ACSA Workshop on the Application of Engineering Principles to
System Security Design
The Workshop's Goal

In 2002, Applied Computer Security Associates (ACSA) called for a workshop to "examine engineering fundamentals, the principles and practice of designing and building secure systems." The declared goal of the workshop was to begin a process of serious thinking about these important issues (and certainly not to attempt to tackle and resolve them all in a mere two-day effort). Position papers and statements were solicited, and quite a number of authors responded with their views on current status and future improvements. The Workshop on the Application of Engineering Principles to System Security Design (WAEPSSD) was held November 6-8, 2002, in Boston, Massachusetts.

Workings and Findings

The workshop consisted of an initial half day of plenary discussion to define and select the issues to be addressed. The size of the workshop led to two working groups being formed. The designated group leaders (Dick McAllister and Bill Murray) were tasked with leading the discussions toward identifying and prioritizing those engineering principles we (as security professionals) should adopt. The second day was a full day of group discussions, with a few participants floating from one group to another, while the majority stayed with their original group to debate and defend their positions. By the end of the day, each group had its own list of principles (not to mention figures, diagrams, etc.). During the final half day, the two lists were discussed in plenary debate. The group leaders were asked to write full reports on their respective groups' reasoning and findings. Both reports are presented here in the WAEPSSD proceedings.

The main consensus of the participants going into the workshop was that engineers consistently produce better results than we do. The "engineers" here are defined in the classical sense of professionals coming out of Colleges of Engineering or Polytechnical Institutes. In particular, we discussed scenarios from civil and aeronautical engineering and from the auto industry. "We" refers to professionals in Information Technology (IT) at large, with a focus on software engineering and systems engineering, and even more on security engineering and systems security engineering. Quoting from one group report: "For purposes of the discussion, the group conceded that the results that we have produced in building, using, and maintaining secure systems are not as good as those produced by such traditional disciplines as civil or aeronautical engineering in producing safe systems. At least for purposes of discussion, the participants were willing to grant that the problems that these disciplines deal with are at least as difficult as that of secure systems and that their results are better."

However, we identified factors that make security engineering harder than traditional engineering, and even harder than general information systems engineering. The essential factor that is particular to security is the adversary. Even when a system operates in a hostile environment (a steel factory, a sulfuric-acid bath, etc.), the impact is not comparable: in security there is an adversary deliberately trying to break the system, and this can make the security problem hard to solve completely. Some theoretical disciplines (such as game theory) consider adversaries and allow them to participate in and influence the overall system's behavior, but only from an economic perspective (i.e., gain vs. loss), not as a focused effort to penetrate or destroy the system itself.

We also found that we know many of the right solutions, but they were not allowed to dominate; other solutions, technically inferior, dominated because of business interests. Therefore, in many cases the issue is not a lack of security engineering, but a lack of proper security-specific principles being applied. In such cases, the security problems arise from poor engineering of systems. As shown by the participants' TTEP and TTAP experience, a significant increase in trustworthiness is achieved simply by doing good information systems engineering (e.g., using modularity, layering, and TCB minimization).

The engineering principles we identified as most beneficial to apply to security systems are presented in the two group reports. The principles are not necessarily listed in order of importance, since such an ordering depends on the organization that owns the system. We did, however, select (and present below) the principles we found most relevant among all those identified.

The interested reader might wonder why one workshop has two reports rather than one. We did attempt to unify the two texts; however, they proved quite resistant to such an aggression, being to some extent orthogonal in focus and presentation. So we left them be and present them here in their unaltered beauty.

To summarize, the main consensus of the participants after the workshop was that while engineers consistently produce better results than we do, we can benefit from their long experience to learn, adopt, and adapt their principles.

The Stats

The workshop had 21 participants. A total of 20 position papers and statements were submitted prior to the workshop. A total of 12 papers are presented in these proceedings, 9 in original form and 3 updated after the workshop.

Acknowledgments

We need to thank first of all Marshall Abrams and ACSA for getting this workshop started, persevering through bringing it to life, and finally seeing it through to the proceedings stage. Paul Brusil was most instrumental in selecting a beautiful location that accommodated all of us and supported the workshop's activities. Dick McAllister and Bill Murray were outstanding group leaders. WAEPSSD is particularly indebted to them for overseeing the group discussions and for the significant time and effort they put into articulating each group's conclusions as group reports. All of the authors and workshop participants need to be thanked as well; we would have had no workshop (or fun!) without your enthusiastic contribution. Last but not least, we acknowledge the ACSAC Webmaster, Daniel Faigin, and Technical Editor, Carol Oakes, who made possible the electronic publication of the WAEPSSD proceedings.

Cristina Serban