Position Statement: On the Evolution of Adversary Models in Computer Systems and Networks

Abstract

Summary form only given. Invariably, new technologies introduce new vulnerabilities which often enable new attacks by increasingly potent adversaries. Yet new systems are more adept at handling well-known attacks by old adversaries than anticipating new ones. Our adversary models seem to be perpetually out of date: often they do not capture adversary attacks and sometimes they address attacks rendered impractical by new technologies. In this panel presentation, I provide a brief overview of adversary models beginning with those required by program and data sharing technologies ('60-70s), continuing with those required by computer communication and networking technologies (70s-'90s), and ending with those required by and sensor network technologies ('00s ->). I argue that sensor, ad-hoc, and mesh networks require new models, that are able to account for physical node capture by adversaries. Protecting device secrets (e.g., cryptographic keys) via physical security mechanisms will continue to require network security measures, despite advances in physical security measures and devices. I argue that "good-enough" measures in the face of node capture by adversaries can be obtained by using emergent properties. Intuitively, these are properties that cannot be provided by individual network nodes - no matter how well-endowed nodes might be - but instead result from interaction and collaboration among multiple nodes. Such properties can be used to detect, often probabilistically, the presence of an adversary within a network and to pinpoint with reasonable accuracy the affected network area (e.g., identify a specific captured node, a particular properly of captured nodes). However, all such measures require periodic network monitoring in normal mode to detect a somewhat rare event (i.e., node capture, replica insertion) and hence their cost can be high. I illustrate a new simple probabilistic protocol that avoids the effects of node capture by detecting adversaries attempts to access a node's internal state, and discuss various design trade-offs that will characterize much of the future research in this area.