From: InfoSec News (isnc4i.org)
Date: Wed Apr 17 2002 - 02:24:53 CDT

    http://www.scientificamerican.com/2002/0502issue/0502profile.html

    W. WAYT GIBBS

    To defeat cyberterrorists, computer systems must be designed to work
    around sabotage. David A. Fisher's new programming language will help
    do just that

    As one of the primary lines of defense against hackers,
    cyberterrorists and other online malefactors, the CERT Coordination
    Center at Carnegie Mellon University is a natural target. So like many
    high-profile organizations, it beefed up its security measures after
    September's audacious terrorist attacks. Before I can enter the glass
    and steel building, I have to state my business to an intercom and
    smile for the camera at the front door. Then I must sign my name in
    front of two uniformed guards and wait for an escort who can swipe her
    scan card through a reader (surveilled by another camera) to admit me
    to the "classified" area. But these barriers--just like the patting
    down I endured at the airport and like the series of passwords I must
    type to boot up my laptop--create more of an illusion of security than
    actual security. In an open society, after all, perfect security is an
    impossible dream.

    That is particularly true of computer systems, which are rapidly
    growing more complicated, interdependent, indispensable--and easier to
    hack. The tapestries of machines that control transportation, banking,
    the power grid and virtually anything connected to the Internet are
    all unbounded systems, observes CERT researcher David A. Fisher: "No
    one, not even the owner, has complete and precise knowledge of the
    topology or state of the system. Central control is nonexistent or
    ineffective."

    Those characteristics frustrate computer scientists' attempts to
    figure out how well critical infrastructures will stand up under
    attack. "There is no formal understanding yet of unbounded systems,"
    Fisher says, and that seems to bother him. In his 40-year career,
    Fisher has championed a rigorous approach to computing. He began
    studying computer science when it was still called mathematics, and he
    played a central role in the creation of Ada, an advanced computer
    language created in the 1970s by the Department of Defense to replace
    a babel of less disciplined programming dialects.

    In the 1980s Fisher founded a start-up firm that sold software
    components, one of the first companies that tried to make
    "interchangeable parts" that could dramatically speed up the
    development process. In the early 1990s he led an effort by the
    National Institute of Standards and Technology (NIST) to push the
    software industry to work more like the computer hardware market, in
    which many competing firms make standard parts that can be combined
    into myriad products.

    Fisher's quest to bring order to chaotic systems has often met
    resistance. The Pentagon instructed all its programmers to use Ada,
    but defense contractors balked. His start-up foundered for lack of
    venture capital. A hostile Congress thwarted his advanced technology
    program at NIST. But by 1995, the year that Fisher joined CERT,
    security experts were beginning to realize, as CERT director Richard
    D. Pethia puts it, that "our traditional security techniques just
    won't hold up much longer."

    The organization was founded as the Computer Emergency Response Team
    in 1988, after a Cornell University graduate student released a
    self-propagating worm that took down a sizable fraction of the
    Internet. There are now more than 100 such response teams worldwide;
    the CERT center at Carnegie Mellon helps to coordinate the global
    defense against what Pethia calls "high-impact incidents: attacks such
    as the recent Nimda and Code Red worms that touch hundreds of
    thousands of sites, attacks against the Internet infrastructure
    itself, and any other computer attacks that might threaten lives or
    compromise national defense."

    But each year the number of incidents roughly doubles, the
    sophistication of attacks grows and the defenders fall a little
    further behind. So although CERT still scrambles its team of crack
    counterhackers in response to large-scale assaults, most of its
    funding (about half of it from the DOD) now goes to research.

    For Fisher, the most pressing question is how to design systems that,
    although they are unbounded and thus inherently insecure, have
    "survivability." That means that even if they are damaged, they will
    still manage to fulfill their central function--sometimes sacrificing
    components, if necessary. Researchers don't yet know how to build such
    resilient computer systems, but Fisher's group released a new
    programming language in February that may help considerably.

    Fisher decided a new language was necessary when he started studying
    the mathematics of the cascade effects that dominate unbounded
    systems. A mouse click is passed to a modem that fillips a router that
    talks to a Web server that instructs a warehouse robot to fetch a book
    that is shipped out the same day. Or a tree branch takes down a power
    line, which overloads a transformer, which knocks out a substation,
    and within hours the lights go out in six states.

    Engineers generally know what mission a system must perform. The power
    grid, for example, should keep delivering 110 volts at 60 hertz. "The
    question is: What simple rules should each node in the power grid
    follow to ensure that that happens despite equipment failures, natural
    disasters and deliberate attacks?" Fisher asks. He calls such rules
    "emergent algorithms" because amazingly sophisticated behavior (such
    as the construction of an anthill) can emerge from a simple program
    executed by lots of autonomous actors (such as thousands of ants).

    Fisher and his colleagues realized that they could never accurately
    answer their question using conventional computer languages, "because
    they compel you to give complete and precise descriptions. But we
    don't have complete information about the power grid--or any unbounded
    system," Fisher points out. So they created a radically new
    programming language called Easel.

    "Easel allows us to simulate unbounded systems even when given
    incomplete information about their state," Fisher says. "So I can
    write programs that help control the power grid or help prevent
    distributed denial of service attacks" such as those that knocked out
    the CNN and Yahoo! Web sites a few years ago.

    Because it uses a different kind of logic than previous programming
    languages, Easel makes it easier to do abstract reasoning.
    "Computation has traditionally been a commerce in proper nouns: Fido,
    Spot, Rex," Fisher notes. "Easel is a commerce in common nouns: dog,
    not Fido." This difference flips programs upside down. In standard
    languages, a program would include only those attributes of dogs that
    the programmer judges are important. "The logic of the programming
    language then adds the assumption that all other properties of dogs
    are unimportant. That allows you to run any virtual experiment about
    dogs, but it also produces wrong answers," Fisher says. This is why
    computer models about the real world must always be tested against
    observations.

    In Easel, Fisher says, "you enumerate only those properties of dogs
    about which you are certain. They have four legs, have two eyes, range
    from six inches high to four feet high. But you don't specify how the
    computer must represent any particular dog. This guarantees that the
    simulation will not produce a wrong answer. The trade-off is that
    sometimes the system will respond, 'I don't have enough information to
    answer that question.' "

    Easel makes it easier to predict how a new cyberpathogen or software
    bug might cripple a system. CERT researcher Timothy J. Shimeall
    recently wrote a 250-line Easel program that models Internet attacks
    of the style of the Code Red worm, for example. That model could
    easily be added to another that simulates a large corporate network,
    to test strategies for stopping the worm from replicating.

    Fisher and others have already begun using Easel to look for emergent
    algorithms that will improve the survivability of various critical
    infrastructures. "You can think of an adversary as a competing system
    with its own survival goals," Fisher says. "The way you win that war
    is not to build walls that interfere with your goals but to prevent
    the opposition from fulfilling its purpose."
