better define the problem and lay out a suitable research agenda.

One vital approach would be a unified theory of predictable subsystem composition that can be used to develop hardware-software systems for a wide range of applications out of demonstrably trustworthy components. Formal methods could be useful selectively. What is essential, though, is that the properties being composed are actually useful in real-world systems.

However, systems design is not a formal discipline today. Therefore, carefully documented open success stories that illustrate the power of an approach are also acceptable, especially if they enable constructive opportunities for the future.

On a smaller scale, developing mechanisms and tools that advance the goal of secure systems would also be useful. Thus, a scheme that provides strong protection for cryptographic keys while still leaving them useful for authorized uses is valuable. [3] This may be facilitated by specialized hardware—if that hardware is trustworthy (including available as needed). Thus, a variety of clean-slate hardware architecture specifications that can be implemented by multiple organizations and that can facilitate total systems that are much more trustworthy would also be useful. Again, formal methods could be useful selectively to prove critical properties of some of the specifications.

Research and its funding have often failed us. There is too much focus on narrow problems—point solutions to point problems—and too little effort devoted to systems aspects of solutions that include considerations of human behavior. Furthermore, many problems discussed long ago [8, 9] still have not been adequately addressed today. In addition, underlying principles for trustworthy systems have been posited since the 1960s and recently revisited, but widely ignored in practice. [10] A recent book also has more relevant suggestions for the future. [12]

It is time to get serious about the dearth of trustworthy systems and the lack of deeper understanding of the risks that result from continuing on a

1. Abelson, H. et al. The risks of key recovery, key escrow, and trusted third-party encryption. World Wide Web Journal 2, 3 (Summer 1997), 241–257.
2. Abelson, H. et al. Keys under doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity 1, 1 (Nov. 2015), Oxford University Press; http://www.
3. Bellovin, S.M. The key to the key. IEEE Security and Privacy 13, 6 (Nov.–Dec. 2015), 96–96.
4. Clark, D.D. et al. Computers at Risk: Safe Computing in the Information Age. National Research Council, National Academies Press, Washington, D.C., 1990.
5. Dam, K.W. and Lin, H.S., Eds. Cryptography’s role in securing the information society. National Research Council, National Academies Press, Washington, D.C.,
6. Goodman, S.E. and Lin, H.S., Eds. Toward a safer and more secure cyberspace. National Research Council, National Academies Press, Washington, D.C., 2007.
7. Landau, S. et al. Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy. (ACM-sponsored study), 1994.
8. Neumann, P.G. Computer-Related Risks. Addison-Wesley and ACM Press, 1995.
9. Neumann, P.G. Principled assuredly trustworthy composable architectures, final report. SRI International, 2004; http://www.csl.sri.com/neumann/
10. Neumann, P.G. Fundamental trustworthiness principles in CHERI. In New Solutions for Cybersecurity, MIT Press, Cambridge, MA, 2018.
11. Schneider, F.B. and Blumenthal, M., Eds. Trust in Cyberspace. National Research Council, National Academies Press, 2101 Constitution Ave., Washington, D.C., 1998.
12. Shrobe, H. et al., Eds. Solutions for Cybersecurity. MIT
13. Van Bulck et al. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. USENIX Security (Aug. 14–17, 2018); http://
14. Watson, R.N.M. et al. Capability hardware enhanced RISC instructions (CHERI): Notes on the Meltdown and Spectre attacks. University of Cambridge Technical Report 916, 2017; http://www.cl.cam.ac.uk/
15. Weisse, O. et al. Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution (Aug. 14, 2018); http://foreshadowattack.eu/.

Steven M. Bellovin (email@example.com) is a professor of Computer Science at Columbia University, and affiliate faculty at its law school.

Peter G. Neumann (firstname.lastname@example.org) is Chief Scientist of the SRI International Computer Science Lab, and moderator of the ACM Risks Forum. Both Peter and Steven have been co-authors of several of the cited NRC study reports, and co-authors of Keys Under Doormats.

Copyright held by authors.