CERT
ISW'97 site

The following is a reprint of a message from the 1996 President of the IEEE Computer Society that appeared in the November 1996 issue of Computer. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Survivability in the age of vulnerable systems
Mario Barbacci
Carnegie Mellon University

As we all become more connected, system survivability, an issue that used to concern mostly business or government, is now routinely covered in the mainstream press. Survivability is defined as a system's capacity to complete its mission in a timely manner, even if significant portions are incapacitated by attack or accident. Now that we construct information systems from off-the-shelf components, communication protocols, and other systems that are no secret, no amount of system "hardening" can guarantee that a system is invulnerable to attack. In spite of our best efforts, systems will be breached.

Sense of vulnerability
Four fundamental problems contribute to an increasing sense of vulnerability.

First, most people are either not aware of or don't understand the concepts and practices associated with system survivability. This includes system designers, managers, administrators, and users. And although traditional computer security techniques are reasonably well understood, they typically are poorly applied.

Second, systems are rarely designed with security in mind. Instead, security, if it is addressed at all, is implemented with post-design patches and add-ons.

Third, system security typically is not assessed in the context of other software quality attributes such as performance, ease of use, extensibility, maintainability, and interoperability. As a result, developers do not make explicit trade-offs among critical software attributes.

Finally, most security and (very limited) survivability research and practice to date have been based on a bounded system paradigm, which assumes centralized administrative control over all of a system's computational and communication resources. This approach does not support the design of systems that must survive in an unbounded network domain such as the Internet or its future incarnation.

Enabling technology
The CERT Coordination Center's collection of software vulnerability data provides empirical evidence that vendors continue to release software containing essentially the same classes of security flaws, repeatedly, year after year. Vendors typically respond to these flaws by issuing a patch that addresses the immediate problem but not the design problem that is often the cause of the flaw.

A recent report ("Is the US Prepared for Cyberwar?" Thomas Kanshige, Computer, July 1996, pp. 20-21) summarizes the findings of a Rand Corp. study on attacks on US Department of Defense networks. Admittedly, the DoD is a very large target, but the reported 250,000 attacks last year should give us pause. Attackers range from teenagers trying to emulate fiction to agents of foreign governments. Resources are not even an issue: a laptop and a modem are all an attacker needs. If the DoD, with all its resources and experience in traditional security techniques, is concerned, shouldn't the rest of us be concerned?

Emerging products, while they make computing more accessible, also sow massive survivability problems. For example, Microsoft plans to integrate the multimedia capabilities of the World Wide Web with its Windows 95 operating system. Microsoft's new paradigm will abandon files and folders kept in local storage in favor of stand-alone Web pages. Every document, everywhere, would potentially be accessible through hypertext links. If the Network Computer (essentially a keyboard/screen/modem combination) takes off, even turning off our machine won't prevent attacks, because the information won't be in the machine to begin with. Network servers will become a rich, inviting target.

Encouraging cooperation
Where do we go from here? Panic won't do any good. The good news is that there is a great deal of research on issues related to survivability. The bad news is that different researchers don't hear from each other. This is a major problem, because the concepts and practices associated with system survivability span almost the entire range of computer science and engineering (reliability, testing, fault tolerance, availability, program verification, performance, and security, to name a few). It is unlikely that any one research team will get it right.

One of the most valuable services the IEEE Computer Society provides is a strong program of technical meetings. Each year we sponsor more than 120 technical meetings around the world, ranging in size from thousands to a few dozen participants. If you are concerned about survivability, I have just the event for you: a CS workshop is scheduled to take place in a couple of months. The price of admission is a short position statement. I encourage you to visit their home page for further information and consider participating in this event.
http://www.cert.org/research/isw97.html