Results 1 - 10 of 15
Software Engineering for Security: a Roadmap - THE FUTURE OF SOFTWARE ENGINEERING, 2000
Abstract - Cited by 98 (0 self)
Is there such a thing anymore as a software system that doesn't need to be secure? Almost every software-controlled system faces threats from potential adversaries, from Internet-aware client applications running on PCs, to complex telecommunications and power systems accessible over the Internet, to commodity software with copy protection mechanisms. Software engineers must be cognizant of these threats and engineer systems with credible defenses, while still delivering value to customers. In this paper, we present our perspectives on the research issues that arise in the interactions between software engineering and security.
A Security Architecture for Survivability Mechanisms, 2000
Abstract - Cited by 38 (0 self)
In survivability management systems, some management entities reside on application hosts that are not necessarily trustworthy. The integrity of these software entities is essential to the security of the network management scheme. In this talk, I present a novel framework to facilitate software security against malicious execution environments. The approach
Caches and Hash Trees for Efficient Memory Integrity Verification - In 9th Intl. Symp. on High Performance Computer Architecture, 2003
Abstract - Cited by 34 (0 self)
We study the hardware cost of implementing hash-tree based verification of untrusted external memory by a high performance processor. This verification could enable applications such as certified program execution.
A General Model for Authenticated Data Structures - Algorithmica, 2001
Abstract - Cited by 34 (1 self)
Query answers from on-line databases can easily be corrupted by hackers or malicious database publishers. Thus it is important to provide mechanisms which allow clients to trust the results from on-line queries. Authentic publication is a novel approach which allows untrusted publishers to securely answer queries from clients on behalf of trusted off-line data owners. Publishers validate answers using compact, hard-to-forge verification objects (VOs), which clients can check efficiently. This approach provides greater scalability (by adding more publishers) and better security (on-line publishers don't need to be trusted).
Techniques for Trusted Software Engineering - In Proceedings of the 20th International Conference on Software Engineering, 1998
Abstract - Cited by 18 (13 self)
How do we decide if it is safe to run a given piece of software on our machine? Software used to arrive in shrink-wrapped packages from known vendors. But increasingly, software of unknown provenance arrives over the internet as applets or agents. Running such software risks serious harm to the hosting machine. Risks include serious damage to the system and loss of private information. Decisions about hosting such software are preferably made with good knowledge of the software product itself, and of the software process used to build it. We use the term Trusted Software Engineering to describe tools and techniques for constructing safe software artifacts in a manner designed to inspire trust in potential hosts. Existing approaches have considered issues such as schedule, cost and efficiency; we argue that the traditional software engineering issues of configuration management and intellectual property protection are also of vital concern. Existing approaches (e.g., Java) to this proble...
A General Model for Authentic Data Publication - ALGORITHMICA, 2004
Abstract - Cited by 10 (3 self)
Query answers from on-line databases can easily be corrupted by hackers or malicious intent by the database publisher. Thus it is important to provide mechanisms which allow clients to trust the results from on-line queries. Authentic publication is a novel scheme which allows untrusted publishers to securely answer queries from clients on behalf of trusted off-line data owners. Publishers validate answers using compact, unforgeable verification objects (VOs), which clients can check efficiently. To make authentic publication attractive it is important for the VOs to be small, efficiently computable and verifiable. This has led to the development of a number of data representations for efficient VO computation. In this paper, we prove the security of VOs for a new general data model called Search DAGs. Our security theorem for Search DAGs gives simple security proofs and efficient VOs for a broad range of known structures including binary trees, multi-dimensional range trees, and skip lists. Our approach also helps to provide a clean separation between the proof of security and efficiency. We also use search DAGs to prove the security of two new and much more complex data models for efficient multi-dimensional range searches. This allows compact VOs to be computed (size O(log N + T)) for typical 1D and 2D range queries, where the query answer is of size T and the database is of size N. We also show I/O efficient schemes to construct the VOs. For a system with disk blocks of size B, we answer 1D and 3-sided range queries and compute the VOs with O(log_B N + T/B) I/O operations using linear size data structures.
Certifying Data from Multiple Sources, 2003
Abstract - Cited by 10 (1 self)
Data integrity can be problematic when integrating and organizing information from many sources. In this paper we describe efficient mechanisms that enable a group of data owners to contribute data sets to an untrusted third-party publisher, who then answers users' queries. Each owner gets a proof from the publisher that his data is properly represented, and each user gets a proof that the answer given to them is correct. This allows owners to be confident that their data is being properly represented and for users to be confident they are getting correct answers. We show that a group of data owners can efficiently certify that an untrusted third party publisher has computed the correct digest of the owners' collected data sets. Users can then verify that the answers they get from the publisher are the same as a fully trusted publisher would provide, or detect if they are not. The results presented support selection and range queries on multi-attribute data sets and are an extension of earlier work on Authentic Publication which assumed that a single trusted owner certified all of the data.
Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory, 2006
Hardware Mechanisms for Memory Integrity Checking - In, 2002
Abstract - Cited by 2 (2 self)
Memory integrity verification is a useful primitive when implementing secure processors that are resistant to attacks on hardware components. This paper proposes new hardware schemes to verify the integrity of untrusted external memory using a very small amount of trusted on-chip storage. Our schemes maintain incremental multiset hashes of all memory reads and writes at run-time, and can verify a sequence of memory operations at a later time. We study the advantages and disadvantages of the two new schemes and two existing integrity checking schemes, MACs and hash trees, when implemented in hardware in a microprocessor. Simulations show that the new schemes outperform existing schemes of equivalent functionality when integrity verification is infrequent.
A Tamper-Detecting Implementation of Lisp - Proc. of the 2003 Int'l Conf. on Security and Management, Las Vegas, NV, 2003
Abstract - Cited by 1 (1 self)
An important and recurring security scenario involves the need to carry out trusted computations in the context of untrusted environments. It is shown how a tamper-detecting interpreter for a programming language – specifically Lisp 1.5 – combined with the use of a secure co-processor can address this problem. The term “tamper-detecting” means that any attempt to corrupt a computation carried out by a program in the language will be detected on-line and the computation aborted. This approach executes the interpreter on the secure coprocessor while the code and data of the program reside in the larger memory of an associated untrusted host. This allows the co-processor to utilize the host’s memory without fear of tampering even by a hostile host. This approach has several advantages including ease of use and the ability to provide tamper-detection for any program that can be constructed using the language.

1. Computing in a Hostile Environment

An important and recurring security scenario involves the need to carry out trusted computations in the context of untrusted environments. One approach is to combine a secure co-processor [6][15] with an untrusted host computer. The secure co-processor provides the environment in which to perform trusted computations, and the insecure host provides additional resources that may be used by the trusted processor. Unfortunately, there is no guarantee that the host will not tamper with the resources used by the secure co-processor in an attempt to corrupt the operation of the secure co-processor. This paper demonstrates a solution where a programming language system – specifically Lisp 1.5 – is used to provide a convenient and general mechanism for tamper-detecting utilization of a specific resource, namely the memory of an untrusted host. An interpreter for the language system resides on the secure co-processor, but the programs and data executed by the interpreter reside in the memory of the untrusted host.

In this context, the term “tamper-detecting” means that any attempt to corrupt a computation carried out by a program in the language will be detected on-line (before

