PITTSBURGH—Carnegie Mellon University has launched a small laboratory, or lablet, sponsored by the National Security Agency to study fundamental issues about the design of information systems that are secure and trustworthy, an area of research that has come to be known as the Science of Security, or SoS.

The Carnegie Mellon lablet, directed by William Scherlis, professor and director of the Institute for Software Research, is one of four such lablets in academia funded by the NSA. North Carolina State University, the University of Illinois Urbana-Champaign and the University of Maryland also host lablets.

"All of the work is basic science, without any publication restrictions," Scherlis said. "The point of all this is to build a network of SoS thinking." Though computer security is a large industry and a highly active area of academic research, SoS focuses on developing a systemic body of knowledge and the theoretical underpinnings for the design of trusted computer systems. It includes contributions from computer science, as well as software engineering, behavioral science and economics.

The lablet community has identified five "Hard Problems" in SoS; Carnegie Mellon's lablet will focus primarily on two of these: scalability and composability, and human behavior and usability.

Scalability and composability relates to the increasingly large, complex software systems made possible by assembling many separate components. "The challenge is to develop methods to enable the construction of secure systems with known security properties by assembling components each of which has known quality and security properties," Scherlis said.

"This is the goal of composability — to be able to assemble those components without then having to painstakingly re-analyze the security properties for the entire system. While there is no general solution to composability, as our understanding improves we can make important progress on particular technical attributes critical to security. This influences how we structure our systems and what kinds of languages, models, and tools we use. We will learn how to engineer systems that are more readily assured," Scherlis said.

In the area of human behavior and usability, the researchers will be developing models of human behavior that enable the design, modeling and analysis of systems with specified security properties. That includes not only looking at the ways people use computer systems, but also the behavior of adversaries and human operators, which has implications for insider threats, reliability and security policies. Also of interest is how to improve support for the people who develop systems and evaluate their security.

At Carnegie Mellon, Jonathan Aldrich, associate professor in the Institute for Software Research, is co-principal investigator with Scherlis. The effort involves about 15 faculty members, as well as about 20 more post-doctoral researchers, technical staff members and graduate students. Seven departments, including the Institute for Software Research, the Computer Science Department, CyLab, Electrical and Computer Engineering, Engineering and Public Policy, the Information Networking Institute and the Human-Computer Interaction Institute, contribute to the effort.

The lablet includes collaborators at seven universities: the University of Pittsburgh, Cornell University, the University of Nebraska Lincoln, Wayne State University, the University of Texas at San Antonio, George Mason University and the University of California, Berkeley.