsed as a noun or as a verb, more research is key for trust in cyberspace.
The study committee included experts from industry and academia whose expertise spanned computer and communications security, software engineering, fault-tolerance, systems design and implementation, and networking (see Appendix A). The committee did its work through its own expert deliberations and by soliciting input and discussion from key officials in its sponsoring agencies, other government officials, academic experts, and representatives of a wide range of developers and users of information systems in industry (see Appendix B). The committee did not make use of classified information, believing that detailed knowledge of threats was not important to the task at hand.
The committee first met in June 1996 and eight times subsequently. Three workshops were held to obtain input from a broad range of experts in systems security, software, and networking drawn primarily from industry (see Appendixes C and D). Since information about the NSA R2 research program is less widely available than for relevant programs at DARPA and other federal agencies, the entire committee visited NSA for a more in-depth examination of R2's research program; subsequent meetings between NSA R2 personnel and a subset of the committee provided still further input to the study. Staff tracked the progress of relevant activities in the legislative and executive branches of government, including the President's Commission on Critical Infrastructure Protection, the Critical Infrastructure Assurance Office, and congressional hearings. Staff also sought input from other governmental and quasi-governmental organizations with relevant emphases. Additional inputs included perspectives from professional conferences, the technical literature, and government reports gleaned by committee members and staff.
In April 1997, the committee released an interim report that outlined key concepts and known technologies. That report, subject to the NRC review process, generated a number of comments that helped to guide the committee in its later work.
The committee is grateful to the many thoughtful reviewers of its interim and final reports, and it appreciates the efforts of the review coordinator. The committee would like to acknowledge Thomas A. Berson (Anagram Laboratories), Dan Boneh (Stanford University), Eric A. Brewer (University of California, Berkeley), Dorothy Denning (Georgetown University), Bruce Fette (Motorola), John D. Gannon (University of Maryland), Li Gong (JavaSoft Inc., Sun Microsystems Inc.), Russ Housley (SPYRUS), John C. Klensin (MCI Communications Corporation), Jimmy Kuo (McAfee Associates Inc.), Steven B. Lipner (Mitretek Systems), Keith Marzullo (University of California, San Diego), Alan J. McLaughlin (Massachusetts Institute of Technology), Robert Morris, Sr. (National Security Agency [retired]), Peter G. Neumann (SRI International), Jimmy Omura (Cylink Corporation), Stewart Personick (Drexel University), Roy Radner (New York University), Morteza Rahimi (Northwestern University), Jeffrey I. Schiller (Massachusetts Institute of Technology), Michael St. Johns (@Home Network), Joseph Sventek (Hewlett-Packard Laboratories), J. Marty Tenenbaum (CNgroup Inc.), Abel Weinrib (Intel Corporation), Jeannette M. Wing (Carnegie Mellon University), and Mary Ellen Zurko (Iris Associates Inc.).
The committee appreciates the support of its sponsoring agencies and especially the numerous inputs and responses to requests for information provided by Howard Frank, now at the University of Maryland, Teresa Lunt, now at SRI International, Robert Meushaw at NSA, and John Davis at NSA and the Critical Infrastructure Assurance Office. The support of K. David Nokes at Sandia National Laboratories was extremely helpful in facilitating this study and the preparation of this report.
In addition, the committee would like to thank Jeffrey Schiller for his valuable perspective on Internet standards setting. The committee would also like to thank individuals who contributed their expertise to the committee's deliberations: Robert H. Anderson (RAND Corporation), Ken Birman (Cornell University), Chip Boylan (Hilb, Rogal, and Hamilton Company), Robert L. Constable (Cornell University), Dale Drew (MCI Security Services), Bill Flanagan (Perot Systems Corporation), Fred Howard (Bell Atlantic Voice Operations), Keith Marzullo (University of California, San Diego), J S. Moore (University of Texas, Austin), Peter G. Neumann (SRI International), John Pescatore (Trusted Information Systems), John Rushby (SRI International), Sami Saydjari (Defense Advanced Research Projects Agency), Dan Shoemaker (Bell Atlantic Data Operations), Steve Sigmond (Wessels Arnold Investment Banking), Gadi Singer (Intel Corporation), Steve Smaha (Haystack Inc.), Kevin Sullivan (University of Virginia), L. Nick Trefethen (Oxford University), and Werner Vogels (Cornell University). The committee would also like to thank the participants at the workshops for their valuable insights.
Several members of the Computer Science and Telecommunications Board provided valuable guidance to the committee and were instrumental in the response-to-review process. For these contributions, the committee would like to thank David D. Clark, Jim Gray, and Butler Lampson. The committee also acknowledges the helpful feedback from CSTB members Donald Norman and Ed Lazowska.
Special thanks are owed Steve Crocker for his seminal role in launching this study and in helping to shape the committee. The committee, and the chairman especially, benefited from Steve's involvement.
Finally, the committee would like to acknowledge all the hard work by the staff of the National Research Council. Marjory Blumenthal's contributions to the content and conduct of this study were pivotal. Not only was Marjory instrumental in moving the committee from its initial discussions through the production of an interim report and then to a first draft of this report, but her insights into the nontechnical dimensions of trustworthiness were also critical for Chapter 6. This committee was truly fortunate to have the benefit of Marjory's insights, and this chairman was thankful to have such a master in the business as a teacher and advisor. Alan Inouye joined the project midstream. To him fell the enormous task of assembling this final report. Alan did a remarkable job, remaining unfailingly upbeat despite the long hours required and the frustrations that accompanied working to a deadline. First Leslie Wade and later Lisa Shum supported the logistics for the committee's meetings, drafts, and reviews in a careful yet cheery fashion. As a research associate, Mark Balkovich enthusiastically embraced a variety of research and fact-finding assignments. Thanks to Jane Bortnick Griffith for her support as the interim director of CSTB who inherited this challenging project midstream and did the right thing. Herb Lin was available when we needed him despite his numerous other commitments. The contributions of Laura Ost (editor-consultant) and Patricia Spellman (copy editor) are gratefully acknowledged. Rita Gaskins, David Padgham, and Cris Banks also assisted in completing the report.
Fred B. Schneider, Chair
Committee on Information Systems Trustworthiness
[1] One reviewer, contemplating the present, suggested that a question mark be placed at the end of the title to raise questions about the trustworthiness of cyberspace today. And this is a question that the report does raise.
This is the tale of the infosys folk: