Reducing Complexity to Increase Security

In collaboration with Carnegie Mellon University and Stanford, Penn engineers receive a $7.5M Office of Naval Research grant for software complexity reduction.

It’s simple to send a WhatsApp message, log in to Gmail or open up Snapchat, but what lies behind all of these applications and systems is not so simple. Many complex security protocols govern how data is sent over the internet, ensuring that the only accounts users can access are their own. But a bug in any part of the complex software implementing those protocols can undermine exactly the guarantees they are meant to provide.

With this problem in mind, the University of Pennsylvania has received a five-year, $7.5 million grant from the Office of Naval Research (ONR), in collaboration with Carnegie Mellon University (CMU) and Stanford University, under the Total Platform Cyber Protection (TPCP) program. The grant funds work on software complexity reduction: simplifying complex internet protocols in order to make them more secure. The project will create fundamentally new ways to provide greater security and resilience for legacy Navy software.

The joint project, named Accountable Protocol Customization (APC), aims to reduce the complexity of legacy software by identifying lean protocol subsets that are sufficient to meet the functional and security needs of the relevant clients and servers, while preserving backward compatibility.

The Penn team consists of faculty members in the School of Engineering and Applied Science’s Department of Computer and Information Science (CIS): Professor Boon Thau Loo; Henry Salvatori Professor Benjamin Pierce; Professor Andre Scedrov; and Professor Steve Zdancewic. Scedrov is also Professor and Chair of the Department of Mathematics in Penn’s School of Arts & Sciences.

Pictured: Boon Thau Loo, Benjamin Pierce, Andre Scedrov and Steve Zdancewic.

The Penn team combines expertise in the Distributed Systems Laboratory, Programming Languages group, and the formal methods group spanning the Math and CIS departments.

“Modern network protocol standards often contain a dizzying array of options with perplexing and unpredictable potential interactions. Over time, these pieces of software become hard to maintain and also easy to compromise,” says Loo. “We plan to explore real-world software that can benefit from APC’s protocol subsetting techniques, leveraging our combined strengths in systems and formal methods. The real-world use cases are immense, ranging from cloud applications and network infrastructure to the Internet of Things.”
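The protocol subsetting idea described above (a lean option subset that still satisfies the needs of the relevant clients and servers, while remaining backward compatible) can be made concrete with a small model. The following Python is an added illustration written for this page, not code from the APC project or any of the participating institutions. The option catalogue, its "requires" and "conflicts" relationships, and the negotiation rules are all constructed for the example and do not describe any real protocol standard.

```python
"""Toy protocol subsetting: choose a lean, self-consistent option subset and
negotiate with clients without breaking clients that offer extra options.

Added example, not project code. The catalogue below is constructed: the
option names and their dependency/conflict edges are illustrative only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    requires: frozenset = frozenset()   # options that must also be enabled
    conflicts: frozenset = frozenset()  # options that must not be co-enabled


# Constructed catalogue of a hypothetical protocol's optional features.
CATALOG = {o.name: o for o in [
    Option("aead_cipher"),
    Option("forward_secrecy", requires=frozenset({"aead_cipher"})),
    Option("session_resumption", requires=frozenset({"forward_secrecy"})),
    Option("compression", conflicts=frozenset({"session_resumption"})),
    Option("renegotiation"),
    Option("export_cipher", conflicts=frozenset({"forward_secrecy"})),
]}


class InconsistentSubset(ValueError):
    """Raised when the requested options cannot coexist under the catalogue."""


def lean_subset(needed, catalog=CATALOG):
    """Return the smallest option set containing `needed` that is closed under
    'requires'. Raise InconsistentSubset if two chosen options conflict.

    This is the 'lean protocol subset' step: start from what the deployment
    actually needs and pull in only the options those depend on."""
    chosen = set()
    work = list(needed)
    while work:
        name = work.pop()
        if name not in catalog:
            raise KeyError(f"unknown option {name!r}")
        if name in chosen:
            continue
        chosen.add(name)
        work.extend(catalog[name].requires - chosen)
    for name in chosen:
        bad = catalog[name].conflicts & chosen
        if bad:
            raise InconsistentSubset(f"{name} conflicts with {sorted(bad)}")
    return frozenset(chosen)


def _close_downward(options, catalog=CATALOG):
    """Drop any option whose requirements are not all present, repeating until
    the set is stable, so the agreed set never enables a half-supported feature."""
    current = set(options)
    changed = True
    while changed:
        changed = False
        for name in sorted(current):
            if not catalog[name].requires <= current:
                current.remove(name)
                changed = True
    return frozenset(current)


def negotiate(server_subset, client_offer, client_must=frozenset(), catalog=CATALOG):
    """Server-side negotiation against a lean subset.

    Backward compatibility: options the client offers but the server has
    removed are simply ignored, so feature-rich legacy clients still connect.
    The only hard failure is a client that *requires* a removed option.
    Returns the agreed option set, or None if no agreement is possible."""
    if not set(client_must) <= server_subset:
        return None
    return _close_downward(server_subset & set(client_offer), catalog)


if __name__ == "__main__":
    subset = lean_subset({"session_resumption"})
    print("lean subset:", sorted(subset))
    legacy_client = {"aead_cipher", "forward_secrecy", "session_resumption",
                     "compression", "renegotiation"}
    print("agreed with legacy client:", sorted(negotiate(subset, legacy_client)))
    print("client demanding compression:", negotiate(subset, legacy_client, {"compression"}))
```

Two details carry the security point. First, `lean_subset` refuses to build a subset in which any two options conflict, which is how the "unpredictable interactions" in the quote above are made explicit rather than left to chance. Second, `negotiate` only ever trims the client's offer down to the server's subset and then re-closes it under dependencies, so a client offering an option without its prerequisites cannot talk the server into a half-enabled feature.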

The collaborative project is led by Carnegie Mellon, with Penn and Stanford as collaborating institutions. The CMU team consists of Professors Anupam Datta, Matthew Fredrikson, Limin Jia, Bryan Parno, and Corina Pasareanu. The Stanford team is led by Professor John Mitchell.

“The benefit is in the high assurance,” says Anupam Datta of CMU, who is the overall lead investigator for the project. “It’s very hard to give high assurance to a very large, complex system. The goal of this project is to identify smaller subsets of the system and to see whether, if those parts operate correctly, we can still get security guarantees irrespective of what happens in other parts of the system.”

“The project will create a scientific framework for accountable protocol customization that reliably improves security of contemporary and future networked computing environments,” says John Mitchell of Stanford. “Through this project, we aim to create principled techniques for synthesis, testing and verification of protocols. We look forward to fruitful collaborations with all participating institutions.”

APC is one of the two software complexity reduction projects at Penn that are funded under the TPCP program. The other project, called ASPIRE, is led by Associate Professor Mayur Naik, with participation from Zisman Family Professor Rajeev Alur; Professor Boon Thau Loo; Research Associate Professor Oleg Sokolsky; as well as Cecilia Fitler Moore Professor Insup Lee.