Survival in an Insecure World
To defeat cyberterrorists, computer systems must be designed to work around sabotage. David A. Fisher's new programming language will help do just that
 |
| Image: STEVE MELLON |
DAVID A. FISHER:
|
|
That is particularly true of computer systems, which are rapidly growing more complicated, interdependent, indispensable--and easier to hack. The tapestries of machines that control transportation, banking, the power grid and virtually anything connected to the Internet are all unbounded systems, observes CERT researcher David A. Fisher: "No one, not even the owner, has complete and precise knowledge of the topology or state of the system. Central control is nonexistent or ineffective."
Those characteristics frustrate computer scientists' attempts to figure out how well critical infrastructures will stand up under attack. "There is no formal understanding yet of unbounded systems," Fisher says, and that seems to bother him. In his 40-year career, Fisher has championed a rigorous approach to computing. He began studying computer science when it was still called mathematics, and he played a central role in the creation of Ada, an advanced computer language created in the 1970s by the Department of Defense to replace a babel of less disciplined programming dialects.
In the 1980s Fisher founded a start-up firm that sold software components, one of the first companies that tried to make "interchangeable parts" that could dramatically speed up the development process. In the early 1990s he led an effort by the National Institute of Standards and Technology (NIST) to push the software industry to work more like the computer hardware market, in which many competing firms make standard parts that can be combined into myriad products.
Fisher's quest to bring order to chaotic systems has often met resistance. The Pentagon instructed all its programmers to use Ada, but defense contractors balked. His start-up foundered for lack of venture capital. A hostile Congress thwarted his advanced technology program at NIST. But by 1995, the year that Fisher joined CERT, security experts were beginning to realize, as CERT director Richard D. Pethia puts it, that "our traditional security techniques just won't hold up much longer."
The organization was founded as the Computer Emergency Response Team in 1988, after a Cornell University graduate student released a self-propagating worm that took down a sizable fraction of the Internet. There are now more than 100 such response teams worldwide; the CERT center at Carnegie Mellon helps to coordinate the global defense against what Pethia calls "high-impact incidents: attacks such as the recent Nimda and Code Red worms that touch hundreds of thousands of sites, attacks against the Internet infrastructure itself, and any other computer attacks that might threaten lives or compromise national defense."
But each year the number of incidents roughly doubles, the sophistication of attacks grows and the defenders fall a little further behind. So although CERT still scrambles its team of crack counterhackers in response to large-scale assaults, most of its funding (about half of it from the DOD) now goes to research.
For Fisher, the most pressing question is how to design systems that, although they are unbounded and thus inherently insecure, have "survivability." That means that even if they are damaged, they will still manage to fulfill their central function--sometimes sacrificing components, if necessary. Researchers don't yet know how to build such resilient computer systems, but Fisher's group released a new programming language in February that may help considerably.
Fisher decided a new language was necessary when he started studying the mathematics of the cascade effects that dominate unbounded systems. A mouse click is passed to a modem that fillips a router that talks to a Web server that instructs a warehouse robot to fetch a book that is shipped out the same day. Or a tree branch takes down a power line, which overloads a transformer, which knocks out a substation, and within hours the lights go out in six states.
Engineers generally know what mission a system must perform. The power grid, for example, should keep delivering 110 volts at 60 hertz. "The question is: What simple rules should each node in the power grid follow to ensure that that happens despite equipment failures, natural disasters and deliberate attacks?" Fisher asks. He calls such rules "emergent algorithms" because amazingly sophisticated behavior (such as the construction of an anthill) can emerge from a simple program executed by lots of autonomous actors (such as thousands of ants).
 |
| SOURCE: CERT COORDINATION CENTER (WWW.CERT.ORG) |
| CALLS TO CERT reporting new computer viruses, worms and hacker attacks--or new software flaws that allow bad guys to break in--have been doubling every year. |
"Easel allows us to simulate unbounded systems even when given incomplete information about their state," Fisher says. "So I can write programs that help control the power grid or help prevent distributed denial of service attacks" such as those that knocked out the CNN and Yahoo! Web sites a few years ago.
Because it uses a different kind of logic than previous programming languages, Easel makes it easier to do abstract reasoning. "Computation has traditionally been a commerce in proper nouns: Fido, Spot, Rex," Fisher notes. "Easel is a commerce in common nouns: dog, not Fido." This difference flips programs upside down. In standard languages, a program would include only those attributes of dogs that the programmer judges are important. "The logic of the programming language then adds the assumption that all other properties of dogs are unimportant. That allows you to run any virtual experiment about dogs, but it also produces wrong answers," Fisher says. This is why computer models about the real world must always be tested against observations.
In Easel, Fisher says, "you enumerate only those properties of dogs about which you are certain. They have four legs, have two eyes, range from six inches high to four feet high. But you don't specify how the computer must represent any particular dog. This guarantees that the simulation will not produce a wrong answer. The trade-off is that sometimes the system will respond, 'I don't have enough information to answer that question.' "
Easel makes it easier to predict how a new cyberpathogen or software bug might cripple a system. CERT researcher Timothy J. Shimeall recently wrote a 250-line Easel program that models Internet attacks of the style of the Code Red worm, for example. That model could easily be added to another that simulates a large corporate network, to test strategies for stopping the worm from replicating.
Fisher and others have already begun using Easel to look for emergent algorithms that will improve the survivability of various critical infrastructures. "You can think of an adversary as a competing system with its own survival goals," Fisher says. "The way you win that war is not to build walls that interfere with your goals but to prevent the opposition from fulfilling its purpose."
--W. WAYT GIBBS