The Paper

IEEE Test of Time Award

Today, various awards were announced at the 41st IEEE Symposium on Security & Privacy, including Test of Time Awards. One of the papers recognized was "Analysis of a Denial of Service Attack on TCP," written by a group of my former students -- Christoph Schuba, Ivan Krsul, Markus Kuhn, Aurobindo Sundaram, Diego Zamboni -- and me. The paper originally appeared in the 1997 S&P conference.

The paperreported results of work done in the COAST Laboratory -- the precursor to CERIAS. In this post, I'll make a few comments about the paper, and provide a little history about COAST.

The Paper & Authors

When we received notice of the award, we were all a bit taken aback. 23 years? At the time, we were one of only two or three recognized academic groups working in cybersecurity (although that word had yet to be used). As such, we managed to attract over a dozen very talented students — including the other authors of this paper.

In the second half of 1996, several network denial-of-service attacks took place across the Internet. We discussed these at one of our regular lab meetings. I challenged the students to come up with ways to mitigate the problem, especially to protect our lab infrastructure. The first step involved replicating the attack so it could be studied. That only took the students a few days of effort.

After a week or two of further work, we had another group discussion that included the students presenting a detailed review of how the attack worked, using the TCP diagram as illustration. There was a discussion of some partial solutions that were disappointing in scale or efficacy. I remember suggesting that if they could model the attack as a state machine, a solution might be developed the same way — noting good and bad hosts.

Within a week, the students had coded a working prototype to test against our model attack. Thereafter, there was some extended tinkering and tuning, and a rush to produce a paper to submit to the conference. Purdue later obtained a patent (U.S. Patent 6725378) on the idea, although it was never licensed for use.

Thereafter, Christoph received his PhD in 1997 with work in firewalls and went on to a career leading to his current position as a Senior Security Architect at Apple Computer. Ivan received his PhD in 1998 with work on security vulnerability classification and he currently runs a company, Artexacta, that he founded in Bolivia. Markus finished his MS in 1997, and after completing his PhD at Cambridge, joined the faculty there. Robin finished his MS in 2017 and is now the Head of Information Assurance and Data Protection at RELX. Diego finished his PhD in 2001 with work in agent-based intrusion detection and is now an Enterprise Security Architect at Swisscom in Switzerland.

The COAST Laboratory

Purdue has a long history of being involved in cybersecurity. Notably, Dorothy E. R. Denning completed her Ph.D. at Purdue in 1975, with a thesis on secure information flow. She then became an assistant professor and offered a graduate course in Data Security, which has been offered continuously to this day as CS 555.

Dorothy was at Purdue until 1983. One of her notable students was Matt Bishop, who completed his M.S. and Ph.D. (1984) in information security on take-grant models. Matt has gone on to also be a major force in the field.

Sam Wagstaff joined the CS department in 1983 and took on the teaching of CS 555 after Dorothy left. His primary area of interest was cryptography, and he has had many notable discoveries and publications during his career at Purdue (Sam retired in 2019). He even has a form of prime number named after him: the Wagstaff Prime!

I joined Purdue's CS department in 1987. My primary research focus was in software engineering and distributed systems. I was involved with the newly-formed Software Engineering Research Center (SERC, an NSF-supported industry-university cooperative research center) at Purdue and the University of Florida. System security was a "hobby" area for me because there was not much of an interest in academia at the time other than in formal methods and cryptography. (I've discussed this elsewhere.)

In 1988, the Internet Worm incident occurred, as did my involvement in responding to it. Soon after that, I was the lead author of the first English-language technical reference book on computer viruses and co-authored the 1st edition of Practical Unix Security with Simson Garfinkel. I also was doing some highly visible research, including the work with Dan Farmer on COPS.

My work in the SERC had resulted in some great results, but I never saw them transitioning into practice. Meanwhile, my work in security had some immediate impact. Thus, I gradually started moving the focus of my work to security. This change was a bit risky halfway to my tenure decision, but it was what I felt compelled to do. I continued my work in intrusion detection and began research in software forensics (my work started that as a formal field).

The increased visibility of security also meant that some good students were coming to Purdue to work in the field and that some external funding started becoming available. Most of the students wanted to build systems-oriented security tools, but we knew there was potential for a very wide set of topics. So, Sam and I decided to form a laboratory within the CS department. The department head at the time, John Rice, gave us a room for the lab and encouraged us to seek out funding.

The COAST name

We knew that we needed a catchy name for the group. I threw it out as a challenge to a few of my students. Steve Chapin (now at LLNL) -- who was my first Ph.D. student in a security-related topic -- came up with COAST as an acronym for "Computer Operations, Audit, and Security Technologies." It also was a sarcastic reference to how funding agencies thought good computer science only occurred at the coasts. We knew immediately it was the perfect name, and we seldom used anything except for the acronym itself.

I, along with a couple of the students, played a bit with the desktop publishing tools of the day (recall, it was 1992) and came up with the logo:

We knew that we needed funding to make the lab viable and keep the space. I approached several of the current partners of the SERC along with some other friends of the CS department to see if we could get some initial funding to support equipment purchases and support for the students. Four stepped forward: Sun Microsystems, Bell-Northern Telecom (BNR), Schlumberger Laboratories, and Hughes Laboratories.

We were open for business as of spring in 1992!

Over the next six years, COAST grew in faculty, students, and research, establishing itself as the largest research group in computing security in the country, reaching a peak research budget of over one million dollars per year (pretty good for its time).

COAST's success became notable for several innovative and groundbreaking projects, including the Tripwire tool, the IDIOT intrusion detection system, vulnerability classification work by Aslam and Krsul that influenced the CVE system, the first-ever papers describing software forensics by Krsul, Spafford, and Weeber, the discovery of a serious lurking Kerberos 4 encryption flaw by Dole and Lodin, and the firewall reference model by Schuba -- among others.

Next chapter

As COAST grew and added faculty from across the university, it was clear that it was more than Computer Science. Some of the CS faculty members were hostile to the work, dismissing it as "merely systems administration." (A few still have that attitude.) The CS Ph.D. qualifying exams of the time had mandatory exams in both theory of computation and numerical analysis (the department had its roots -- from 1962 -- in mathematics). Some of the faculty in those two areas were particularly unbending, and as a result, several very promising security grad students exited Purdue with only an M.S. degree. In retrospect, that worked out okay for all of them as they went on to stellar careers in government and industry, all paid much better than any of those professors!

Those factors, and others, led to the transformation of COAST into a university-wide institute, CERIAS, in May of 1998. I've discussed this elsewhere and may do a follow-on post with some of that history.

See some of the recollections in COAST, Machine names, Sun, and Microsoft.