CERT
ISW'97 site





A Global View of Information Survivability




Peter G. Neumann and Phillip A. Porras
Computer Science Laboratory, SRI International
333 Ravenswood Avenue
Menlo Park CA 94025-3493

Telephone 1-415-859-2375 and 1-415-859-3232, respectively
Fax 1-415-859-2844 for both of us
Neumann@CSL.sri.com and Porras@CSL.sri.com, respectively


The problems of attaining survivability throughout a complex information infrastructure are broadly based, and require far-reaching approaches. Survivability is a global property of systems and networks in the large. Its attainment in turn requires that systems and subsystems -- both collectively and individually -- satisfy stringent requirements for the features and assurances that achieve survivability. While survivability is a global property, its requirements must first be applied locally, which in turn necessitates satisfying lower-layer component properties. The view that we espouse considers requirements hierarchically, determines their interrelationships and hierarchical dependencies, and provides corresponding insights into decisions regarding system design and implementation, networking protocols, choice of hardware, operating systems and programming languages, and software engineering methods.

Designing survivable information infrastructures requires a thorough understanding of how to specify and integrate the key properties from the various disciplines on which survivability ultimately depends -- for example, the many aspects of security, fault tolerance, and reliability. We need to define survivability relative to properties within these various disciplines, and similarly attain the relevant functionality needed to satisfy our survivability requirements as compositions of components. We also need to establish metrics for evaluating the degree to which information survivability is attained. Most importantly, we need a deep understanding of the interdependencies among our survivability properties, and among the mechanisms deployed to achieve survivability.

As in the disciplines on which survivability depends, implementing a survivable network begins with building components that achieve the lower-layer properties of survivability. With respect to security, efforts that contribute to survivability include those to design more robust communication protocols that incorporate mechanisms to provide confidentiality, message integrity, and some level of accountability among cooperative entities. Also important are efforts to make network interconnectivity more adaptive to dynamic environments and able to respond to both malicious and natural exceptional conditions with alternative strategies to ensure some level of availability of resources. Efforts to integrate wide-scale self-monitoring and response capability both at the system layer and network-wide would also be of great benefit to information survivability. Lastly, we must recognize that there will continue to be COTS products and legacy systems populating our information infrastructures that are deficient with respect to robustness, security, and reliability. We need to consider efforts intended to investigate the structured (and in some cases mediated) integration of systems in ways that help to minimize the exposure of inherent weaknesses in individual products.

PERSONAL BACKGROUNDS:

Our relevant backgrounds together span requirements, criteria, design, specifications, system evaluation, languages, software engineering methodologies including formal methods, and risk management, with respect to security, cryptography, reliability, fault tolerance, and safety, and critical systems generally. We are currently co-PIs for a DARPA project on detecting and responding to network misuse and other adverse behavior [9].

Neumann was the principal author of the Army survivability report [1]. He has long been involved in abstraction and constructively structured system design for reliability and security (Multics, SRI's Provably Secure Operating System, and SRI's MLS database system SeaView, as well as research articles and reports [2,3,4,5]), and in risk management [6]. Porras has extensive relevant experience in system design and evaluation, as well as detection and analysis of security flaws [7,8]. Our backgrounds are strongly complementary, and thus we believe that having both of us attend would be strongly beneficial to your workshop.

A FEW RELEVANT REFERENCES:

1. A. Barnes, A. Hollway, and P.G. Neumann. Survivable computer-communication systems: The problem and working group recommendations. Technical report VAL-CE-TR-92-22 (revision 1), U.S. Army Research Laboratory, AMSRL-SL-E, White Sands Missile Range, NM 88002-5513, May 1993. For Official Use Only.

2. P.G. Neumann. On Hierarchical Design of Computer Systems for Critical Applications. IEEE Transactions on Software Engineering, SE-12, 9, September 1986, pp. 905--920.

3. P.G. Neumann. On the Design of Dependable Computer Systems for Critical Applications. Computer Science Laboratory, SRI International, CSL Technical Report CSL-90-10, October 1990.

4. P.G. Neumann, N.E. Proctor, and T.F. Lunt. Preventing Security Misuse in Distributed Systems. Computer Science Laboratory, SRI International, issued as Rome Laboratory report RL-TR-92-152, Rome Laboratory C3AB, Griffiss AFB NY 13441-5700, June 1992.

5. P.G. Neumann. Architectures and Formal Representations for Secure Systems, Final Report, Project 6401, SRI International, Menlo Park, California, CSL report 95-05, October 1995.

6. P.G. Neumann. Computer-Related Risks. Addison-Wesley, 1995.

7. P.A. Porras. STAT: A State Transition Analysis Tool for Intrusion Detection. Master's Thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

8. O. Sibert, P.A. Porras, and R. Lindell. An Analysis of the Intel 80x86 Security Architecture and Implementations. IEEE Transactions on Software Engineering, SE-22, 4, May 1996, pp. 283--293.

9. IDES/NIDES/EMERALD webpages for our new DARPA project on detecting improper system/network use <http://www.csl.sri.com/intrusion.html>.


