Reducing complexity to increase security
Carnegie Mellon University team receives $7.5M Office of Naval Research grant in collaboration with Penn and Stanford on software complexity reduction, or simplifying complex internet protocols to build greater security.
It’s simple to send a WhatsApp message, log in to Gmail, or open up Snapchat with one simple tap of your finger. But what lies behind all of these applications and systems is not so simple. Many complex security protocols that govern how data is sent over the internet ensure that it’s you who is logging into your account and not anyone else. But if a bug gets into any part of these complex software systems underlying the internet, it could result in undesirable consequences.
To combat the complexity of these systems and put higher security guarantees into the applications billions of people use every day, Carnegie Mellon University (CMU) has received a five-year, $7.5 million grant from the Office of Naval Research (ONR), in collaboration with the University of Pennsylvania (Penn), and Stanford University, under the Total Platform Cyber Protection (TPCP) program. The project will create fundamentally new ways to provide greater security and resilience for legacy navy software.
The joint project, named Accountable Protocol Customization (APC), aims to reduce the complexity of software by identifying smaller subsets of protocols. The team will develop tools that guarantee high security assurance for those subsets, rather than looking at one big, complex network of protocols.
“The benefit is in the high assurance,” said Carnegie Mellon Professor Anupam Datta. “It’s very hard to give high assurance to a very large, complex system. The goal of this project is to identify smaller subsets of the system to see, if those parts operate correctly, we can still get security guarantees irrespective of what happens in other parts of the system.”
The benefit is in the high assurance.Anupam Datta, Professor, Electrical and Computer Engineering, Carnegie Mellon University Silicon Valley
The collaborative project is led by Carnegie Mellon, with Penn and Stanford as collaborating institutions.
The Carnegie Mellon team includes Electrical and Computer Engineering Professors Anupam Datta, Limin Jia, Bryan Parno, and Corina Pasareanu, and Computer Science Assistant Professor Matthew Fredrikson. The faculty members, from both Pittsburgh and Silicon Valley, are all affiliated with CyLab.
“CMU is thrilled to be leading this effort in collaboration with the University of Pennsylvania and Stanford University. The combined team has a long history of doing collaborative research together,” said Datta, who is the lead PI. “A major component of our project is to ensure protocol customization is accountable, i.e. we will carefully account for properties of customized protocols by tightly coupling protocol customization operations with rigorous analysis.”
Collaborating from Penn are Professors Boon Thau Loo, Benjamin Pierce, Andre Scedrov, and Steve Zdancewic. The Stanford team is led by Professor John Mitchell.
“Modern network protocol standards often contain a dizzying array of options with perplexing and unpredictable potential interactions. Over time, these software become hard to maintain and also easy to compromise,” said Professor Boon Thau Loo. “We plan to explore real-world software that can benefit from APC’s protocol subsetting techniques, leveraging our combined strengths in systems and formal methods. The real-world use cases are immense, ranging from the cloud applications, network infrastructure, the Internet of Things, and blockchains.”
“The project will create a scientific framework for accountable protocol customization that reliably improves security of contemporary and future networked computing environments,” said Professor John Mitchell. “Through this project, we aim to create principled techniques for synthesis, testing, and verification of protocols. We look forward to fruitful collaborations with all participating institutions.”