EE380 Computer Systems Colloquium

The Future of Trustworthy Computer Systems: A Holistic View from the Perspectives of Hardware, Software, and Programming Languages
Wednesday, June 3, 2015 - 4:15pm to 5:30pm
Gates B01
Peter Neumann (SRI International)
Abstract / Description: 

The state of the art of trustworthiness is inherently weak with respect to computer systems and networks. Essentially every component today is a potential weak link, including hardware, operating systems, and apps (for desktops, laptops, network switches and controllers, servers, clouds, and even mobile devices), and above all, people (insiders, penetrators, malware creators, and so on). The potentially untrustworthy nature of our supply chains adds further uncertainty. Indeed, the ubiquity of computer-based devices in the so-called Internet of Things is likely to make this situation even more volatile than it already is.

This talk will briefly consider system vulnerabilities and risks, and some of the limitations of software engineering and programming languages. It will also take a holistic view of total-system architectures and their implementations, which suggests that some radical systemic improvements are needed, as well as changes in how we develop hardware and software.

To this end, we will discuss some lessons from joint work between SRI and the University of Cambridge for DARPA, which is now nearing several possible transition opportunities relating to some relatively clean-slate approaches. In particular, we are pursuing formally based hardware design that enables efficient fine-grained compartmentalization and access controls, new software and compiler extensions that can take significant advantage of the hardware features. SRI's formal methods tools (theorem prover PVS, model checker SAL, and SMT solver Yices) have been embedded into the hardware design process, and are also applicable selectively to the software. This work for DARPA is entirely open-sourced. The potential implications for hardware and software developers are quite considerable. SRI and U.Cambridge are also applying the knowledge gained from our trustworthy systems to software-defined networking, servers, and clouds, along with some network switch/controller approaches that can also benefit from the new hardware.. For example, Phil Porras has described some of the SDN work of his team in last week's talk at this colloquium.


Peter G. Neumann ( has doctorates from Harvard and Darmstadt. After 10 years at Bell Labs in Murray Hill, New Jersey, in the 1960s, during which he was heavily involved in the Multics development jointly with MIT and Honeywell, he has been in the Computer Science Lab at SRI International (formerly Stanford Research Institute) since September 1971 -- where he is now Senior Principal Scientist. He is concerned with computer systems and networks, trustworthiness/dependability, high assurance, security, reliability, survivability, safety, and many risks-related issues such as election-system integrity, crypto applications and policies, health care, social implications, and human needs -- including privacy. He is currently Principal Investigator on two projects: clean-slate trustworthy hosts for the DARPA CRASH program with new hardware and new software, and clean-slate networking for the DARPA Mission-oriented Resilient Clouds program. He moderates the ACM Risks Forum (,s and has been reponsible for CACM's ongoing Inside Risks articles since 1990, when he began chairing the ACM Committee on Computers and Public Policy. He created the ACM SIGSOFT Software Engineering Notes in 1976, was its editor for 19 years, and still contributes a RISKS-highlights section six times yearly. He has participated in four studies for the National Academies of Science: Multilevel Data Management Security (1982), Computers at Risk (1991), Cryptography's Role in Securing the Information Society (1996), and Improving Cybersecurity for the 21st Century: Rationalizing the Agenda (2007). His 1995 book, Computer-Related Risks, is still timely; perhaps surprising, many of its conclusions and recommendations are still valid today, as incidents similar to those described continue to occur. He is a Fellow of the ACM, IEEE, AAAS, and SRI. He received the National Computer System Security Award in 2002, the ACM SIGSAC Outstanding Contributions Award in 2005, and the Computing Research Association Distinguished Service Award in 2013. In 2012, he was elected to the newly created National Cybersecurity Hall of Fame as one of the first set of inductees. He is a member of the U.S. Government Accountability Office Executive Council on Information Management and Technology. He co-founded People For Internet Responsibility (PFIR, He has taught courses at Darmstadt, Stanford, U.C. Berkeley, and the University of Maryland. See his website ( ) for testimonies for the U.S. Senate and House and California state Senate and Legislature, papers, bibliography, further background, etc.