Frontiers of Engineering: Reports on Leading-Edge Engineering from the 2015 Symposium (2016)

Chapter: Challenges of Engineering Cybersecurity: A Government Perspective--Tomas Vagoun

Suggested Citation: "Challenges of Engineering Cybersecurity: A Government Perspective--Tomas Vagoun." National Academy of Engineering. 2016. Frontiers of Engineering: Reports on Leading-Edge Engineering from the 2015 Symposium. Washington, DC: The National Academies Press. doi: 10.17226/21825.

Challenges of Engineering Cybersecurity: A Government Perspective

TOMAS VAGOUN
National Coordination Office for Networking and Information Technology R&D

The US government is a principal source of funding for basic research in cybersecurity, and as such is in a position to direct research on fundamental issues in cybersecurity toward novel and game-changing solutions. Among the federal strategic cybersecurity research themes, Moving Target Defense and Science of Security are great examples of engineering- and science-based efforts to significantly improve the security of information technology (IT) systems.

CALL FOR GAME-CHANGING CYBERSECURITY RESEARCH

The nation’s security, economic progress, and social fabric are now inseparably dependent on cyberspace. But the digital infrastructure and its foundations are not secure. Cybervulnerabilities can be exploited by criminals for illicit financial gains, by state-sponsored mercenaries to compromise national security interests, and by terrorist groups to cause large-scale disruptions in critical national infrastructures.

The status quo is unacceptable. Recognizing this problem, the federal government has been a champion of high-risk, high-payoff cybersecurity research. Its strategy, set forth in Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program (NSTC 2011), directs federal agencies and challenges the research community at large to pursue game-changing advances in cybersecurity.


MOVING TARGET DEFENSE

In the current environment, cyberattackers win by taking advantage of the relatively static nature of systems. They can plan at their leisure, relatively safe in the assumption that key IT assets will look the same for a long time. They can map out likely responses and stockpile a set of exploits that escalate in sophistication as better defenses are deployed. They can afford to invest significant resources in their attacks because they expect to persist for a long time and reuse the attacks across many targets.

To reverse this asymmetry, it is essential to decrease both the predictability of systems and the return on investment for developing and executing attacks. A cyberterrain that is made to appear chaotic to attackers will force them to do reconnaissance and launch exploits anew for every desired penetration—ideally, they will enjoy no amortization of development costs.

The federal cybersecurity R&D community has proposed the development of such capabilities under the rubric of Moving Target Defense (MTD). This strategy calls for the development of technologies such as nonpersistent execution environments, randomized execution of code, randomized network and host identities, randomizing compilers, dynamic address spaces, and automated patch synthesis and installation.

Many natural systems are far more complex than cybersystems but nonetheless extremely robust, resilient, and effective. The biological immune system, for example, functions remarkably well in distributed, complex, and ever-changing environments, even when subject to a continuous barrage of attacks. Immune systems exhibit a wealth of interesting mechanisms that could be the inspiration for new methods relevant to MTD objectives, such as distributed processing, pathogenic pattern recognition, multilayered protection, decentralized control, diversity, and signaling. Designing and developing computing systems that implement such capabilities could bring about game-changing advances in cybersecurity.

DARPA CRASH PROGRAM

Announced in 2010 and ending in 2015, the Clean-Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) Program of the Defense Advanced Research Projects Agency (DARPA) promotes novel ways of thinking about enhancing computing system security, taking inspiration from immune systems. The objective is to design systems that can adapt to continue rendering useful services after a successful attack, learn from previous attacks, and repair themselves after the attack.

The program’s multipronged approach looks at hardware, programming languages, operating systems, and theorems.

Hardware was designed to tag every individual piece of data with its type, size, and ownership, so that access and use restrictions on data are enforced at the hardware level.


Newly developed programming languages are explicit about information flows and access control rights. These languages allow programmers to state exactly what rules apply to each module of code, and the operating systems enforce these rules dynamically when the program runs.

Similarly, a new type of operating system has been developed based on a large number of cooperative but mutually independent modules. Each module is designed with a specific purpose and the lowest level of access privileges needed. The modules are also designed to be suspicious of each other, checking one another’s results to make sure they conform to the rules and policies that govern them. This creates a system where more than one component would have to be specifically compromised for an attacker to succeed.

When these self-monitoring systems detect a violation, they invoke built-in system services that attempt to diagnose the problem, using replay and reasoning techniques to isolate and characterize it; recover from the problem by having multiple redundant methods to achieve any given goal; synthesize filters to detect the same type of attack in the future and prevent it from succeeding; and automatically generate a patch to fix the underlying vulnerability.
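The self-monitoring design just described, as an added illustration in Python (constructed here, not code from the CRASH program): three independent modules compute the same result, a monitor majority-votes them, quarantines a dissenting module, keeps serving from the remaining ones, and synthesizes a filter that rejects the input that exposed the disagreement. The module names, the checksum task and the fault planted in method_c are all assumptions.

```python
import functools
from collections import Counter
from typing import Callable, Dict, List, Optional

# Three independent ways to reach the same result (a 16-bit byte-sum check).
def method_a(data: bytes) -> int:
    return sum(data) % 65536

def method_b(data: bytes) -> int:
    return functools.reduce(lambda acc, b: (acc + b) % 65536, data, 0)

def method_c(data: bytes) -> int:
    # Constructed fault: silently drops everything past 8 bytes. Stands in for a
    # module that has been compromised or is simply wrong on some inputs.
    return sum(data[:8]) % 65536

class Monitor:
    """Runs every non-quarantined module, majority-votes their results,
    quarantines any module that disagrees with the majority, and synthesizes a
    filter so the input that exposed the disagreement is rejected next time."""

    def __init__(self, modules: Dict[str, Callable[[bytes], int]]):
        self.modules = dict(modules)
        self.quarantined: set = set()
        self.filters: List[Callable[[bytes], bool]] = []
        self.events: List[str] = []

    def compute(self, data: bytes) -> Optional[int]:
        if any(blocked(data) for blocked in self.filters):
            self.events.append("filtered input of length %d" % len(data))
            return None
        results = {n: m(data) for n, m in self.modules.items() if n not in self.quarantined}
        if not results:
            return None                       # nothing trustworthy left to run
        value, votes = Counter(results.values()).most_common(1)[0]
        if votes == len(results):
            return value                      # all modules agree: normal path
        if votes * 2 > len(results):          # strict majority: recover and adapt
            for name, r in results.items():
                if r != value:
                    self.quarantined.add(name)
                    self.events.append("quarantined %s" % name)
            # Crude synthesized filter: reject an exact replay of the triggering
            # input. A real system would derive a generalized signature from
            # diagnosis and replay instead.
            self.filters.append(lambda d, bad=bytes(data): d == bad)
            return value
        self.events.append("no majority; failing closed")
        return None                           # cannot trust any result

if __name__ == "__main__":
    m = Monitor({"a": method_a, "b": method_b, "c": method_c})
    print(m.compute(b"0123456789"), m.quarantined, m.events)
```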

The DARPA CRASH program successfully demonstrated that it is possible to develop significantly more secure computing systems that incorporate game-changing ideas that address core deficiencies of today’s cyberspace, as summarized in Table 1.

SCIENCE OF SECURITY

Prioritized by the federal cybersecurity R&D strategy and supported by research funding from a number of federal agencies, MTD has become an active area of R&D. At least 40 moving target techniques have been proposed, at all levels of a computing system—hardware, operating system, applications, network, and system of systems (for examples see Okhravi et al. 2013).

While these techniques propose innovative approaches to increasing the agility, diversity, and redundancy of computing systems, and hence increase attackers’ workload and decrease their return on investment, MTD techniques are subject to the same limitations as other security techniques: lack of knowledge about how to systematically assess their efficacy, how to measure their security benefits, how to compare different techniques, or how to provably determine their security characteristics.

MTD techniques can make systems appear chaotic and unpredictable to attackers, but they do so at the cost of increased complexity. What are the best ways to assess whether the benefits outweigh the costs? Some approaches have been proposed—for example, incorporating MTD into formal security models such as the Hierarchical Attack Representation Model (HARM; Hong and Kim 2015)—but it remains to be seen whether they provide the foundations necessary for formally assessing MTD.


TABLE 1 Cybersecurity Improvements Developed Under the DARPA Clean-Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) Program Based on Aspects of Biological Immunity.

Cybersecurity problem: Systems are easily penetrated
Biological approach: Innate immunity
  • Fast-reacting defenses to known pathogens
DARPA CRASH innovation: New hardware and OS that eliminate common technical vulnerabilities. Examples:
  • CHERI (Capability Hardware Enhanced RISC Instructions): hardware-supported, in-process memory protection and sandboxing (Watson et al. 2015)
  • TESLA (Temporally Enforced Security Logic Assertions): compiler-generated runtime instrumentation for continuous validation of security properties (Anderson et al. 2014)

Cybersecurity problem: Cleanup and repair are slow, unpredictable, and costly
Biological approach: Adaptive immunity
  • Slower-reacting defenses to unknown pathogens
  • Learning and adaptation
DARPA CRASH innovation: Adaptive software that determines causes of vulnerabilities and dynamically repairs flaws. Example:
  • GenProg: genetic programming for automated software repairs (Le Goues et al. 2012)

Cybersecurity problem: Computing homogeneity
  • Large pool of targets, large return on investment for attackers
  • No enterprise-wide survivability
Biological approach: Diversity
  • Sustains population survival
DARPA CRASH innovation: Techniques that increase entropy, make systems unique, and raise the work factor for attackers: instruction set randomization, address space randomization, functional redundancy. Example:
  • Advanced Adaptive Application (A3) Environment (Pal et al. 2014)

The inability to assess the strengths and weaknesses of security measures, MTD or otherwise, in a systematic, measurable, and repeatable manner, points to a fundamental weakness: There is no foundation to ground the development of secure systems in a rigorous and scientific approach that would facilitate the discovery of laws, hypothesis testing, repeatable experiments, standardized metrics, and common terminology. The lack of scientific foundations is a critical problem and barrier to achieving effective and sustained improvements in cybersecurity. Nurturing the development of a science of security is therefore another key objective of the federal cybersecurity R&D strategy.

The most focused science-of-security research initiative funded by the federal government is the set of Science of Security Lablets, funded by the National Security Agency and launched in 2012. Four universities—Carnegie Mellon University, University of Illinois at Urbana-Champaign, North Carolina State University, University of Maryland—were selected to lead research and education projects specifically aimed at investigating scientific foundations of cybersecurity. The projects are initially targeting five areas of interest: resilient architectures, scalability and composability, secure collaboration, metrics, and human behavior.

The growing emphasis on the science of security is strengthening foundations of security across many areas, including MTD. Efforts to develop and evaluate MTD techniques from a theoretical basis are growing, including, for example, a project that assesses how MTD techniques increase a system’s entropy and decrease the predictability of its behavior (Zhuang et al. 2014).
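As an added illustration (constructed here, not from Zhuang et al. or any MTD project) of the entropy and predictability argument, and of the no-amortization point made in the Moving Target Defense section above: a toy model in Python in which a configuration (say, a randomized base address or host identity) is drawn uniformly from n_configs choices and an attacker probes for it, with and without re-randomization between probes. All function names, the uniform-draw model and the per-probe re-randomization schedule are assumptions.

```python
import math
import random
from statistics import mean

def config_entropy_bits(n_configs: int) -> float:
    """Bits of uncertainty the attacker faces when the configuration is drawn
    uniformly from n_configs choices (a static system has 1 choice: 0 bits)."""
    return math.log2(n_configs)

def expected_probes_static(n_configs: int) -> float:
    """Static target: the attacker never repeats a miss, so the secret is found
    after (n+1)/2 probes on average, and that knowledge stays valid afterwards."""
    return (n_configs + 1) / 2

def expected_probes_moving(n_configs: int) -> float:
    """Target re-randomized after every probe: each probe is an independent
    1/n trial, so the expected count is n and nothing learned carries over."""
    return float(n_configs)

def simulate_probes(n_configs: int, rerandomize: bool, rng: random.Random) -> int:
    """Monte Carlo check of the two formulas above: count probes until a guess
    matches the secret configuration."""
    secret = rng.randrange(n_configs)
    untried = list(range(n_configs))
    rng.shuffle(untried)
    probes = 0
    while True:
        probes += 1
        guess = rng.randrange(n_configs) if rerandomize else untried.pop()
        if guess == secret:
            return probes
        if rerandomize:
            secret = rng.randrange(n_configs)   # the target moves before the next probe

def amortized_recon_cost(n_targets: int, recon_cost: float, rerandomize: bool) -> float:
    """Cost of mapping a fleet: a homogeneous static fleet is mapped once and the
    result reused; a per-host moving target must be mapped anew for every host."""
    return recon_cost * n_targets if rerandomize else recon_cost

def compare(n_configs: int = 256, trials: int = 2000, seed: int = 1) -> dict:
    """Summarize entropy and simulated attacker effort for one configuration space."""
    rng = random.Random(seed)
    return {
        "entropy_bits": config_entropy_bits(n_configs),
        "static_probes": mean(simulate_probes(n_configs, False, rng) for _ in range(trials)),
        "moving_probes": mean(simulate_probes(n_configs, True, rng) for _ in range(trials)),
    }

if __name__ == "__main__":
    print(compare())
```

The model counts only attacker uncertainty; any side channel or leak that reveals the current configuration removes those bits of entropy regardless of how often the system moves, which is exactly the kind of question a formal assessment has to answer.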

SUMMARY

Dependence on cyberinfrastructure is far too great to hope that incremental enhancements will bring about substantial security improvements. In the absence of market-driven solutions, the federal government has initiated high-risk/high-payoff R&D programs that focus on game-changing advances in security. The government’s strategy of pursuing MTD techniques and developing the field of science of security is showing promising results in both areas.

REFERENCES

Anderson J, Watson R, Chisnall D, Gudka K, Davis B, Marinos I. 2014. TESLA: Temporally Enhanced System Logic Assertions. Proceedings of the 2014 European Conference on Computer Systems (EuroSys 2014), April 14–16, Amsterdam, Article No. 19.

Hong JB, Kim DS. 2015. Assessing the effectiveness of moving target defenses using security models. IEEE Transactions on Dependable and Secure Computing 99.

Le Goues C, Dewey-Vogt M, Forrest S, Weimer W. 2012. A systematic study of automated program repair: Fixing 55 out of 105 bugs for $8 each. Proceedings of the 2012 International Conference on Software Engineering (ICSE), June 2–9, Zurich, pp. 3–13.

NSTC [National Science and Technology Council]. 2011. Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program. Washington, DC. Available at http://www.nitrd.gov/subcommittee/csia/fed_cybersecurity_rd_strategic_plan_2011.pdf.

Okhravi H, Rabe MA, Mayberry TJ, Leonard WG, Hobson TR, Bigelow D, Streilein WW. 2013. Survey of cyber moving targets. Technical Report 1166, ESC-EN-HA-TR-2012-109, MIT Lincoln Laboratory. Available at http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA591804.

Pal P, Schantz R, Paulos A, Benyo B. 2014. Managed execution environment as a Moving-Target Defense infrastructure. IEEE Security and Privacy 12(2):51–59.

Watson R, Woodruff J, Neumann PG, Moore SW, Anderson J, Chisnall D, Dave N, Davis B, Gudka K, Laurie B, Murdoch SJ, Norton R, Roe M, Son S, Vadera M. 2015. CHERI: A hybrid capability-system architecture for scalable software compartmentalization. Proceedings of the 2015 IEEE Symposium on Security and Privacy, May 18–20, San Jose, pp. 20–37.

Zhuang R, DeLoach SA, Ou X. 2014. Towards a theory of moving target defense. Proceedings of the First ACM Workshop on Moving Target Defense, November 3, Scottsdale, pp. 31–40.

This volume presents papers on the topics covered at the National Academy of Engineering's 2015 US Frontiers of Engineering Symposium. Every year the symposium brings together 100 outstanding young leaders in engineering to share their cutting-edge research and innovations in selected areas. The 2015 symposium was held September 9-11 at the Arnold and Mabel Beckman center in Irvine, California. The intent of this book is to highlight innovative developments in engineering research and technical work.