CS News:
Security in Cyberspace: Yesterday, Today and Tomorrow
In 2008, the National Academy of Engineering identified 14 grand challenges that engineers will face in the 21st century. One of those goals — securing cyberspace — invites computer scientists, developers and engineers to strengthen systems and pioneer new processes that will govern information sharing in the modern era.
It’s a goal that aligns with the commitment the Engineering School has made to bring its considerable research capacity to bear in addressing key societal concerns.
Professor Jack Davidson and his colleagues in the computer science department are at the forefront of efforts under way within the School of Engineering and Applied Science to improve the security of computing systems and protect personal privacy. “We rely on computer systems and software for so many aspects of modern life,” says Davidson. “As our reliance has grown, new threats have evolved.”
Early attempts by pranksters to compromise networks and hack into systems were primitive and could be defeated by employing simple protection methods. Over time, however, there has been a co-evolution of the technology: as methods of aggression and attack have gained complexity, engineers have developed more sophisticated countermeasures.
Attackers now target the highly advanced networks that support online payment systems and banking, transportation, aviation, telecommunications and critical civil infrastructure. Researchers are responding by developing new protocols, fortifying software already in use, as well as building new, stronger systems from the ground up. New languages are being written with increased security measures built into the code. “Old protection schemes that relied on static defenses are giving way to dynamic measures that can be implemented at run-time to introduce diversity and detect irregularities,” says Davidson.
Davidson and Professor John Knight head up the CS Security and Dependability group, along with research scientists Michele Co, Jason Hiser and Anh Nguyen-Tuong. This May, at the Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy, Hiser will present a paper on a novel technique the group has developed called Instruction Location Randomization (ILR). The operation constantly randomizes the location in memory of every instruction in a program, effectively defeating an attack by continuously repositioning the portions of code that may contain vulnerabilities.
In tests, the ILR transformation proved simple to use and highly effective at preventing intrusion. The technique has another key advantage in that it only adds a nominal amount of run-time overhead, a critical consideration for network managers who must make a business case for security expenditures. “If a measure makes a system more protected but increases the computing power necessary to operate the system, the cost-benefit analysis might not support it,” says Davidson.
The U.Va. Patent Foundation has submitted a provisional patent application for ILR.
In addition to Davidson, computer science Associate Professor Dave Evans and two graduate students will also present research at the IEEE Symposium demonstrating how encrypted data can be used in the exchange of information to produce results that are fully encrypted, which allows users to cooperate in computations without exposing their data.
Encryption methods are also the focus of Abhi Shelat, an assistant professor of computer science, whose recent work on bit encryption resolved a problem in the field of cryptography that has been unresolved for 20 years.