Securing the Internet: Ruby Lee -- Roots of trust
Patrolling the edges, rethinking the core, Princeton researchers envision a more secure Internet
While Peterson contemplates a clean-slate version of the Internet, Ruby Lee, the Forrest G. Hamrick Professor of Engineering, talks about “clean slate” design with personal computers, PDAs and cellphones in mind. That is not to say that the potential impact of her work is any less far-reaching than Peterson’s. “I’m working on individual computing devices rather than entire networks,” she said. “But there are trillions of those devices.”
Lee—who was a member of the Committee on Improving Cybersecurity Research in the United States, the group that produced the report mentioned earlier—observes that researchers in academia are in a position to make contributions to Internet security that simply cannot be made in the realm of commerce.
“In industry, successful entrenched products cannot be completely changed overnight—rather they have to be improved gradually,” said Lee. “When we do research in academia we have the freedom to consider all possibilities—including designing security from the beginning rather than as an after- thought.” The good ideas, she said, will inevitably migrate to industry.
Lee’s ultimate goal is to prevent inadvertent exposure of sensitive information and also to inoculate computers against threats like viruses, worms and bots so that they cannot infect, or be used to attack, other machines. She aims to do this by building fundamental security features directly into the hardware of a device. Members of her lab are working to build “trust anchors” into computer hardware to which different software can be tethered to provide important security coverage.
“Computers were not originally designed with security as a goal,” said Lee, who—as chief computer architect at Hewlett-Packard in the 1980s—helped lead an industry revolution in computer architecture. “I’m trying to rethink the design of computers so they can be trustworthy while retaining all their original design goals, such as high performance, low cost and energy efficiency. Also, usability is important. If people find security a hindrance, they will find a way to bypass it.”
According to Lee, many researchers do not think it is possible to build security features into computer hardware without slowing the computer or causing it to consume lots of power. However, research done by her lab demonstrates that this is not the case.
“These hardware ‘roots of trust’ are actually quite deployable on consumer devices like desktop computers or PDAs, and also in sensor networks and larger servers,” said Lee. Her work is part of the SecureCore multi-university research project—funded by the National Science Foundation CyberTrust program and the Defense Advanced Research Projects Agency. In addition to her cutting-edge research, Lee teaches a popular University-wide undergraduate lecture class on cybersecurity in which the students split roughly 50-50 between engineering and non-engineering majors.
“I’m trying to train the future policy makers, lawyers, entrepreneurs and company executives to understand what the technology can and cannot do,” she said. “There are economic and social dimensions to this problem. Technology alone will not solve the problem of security in cyberspace.”