CERIAS Seminar Presentation: David Bell (Symposium Summary)
Wednesday, March 31, 2010
Summary by Robert Winkworth
“Everything I Needed to Know About Security I Learned in 1974”
Security luminary David Bell concluded this year’s Information Security Symposium with a lecture in which he argued that while the speed and size of computers has changed greatly across the decades, the principles underlying the issue of security have been remarkably constant.
With the exception of one noted MULTICS covert channel hack, the speaker asserted no fundamentally new innovation in computer security appeared from 1974 until 2005 (when he retired.) Dr. Bell had done a great deal of conceptual modeling, particularly near the beginning of his career. This, he explained, influenced his later work in security. In 1971, Bell, having read many classic MULTICS papers, felt even then that “all the good stuff” had already been done and made public. He recalled, with some amusement, that government facilities did not always share his awareness of these facts. Material freely available in research libraries, when cited in military security reports, often becomes classified as though somehow it might be made secret anew.
Commenting on the 1972 Anderson Report, Dr. Bell noted that a core collection of only about a dozen critical infiltration tactics proved successful in almost every documented penetration test. Clearly by better abstracting these procedures into general categories of attack we could better understand and predict them. So, Bell was called to produce a mathematical model of computer security, but no other details of his assignment were specified. This, he explained, turns the technical process of testing and setting conditions in the machine into a cultural process of negotiating policies. “Security” is not meaningful until defined. Likewise, threats to security must be discussed before we can discuss their remedies. General principles of a security model are not useful until somehow applied, and Bell prefers to see these concrete examples before signing off on a policy, however academically sound it may seem.
Along with Len La Padula, David Bell is probably most widely recognized for his contribution to the Bell-La Padula Model of secure systems. This widely influential set of conceptual tools appears frequently in the fundamentals of IA curricula at Purdue and probably throughout the world.
Our host was critical of those that see security as a personnel problem, noting that this approach fails to recognize the technical weaknesses that remain regardless of the people involved. And coordinating the technology is possible; Bell shows us computer systems that have never suffered a documented breach and never required a security patch. Unfortunately, the process of replacing an existing infrastructure is difficult, particularly for an entrenched bureaucracy, so the challenge facing many security modelers is producing a plan that outlines not only the destination but all the intermediary steps necessary to transform an existing system to one that approaches the level of security desired.
Many evaluators are assigned to networks the technology of which they cannot explain. Since they cannot articulate an effective policy for interactions between such a network and its trusted neighbors, a common reaction to this is to simply isolate them. As internetworking becomes pervasive, however, this cannot remain a practical strategy. Networks must be connected, but such connections introduce weaknesses if they are not thoroughly documented and regulated. How we can possibly manage the explosive complexity of internetworks remains a daunting question.
“We are not safe and secure today,” concludes our eminent guest. Those that claim otherwise are “either misinformed or lying.” Bell called upon us to implement more of the sound ideas in information assurance that hitherto have existed only as concept, and to fully acknowledge the extent to which models such as BLP have not been fully embodied.
Gene Spafford was on hand for today’s session, and asked for Dr. Bell’s comments on the software solutions of Rogers and Green Hills (two of the best-rated security platforms.) Bell found both quite sound. He was concerned, however, that neither had achieved the market “traction” that he would like to see. He provided some examples of how each could be more effectively introduced to companies that might use them in live networks.
As of March 31, 2010, the media presented in this lecture is available.