One of the greatest challenges in computer security is a sociological one: to find a way to address the pervasive programming errors in software code.
EECS Professor David Wagner (Photo by Peg Skorpinski) David Wagner is particularly well acquainted with the perils of buggy software. In 1995, when he was 21, he and fellow Berkeley graduate student Ian Goldberg, now at the University of Waterloo, made headlines for finding a security hole in Netscape's version of Secure Socket Layer, the program used to secure online banking and purchasing. A few years later, Wagner and colleagues cracked the scheme used to secure digital cell phone conversations and demonstrated that a GSM cell phone could be "cloned," enabling one user to take over another's cellular account. In 2001, Wagner, Goldberg, and then-graduate student Nikita Borosov, now at the University of Illinois, revealed that data transmitted across 802.11 wireless networks can be easily intercepted and deciphered.
While engaged in these projects, Wagner began thinking about ways to detect the critical errors that make software programs vulnerable to attacks. The result has been an ongoing effort to create tools that enable programmers to detect buffer overflows and other critical programming bugs before software ships. "These tools will never be perfect—they can't catch all bugs—but they can be useful," says Wagner.
Even if it's impossible to catch all bugs, it may be possible to contain their effects. Toward this end, Wagner and his students are also developing a new, secure programming language. The issue, Wagner says, is that today's programs tend to be much more powerful than they need to be, which means that a virus affecting a single program can wreak widespread havoc. For example, in Microsoft's Windows operating system, as incredible as it may sound, the included Solitaire game has the power to delete every file in the system. "If one rivet fails, does a bridge fall down?" he asks. "We don't build bridges that way, that would be crazy, but that's more or less how we build software." Wagner's programming language would restrict the power of individual programs by invoking the “principle of least privilege”—each piece of software gets the authority it needs to do its job, and that's it.
As part of a project called ACCURATE, which is allied with TRUST, Wagner is also trying to create secure programs for electronic voting. Electronic voting systems have been widely adopted because of their attractive, easy-to-use interfaces, yet current voting machines run with notoriously buggy and complex software, which could enable an attacker to rig vote totals.
One approach to making e-voting secure—the approach that has been most popular in the growing community of voting activists—is to require voting machines to produce a paper ballot that is verified by the voter before it is cast. Deirdre Mulligan, a Berkeley professor of law, worked to promote the passage of a California law requiring such a "voter-verified paper trail," which has subsequently been imitated by many other states. Yet, as Wagner says, “paper trails don’t eliminate the need for software that works right.”
Laws do require that official voting software be "checked" by state election authorities in consultation with Federal laboratories. But because commercial e-voting programs contain millions of lines of code and run on commercial operating systems, this is a meaningless exercise.
The reason commercial voting software is so complex, Wagner says, is because it makes use of general-purpose software that is not specifically tailored to voting—software that runs on the Windows operating system, for example, or invokes general-purpose code for building graphical user interfaces. Wagner's project is to build a simple voting program from the ground up that will be checkable, yet will retain the advantages that made touch-screen machines attractive in the first place, such as an easy-to-use interface and features for disabled voters. "You can dramatically simplify the code and make it substantially easier for third parties to review," Wagner says. "We hope this will make it easier to certify that voting systems are fit for purpose."