Frontiers of Engineering: Reports on Leading-Edge Engineering from the 2015 Symposium (2016)

Chapter: Cybersecurity and Privacy-Introduction--David Brumley and Daniela Oliveira

Suggested Citation: "Cybersecurity and Privacy-Introduction--David Brumley and Daniela Oliveira." National Academy of Engineering. 2016. Frontiers of Engineering: Reports on Leading-Edge Engineering from the 2015 Symposium. Washington, DC: The National Academies Press. doi: 10.17226/21825.

Cybersecurity and Privacy

DAVID BRUMLEY
Carnegie Mellon University

DANIELA OLIVEIRA
University of Florida

How can systems be engineered to be both secure and respectful of user privacy? Societal dependence on computers makes this question not only extremely relevant, but also nuanced. A series of well-understood steps is involved in engineering highly secure, privacy-respecting systems.

First, an engineer rigorously states the security and privacy goals of the system. Typical goals include the confidentiality of system data, the integrity of the system, and its availability.

Second, the engineer defines what types of threats the system should be resilient to. For example, will an adversary attempt to infect the system through software vulnerabilities in applications? Or try to compromise the integrity of the operating system, which manages how applications access hardware resources? Worse still, is the adversary targeting the hardware, the lowest level of abstraction? Attacks on hardware render all security solutions at the operating system and application levels useless. Alternatively, the attacker may discover side channels, such as the system’s electromagnetic radiation, to recover cryptographic keys. The attacker can also compromise system availability by leveraging weaknesses in network protocols that were designed in the 1960s and are still used today.

Third, the engineer proves that the system design achieves the security goals in the presence of the adversary. The last step is implementing the system and formally verifying that the implementation is correct.

Rigorous models and proofs, however, are expensive in performance and specific to the problem at hand. You get what you pay for, and highly secure systems are not cheap.

Furthermore, the Internet era exposes the challenge of protecting people’s privacy, such as personal information, life habits, social networks, health conditions, and personal beliefs. Who owns and can profit from people’s data? How can people delete or hide information from the Internet? Or should they? Isn’t that rewriting history?

In practice the question is often not how to build a secure system, but how to engineer a system that is as secure as possible given practical construction constraints. New systems are almost always built on top of existing hardware, operating systems, software, and network protocols that provide fixed capabilities and have both known and unknown weaknesses. A well-engineered system follows a defense-in-depth strategy that incorporates layered protection and mechanisms for detecting and mitigating the effects of successful attacks. For example, a web server handling credit card numbers may use a network firewall to restrict access to only authorized computers, an intrusion detection system to detect suspicious behaviors, and a secure communication protocol with its clients to encrypt the credit card numbers.

The best results come when security and privacy are engineered into the design from the beginning. Experience shows that retrofitting security and privacy measures into existing systems is difficult and often results in relatively weak security guarantees.

The user is often just as important to security and privacy as the technology. Users make decisions about what to share, what links to click, and what software to install. Recent research shows that existing systems often have unintuitive security and privacy mechanisms, and thus ultimately make the user the weakest link. Research has also shown that user-centric designs help the user make good security and privacy decisions.

In this session, Bryan Payne (Netflix) started with a talk explaining the various abstraction levels of modern systems and the security consequences at each layer. Franziska Roesner (University of Washington) then described the role of users and how interfaces can be designed to help them make better security decisions, with a focus on mobile platforms. Next, Kevin Fu (University of Michigan) addressed security in medical devices, which have different characteristics and pose different challenges to a security engineer. Tomas Vagoun (National Coordination Office for Networking and Information Technology R&D) concluded the session with a talk on the US government’s view of challenges and frontiers in engineering cybersecurity.

This volume presents papers on the topics covered at the National Academy of Engineering's 2015 US Frontiers of Engineering Symposium. Every year the symposium brings together 100 outstanding young leaders in engineering to share their cutting-edge research and innovations in selected areas. The 2015 symposium was held September 9-11 at the Arnold and Mabel Beckman center in Irvine, California. The intent of this book is to highlight innovative developments in engineering research and technical work.