By Bill Steele
More and more, our society depends on systems of many computers linked together. From banking and medical information systems to the nationwide power grid to the seeming simplicity of a Google search, thousands or even hundreds of thousands of computers, often in widely separated locations, may be involved.
Now, with a $1.6 million grant from the National Science Foundation (NSF), a team of Cornell computer scientists with extensive credentials in the field hopes to find ways to make such systems both reliable and secure. The funding is part of NSF's $32.2 million "Cyber Trust" initiative.
"Cornell has a history of significant research accomplishments in information assurance and security. The NSF commitment to funding research in secure computing is an important cornerstone for addressing national security concerns," said Robert C. Richardson, senior vice provost for research at Cornell.
"There are two kinds of things people try to do to make more trustworthy computer systems," explained Andrew Myers, Cornell assistant professor of computer science and leader of the team. "Failures are inevitable, so we want systems that tolerate failures and keep information available. And we want systems that are more secure and can survive attacks."
Unfortunately, he added, the two goals pull against each other. One standard approach to reliability is replication: many computers that each hold the same data and provide the same service, so that the loss of a few does not interrupt it. But each replica is another copy of the data and another machine that can be attacked; instead of having one computer to break into, intruders have a thousand. Conversely, tighter security measures often make it harder for legitimate users to get to the data, which works against availability.
The other two members of the team each have extensive experience in those two conflicting areas. Both are Cornell professors of computer science.
Fred Schneider is director of the Information Assurance Institute, a joint project of Cornell and U.S. Air Force researchers, and is chair of Microsoft Corp.'s recently formed security advisory board. From 1998 to 2000 he chaired the National Academy of Sciences' study committee on information systems trustworthiness, leading to the publication of the book Trust in Cyberspace, which he edited.
Kenneth Birman has designed fault-tolerant software for the New York Stock Exchange, the AEGIS missile-firing warship and the French air traffic control system.
All three have worked closely with the operators of some of the largest distributed systems, including a consortium of operators for the nation's electric power grid, the U.S. military, and corporate researchers at companies like Amazon.com, which reportedly operates from five to ten thousand computers.
Birman and Schneider have developed what Birman calls "a toolbox of techniques." Myers hopes to combine these into new tools for building systems in which security and reliability are inherent from the ground up.
Myers has already created an extension of the Java programming language, called Jif, that enforces security as a program is being written: the programmer labels data with the policies that govern it, and the compiler rejects code that would let information flow in violation of those labels. He thinks that idea can be extended to large distributed systems. "We want to build something to build systems by hiding the fact that the toolbox is there," he explained. "The way people build now, they use lots of complicated protocols and encryption, then argue that they've got security, but it's impossible to prove."
One way the language could work, he suggests, might be to keep the idea of duplication for reliability, but not trust that every duplicate is correct -- that is, if the computers disagree, accept only the answer given by a majority of them, so that a few compromised machines are outvoted. It's not as simple as that, of course: one loophole is that the duplicates normally run identical code, so someone who has broken into one computer on the system knows exactly how to compromise all of them, and the majority is then wrong together. An answer to that, the researchers suggest, might be randomization of the code, so that each copy differs enough that one break-in technique does not carry over to the others.
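The following Python sketch is an added illustration of the voting scheme and the loophole just described; it is not code from the Cornell project or from Jif. It simulates replicas answering a query, accepts an answer only when at least f+1 of 2f+1 or more replicas agree, and then contrasts an independent break-in on one machine with a single exploit against identical code, which compromises every replica at once. The balance values, variant names and quorum rule are assumptions made for the example.

```python
from collections import Counter

# Constructed sample values: what an honest replica returns, and what a
# broken-into replica returns instead.
TRUE_BALANCE = 100
ATTACKER_VALUE = 999


def majority_vote(responses, f):
    """Return the answer backed by at least f+1 replicas, or None if none is.

    f is the largest number of replicas assumed compromised at the same time.
    With n >= 2f+1 replicas, at most f can lie, so any answer that f+1 of them
    agree on was given by at least one honest replica, and honest replicas agree.
    """
    if len(responses) < 2 * f + 1:
        raise ValueError("need at least 2f+1 replicas to tolerate f compromised ones")
    answer, support = Counter(responses).most_common(1)[0]
    return answer if support >= f + 1 else None


def exploit(variants, target_variant):
    """Indices of replicas that one exploit against `target_variant` breaks into.

    Replicas built from the same code fall to the same exploit; replicas whose
    code has been diversified (different variant labels) do not.
    """
    return {i for i, v in enumerate(variants) if v == target_variant}


def query(n, compromised, f):
    """Ask all n replicas for the balance, then vote; `compromised` is the set
    of replica indices an attacker controls."""
    replies = [ATTACKER_VALUE if i in compromised else TRUE_BALANCE for i in range(n)]
    return majority_vote(replies, f)


if __name__ == "__main__":
    # One of four machines broken into by some independent means: outvoted.
    print("one independent compromise:", query(4, {2}, 1))

    # Four identical copies: one exploit takes all of them, and the vote
    # confidently returns the attacker's value.
    identical = ["v1", "v1", "v1", "v1"]
    print("identical code, one exploit:", query(4, exploit(identical, "v1"), 1))

    # Four diversified copies: the same exploit reaches only one of them.
    diverse = ["v1", "v2", "v3", "v4"]
    print("diversified code, one exploit:", query(4, exploit(diverse, "v1"), 1))

    # No answer reaches quorum: the client must treat the result as unavailable
    # rather than pick one at random.
    print("no quorum:", majority_vote([1, 2, 3], 1))
```

The point the simulation makes is that majority voting only protects against failures that are independent; replication of identical code turns one vulnerability into a correlated failure of every replica, which is exactly what code randomization is meant to break.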
Or the solution may involve "completely new science," Birman said. "The reason we think we can do this is that we've learned a lot in what we've done over the last few years. We've reached the point where we bring a lot of understanding together. Now we may put that all aside and say, 'What's the best way to solve a problem like monitoring the power grid?'"
"We need new approaches to building the systems," Schneider agreed. "The Cornell effort will be to develop new technologies and a science base that make construction of such trustworthy systems a reality."