Our computers are insecure and too easily compromised, but they are managing everything in our modern society (business, communications, transportation, appliances, health…). Today’s computers cannot tell good from bad; they are unable to differentiate intended use vs. abuse. As a result, they are too easily fooled into working against the owner of the system and their intent. At best, today’s security is a poorly practiced, undisciplined art. Today’s computer systems design approach leaves protection to every individual contributor—we just ask each programmer to write bug-free software and hardware at every level—even as we continue to grow the size of our systems. Any bug in any component has the potential to compromise the security of the whole system. Fundamentally, the advantage goes to the attacker—the attacker only needs to find one flaw, while the defender must make sure every component and line of code is flawless (does not allow unintended use).
Change the game in computer protection, making computers worthy of the trust we place in them and turning security into an engineering discipline.
We introduce four fundamental elements of a new engineering discipline to support this goal: mechanisms, policies, metrics, and optimizations.
To flexibly and efficiently enforce a wide range of security policies and abstractions, we co-design hardware-rooted mechanisms across the stack. Our hardware-rooted mechanisms embrace and exploit now-inexpensive silicon resources, working with the system software, to enforce foundational security policies and OS/programming-language abstractions without compromising performance and without discarding all the software and systems that exist today. Our mechanisms are expressive and flexible enough to support new policy innovations that adapt to threats and lessons learned, and to support system tuning and optimization. Our cross-stack co-design solves problems at the right level in the system for a given technology and set of system goals, while not leaving seams and weaknesses between layers that undermine enforcement.