The Dread, Deed and Dream of Cyber-Security
Eran Tromer, Tel Aviv University
Computer networks are the lifeblood of modern society, controlling critical physical infrastructure and offering essential virtual infrastructure. However, the rapid growth in computers’ functionality and performance came at a price: our powerful, globally-interconnected systems are vulnerable to malicious manipulation aimed at theft of information and at corruption of virtual and physical assets. Globally-coordinated attacks by malicious, stealthy, self-propagating software agents are, nowadays, a daily reality that threatens personal privacy, commercial interests and natural security. Cyber-security is the study and remediation of these threats.
Improving this state of affairs is a challenging endeavor, with its technical core in computer science and engineering. The challenge is multilayered. First, we require better models of users’ needs and of attacker’s capabilities; these are often difficult to capture and analyze, especially when considering real-world complications such as imperfect implementations and misplaced trust in suppliers of services and equipment. Second, we aim to harden existing systems using stop-gap mitigation of known attack types. And third, we seek new methodologies and techniques for constructing inherently-resilient systems.
The third layer – that of designing systems ground-up for security – is in particular now in its renaissance. Powerful techniques such as formal verification and information flow control, which were formerly affordable only for constrained and critical systems, are coming of age and increasing in capabilities and practicality. Moreover, new cryptographic tools bring closer the holy grail of allowing computation and data to reside on untrusted platforms, and even outsourced to “cloud computing”, without compromising confidentiality or integrity.