Abstract

For many years, security on the Internet has been a rapidly escalating arms race between automated malware (worms, viruses, and web) and commercial security product updates that detect and block attacks. Vendors no longer have the luxury of time in preparing fixes for these newly propagated threats. What is worse, advances in phishing, pharming, and other attacks that blend automated threats with social engineering have forced security professionals to search for yet another set of signatures and firewall features that will prove effective.

The CERT Program has been involved in this arms race at many levels, from analysis of vulnerabilities and malware to shared resolution of vendor problems across competitors. We have trained system administrators to be more knowledgeable, helped large enterprises evaluate their security improvement processes, and assisted system professionals in understanding the traffic on their networks. The SEI website provides details on these activities and many others related to this work.

CERT researchers are looking beyond these current approaches toward a next-generation approach to security engineering. Our driving vision is a networked world in which software and systems can be understood far better and faster than is possible today, not only as they typically behave but also as they always behave. In this view of the future, system responses to attacks, accidents, and failures are simply modes of their programmed behavior, modes that must be more thoroughly designed and analyzed than is practical with today’s traditional methods. Next-generation security engineering will require automated support for this new level of behavior analysis. CERT projects on function extraction and secure coding, for example, help build a more complete understanding of how systems will behave before they are delivered. Similarly, automation for analyzing malicious code will speed the development of effective countermeasures.

Beyond today’s world, we visualize software in new generations of ubiquitous computing and communication products, many of which we will not immediately recognize as networked computers. Cell phones provide a glimpse into this developing world by placing in our hands a combined audio-visual communications device, network browser, secure purchasing agent, geographic locator, gaming and entertainment system, and trusted wallet. We will see similar capabilities in cars, homes, offices, and more systems unimaginable today. All will be enabled by software and, in our vision, all will be subject to a full understanding of their behavior as a basis for engineering security into their operational features.

While system components will become smaller and more ubiquitous, systems themselves will become larger and more complex through integration and interconnection. Large-scale systems will continue to evolve and become ever more essential to modern society. In these systems, it is not only important to know the behavior of individual components but also of the assembled systems as whole entities. The CERT Research group is also focused on the integrated enterprise and (larger) environments of tomorrow. Our goal is to ensure that as these systems grow we approach a securely connected world, not untrustworthy networks of untrustworthy applications.

The vision is clear, but the path to achieving it is full of challenges. CERT research must take advantage of the most advanced theory and practice available, yet be flexible and adaptable in addressing a rapidly changing set of problems and constraints in the real world. These challenges have led to formation of the CERT Security Technology Automation and Research Laboratory (STAR*Lab), a new software development laboratory that will move concepts from theory to application to practice in a rapid and integrated approach. STAR*Lab researchers are dedicated to making a difference in the networked environments of the future through development of theory-based security engineering tools, not just through studies and publications that stop short of implemented solutions. 

For CERT Research, 2006 will be a year of change as we focus on the problems in the computing environments of our customers and collaborators while maintaining the rigorous research approaches embraced by our scientists. This report begins to chronicle this change, and we hope you will find the results of our work as exciting as we find the journey.