Advanced security to come to the PC

Computer scientists at the University of Pennsylvania have received a two-year, $2,125,000 grant to introduce advanced security features used in special-purpose government computers into standard office PCs.

The funding, from the Defence Advanced Research Projects Agency (DARPA), represents a change in the federal government’s approach to procuring highly secure computers, said principal investigator Jonathan M. Smith.

Endlessly besieged by individuals seeking to break into federal web sites and classified files, government computers require security mechanisms and assurances far more stringent than those ordinarily engineered into the computers available to the general public.

‘During the last few decades, the government’s approach has been to contract researchers to develop high-security workstations specifically for its own uses, outside of the mainstream computer industry,’ said Smith, professor of computer and information science. ‘The problem is that development of these special-purpose computers has generally progressed so slowly that the machines, while indeed secure, are technically obsolete by the time they are put into service.’

Smith and colleagues at the University of Pennsylvania, the software development consortium OpenBSD, the Apache Software Foundation and OpenSSL Group propose to use the open-source movement – where programmers openly share incremental advances – to try to engineer better security features into mainstream computers.

‘Computers developed for consumer use have focused on user-friendliness, not security concerns,’ Smith said. ‘Users generally only care about security when they’ve had a failure.’

Working through OpenBSD the team hopes to integrate stronger security features into mainstream software as it progresses through development. Individuals worldwide who are interested in software can download and examine open-source code and suggest revisions. This collaborative approach leads to more robust software more quickly, said Smith.

By auditing the security weaknesses of conventional software as it’s developed, Smith’s team will try to foster the development of mainstream systems secure enough to meet the government’s needs.

The team will share its security advances with the open-source software community via OpenBSD, whose machines have proven impervious to break-ins for many years. The team will work on an audit of OpenSSL, the widely used software for e-commerce security found in the Apache web server.

‘We expect our work will represent a serious contribution to all computer manufacturers, not just the government,’ Smith said. ‘The source code we develop will be freely available to everyone, and no manufacturers want to deliver an insecure system when they know how to do better.’