The INFOSEC Research Council

1
The INFOSEC Research Council

• November 2001
• John Davis
• Mitretek Systems
• John.Davis_at_mitretek.org 703-610-1945

2
IRC Charter - Informal

• The INFOSEC Research Council (IRC) consists of
  U.S. Government sponsors of information security
  research from the Department of Defense, the
  Intelligence Community, and Federal Civil
  Agencies.
• The IRC provides its membership with a
  community-wide forum to
• discuss critical information security issues,
• convey the research needs of their respective
  communities, and
• describe current research initiatives and
  proposed courses of action for future research
  investments.
• By participating in the IRC, sponsors obtain and
  share valuable information that will help them
  focus their information security research
  programs, identify high-leverage, high-value
  research targets of opportunity, and minimize
  duplication of research.
• The IRC will be a collective effort for the
  mutual benefit and collaboration of the
  participating organizations and is intended to
  promote intelligent information security research
  investments.
• While it is understood that each participating
  agency will have its own research priorities, it
  is anticipated that the IRC will be able to
  identify high priority areas of research to
  develop a common, shared appreciation of the
  important and challenging information security
  problems of the day.

3
Charter - Who is the IRC?

• The INFOSEC Research Council (IRC) consists of
  U.S. Government sponsors of information security
  research from the Department of Defense, the
  Intelligence Community, and Federal Civilian
  Agencies.
• First meeting May 1996, NSA R2 as facilitator
• Target Federal RD Managers
• Department of Defense DARPA, NSA, and OSD
• Air Force AFRL and AFIWC
• Army ARL and CECOM
• Navy NRL, ONR, and SPAWAR
• Intelligence Community CIA and NRO
• Civilian Agencies DOE, FAA, FBI, NIST, NRC, and
  NSF

4
IRC Methods

• Bimonthly meetings
• Program discussions
• Relevant technical presentations
• Review new developments
• Events
• Hard Problems List
• Program rollup
• Protected websites for members and meeting guests
• Infosec Science and Technology Study Group (ISTSG)

5
Program Roll-up Database

• Original version hardcopy
• Moving to automation online database
• Each member organization provides RD summary
  info
• Project records will target
• Summary technical info / URL
• Contact information
• Non-sensitive budget info
• Relationship to Hard Problems list
• Relationship of requirements to hard problems
• Benefits identify resources being applied to
  hard problems, support gap analysis

6
Infosec Science and Technology Study Group

• ISTSG Studies
• Issues of particular import
• Issues of shared interest
• Benefit from the contributions of recognized
  experts
• Technology Transition
• Self-Healing Networks
• Information Assurance Vision / End State
• Malicious code

7
IRC Vision
INFOSEC Science and Technology Study Groups
U.S. Government Sponsors INFOSEC Research Council
Roll Up DB
Hard Problems List
National Security Needs
DARPA
DoE
CIA
SPAWAR
CECOM
ARL
AFIWC
ONR
Warfighter Needs
NSF
NRO
Fed Lab FFRDC RD
prospective member
8
Thank You

• IRC Contact information
• Carl Piechowski
• Chair, Infosec Research Council
• U.S. Department of Energy
• SO-212.4
• 19901 Germantown Rd
• Germantown, MD 20874-1290
• Phone 301-903-4053
• carl.piechowski_at_hq.doe.gov

IRC Executive Agent Mitretek Systems, Inc 3150
Fairview Park South Falls Church VA 22042 Phone
(703) 610-1945 Fax (703) 610-1699

• IRC public web site
• http//www.infosec-research.org/

9
IRC Hard Problems List

• November 2001

10
What makes INFOSEC problems hard?

• Technical factors
• Users require Infosec solutions that permit COTS
  use
• Need for wide deployment of security technology
• Need to manage complex, networked systems
  securely
• Need to support dynamic security policy
  environments
• Growing technical sophistication of threats (even
  from ankle-biters)
• IT Market and user perception factors
• COTS provides more function, less assurance
• Declining government influence on COTS IT
• User belief COTS security will suffice
• Unrealistic assumptions (e.g. detect unprevented
  attack)

11
INFOSEC Hard Problems Functional

• Intrusion and misuse detection
• Intrusion and misuse response
• Security of foreign and mobile code
• Controlled sharing of sensitive information
• Application security
• Denial of service
• Communications security
• Security management infrastructure
• Infosec for mobile warfare

12
INFOSEC Hard Problems Design and Development

• Secure system composition
• Techniques for building highly secure systems
  from components not designed for such purposes
• High assurance development
• Techniques for building IT components whose
  security properties are known with high
  confidence
• Metrics for security
• techniques for measuring the security properties
  of IT systems and components

13
Non-technical Hard ProblemInfluencing Vendors

• Could this be the ultimate hard problem?
• Influence via procurement policy has not
  succeeded
• government market share declining
• government buyers have ignored or circumvented
  regulations to please users
• Standards processes may help
• Open publication of research results can help

14
Hard Problem List Details

15
Intrusion and Misuse Detection

• Requirement tools that can detect and localize
  both intrusions (by outsiders) and misuse (by
  insiders) of computer systems and networks
• Current state
• commercial products based either on signature
  recognition or anomaly detection
• are weak - Type I and II errors both too large
  saturation attacks can blind sensors, slow
  attacks can come in under the radar
• a few novel research approaches (e.g. immune
  system) but the results are weak
• deception schemes (honey pots) depend on
  secrecy
• fusion problem reappears
• evaluation is difficult
• Research funding justified, but only for novel
  approaches

16
Intrusion and Misuse Response

• Requirement tools and techniques for responding
  to intrusion/misuse, preferably in time to limit
  damage
• Current state
• conventional backup and recovery techniques can
  help but are vulnerable to high latency attacks
• often difficult to identify ultimate source of
  attack
• hard to determine extent of damage, thus level of
  response warranted
• even if attacker identified, policy and legal
  issues limit response options
• if responses are known, attacker may purposely
  evoke them (e.g. to deny service)
• New ideas, ability to analyze current approaches,
  are needed

17
Security of Foreign and Mobile Code

• Requirement Ability to use foreign and mobile
  code technology without opening unacceptable
  system vulnerabilities
• Current state
• Components of unknown provenance in COTS (or
  custom) software are foreign code
• Executable content (ActiveX, Java, Visual Basic
  macros) may be downloaded, e-mailed
• Virus scanners can recognize known threats users
  can disable functions (but may be unwilling)
• Sandboxes are sandboxes -- limit function and can
  leak
• Code signing means trusting the signer --
  completely
• New approaches proof carrying code, software
  fault isolation may help
• Needed further development of PCC, SFI
  approaches to resolve security policy conflicts
  between host and mobile code

18
Controlled sharing of sensitive information

• Requirement Effective control of classified
  information without inhibiting needed sharing
  among authorized people
• Current state
• decades of research have yielded technical
  approaches but not fielded solutions
• current architectures rely largely on
  discretionary controls within security levels,
  with guards and filters between level
• dynamic coalitions, dealing with COIs, are hard
• Candidate approaches include SLAT architectures,
  specialized components, VMMs for multi COIs
• Strong need for research, demonstrations

19
Application Security

• Requirement provide secure information
  processing for the application user
• Current state
• security requirements specific to the application
  often exceed those the underlying OS supports
  (e.g., distributed collaboration, database
  applications)
• yet policies implemented by the application may
  be compromised by attacks on the OS
• Needed research
• are there breakthrough approaches supporting
  application security without secure OS base?
• If secure OS base is unavoidable, what mechanisms
  best support application requirements?

20
Denial of Service

• Requirement prevent or resist denial of service
  attacks
• Current state
• many paths are open to network attacks against
  clients and servers
• traditional robustness mechanisms sometimes make
  DoS problems worse (e.g. by propagating bad data
  to backups)
• existing strategies are not always deployed
• Needed
• general models, architectures for DoS resistance
• systems that could maintain critical function
  under attack
• theory to describe best conceivable responses as
  benchmark

21
Communication Security

• Requirement military/intel grade communications
  protection, including traffic flow security
• Current state widespread use of COTS
  communication infrastructure limits ability to
  achieve security goals
• full period encryption impractical on shared
  links
• cleartext headers needed for packet switching
• Needed
• assessment of govt. needs for high assurance
  anonymity services
• releasable cryptography for coalition operations
• technology for sanitizing, neutralizing critical
  systems in case of compromise or overrun
• high speed IP cryptography

22
Security Management Infrastructure

• Requirement ability to manage security
  mechanisms in large scale, distributed systems
• Current state
• many network management mechanisms lack security
• security management mechanisms are complex, may
  not scale to the large systems government
  requires
• commercial providers lack incentive to provide
  mechanisms needed
• Needed
• attack-resistant security management mechanisms
• research to assure evolving high assurance
  systems can be manged when deployed on large
  scale

23
INFOSEC for Mobile Warfare

• Requirement improved, secure connectivity among
  land, sea, and air nodes in tactical warfare,
  plus connectivity to logistics and intelligence
• Current state
• increasing use of wireless communication
• increasing attempts to leverage commercial
  technologies for tactical applications
• yet COTS TCP/IP stacks will suffer in low
  bandwidth, jammed environment
• acceptable performance from COTS may force
  abandoning secure operation
• Needed
• security protocols, crypto mechanisms to achieve
  security dynamically in low bandwidth,
  unreliable, multi-medium comm environment
• mechanisms to restore service under attack

24
Security Engineering MethodologiesSecure System
Composition

• Needed methodology for constructing secure
  systems from a mix of highly assured components
  and COTS
• Current state
• general composability problem has resisted
  determined efforts
• some specific components and architectures that
  use some high assurance components have been
  explored
• Needed
• Exploration of new ideas, e.g., moving
  insecurity around
• tools to aid security architecture and
  engineering by tracking dependencies, etc.

25
Security Engineering MethodologiesHigh Assurance
Development

• Requirement maintain and increase ability to
  develop high assurance systems
• Current state
• experience with formal and structured design,
  security analysis, gained over 25 years in danger
  of being lost
• still no consensus best practice methodology
  for developing and maintaining high assurance
  systems
• Needed
• explore multiple approaches with aim of
  developing and maintaining a capability for
  building and maintaining high assurance secure
  systems
• relate to HPCCs HCS working group research
  agenda

26
Security Engineering MethodologiesMetrics for
Security

• Requirement practical and defensible ways to
  measure the security of a component or system
• Current state
• current discussions of managing risk suggest a
  precision that is lacking in practice
• this problem has resisted attacks over many
  years, but success would bring high payoff
• Needed
• new ideas on how to address security metrics for
  overall systems and for components
• HCS working group research agenda

27

• QUESTIONS ???
• www.infosec-research.org