To lock down easy-to-breach computer systems, pour a little LAVA on them.
Computer scientist Nathan Dautenhahn of Rice University’s George R. Brown School of Engineering has been granted a prestigious National Science Foundation CAREER Award, funding his “Least-Authority Virtual Architecture” strategy. The award, only given to young faculty making significant contributions within their fields, consists of $630,000 over five years starting in July.
Dautenhahn, who earned a bachelor’s degree in computer engineering at the University of New Mexico and a doctorate in computer science at the University of Illinois at Urbana-Champaign, and his students seal security gaps that would otherwise cost industry and the public billions of dollars each year.
“The challenge with baking security into products by default is that without users there’s no money to invest in security,” Dautenhahn said. “This ends up forcing bad security practices in exchange for more functionality and users, because if people aren’t using your product, it doesn’t matter how secure it is.
“You end up having a scenario I call over-privilege, where users and software can access data or information they shouldn’t have,” he said.
“The metaphor I typically like to use is the Titanic,” Dautenhahn said. “It’s this nice vehicle that does amazing work for you but is easy to penetrate. And once a bad guy gets in, since the insides are overprivileged, he basically has access to everything and can sink the ship.”
Dautenhahn proposes a kind of compartmentalization, in this case the enforcement of “least authority” (the LA in LAVA). “Each component within a computing system should only have access to the resources they need to do the job they’ve been given. We borrow this principle from the military. There it’s known as ‘need to know,’” he said.
“The big idea for the grant—and why it’s a 20-year and not just a five-year project—is to figure out if we can systematically retrofit least-authority security boundaries into existing products,” Dautenhahn said. “Since we are not going to change the economics of security, is it possible to retrofit security boundaries in to provide meaningful firewalling?”
His lab’s early prototypes suggest it is possible to build LAVA into an end-to-end framework capable of analyzing, optimizing, transforming and enforcing compartmentalized systems on the fly, “so your developers don't have to be security experts,” he said.
Dautenhahn said the CAREER Award is a promising investment for the future of practical security and a great morale booster for him and his team after two years of working remotely during the pandemic.
“This is a great opportunity to showcase the excellent work our students have been doing in these areas,” he said. “I’ve been working on this idea since graduate school and I am very excited to receive this support from the NSF, which validates the research we’ve already done and provides the resources to show concrete solutions to this fundamental problem.”