The Advanced Cyber Systems Lab was created to fulfill 3 primary missions:
1. Connect the Software Development and Cyber Security Communities
If debugging is the process of removing software bugs, then programming must be the process of putting them in.
–Edsger W. Dijkstra
Since the beginnings of modern computing a gulf has existed between developers that create code and various security personnel that attempt to secure these systems. Unfortunately this approach can never be truly successful as security (lack of weird machines) is an intrinsic property of a system and not something that can be layered on top later.
At the ACSL we explore technologies and techniques to prevent the introduction of bugs and security issues:
- Secure by default systems
- Mitigation of entire classes of security vulnerabilities
- Static and Dynamic Analysis
- Correct by Construction Software
- Language-theoretic Security
- Formally Verified Software
- And other techniques and technologies
While total elimination of defects and bugs is the ultimate goal, reducing whole classes of software defects and bugs provides a dramatic improvement in security and reliability over today's industry standard practices. Choosing appropriate systems like OpenBSD and Rust can rapidly move us toward these goals.
2. Promote Experimentation and Innovation in a Non-Production Setting
Test and perfect on our systems so you can deploy better solutions in production.
Production systems should be secure, reliable and trustworthy. Businesses are thus not inclined to make radical changes to their systems, nor should they be.
Further, many educational institutions make the mistake of buying the most expensive systems possible. This inevitably leads to keeping students away from such systems for fear that they will break them. It's rather difficult learn on "off limits" systems.
Equipment and systems in the ACSL have been provided by egx.org specifically for such experimentation and testing. Attendees are heavily encouraged to roll up their sleeves, rack-up a server, install and OS and write the next great system on top of it.
3. Advance the State of Secure, Reliable, and Trustworthy Systems
When everything is connected, everything is critical infrastructure.
Critical systems are obviously necessary in medical, industrial, military, aviation, etc. Less obvious are the consequences of connecting systems together and how this increases attack surfaces and reduces damping and propagation times.
Global losses due to security incidents were $1.5 Trillion. What's lesser known is that losses due to defective and buggy software were $2 Trillion.
A rapid and widespread transition to High Assurance systems seems unlikely as such technologies have been around for decades. At the ACSL we work with attendees and businesses to find a reasonable path toward such systems.
Now that most businesses have become comfortable with Linux, we encourage the transition to better hardened and more rigorously designed systems like OpenBSD. It's a small step with important security advantages.