TORONTO (12/19/2003) - Carleton University in Ottawa opened a new computer security research center last month, in part to focus on narrowing the gap between academic-driven theoretical research and practical business applications.
The venture, funded by Ottawa-based Cloakware Corp. and the provincial and federal governments, will focus on improving computer security while still remaining true to academic research. The lab will become the cornerstone of Carleton's security research.
Studying everything from ways to reduce a hacker's ability to reverse engineer software to stopping viruses and worms through better understanding of their characteristics, professor Paul Van Oorschot and his team of computer scientists will delve into the internal workings of computer security.
Traditionally, there has been an uneasy relationship between business and academia as their goals are often at different ends of the spectrum. Trying to make a profit from a technology idea and trying to fundamentally understand the technology are often divergent, and financially mutually exclusive, goals.
"In security there is very little (system-wide) research on the academic side because there is no reward," Van Oorschot said. "I want to change that." Academic research tends to be very narrowly focused, and although Van Oorschot admits he may get some pushback from the academic community, he wants to focus at least some of the research on broad-scope solutions.
Van Oorschot's own experience as the former chief scientist at Entrust Inc. and an adjunct research professor at Carleton will help him since he understands the constraints of both business and research. Van Oorschot is also the Canada Research Chair in Network Software and Security, a federally funded position with a mandate to research ways to improve software security and authentication.
One solution being explored at the lab is a security metrics tool designed to calculate the security level of a given application. Starting with the assumption that a hacker will eventually get into any application, Van Oorschot said the key is to "raise the bar so the level of effort is so high it is not worth the effort." The tool created will be able to measure how high the security bar is for a given application.
Van Oorschot said this is a good example of research with a very practical use. "That is why there is commercial interest."
Another area of focus is trying to find a way to increase software diversity. "The problem with software is that it is all the same," said Alec Main, chief technology officer with Cloakware. Because of this, once a vulnerability has been found and code written to exploit a particular version of software, all copies are vulnerable to attack. Cloakware is developing a tool for developers to use when they compile software so that a small portion of the code (say, what resides in the memory stores) is varied. In this way, while the functionality will be identical, the underpinnings exploited by the hacker will be far more complex.
When an automated attack sees the same piece of code over and over, it can easily attack thousands of copies, Main explained. Simply shifting 100 bytes would make writing code to take advantage of a buffer overflow vulnerability (the most common software security problem) exceedingly difficult, Van Oorschot explained, since crafting a specific attack has to be very, very precise. A hacker would therefore have to rewrite the attack code for each variation of the software. "This diversity is worth a certain overhead cost," Van Oorschot said.
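The effect of shifting a layout by up to 100 bytes can be modelled in a few lines. The following is an added example, not code from Cloakware or the Carleton lab: it simulates a stack frame as a plain byte array and checks what one fixed input, tuned for the unshifted layout, does to copies whose saved return slot has been moved. The buffer size, the return value, the marker and the rule that copy i gets a shift of i % spread are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   64            /* vulnerable buffer size (constructed) */
#define MAX_PAD   100           /* largest per-copy shift: the article's 100 bytes */
#define FRAME_LEN (BUF_LEN + MAX_PAD + 4)
#define LEGIT_RET 0x08048000u   /* constructed saved return value */
#define MARKER    0x41414141u   /* constructed value the fixed input tries to plant */

enum outcome { UNTOUCHED, CORRUPTED, HIJACKED };

/* Model one installed copy whose return slot sits `pad` bytes past the
 * buffer, deliver one fixed input tuned for pad == 0, classify the result. */
static enum outcome deliver(size_t pad)
{
    uint8_t frame[FRAME_LEN] = {0};
    uint8_t input[BUF_LEN + 4];
    uint32_t ret = LEGIT_RET, marker = MARKER;
    if (pad > MAX_PAD) pad = MAX_PAD;               /* keep the model in bounds */
    memcpy(frame + BUF_LEN + pad, &ret, sizeof ret);
    memset(input, 'x', BUF_LEN);                    /* filler up to the tuned offset */
    memcpy(input + BUF_LEN, &marker, sizeof marker);
    memcpy(frame, input, sizeof input);             /* stands in for the unchecked copy */
    memcpy(&ret, frame + BUF_LEN + pad, sizeof ret);
    if (ret == MARKER)    return HIJACKED;
    if (ret == LEGIT_RET) return UNTOUCHED;
    return CORRUPTED;                               /* would crash: a detectable event */
}

/* Tally outcomes over a fleet; copy i is shifted by i % spread (1 = monoculture). */
static void survey(size_t copies, size_t spread, size_t tally[3])
{
    tally[UNTOUCHED] = tally[CORRUPTED] = tally[HIJACKED] = 0;
    if (spread == 0) spread = 1;
    for (size_t i = 0; i < copies; i++)
        tally[deliver(i % spread)]++;
}

int main(void)
{
    size_t t[3];
    survey(1000, 1, t);     /* identical copies */
    printf("monoculture: %zu hijacked\n", t[HIJACKED]);
    survey(1000, 101, t);   /* shifts spread over 0..100 bytes */
    printf("diversified: %zu hijacked, %zu corrupted\n", t[HIJACKED], t[CORRUPTED]);
    return 0;
}
```

In this model the copies that are shifted by only one to three bytes end up with a partially overwritten return slot, which in a real process would surface as a crash that monitoring can pick up.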
What does Cloakware get out of its relationship with Carleton? "We get third-party academics proving the foundation behind our technology, so that helps us tremendously," Main said. "As a private company, we can only dedicate so much to research." And the graduate students (there are eight right now) get invaluable business experience, Van Oorschot said.