DARPA tries a simple but profound concept to improve cybersecurity
aecifo

The Defense Advanced Research Projects Agency is looking for a simple but delicate approach to cybersecurity. This would essentially break software into small pieces that are difficult for hackers to access. DARPA Information Innovation Office Program Manager Howard Shrobe joined the Federal Drive with Tom Temin with details.

Tom Temin So what are you trying here in cybersecurity that hasn’t been thought of yet?

Howard Shrobe Well, actually, it’s a very old idea. And the analogy would be useful if we think about how we build ships. The goal, of course, is that they don’t fill with water. So we try to build them with strong shells that are difficult to penetrate. But we don’t stop there. We also integrate it into compartments capable of isolating the flow. The analogy with software systems or computer systems in general is: attackers can get in, but we don’t want them to be able to advance from one place to another. So this idea of compartmentalization is realized by dividing systems into small pieces, each of which only runs with the privilege it actually needs to do its job. And this principle goes back a very, very long way in computer science. But in fact, it has always been impractical to apply it because the overhead is too high. The approach we take therefore consists of using new computer architectures, new extensions of current conventional architectures to facilitate the application.

Tom Temin And when you talk about overhead, you’re talking about the programming required to encapsulate each element.

Howard Shrobe There are actually two meanings here. So one is the actual runtime overhead and the other is how difficult it is for people to program this way. And this gives us the two main tasks that the program addresses. The first is architectures that can apply the low-cost compartmentalization and privilege management scheme. And the second is how can we automatically determine what they should apply? So how do we divide the system into pieces and what privileges should we grant to these pieces? The second of these tasks is therefore a software analysis task. And there are two ways to do this. We do both. So the first one, which is perhaps the easiest to understand, is to use a large test suite that covers most of what you think a computer would do. Run it, trace everything it does, then analyze what privileges it actually needs based on what it actually did. The problem is that it’s no better than your test suite. The other approach is to simply analyze the text with the software. This is a technique called software analysis, which has a long history in formal methods. It allows you to build a model indicating which parts of the system can reach other parts, but often, for technical reasons, this model is too permissive. So by combining the two, we’re trying to get to the point where we get a really good envelope around what the system should do.

Tom Temin It looks like you’re combining elements of zero trust and artificial intelligence; it seems very contemporary.

Howard Shrobe There are elements of that. In fact, once you have a model of, say, dynamic analysis by running it, it would be impractical to apply this privilege management scheme on a statement-by-statement level. So we start grouping instructions and data objects that behave similarly. And the more you group them into compartments (that’s where the name comes from), the less overhead you have, because there is less transition between compartments. But you have also been granted more privileges than you could have wished for in a completely pure world. And the techniques to achieve this are actually ancient AI techniques. The analysis part is based on what computer scientists call formal methods. So this proves what the software can do. And like I said, you need both because one tends to overestimate and the other tends to underestimate.

Tom Temin It seems that a lot of this has to do with the activities of the coders themselves. They should integrate this into their work.

Howard Shrobe Well, the idea is to not force them to do that. Of course, the more they understand this way of programming, the easier it will be for them to do the analysis. But we are also concerned about the billions of lines of code that exist. So if you take today’s operating systems, they’re millions of lines of code, tens of millions of lines of code, and they’re critical. So we have to manage existing legacy systems as well as new systems.

Tom Temin We speak with Dr. Howard Shrobe. He is a program manager in the Office of Information Innovation. It’s called I2O at DARPA. And what are the programmatic aspects? What do you expect from the industry? How do you try to make this notion a reality?

Howard Shrobe Right. So we put out a solicitation called the Broad Agency Announcement (BAA) a while ago and selected seven groups to be performers on this program. It is a mix of universities and businesses. And it’s in two technical parts. As I already pointed out, the analysis part and the application part. There is a team that does both. And then there are two other teams for each of these two technical areas.

Tom Temin And once they figure that out, how does that become something that the industry could turn to if they wanted to?

Howard Shrobe Yes. So everything we do is open source and unrestricted. Our goal is to demonstrate that this can work well first on operating systems and then later on large application systems. And we will try to work collaboratively with organizations that manage large open source systems. For example, the Linux Foundation. For another program dealing with compilers, we will try to work with the LLVM Foundation, which is one of the major compiler systems. So our idea is to release the software and then work with the system specialists who actually make these large, critical software systems. We can’t force anyone to adopt anything, but because we think these are good ideas and if we can demonstrate that they are useful, we think that over time they will be adopted.

Tom Temin And how do you see this working in the very dynamic world of software today? People have scrums and two-week cycles and new modules are introduced all the time, and modules are mixed and matched to create new applications or the integration of separate applications to create a better customer experience. All of these things mean that software is constantly interacting with new software.

Howard Shrobe Yeah, that’s a good point. And as you said, part of the goal here is to try to establish a framework that programmers working on new things can follow that would make it easier to compartmentalize. The other part is being able to use our tools to automatically compartmentalize that. The more programmers have this model in mind, the easier it is to do it. But we want to be able to do that for anything that’s really critical.

Tom Temin And it’s a pretty obscure but actually pretty crucial quest that you’re embarking on here. What is your background that made you so deeply interested in cybersecurity?

Howard Shrobe Yeah. So I’m a senior research scientist at the MIT Computer Science and AI Lab, where I’ve worked since 1978 as a staff member, before that as a graduate student. I’ve worked here at DARPA three times now. This is my third tour. There is a program that allows people who work for a nonprofit organization to work in government for limited periods of time. It was therefore during my second stay at DARPA that I first became interested in this field. In fact, my office manager asked me to do a project in this area. And I tried to beg off under the guise that it was one of the few areas of computing that still bored me. And he said, “Well, that’s exactly why you’re the right person, because we need a fresh look at this.” So that’s when I became very interested in the problem and took two general areas. One of them is what this program is in, namely the blending of hardware and software architectures to create inherently secure systems. And the other is more about the resilience of systems, so that even – and this program has aspects of that as well – so that even if the bad guys get in, they can’t achieve their goals. And it also has a very AI flavor. And my experience is actually in both of these areas, which is systems and artificial intelligence.

Tom Temin And you go back quite a long way, you know, a megabit of memory was worth a thousand dollars, you know, in 1978.

Howard Shrobe Yes.

Tom Temin And also, you’ve seen operating systems go from small things to things where they do everything.

Howard Shrobe That’s correct. The transition has been incredible. When I think back, as you say, when at one point I was working on a startup that had some of these aspects. And back then you had to buy something like a 300 megabyte disk and a megabyte of memory, and that was considered completely unaffordable. Now you can’t get things that small.

Tom Temin Well, the little memories they had at least imposed a certain programming discipline that doesn’t exist at all now, right?

Howard Shrobe It was true. I mean, the system I worked on has increased memory security, which is another crucial aspect. Your audience won’t know what the term means. It doesn’t matter. This is one of the most important principles you want to uphold. Because if you don’t have that, the bad guys can do anything once they’re in there.

Copyright © 2024 Federal News Network. All rights reserved.