1 / 16

2003 UW-MSR-CMU Software Security Summer Institute

2003 UW-MSR-CMU Software Security Summer Institute. Jim Larus Microsoft Research Jeannette Wing Carnegie Mellon John Zahorjan Univ. Washington Scott Dakins Univ. Washington. http:// research.microsoft.com/projects/SWSecInstitute /. History of Summer Institutes.

jarah
Download Presentation

2003 UW-MSR-CMU Software Security Summer Institute

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 2003 UW-MSR-CMUSoftware SecuritySummer Institute Jim Larus Microsoft Research Jeannette Wing Carnegie Mellon John Zahorjan Univ. Washington Scott Dakins Univ. Washington http://research.microsoft.com/projects/SWSecInstitute/

  2. History of Summer Institutes • Jointly organized by Microsoft Research and University of Washington Computer Science Department • Goal • To bring leading researchers to the beautiful Pacific Northwest in the summertime to collaborate on key topics in computer science. • Institutes • 1997 - Data Mining • 1998 - Intelligent Systems • 1999 • Invisible Computing • Technologies to Improve Software Development • 2000 - Sharing Software Tool Infrastructure • 2001 - Specifying and Checking Properties of Software • 2003 – Software Security • Funded by Microsoft Research • This year Carnegie Mellon joins, in both organizing and funding it (Center for Computer and Communications Security C3S). Jeannette M. Wing

  3. Introductions • Software Security Institute • motivation, overview, and goals • To each other Jeannette M. Wing

  4. Why Are We All Here? • Security is important. • Security is hard. • Software keeps growing in size and complexity. • Software users keep growing in number and diversity. How can we build more secure software systems? • Technical challenges. • Professional responsibility to society. Jeannette M. Wing

  5. The Security Elephant • Layers • Cryptography • Protocols (authentication, communication, …) • Computer security (O/S, devices, file system, …) • Network security (distributed systems, firewalls, intrusion detection, …) • Administrators, users, and attackers • Properties (buzzwords) • Confidentiality, integrity, availability, privacy, anonymity, secrecy, trustworthy, high-assurance, … Software Jeannette M. Wing

  6. The Software Elephant • Layers, artifacts • Code, programs • Low-level design, specifications & unit tests • High-level design (architecture), specifications & system tests • Applications, documentation • Users • Properties • Correctness, performance, predictability, ease-of-use, … • Modularity/composability, simplicity/complexity, … Secure? Jeannette M. Wing

  7. Future and Secure Software Past and Present • Some Old Ideas • Orange Book • Military-style classifications • Formal models of security • Complete (top-to-bottom, inside-out) verification • Security perimeter • Securing a single machine • Today’s spectrum Theory Management Crypto can’t solve everything Can’t leave it all to the sysadmins Jeannette M. Wing

  8. Trends Covered Here • Human-computer interfaces (Mon. morn) • Biometrics, usable security, ubiquitous security • Program analysis techniques (Mon. aft) • Overcoming programming language flaws • Detecting specific security flaws (e.g., buffer overrun) • Checking specific security properties (e.g., information flow) • Distributed systems techniques (Tues. morn and eve) • Replication, secret-sharing, naming, network protocols, worms • Measuring and managing security (Tues. aft) • Field reports from CERT, MS Secure Windows Initiative • Computer architecture trends (Wed morn) • NGSCB (Palladium), bit-level integrity, code obfuscation • Software engineering practices (Wed aft) • Open source, software architecture, privacy architecture • New mathematical models • randomization Jeannette M. Wing

  9. Trends (Not Explicitly Covered Here) • E-commerce • E-voting • Spam • Privacy, a la TIA • Digital rights management • Communications, e.g., wireless, broadband • New mathematical models • Game theory • Econometrics ` Jeannette M. Wing

  10. Questions for You • What is the piece of the security puzzle that you are solving? • How does your solution interact with someone else’s? • How can you combine your solutions? • As a practitioner, what design principles do you follow to make your system more secure? • As a researcher, how does your method/language/tool help developers build more secure software systems? • What are your principal unmet technical challenges? Jeannette M. Wing

  11. =s =s =s = =s =s Some Personal Musings • Reliability and Security • Components and Compositionality ? 0 buffer overruns  more reliable code  more secure system a. certainly not  b. and if by how much “more secure” really? ? • M1 and M2 M1 + M2s • For what  might hold? For what +? • For what scale Mi? Function, class, set of …, system of sets of …? • How can we check if holds? • How can we construct Mi and define + to guarantee holds? • Suppose we let s to be different? Jeannette M. Wing

  12. Some Personal Musings • Security by Design a. How can we evaluate one design over another wrt security? b. Are there design rules to follow? Metrics to help evaluation? 4. Security and Privacy a. What’s the technical distinction? security = prevents unauthorized access to data privacy = prevents unauthorized use of data b.Threat models for privacy Jeannette M. Wing

  13. Institute Overview, by the Numbers • 41 participants • 16 industry (11 research labs, 5 other) • 22 academia • 3 government or independent • 6 invited talks • 21 other talks • 5 challenge problems + 1 silly brain teaser • 3 town hall discussions • 1 Five Minute Madness • 1 work-and-play excursion • + …some free time! Jeannette M. Wing

  14. Institute Goals • Educate • Investigate • What is the state of the art in building secure software systems? • How big is the gap between research and practice? • What are the key open problems? • E.g., what would make good Ph.D. thesis topics for today’s graduate students interested in security? • Foster Interaction • Town hall discussions • Discussions during and after each presentation • Half-hour breaks, meals • Tuesday afternoon excursion • Document • Presentations: abstracts and slides by speakers • Challenge problems, solutions • Papers contributed by you • Have Fun! Jeannette M. Wing

  15. Dirk Balfanz (PARC) Steve Bellovin (AT&T) Brian Bershad (UW) Christian Collberg (Univ. of Arizona) Crispin Cowan (Immunix) John DeTreville (Microsoft) Carl Ellison (Intel) Matt Franklin (UC Davis) Li Gong (Sun) Steven Gribble (UW) Matthias Jacob (Princeton) Somesh Jha (Univ. of Wisconsin) Dick Kemmerer (UC Santa Barbara) Angelos Keromytis (Columbia Univ.) Darko Kirovski (Microsoft) Larry Koved (IBM) Jim Larus (Microsoft) Butler Lampson (Microsoft) Steve Lipner (Microsoft) Tom Longstaff (SEI/CERT) Udi Manber (Amazon) John Manferdelli (Microsoft) Gary McGraw (Cigital) Catherine Meadows(NRL) Andrew Myers (Cornell Univ.) Adrian Perrig (CMU) Jon Pincus (Microsoft) Radha Poovendran (UW) Niels Provos (Univ. of Michigan) Mike Reiter (CMU) Jim Roskind (formerly of AOL/Netscape) Stefan Savage (UC San Diego) Fred Schneider (Cornell Univ.) Dan Simon (Microsoft) Dawn Song (CMU) Doug Tygar (UC Berkeley) David Wagner (UC Berkeley) Dan S. Wallach (Rice Univ.) Chenxi Wang (CMU) Jeannette Wing (CMU) John Zahorjan (UW) Institute Participants Jeannette M. Wing

  16. Introductions • Name • Affiliation: institution, title • One short sentence Jeannette M. Wing

More Related