Background: From a Cyber Security perspective, the defense of DoD systems, as well as civilian systems (systems of systems connected across large-scale networks with rich connectivity between network domains, including the Internet), has for the most part been a reactive technology effort. As attackers invent new attacks, defenders develop defenses, but the attackers are always ahead of the defenders. Most have come to believe this is a cycle that cannot be broken because these systems (the hardware, software, human user, and the network that connects them) are too complicated to ever be modeled and to have their properties formally defined and verified. In fact, no formal definition of Cyber Security directly related to the properties of such a system has been produced, let alone metrics devised that measure those properties.
Objective: This MURI's objective is to begin the development of an architecture, or first-principles foundation, that defines Cyber Security for such a system. The intent is to discover and define the basic system properties that compose system security and other useful attributes: system properties that can be verified and validated through theoretical proof and/or experiment. The research concentration areas below represent one view of a potential architecture/foundation. Other views, such as network-based views, are welcome.
Research Concentration Areas: The Cyber Security research may address any or all of the system components (the hardware, software, human user, and the network that connects them). Areas of interest include, but are not limited to, the following:
(1) formally define basic system properties from which one can determine whether such a system can enforce desired security policies, including rigorous techniques for composing component properties to derive properties of the whole system;
(2) formally define classes of cyber security attacks that cover all known attacks;
(3) formally define classes of cyber security policies and mechanisms (including defense, monitoring, response, etc.) that address those classes of attacks;
(4) formally define the adversarial process model with respect to the development of new classes of attacks;
(5) formally define classes of cyber protection (mixtures of policies and mechanisms) that enforce those policies;
(6) formally develop metrics that measure areas 1 through 5 throughout a system;
(7) formally define other system properties and their metrics, such as scalability, adaptability, ease of use, mission assurance, etc., so that potential system designs can be compared against these properties and the cyber security property.
Impact: The development of the theoretical underpinnings (system properties and their relationship to policies) and of the theories and metrics (relationships between attacks, defenses, and policies) will allow the development of methods to compare the Cyber Security and other properties of a system and to consider the trade-offs among them for current and future systems. In addition, this research will enable the development of new technologies and supporting tools grounded on sound principles; it could help compare the capabilities of vendors' technologies; it would encourage the creation of a new industry for security software engineering technologies; and it will reduce costs by providing scientifically supported evidence of security properties rather than applying exhaustive testing to look for evidence of insecurity.
TEAM
Anupam Datta (CMU)
Joe Halpern (Cornell University)
John C. Mitchell (Stanford University, PI)
Andrew Myers (Cornell University)
Andre Scedrov (University of Pennsylvania)
Fred B. Schneider (Cornell)
David Wagner (UC Berkeley)
Jeannette Wing (Microsoft)
Topic Chief: Dr. Robert Herklotz, AFOSR
ONR BAA 10-026