Networked Computing for the 21st Century
High Confidence Systems


Overview

HCS R&D focuses on the critical technologies necessary to achieve high levels of availability, reliability, security, protection, and restorability of information services. Systems that employ these technologies will be resistant to component failure and malicious manipulation and will respond to damage or perceived threat by adaptation or reconfiguration. HCS R&D supports interagency collaborations for Federal high confidence systems.
 
Applications requiring HCS technologies include national security, law enforcement, life- and safety-critical systems, personal privacy, and the protection of critical elements of the National Information Infrastructure. Systems for power generation and distribution, banking, telecommunications, medical implants, automated surgical assistants, and transportation also need reliable computing and telecommunication technologies. This section highlights some recent accomplishments in HCS R&D.



Information survivability

DARPA's Information Survivability program is developing technologies that can be used to create survivable systems. These technologies will create strong barriers to attack, will detect malicious and suspicious activity, will isolate and repel such activity, and can be used to guarantee minimum essential continued operation of critical system functions in the face of concerted information warfare attacks. The program aims to create affordable, verifiable, scalable technologies for a robust and secure Defense infrastructure -- technologies that will enable the construction of secure enclaves and allow distributed computing to span such enclaves.
 
This program is creating advanced technologies that can be used to protect DoD's mission-critical capabilities as well as critical national infrastructures against electronic attack upon or through their supporting computing infrastructure. The technologies developed by the program will provide the strength needed for DoD while retaining the cost savings resulting from the use of commercial technologies. Following are a few highlights:

  • Under DARPA funding, the Boeing Corporation has developed and successfully demonstrated the Intruder Detection and Isolation Protocol. This involves a cooperative exchange of information about intrusion attacks by network components in order to isolate and cut off an attack. In a successful demonstration, ten attacks on the demonstration environment were detected and isolated.

  • DARPA has funded Reliable Software Technologies, Inc. to develop a tool for whitebox analysis of security vulnerabilities in source code. This tool has been used to identify potential security flaws in one of the most common servers in use on the Internet. Analysis revealed how a dozen simple perturbations and three buffer overflow flaws could compromise the security of the FTP server's system, allowing unauthorized retrievals of sensitive files. The results demonstrate that automated tools can be used to detect potential areas of weakness, enabling developers to take preventive actions to fortify their products against malicious attacks.

  • DARPA has funded Secure Computing Corporation (SCC) to develop an approach for protecting users browsing the Web from malicious attacks on their systems. The approach allows users to run their favorite browser in a confined manner so that any actions initiated by the browser or its children are restricted to only those files that the user has specifically permitted. In particular, rogue Java applets, JavaScripts, Netscape plug-ins, and Microsoft ActiveX components cannot access portions of the system that the user has declared off-limits to them. The code used to implement the protection is called a kernel hypervisor. To illustrate the approach, SCC has prototyped a Netscape Navigator kernel hypervisor. The prototype was developed for a Linux system, but the approach is applicable to many other modern operating systems, including Sun's Solaris and Windows NT. The kernel hypervisor is not bypassable, since it runs in the kernel. Also, since it is a loadable module, it does not require the kernel to be modified or even rebooted when it is loaded. SCC is currently investigating other potential applications.


 
DARPA information survivability research focuses on technology that will guarantee that critical information systems continue to function adequately in the face of attack, even when the precise type of attack has not been anticipated.



Information security

NSA's Information Security (INFOSEC) Research Program continues to deliver a broad range of security technology solutions. Fundamental mathematical work in cryptography, including elliptic curve technology, has produced more secure and efficient algorithms for privacy protection and authentication, while analytic work in electronic cash technology has provided valuable guidance to the financial and legal communities. NSA has provided demonstrations and standards developments to ease the integration of security services into commercial products and services. Engineering breakthroughs in high speed/low power electronics and in optical encryption technology will provide the foundation for emerging high performance communication systems. Improved biometric authentication techniques are finding widespread acceptance for improving government and commercial access control systems. Security enhancements for next generation operating systems and for object technology have been developed and transferred to the R&D community. New visualization and risk assessment tools have been developed and applied to assessing system security. Finally, NSA has established cooperation across the INFOSEC research community to address network security.
 
NSA has developed a technology forecast and set of challenge problems that focus on the development of a high assurance computing platform, technology for secure internetworking, and technologies needed for a high assurance security management infrastructure. The technology needs and gaps of these challenge problems will direct the bulk of NSA's INFOSEC research resources. Problem areas that need to be addressed include the development of system security engineering methods to specify and design security characteristics into a system; the management of network security and the development of an infrastructure to support that management; tools and techniques to detect and respond to local and national level attacks on critical information systems and infrastructure components; the development of strong mechanisms to allow the controlled sharing of information among disparate communities; and improved assurance technology for increasing the level of trust in the secure operation of system hardware, software, and procedures. Following are some highlights:

  • NSA is conducting research on technologies for high-speed encryption. In 1997, NSA engineers, in collaboration with DOE's Sandia National Laboratory, completed the design for an ATM encryptor that operates at 10 Gbps. In 1998 they will evaluate the vulnerability of the chip, which will be a follow-on to the FASTLANE ATM encryptor. This design is capable of context (key, algorithm, mode) agility rather than simply key agility.

  • NSA scientists have invented a process for fabricating etched mirrors on semiconductor laser surfaces, a process necessary to cascade optical logic gates on a single chip, and an advancement needed for the development of an all-optical encryptor.

  • NSA has authored the Internet Security Association and Key Management Protocol (ISAKMP), an Internet draft standard. NSA researchers are modeling ISAKMP and analyzing it for completeness and security. The model contains more than 100 different data flow diagrams, state transition diagrams, and mini-specifications. Included within the more than 50 state transition diagrams are 250 states and over 600 state transitions. Future modeling will include interaction of ISAKMP with other protocols.

  • NSA contracted with Virtual Motion Inc. to deliver a driver with a protocol structure that enables a laptop user to encrypt network data independent of the particular vendor's wired or wireless PC card. This improves the original idea of modifying each vendor's device driver to operate with a Fortezza encryption card. A wireless local-area network was also developed that uses the Fortezza card for security.



Assurance technologies

NASA is developing several technologies to help achieve high confidence in system safety. Following are some highlights:

  • NASA has funded Odyssey Research Associates (ORA) and Honeywell Air Transport Systems Division to study the incorporation of formal methods into Honeywell's software development processes. In particular, ORA developed TableWise, a prototype tool to analyze the characteristics of decision tables. A decision table is a tabular format for defining the rules that choose a particular action to perform based on the values of certain parameters. TableWise generalizes binary decision diagrams to determine if a particular table is exclusive (for every combination of parameter values, at most one action can be chosen) and exhaustive (for every combination of parameter values, at least one action can be chosen). The tool can automatically generate documentation and Ada code from a decision table. Honeywell is evaluating TableWise in developing its commercial autopilots, where the bulk of the creative effort is in developing and validating the mode selection logic.

  • NASA has initiated a joint project with Rockwell Collins to investigate the use of formal methods to reduce mode confusion in the cockpit. The project focuses on a composite flight guidance system appropriate for business jets. Using a formal model to drive an animation of the user interface while at the same time displaying the system's behavior is intended to help users and designers develop an architecture that matches the mental model of the flight crew. The investigation will look to formal methods to model the behavior of the system, visualize the internal states of the model, drive an animation of the user interface directly from the formal model, and analyze the models for desired properties such as consistency, completeness, and safety.
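
The exclusive and exhaustive checks that TableWise performs, shown on a constructed toy decision table for an autopilot vertical-mode selector. This is an added example, not TableWise's or Honeywell's code; it enumerates every parameter combination rather than using the generalized binary decision diagrams the tool relies on, and the parameter names, rules and actions are invented for the illustration.

```python
from itertools import product

# Constructed toy decision table for an autopilot vertical-mode selector; not
# Honeywell's logic and not TableWise's code. Parameters and their value domains:
PARAMS = {
    "ap_engaged": (True, False),
    "alt_captured": (True, False),
    "vs_selected": (True, False),
}

# A rule maps each constrained parameter to the set of values it accepts and
# names the action to take. A parameter absent from a rule is a don't-care.
RULES = [
    ({"ap_engaged": {False}}, "MANUAL"),
    ({"ap_engaged": {True}, "alt_captured": {True}}, "ALT_HOLD"),
    ({"ap_engaged": {True}, "vs_selected": {True}}, "VS"),  # also fires once captured
]

# Corrected table: VS applies only before capture, and PITCH_HOLD closes the gap.
CORRECTED_RULES = RULES[:2] + [
    ({"ap_engaged": {True}, "alt_captured": {False}, "vs_selected": {True}}, "VS"),
    ({"ap_engaged": {True}, "alt_captured": {False}, "vs_selected": {False}}, "PITCH_HOLD"),
]

def rule_matches(conditions, assignment):
    return all(assignment[p] in allowed for p, allowed in conditions.items())

def analyze(params, rules):
    """Return (exclusive, exhaustive, overlaps, gaps) for a decision table.
    Every parameter combination is enumerated, which is exponential in the
    parameter count; TableWise instead generalizes binary decision diagrams,
    which this example does not attempt."""
    names = list(params)
    overlaps, gaps = [], []
    for values in product(*(params[n] for n in names)):
        assignment = dict(zip(names, values))
        chosen = [action for conds, action in rules if rule_matches(conds, assignment)]
        if len(chosen) > 1:
            overlaps.append((assignment, chosen))   # table is not exclusive here
        elif not chosen:
            gaps.append(assignment)                 # table is not exhaustive here
    return not overlaps, not gaps, overlaps, gaps

if __name__ == "__main__":
    for label, table in (("original", RULES), ("corrected", CORRECTED_RULES)):
        exclusive, exhaustive, overlaps, gaps = analyze(PARAMS, table)
        print(f"{label}: exclusive={exclusive} exhaustive={exhaustive}")
        for assignment, actions in overlaps:
            print("  overlap:", assignment, "->", actions)
        print("  gaps:", gaps)
```

The original table selects two actions when the autopilot is engaged, altitude is captured and vertical speed is selected, and selects none when it is engaged but neither condition holds; the corrected table has neither defect.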



Protecting privacy for medical records


In FY 1998 and FY 1999, NLM and AHCPR will continue to support research in technologies for storing and transmitting patients' medical records while protecting the accuracy and privacy of those records. Projects will promote the application of HCS technologies to healthcare, telemedicine evaluation, and the testing of methods for protecting the authenticity, integrity, confidentiality, and privacy of electronic health data.



Secure Internet programming

NSF is supporting a secure Internet programming project at Princeton University that focuses on the security of mobile code systems such as Java, JavaScript, and ActiveX. Software-based protection can allow for more extensible security models that improve performance over hardware-based solutions. Extensible security mechanisms can protect subsystems and implement policies created after the original system has been shipped. This project has identified and analyzed different software-based security schemes and has popularized the extended stack inspection model.
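
The stack inspection model that the Princeton project analyzed, as an added simulation that is not the project's code. Frames carry the principal that signed their code; checkPrivilege walks the stack from the most recent frame and requires every frame it passes to be authorized, stopping at the first frame that enabled the privilege. The policy, principal names and privilege targets are constructed for the illustration, and the deny-at-bottom rule follows Netscape's implementation as described by the Princeton authors.

```python
# Simulation of the stack inspection model studied by the Princeton project (as
# used by Java security managers). Constructed example, not the project's code.
# Policy: which principals may enable which privilege targets (constructed).
POLICY = {
    "system": {"FileRead", "NetConnect"},
    "applet": {"NetConnect"},          # applets may only reach back to the network
}

class Frame:
    """One activation record: the principal that signed the code, plus the targets
    this frame has explicitly enabled or disabled for the code it calls."""
    def __init__(self, principal, enabled=(), disabled=()):
        self.principal = principal
        self.enabled = set(enabled)
        self.disabled = set(disabled)

def enable_privilege(frame, target):
    """enablePrivilege: only a principal the policy authorizes for target may enable it."""
    if target not in POLICY.get(frame.principal, set()):
        raise PermissionError(f"{frame.principal} is not authorized for {target}")
    frame.enabled.add(target)

def check_privilege(stack, target):
    """checkPrivilege: walk from the most recent frame (end of the list) towards the
    bottom. Every frame passed must be authorized for target; a frame that disabled
    it denies, and the first frame that enabled it grants without looking deeper.
    Reaching the bottom without an enabling frame denies (Netscape's rule; other
    implementations grant in that case when every frame was authorized)."""
    for frame in reversed(stack):
        if target not in POLICY.get(frame.principal, set()) or target in frame.disabled:
            return False
        if target in frame.enabled:
            return True
    return False

def luring_attempt():
    """Constructed scenario the model is designed to stop: system code enabled
    FileRead lower on the stack, then called back into applet code, which asks for
    the file. The applet frame is reached before the enabling frame, so access is denied."""
    stack = [Frame("system"), Frame("system", enabled={"FileRead"}), Frame("applet")]
    return check_privilege(stack, "FileRead")

def legitimate_service():
    """An applet calls a system font loader that enables FileRead itself; the applet
    frame is below the enabling frame and is never consulted."""
    stack = [Frame("system"), Frame("applet"), Frame("system", enabled={"FileRead"})]
    return check_privilege(stack, "FileRead")
```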
 
Systems and networks are trusted to perform their intended functions with a high degree of confidence. Systems and networks performing mission-critical functions or managing high-value assets or embedded systems require unprecedented levels of reliability and quality. Two NIST programs focus directly on these needs.



National Information Assurance Partnership program and Role-Based Access Control


Under the NIAP program, NIST has partnered with NSA to establish a center to foster the development of formal laboratories to test and certify security products against published formal specifications. This program will help ensure that both vendors and users can cite third-party assurance of the functionality and quality of security products and systems.
 
In the complex information technology environment, the careful and correct specification of rules to control access to online documents, capabilities, or systems has become critical -- and increasingly difficult. While traditional access control methods focus on individual users, files, or other system objects, management of access in the real world is more often based on the role that a user assumes. NIST has pioneered the new RBAC model that better meets the needs of user organizations and is implementing it in several environments, including a Web-based application.
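
A constructed illustration of the RBAC model's core ideas (users assigned to roles, permissions attached to roles, a role hierarchy through which senior roles inherit junior roles' permissions, sessions that activate a subset of a user's roles, and static separation of duty). This is an added example and not NIST's implementation; the hospital roles, objects and users are invented.

```python
class RBAC:
    """Core RBAC with a role hierarchy and static separation of duty (SSD): a
    constructed illustration of the NIST model, not NIST's own implementation."""
    def __init__(self):
        self.user_roles = {}   # user -> roles assigned directly
        self.role_perms = {}   # role -> {(operation, object)}
        self.juniors = {}      # senior role -> junior roles whose permissions it inherits
        self.ssd = []          # role sets that no single user may be authorized for

    def add_role(self, role, perms=(), juniors=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(juniors)

    def authorized_roles(self, roles):
        """Close a role set under inheritance: a senior role acquires its juniors."""
        closure = set(roles)
        for role in roles:
            closure |= self.authorized_roles(self.juniors.get(role, ()))
        return closure

    def assign(self, user, role):
        roles = self.user_roles.get(user, set()) | {role}
        for conflict in self.ssd:  # SSD is enforced when roles are assigned
            if conflict <= self.authorized_roles(roles):
                raise ValueError(f"SSD violation: {user} would hold {sorted(conflict)}")
        self.user_roles[user] = roles

    def session(self, user, activate=None):
        """Activate a subset of the user's roles (default: all); return the effective set."""
        assigned = self.user_roles.get(user, set())
        active = set(activate) if activate is not None else assigned
        if not active <= assigned:
            raise ValueError("a session may only activate assigned roles")
        return self.authorized_roles(active)

    def check_access(self, session_roles, operation, obj):
        return any((operation, obj) in self.role_perms[r] for r in session_roles)

def hospital():
    """Constructed sample policy; physician and pharmacist both inherit provider."""
    r = RBAC()
    r.add_role("employee", [("read", "staff_directory")])
    r.add_role("provider", [("read", "patient_record")], juniors=["employee"])
    r.add_role("physician", [("write", "prescription")], juniors=["provider"])
    r.add_role("pharmacist", [("dispense", "prescription")], juniors=["provider"])
    r.add_role("auditor", [("read", "audit_log")])
    r.ssd.append({"physician", "pharmacist"})  # nobody may both write and dispense
    for user, role in (("alice", "physician"), ("alice", "auditor"), ("bob", "pharmacist")):
        r.assign(user, role)
    return r
```

Activating only the physician role in a session gives alice the inherited provider and employee permissions but not the auditor's audit-log access, and assigning bob the physician role on top of pharmacist is rejected by the separation-of-duty constraint.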



FAA High Confidence Systems


Beginning in FY 1997, the FAA has participated in the coordinated CIC R&D process, particularly through the HCS Working Group. The FAA is interested in high confidence systems from two viewpoints:

  • Achieving a higher degree of system dependability
  • Assuring the integrity and security of aviation information systems

The FAA has established "Streamlining Software Aspects of Certification," a program to obtain faster certification at reduced cost while maintaining high confidence and reliability. Other FAA-funded research is investigating how to rigorously define architecture constraints for protecting safety-critical processes (performed by SRI International), and approaches for structural test coverage analysis (performed by NASA and Boeing).



Future HCS R&D

The high confidence community is in the process of defining a future multiagency research program that would address the following research needs:

  • Architectural approaches to isolate safety-critical system components from non-safety-critical components
  • Approaches to achieving survivability for collections of autonomous entities
  • Approaches and techniques for testing and verifying integrity. For example, automated testing could lower the cost while increasing the level of assurance of high confidence systems.
  • Measuring confidence in integrity, availability, and overall security of highly complex systems. Metrics are needed to identify whether confidence has been increased or decreased over time.
  • Evaluation methods that would shorten the security product evaluation cycle. Such methods should allow evaluation to be completed within a fraction of the half-life of the product.
  • Strategies for securing a system of systems, including intrusion detection and monitoring techniques. Examples include the use of intelligent agents for security administration and monitoring; one-time sign-on for large systems of systems; verified secure communication protocols; key management and key distribution for very large systems; and techniques to identify and contain denial of service attacks in high-speed networks.
  • Non-intrusive access control technology to protect individual privacy
  • Technology for performing information warfare situation assessment, in order to discern whether an attack against the Nation's critical infrastructure may be in progress.
