Distinguished lecture: Virgil Gligor, Carnegie Mellon University
Date and time: 30 May 2023, 10:00-11:00 CEST (UTC +2)
Speaker: Virgil Gligor, Carnegie Mellon University
Title: Determining an Economic Value of High Assurance for Commodity Software Security
Where: Digital Futures hub, Osquars Backe 5, floor 2 at KTH main campus OR Zoom
Moderator: Mads Dam
Administrator: Carlos Barretto, firstname.lastname@example.org
Abstract: Security measures that attempt to prevent breaches of commodity software have not used high assurance methods and tools. Instead, rational defenders have risked incurring losses caused by breaches because the cost of recovery from a breach multiplied by the probability of that breach was lower than the cost of prevention by high assurance, e.g., by formal methods. This practice may change soon since breach-recovery costs have increased substantially while formal methods costs have decreased dramatically over the past decade.
We introduce the notion of selective high assurance and argue that it can decrease breach costs significantly. However, the extent to which it is necessary depends on defenders’ risk aversion, which makes its value difficult to assess since risk preferences cannot be anticipated.
A challenge is to determine a lower bound on the economic value of selective high assurance independent of the defenders’ risk preferences; i.e., a value that depends only on the commodity software itself and the attacks it withstands. We propose an approach to determine such a value and illustrate it for SCION, a networking software system with provable security properties.
Bio: Virgil D. Gligor is a Professor of Electrical and Computer Engineering at Carnegie Mellon University. His research interests have ranged from access control mechanisms, penetration analysis, and denial-of-service protection, to cryptographic protocols and applied cryptography.
Gligor was an Associate Editor of several ACM and IEEE journals and the Editor in Chief of the IEEE Transactions on Dependable and Secure Computing. He received the 2006 National Information Systems Security Award jointly given by NIST and NSA, the 2011 Outstanding Innovation Award of ACM SIGSAC, and the 2013 Technical Achievement Award of IEEE Computer Society. He was inducted into the National Cyber Security Hall of Fame in 2019.