NSF Activities in Cyber Trust - PowerPoint PPT Presentation


SLIDE 1

NSF Activities in Cyber Trust

For ACM CCS Industry/Govt Track, Oct. 26, 2004

Carl Landwehr (clandweh@nsf.gov), Cyber Trust Coordinator, National Science Foundation

SLIDE 2

What's the Problem?

  • Today's software-based systems are far too vulnerable to attack, misuse, and abuse
    – Inadequate attention to security requirements
    – Weak security design
    – Poor user interfaces
    – Flawed implementations
    – Complex configuration and control
    – Poor accountability
    – Inadequately trained operators and users
  • Evidence?
    – Worm, virus attacks, misconfigured systems,
    – patch, patch, patch

We spend too much on patching broken technology!

SLIDE 3

[Figure: System Architecture. Layers: Hardware, Firmware, Operating System, Utilities, Applications. Labels: H.323, SNMP]

SLIDE 4

Cyber Security R&D Act (PL 107-305)

  • Recognizes
    – interdependencies of cyber and other infrastructures,
    – lack of preparedness for coordinated physical and cyber attacks,
    – lack of needed research capacity;
  • Calls for expanded Federal investment in computer and network security research.
  • Authorizes NSF to
    – award research grants in cyber security areas
    – establish multidisciplinary research centers
    – build research capacity
    – take a leading role in research and education to improve security of networked information systems
  • FY03 – FY07

SLIDE 5

Cyber Trust Vision

Society in which

  • People can justifiably rely on computer-based systems to perform critical functions securely
    – national scale infrastructures: water, power, communication, transportation, ...
    – localized systems: cars, homes, ...
  • People can justifiably rely on systems to process and communicate sensitive information securely
    – health, banking, libraries, e-commerce, government records must conform to public policy
  • People can rely on a well-trained and diverse workforce to develop, configure, and operate essential computer-based systems

Without fear of sudden disruption by cyber attacks

SLIDE 6

[Diagram: Homeland Security, Critical Infrastructure Protection (CIP), Cyber Security (CS), Cyber Trust]

SLIDE 7

Range of Cyber Trust Solicitation

  • Multi-Disciplinary
    – Spanning technical disciplines
    – Exploring relations among technical and social, economic, regulatory, legal domains
  • Basic Research
    – Information/Applications
    – Systems Software
    – Communication Networks
    – Fundamentals
  • Education and Workforce Development: required component of every proposal
    – For technical specialists and generalists
    – For the general public

SLIDE 8

FY04 Cyber Trust Solicitation Summary

CAREERS ~ $2M
Co-funding ~ $5M (DARPA ATO, ITO)

Cyber Trust FY04 Competition Statistics

                                                         Individual/small group  Team     Center-Scale Activity  Total
# Projects received                                      230                     135      25                     390
# Projects awarded                                       18                      14       2                      34
Success rate                                             8%                      10%      8%                     9%
# Proposals received                                     255                     189      45                     489
# Proposals awarded                                      22                      23       3                      48
Success rate                                             9%                      12%      7%                     10%
Total $ awarded (includes co-funding, excludes CAREERs)  $6.5M                   $17.3M   $12.6M                 $36.4M
Total $ Cyber Trust only                                 $6.3M                   $12.1M   $12.6M                 $31M

SLIDE 9

What's next?

  • Revised Cyber Trust solicitation planned for release in October
    – Largely similar to last year's content
    – Some tweaks to the submission process
      • No LOIs for center-scale
      • Education-only proposals permitted
    – Possible name change
  • Deadline expected to be early Feb., 2005
  • Resources available
    – planned for similar level to this year, pending appropriations, as always

SLIDE 10

FY04 Award Highlights

  • Center-scale awards
    – CMU for Security Through Interaction Modeling
    – UCSD/ICSI for Internet Epidemiology
  • Many strong team and individual/small group awards, e.g.
    • Economics of security deployment
    • Studies of user adoption of security mechanisms
    • Software flaw detection/removal
    • Cryptographic foundations
    • Protocols for managing distributed/replicated systems
    • New hardware/software architectures and OS's
    • New methods for evaluating biometrics
  • Further details:
    – See NSF awards search page:
    – http://www-livecds.nsf.gov/awardsearch/tab.do?dispatch=2
    – select "Program Information" tab
    – Enter in program field: CYBER TRUST

SLIDE 11

NSF Cyber Security Investments

Active Center Scale Awards (prior years)

  • Large ITR award ($12.5M total, 5 years):
    – Sensitive Information in a Wired World (Stanford, Yale, Stevens, UNM, NYU): multi-disciplinary investigation of long term issues in automated information handling
  • Large scale network testbed established for investigating network attacks, with major support from DHS:
    – Defense Technology Experimental Research (DETER) network, $5.45M total, led by UC-Berkeley, with USC/ISI and others
    – Testing and Benchmarking Methodologies for Future Network Security Mechanisms, to develop attack simulators, traffic generators, datasets for DETER, $5.6M total, (UC-Davis, Penn State, Purdue, ICSI).
  • I/UCRCs:
    – Center for Identification Technology Research (Biometrics) (WVU)
    – Cyber Protection Center (Iowa State U, U Kansas, Miss State U)
    – Center for Experimental Research in Computer Systems (Ga Tech)

SLIDE 12

NSF 0309562: S. Devadas, MIT
Physical Random Functions and Secure Hardware Architectures

How to make an uncopyable key?

  • Physical Random Functions ->
    – Physical Unclonable Functions = PUFs
  • Controllable PUFs: PUF accessible only via algorithm physically bound to PUF in an inseparable way
  • Exploit manufacturing variations in silicon wires and gate delays
  • Even the manufacturer can't clone the device

DO NOT DUPLICATE

SLIDE 13

How to compute public statistics without revealing private inputs?

  • Suppose you want to collect accurate statistics on salary distributions, but contributors don't want to (or aren't allowed to) reveal individual salary information
  • Privacy-preserving computation: users jointly compute the statistics
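Added example, not from the original slides: one standard way for users to jointly compute salary statistics is additive secret sharing, simulated here in a single process. The slide does not name a protocol; the function names, the modulus and the sample salaries are assumptions, and the sketch assumes honest-but-curious parties with private pairwise channels.

```python
import secrets

MODULUS = 2**61 - 1  # public modulus, far larger than any realistic total

def split_into_shares(value, n_parties, modulus=MODULUS):
    """Split value into n random-looking shares that sum to value mod modulus."""
    shares = [secrets.randbelow(modulus) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % modulus)
    return shares

def secure_sum(private_inputs, modulus=MODULUS):
    """Simulate the protocol; returns (total, published partial sums)."""
    n = len(private_inputs)
    # Round 1: party i sends share j of its own input to party j.
    outgoing = [split_into_shares(x, n, modulus) for x in private_inputs]
    # Round 2: party j adds the shares it received and publishes only that sum.
    partials = [sum(outgoing[i][j] for i in range(n)) % modulus
                for j in range(n)]
    # Anyone can add the published partial sums to obtain the total.
    return sum(partials) % modulus, partials

def mean_and_variance(salaries):
    """Public statistics from two secure sums: sum(x) and sum(x^2)."""
    n = len(salaries)
    total, _ = secure_sum(salaries)
    total_sq, _ = secure_sum([s * s for s in salaries])
    mean = total / n
    return mean, total_sq / n - mean * mean

# Constructed sample input: each value is known only to its owner.
SAMPLE_SALARIES = [52_000, 87_500, 61_250, 140_000]

if __name__ == "__main__":
    total, partials = secure_sum(SAMPLE_SALARIES)
    print("published partial sums:", partials)
    print("total:", total)
    print("mean, variance:", mean_and_variance(SAMPLE_SALARIES))
```

Each published partial sum is uniformly distributed on its own, so a single salary stays hidden unless all the other parties pool what they hold.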

SLIDE 14

How to limit the damage from password compromise on the web?

  • Crypto-Hash the password with the domain name
  • Compromise of password on one site does not compromise other sites
  • Pwdhash: see http://crypto.stanford.edu/PwdHash/
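Added example, not from the original slides and not PwdHash's own algorithm: a sketch of hashing a password with the site's domain so that each site receives a different derived password. The function names, the choice of PBKDF2-HMAC-SHA256, the iteration count and the two-label domain rule are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ITERATIONS = 100_000  # assumption: stretching slows offline guessing

def site_key(url):
    """Domain the password is bound to.

    Assumption: the last two DNS labels stand in for the registrable
    domain; a real tool needs the Public Suffix List (e.g. for .co.uk).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("URL has no hostname: %r" % url)
    return ".".join(host.split(".")[-2:])

def site_password(master_password, url, length=16):
    """Derive the password that is actually sent to the site at url."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        site_key(url).encode("utf-8"),  # the domain acts as the salt
        ITERATIONS,
    )
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]

if __name__ == "__main__":
    # Constructed sample values.
    master = "correct horse battery staple"
    for url in ("https://www.example.com/login",
                "https://example.com/account",
                "https://example.org/login"):
        print(site_key(url), site_password(master, url))
```

A site that leaks its stored password learns only the value derived for its own domain, although a weak master password can still be guessed offline from that leak, which is why the sketch stretches the hash.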

SLIDE 15

NSF Organization

National Science Board
Office of the Director

  • Directorate for Biological Sciences
  • Directorate for Computer and Information Science and Engineering
  • Directorate for Education & Human Resources
  • Directorate for Engineering
  • Office of Integrative Activities
  • Directorate for Mathematical & Physical Sciences
  • Directorate for Social, Behavioral, & Economic Sciences
  • Directorate for Geosciences
  • Office of Polar Programs

SLIDE 16

Cyber Trust in CISE

Office of the Assistant Director for CISE

  • Computer and Communications Foundations (CCF)
  • Computer and Network Systems (CNS)
  • Information and Intelligent Systems (IIS)
  • Shared Cyber Infrastructure (SCI)

Cyber Trust

Science of Design; Information Integration (SEIII); CISE-wide Emphasis Areas

SLIDE 17

Thank You