‘Fabric’ would tighten the weave of online security

by Bill Steele, Cornell Chronicle ONLINE

As we become increasingly dependent on computers to manage our lives and businesses, our money and privacy become less and less secure. But now, Cornell researchers offer a way to build security into computer systems from the start, by incorporating security in the language used to write the programs.

Until now, computer security has been reactive, said Fred Schneider, the Samuel B. Eckert Professor of Computer Science. When hackers discover a way in, we patch it. “Our defenses improve only after they have been successfully penetrated,” he explained.

“When problems arise, we patch software like putting on duct tape,” added collaborator Andrew Myers, professor of computer science. “By now we have layers of duct tape, and the system is a mess. … Our computer systems are this tottering stack of obsolete [layers of software] … and security vulnerabilities are nearly inevitable.”

Myers and Schneider are developing a new computer platform, dubbed “Fabric,” that replaces multiple existing layers with a single, simpler programming interface that makes security reasoning explicit and direct, Myers said.

Fabric is designed to create secure systems for distributed computing, where many interconnected nodes — not all of them necessarily trustworthy — are involved, as in systems that move money around or maintain medical records. When you connect to Amazon, for example, it talks to your credit card company and the vendor of the product, passes your demographics to some advertisers and more. In a medical records system, data is shared between hospitals, doctors and other practitioners, laboratories, medical billing agencies and insurers.

Fabric’s programming language, an extension of the widely used Java language, builds in security as the program is written. Everything in Fabric is an “object” labeled with a set of policies on how and by whom data can be accessed and what operations can be performed on it. Even blocks of program code have built-in policies about when and where they can be run.

While your medical record, for example, could be seen entirely by your doctor, your physical therapist might be able to see only the doctor’s prescription for your therapy, and your insurance company could see only the charges. Report

Related Posts

Written by

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.