Abstract:
Cyber-security today is focused largely on defending against known attacks. We learn about the latest attack and find a hack to defend against it. So our defenses improve only after they have been successfully penetrated. This is a recipe to ensure that some attackers succeed, not a recipe for achieving system trustworthiness. We must move beyond reacting to yesterday's attacks and instead start building systems whose trustworthiness derives from first principles. Yet today we lack the understanding to adopt that proactive approach; it is not only a matter of engineering, but we lack a science of security (SOS). The SOS landscape would include attacks, defense mechanisms, and security properties; the science would characterize how these relate. What security properties can be preserved by a given defense mechanism? What attacks are resisted by a given mechanism? How can enforcement mechanisms be viewed as "trust relocators"? Some challenges are reminiscent of problems that software engineering researchers confront; others resemble problems addressed in the fault-tolerance community. In fact, there are significant technical differences for an SOS, deriving from the very different assumptions about requirements and the environment. This talk will attempt to clarify those differences. We will also survey recent and promising avenues toward building an SOS and creating a principled basis for the engineering of trustworthy systems.