Frederick P. Brooks, Jr., Kenan Professor & Department Founder

Some Things that Computer Science can Learn from Nature

Mike Reiter
Lawrence M. Slifkin Distinguished Professor
Department of Computer Science
University of North Carolina at Chapel Hill

(Transcript of a PowerPoint presentation)
Natural Science and Computer “Science”
Natural science: any of the sciences (e.g., physics, chemistry, or biology) that deal with matter, energy, and their interrelations and transformations.
In contrast, computer science is a “formal science”. Some have even argued that computer science is not a science at all.
Computer Science derived primarily from math and engineering, not from the natural sciences.
Numerous qualitative differences have been suggested, mostly deriving from their objects of study.
Computer Science [Mowry]
Tools: Mathematical Reasoning; Computing (i.e. writing & running code).
Used to Improve: Computers; Everything Else (e.g., Medicine, Entertainment, Business, Safety, Science, etc.).
[Figure: the same diagram, built up over three slides, with the areas Theory, Systems and Applications labelled on it.]
Computing Systems vs. Natural Systems
“Natural systems are much more complex than computers.” Just because we built computers doesn’t mean we understand them.
Computing Systems vs. Natural Systems
“Natural systems adapt.”
[Figure: Attack Sophistication (vertical axis) plotted against Intruder Knowledge over the years 1990 to 2004. Techniques placed along the timeline:]
packet spoofing
hijacking sessions
GUI intruder tools
automated probes/scans
“stealth”/advanced scanning techniques
Windows-based remote controllable Trojans (Back Orifice)
email propagation of malicious code
widespread attacks using NNTP to distribute attack
widespread attacks on DNS infrastructure
executable code attacks (against browsers)
automated widespread attacks
Internet social engineering attacks
widespread denial-of-service attacks
techniques to analyze code for vulnerabilities without source code
distributed attack tools
DDoS attacks
increase in wide-scale Trojan horse distribution
increase in worms
sophisticated command & control
anti-forensic techniques
home users targeted
Computing Systems vs. Natural Systems
[Figure; source: http://www.caida.org]
This is not a depiction of any biological phenomenon. It’s the geographic spread of the Sapphire worm 30 minutes after release.
Can CS Learn from Nature?
Modularity
Diversity
Redundancy
Modularity
Decomposing a system into components separated by narrow interfaces at which access control is applied. Often separation is enforced by physical constraints.
Modularity least privilege (in my view): can be thought of as a method of damage containment.
Modularity: Trusted Computing Base (TCB)
[Figure: two platform diagrams, each consisting of CPU, RAM, TPM and Chipset; DMA Devices (Network, Disk, USB, etc.); the OS; and applications (App, App1, …). In the first, the security-sensitive code (SS) sits inside an App; in the second, SS sits on a Shim.]
Modularity: TPM Background
The Trusted Platform Module (TPM) is a dedicated security chip. It can provide an attestation to remote parties.
Platform Configuration Registers (PCRs) summarize the computer’s software state:
PCR_Extend(N, V): PCR_N ← SHA-1(PCR_N || V)
The TPM provides a signature over PCR values. TPM spec v1.2 includes dynamic PCRs, whose values can be reset without a reboot.
Modularity: Late Launch Background
Supported by new commodity CPUs: SVM for AMD, TXT (formerly LaGrande) for Intel. Designed to launch a VMM without a reboot; hardware-based protections ensure launch integrity.
A new CPU instruction (SKINIT/SENTER) accepts a memory region as input and atomically: resets the dynamic PCRs; disables interrupts; extends a measurement of the region into PCR 17; and begins executing at the start of the memory region.
Modularity: The Flicker System [w/ McCune, Parno, Perrig, and Seshadri]
Core technique: pause the current execution environment; execute security-sensitive code with hardware-enforced isolation; resume the previous execution.
Extensions: preserve state securely across invocations; attest only to code execution and protection; establish secure communication with remote parties.
Modularity: Flicker Execution Flow
[Figure: the TPM (PCRs initially 0 … 0, private key K^-1), the CPU, and RAM holding the OS, App, Shim, Module and security-sensitive code (SS). SKINIT resets the PCR, the Shim and Module are measured into it (PCR values shown as 0, h, H), Inputs are passed in and Outputs returned, and execution then returns to the OS.]
Modularity: Flicker Attestation
[Figure: the remote party asks “What code did you run?”; the reply consists of the Shim, SS, Inputs and Outputs together with Sign( ) under K^-1, the TPM’s signature over the PCR values.]
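The PCR_Extend formula from the TPM background slide and the Flicker attestation flow above, as an added, runnable illustration (this is not code from the talk or from the Flicker project). It assumes 20-byte SHA-1 PCRs as in TPM v1.2, uses an HMAC under a key shared with the verifier as a stand-in for the RSA signature a real TPM makes with its attestation key, and assumes an extend order of code, inputs, outputs and a zero terminator; the shim, module, inputs and key bytes are constructed sample data.

```python
"""Simulation of TPM PCR extend and a Flicker-style attestation.

Added illustration, not the talk's or the Flicker project's code. Assumptions:
PCRs are 20-byte SHA-1 registers (TPM v1.2); the 'signature' is an HMAC under a
key shared with the verifier, standing in for the TPM's RSA attestation signature;
the extend order (code, inputs, outputs, zero terminator) is assumed; all sample
bytes below are constructed.
"""
import hashlib
import hmac

PCR_LEN = 20
DYNAMIC_PCR = 17               # the PCR that SKINIT/SENTER resets and measures into
SESSION_END = bytes(PCR_LEN)   # assumed: extending zeros marks the end of a Flicker session


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_Extend(N, V): PCR_N <- SHA-1(PCR_N || V), the slide's formula."""
    assert len(pcr) == PCR_LEN and len(measurement) == PCR_LEN
    return sha1(pcr + measurement)


class SimTPM:
    """Minimal model: PCR 17 plus a keyed tag over it (assumed stand-in for a signature)."""

    def __init__(self, attestation_key: bytes):
        self.key = attestation_key
        self.pcr17 = b"\xff" * PCR_LEN   # dynamic PCRs read as -1 until a late launch

    def skinit(self, region: bytes) -> None:
        """Late launch: reset the dynamic PCR, then extend the region's measurement."""
        self.pcr17 = pcr_extend(bytes(PCR_LEN), sha1(region))

    def extend17(self, data: bytes) -> None:
        self.pcr17 = pcr_extend(self.pcr17, sha1(data))

    def quote(self, nonce: bytes) -> dict:
        """Sign(nonce || PCR17) under K^-1; HMAC stands in for the TPM's signature."""
        tag = hmac.new(self.key, nonce + self.pcr17, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr17": self.pcr17, "sig": tag}


def flicker_session(tpm: SimTPM, shim: bytes, module: bytes, inputs: bytes, run) -> bytes:
    """Pause, run the module in isolation, record its inputs/outputs in PCR 17, resume."""
    tpm.skinit(shim + module)      # hardware measures shim+module into PCR 17
    tpm.extend17(inputs)           # shim records what the module was given
    outputs = run(inputs)          # the security-sensitive code itself
    tpm.extend17(outputs)          # shim records what it produced
    tpm.extend17(SESSION_END)      # assumed terminator: later code cannot pose as the session
    return outputs


def expected_pcr17(shim: bytes, module: bytes, inputs: bytes, outputs: bytes) -> bytes:
    """What a verifier who knows the shim and module expects PCR 17 to contain."""
    pcr = pcr_extend(bytes(PCR_LEN), sha1(shim + module))
    for data in (inputs, outputs, SESSION_END):
        pcr = pcr_extend(pcr, sha1(data))
    return pcr


def verify(quote: dict, key: bytes, nonce: bytes, shim: bytes, module: bytes,
           inputs: bytes, outputs: bytes) -> bool:
    """Check freshness, the tag, and that PCR 17 matches the expected code and I/O."""
    if quote["nonce"] != nonce:
        return False   # stale or replayed quote
    tag = hmac.new(key, nonce + quote["pcr17"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, quote["sig"]):
        return False
    return hmac.compare_digest(quote["pcr17"], expected_pcr17(shim, module, inputs, outputs))


# Constructed sample data: a shim, a module that hashes its input, and a tampered module.
SHIM = b"flicker-shim-v0"
MODULE = b"module: return sha1(input)"
TAMPERED = b"module: return sha1(input) and leak the key"
KEY = b"constructed-attestation-key"


def demo(module: bytes = MODULE, nonce: bytes = b"nonce-1") -> tuple:
    """Run one session and verify it as the remote party would; returns (outputs, ok)."""
    tpm = SimTPM(KEY)
    inputs = b"challenge-42"
    outputs = flicker_session(tpm, SHIM, module, inputs, sha1)
    q = tpm.quote(nonce)
    # The verifier only trusts the unmodified MODULE, so a tampered module fails to verify.
    ok = verify(q, KEY, nonce, SHIM, MODULE, inputs, outputs)
    return outputs, ok


if __name__ == "__main__":
    print("genuine module verifies:", demo()[1])
    print("tampered module verifies:", demo(TAMPERED)[1])
```

The point the simulation makes is the one on the slides: the verifier never inspects the machine, it recomputes the PCR chain it expects for the known shim and module plus the claimed inputs and outputs, and accepts only if the TPM-signed value matches and the nonce proves freshness. Any change to the module, the inputs, the outputs or their order produces a different PCR 17.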
Diversity
Studied first in the reliability community. Goal: promote failure independence between program versions. Manual variant creation by different teams does not necessarily provide fault independence [Knight & Leveson 1986, Littlewood et al., 1989].
More recently studied in the security community. Goal: increase the attacker’s effort to compromise systems. Has been studied at the O/S level, operator/user interface, and others [Forrest et al. 1997, Deswarte et al. 1998; Bain et al. 2000 …].
Still an active topic of investigation. Ex: “Diversity as a computer defense mechanism: A panel” at the New Security Paradigms Workshop (NSPW) 2005.
Diversity: Behavioral Distance [w/ Gao & Song]
“Behavioral distance” is a measurement of the extent to which the system calls indicate similar simultaneous behavior. A compromise of one variant causes divergence from the other variant.
[Figure: an Apache web server on Linux and an Abyss web server on Windows, with the system calls of each compared.]
Diversity: Behavioral Distance
Diverse platform (Windows and Linux): the same system call number in two sequences is not really the “same”; system calls may not have a one-to-one correspondence; system call sequences may have different lengths.
Diverse implementation (Apache and Abyss): it is difficult to map individual system calls between two sequences.
Experimented with two approaches: evolutionary distance, originally proposed to evaluate whether two DNA sequences derive from a common ancestral sequence; and hidden Markov models.
Diversity: Hidden Markov Models
[Figure: a three-state HMM (q1, q2, q3) whose arcs are labelled with transition probabilities and emission probabilities (values on the slide: 30%, 70%, 10%, 25%, 65%, 100%, 50%, 10%, 90%, 50%, 30%).]
Diversity: Hidden Markov Model for Behavioral Distance
[Figure: two system-call sequences aligned pairwise, one reading -, -, -, 12, 7, 6 and the other 155, 76, 8, 274 as extracted; “-” represents a dummy symbol.]
Diversity: Elements of the Hidden Markov Model
Elements of the HMM and their meanings when applied to behavioral distance:
Observable Symbol: a pair of system calls (possibly one dummy symbol), one for each replica
Hidden State: a task to be performed in processing a request
State Transition: the order in which tasks are performed in processing a request
Symbol Emission: the system calls used to perform any individual task
Once the HMM is trained, the probability that the HMM would have produced an observed sequence can be used to detect intrusions
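The HMM elements just listed, carried through as an added, runnable illustration of behavioral distance (this is not code from the talk or from the behavioral-distance work). Hidden states are tasks, observable symbols are pairs of system calls with a dummy “-” on one side when a call has no counterpart, and the forward algorithm gives the probability that the trained model produced an observed paired trace; the three states, their transition and emission probabilities, the Linux/Windows call names and the traces are all constructed sample values, where the real system learns the parameters from training traces.

```python
"""Hidden Markov model for behavioral distance between two diverse replicas.

Added illustration, not code from the talk. All model parameters and the
system-call traces are constructed sample values (the real system learns
them from training traces of both servers handling the same requests).
"""
import math

DUMMY = "-"                     # dummy symbol: a call on one replica with no counterpart
STATES = ("q1", "q2", "q3")     # hidden states = tasks in processing a request

# Initial-state distribution and state transitions (the order in which tasks happen).
INIT = {"q1": 1.0, "q2": 0.0, "q3": 0.0}
TRANS = {
    "q1": {"q1": 0.1, "q2": 0.9, "q3": 0.0},   # open, then read
    "q2": {"q1": 0.0, "q2": 0.3, "q3": 0.7},   # read some more, then write
    "q3": {"q1": 0.5, "q2": 0.0, "q3": 0.5},   # write, then write more or start over
}
# Observable symbol = (Linux/Apache call, Windows/Abyss call); one side may be DUMMY.
EMIT = {
    "q1": {("open", "CreateFile"): 0.7, ("stat", DUMMY): 0.2, (DUMMY, "CreateFile"): 0.1},
    "q2": {("read", "ReadFile"): 0.6, ("read", DUMMY): 0.3, (DUMMY, "ReadFile"): 0.1},
    "q3": {("write", "WriteFile"): 0.8, ("write", DUMMY): 0.1, (DUMMY, "WriteFile"): 0.1},
}

NEG_INF = -math.inf


def _log(p: float) -> float:
    return math.log(p) if p > 0 else NEG_INF


def _logsumexp(xs) -> float:
    xs = [x for x in xs if x != NEG_INF]
    if not xs:
        return NEG_INF
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def forward_log_prob(observations) -> float:
    """log P(observations | HMM) by the forward algorithm, in log space to avoid underflow.
    Returns -inf when the model could not have produced the sequence at all."""
    alpha = {s: _log(INIT[s]) + _log(EMIT[s].get(observations[0], 0.0)) for s in STATES}
    for symbol in observations[1:]:
        alpha = {
            s: _logsumexp(alpha[p] + _log(TRANS[p][s]) for p in STATES)
               + _log(EMIT[s].get(symbol, 0.0))
            for s in STATES
        }
    return _logsumexp(alpha.values())


def sequence_probability(observations) -> float:
    return math.exp(forward_log_prob(observations))


def behavioral_distance(observations) -> float:
    """Larger means the paired behaviour is less like what training showed."""
    return -forward_log_prob(observations)


def is_anomalous(observations, threshold: float = 8.0) -> bool:
    """Flag a request whose paired trace is too improbable under the trained model."""
    return behavioral_distance(observations) > threshold


# Constructed traces for one request as seen by both replicas.
NORMAL_TRACE = [("open", "CreateFile"), ("read", "ReadFile"), ("read", DUMMY),
                ("write", "WriteFile")]
# Only the Windows replica reads; the Linux replica's behaviour has drifted.
DIVERGENT_TRACE = [("open", "CreateFile"), (DUMMY, "ReadFile"), (DUMMY, "ReadFile"),
                   (DUMMY, "ReadFile"), ("write", "WriteFile")]
# One replica makes a call the model never saw paired with anything.
IMPOSSIBLE_TRACE = [("open", "CreateFile"), ("read", "ReadFile"), ("execve", DUMMY)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("divergent", DIVERGENT_TRACE),
                        ("impossible", IMPOSSIBLE_TRACE)):
        print(f"{name}: distance={behavioral_distance(trace):.2f} "
              f"anomalous={is_anomalous(trace)}")
```

The threshold is the tuning knob of the detector: set too low it flags legitimate variation between the two implementations (the normal trace here has a distance of about 3.96), set too high it lets a compromised replica's divergence (about 10.36 for the divergent trace, infinite for a pairing the model never emits) pass.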
How Far Does the Analogy Go?
These examples show how we can learn strategies for survival from natural systems.
I believe these examples are just a sample of what we can learn from nature about managing systems that we don’t understand, even if we built them ourselves!
There’s also plenty of room for doubt. Clearly nature has its failures (extinct species, global warming, …). The tactics (implementations) are quite different.
But I hope I’ve encouraged you to think about computer science in the broader context of all sciences, and to look for new opportunities at their intersections.