Filling The Holes in Swiss Cheese Cybersecurity
by David Pescovitz
David Wagner is also the co-chair of the 2003 Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy, taking place this May.
Peg Skorpinski photo
David Wagner is a cypherpunk of the finest order. In 1995, at age 21, he and fellow graduate
student Ian Goldberg showed that the random-number generator behind the encryption in
Netscape's browser, the code meant to protect users' credit card numbers, was seeded so
poorly that the protection could be broken. In 1997 and 1998, he devised a method to eavesdrop
on supposedly encrypted conversations made with digital cellular
telephones, and later cracked the security system that prevents thieves
from charging cellular calls to someone else's account. Most recently,
Wagner made headlines with a report revealing that data flying across
today's popular 802.11 wireless computer networks, even when "protected" by the
networks' built-in WEP encryption, can easily be plucked from the air.
Fortunately, Wagner is one of the good guys. And as of late, the
world-renowned cryptographer and UC Berkeley professor of computer
science has focused his attention on methods to protect our software
infrastructure from malicious attacks. He'll discuss his innovative
approaches to computer security at the March 1 Berkeley
in Silicon Valley symposium.
"By far, the majority of computer vulnerabilities are due to software
bugs," says Wagner, who recently made Popular Science magazine's
Brilliant 10, a list of "scientists who are shaking up their fields
and whose work will touch your life."
According to Wagner, buggy software is an age-old problem. But with
the connectivity offered by the Internet, bugs can become much more
than annoyances that cause computers to crash. Sometimes, a bit
of bad computer code can act as an open door that provides hackers
access to an entire system.
"You hear about dozens of bug reports in Microsoft, Netscape, and
everyone else's software," Wagner says. "Then you hear about patches
for the bugs. But fixing them after the fact can be problematic
because sometimes the hackers have already exploited those bugs."
Wagner's idea is to provide software developers with tools that
help them find and exterminate the bugs before the software goes
out the door. The tools automatically scan through computer code
and flag problematic parts that could lead to vulnerabilities. One
method, he explains, is to identify the "principles of good coding
practice that reduce the odds of falling prey to certain classes
of common security flaws." Wagner's software then ensures that the
new code obeys the rules.
Wagner's Software Security Project began while he was a graduate student at UC Berkeley
working toward his PhD. He had sorted the different classes of software
vulnerability and discovered that one simple error, called a buffer
overrun vulnerability, accounted for almost half of all security
holes. In a buffer overrun attack, a hacker feeds a program more data than the
fixed-size piece of memory set aside for it can hold, and the excess overwrites
adjacent memory with the hacker's own executable code. For example,
he might insert a program that erases files before sending copies
of itself to other computers on a network.
"It's easy to make the buffer overrun vulnerability mistake and
it's not a really deep mistake," Wagner says. "But it is 'Programming
101,' and many programmers are contributing to their software's
security vulnerability."
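The mistake in question, shown as an added example in C (this is not code from Wagner's project or from the article): an unbounded `strcpy` into a fixed-size stack buffer, beside a hardened version that measures the input against the destination size and refuses anything that would not fit. The unbounded copy is exactly the kind of pattern a rule-based scanner of the sort described above flags; the bounded version is the rule it would want to see. The buffer size and the `greet_*` function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer: the "Programming 101" setup the text describes.
 * The size is an assumption for this example. */
#define NAME_MAX 16

/* Vulnerable: strcpy copies until it finds the input's terminating NUL and
 * never looks at the destination size, so an input of 16 or more characters
 * writes past the end of name[] onto whatever sits next to it on the stack
 * (saved registers, the return address). Shown for contrast only; it must
 * never be called with attacker-controlled input. */
void greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                 /* no bound: this is the bug */
    printf("Hello, %s\n", name);
}

/* Hardened helper: copy src into dst only if it fits, terminator included.
 * Returns 0 on success and -1 if the input would overflow. Refusing the
 * input is deliberate: silent truncation hides the problem and can itself
 * cause bugs further down the line. Scanning stops at dst_size bytes so an
 * unterminated src cannot make us read beyond what we need to decide. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)
        return -1;                       /* no NUL within dst_size bytes: does not fit */
    memcpy(dst, src, n + 1);             /* n characters plus the NUL */
    return 0;
}

/* Hardened: same behaviour as greet_unsafe for well-sized input, and a clean
 * error instead of memory corruption for oversized input. */
int greet_safe(const char *input)
{
    char name[NAME_MAX];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;
    printf("Hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that is a single byte too long. */
    if (greet_safe("Wagner") != 0)
        return 1;
    if (greet_safe("sixteen-chars-!!") != -1)
        return 1;
    return 0;
}
```

The check is the whole difference: both functions do the same copy when the input fits, but only `copy_bounded` has any idea how large the destination is. With the original `strcpy` the 16-character input above would already have clobbered the byte after `name[]`.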
Already, several research prototypes of Wagner's security tools
are available for free download. More secure software, he hopes,
will help protect us from cyberterror attacks that are "unlikely
to cause much loss of life, but could cause significant financial
damage" or worsen real-world catastrophes. For example, Wagner says,
taking down the 9-1-1 emergency phone network or hacking into the networked
computers that control the electrical power grid are not out of
the realm of possibility.
"The Internet is like the Wild West when it comes to security," Wagner says. "And after September 11, we realized that maybe we should pay attention to things we weren't thinking about before. One of the things that's exciting to me about Berkeley is that researchers here value having that kind of impact."
David Wagner's Home Page
Popular Science's Brilliant 10: David Wagner
Lab Notes is published online by the Public Affairs Office of the UC Berkeley College of Engineering. The Lab Notes mission is to illuminate groundbreaking
research underway today at the College of Engineering that will dramatically change our lives tomorrow.
Editor, Director of Public Affairs: Teresa Moore
Writer, Researcher: David Pescovitz
Designer: Robyn Altman
Subscribe or send comments to the Engineering Public Affairs Office: lab-notes@coe.berkeley.edu.
© 2003 UC Regents.
Updated 1/24/03.