Co-authored by Andrew Walenstein, CHACE Director
Earlier this year, BlackBerry launched the CHACE initiative (www.blackberry.com/CHACE). This blog provides an update and overview of 2015 Center For High Assurance Computing Excellence (CHACE) activities since launch.
But first, a reminder of the CHACE mission: to solve one of the world’s most important computer security problems today – a crisis of confidence. BlackBerry is proud of its strengths and accomplishments in security and privacy, but being a leader of the pack is not enough. We live in a world where confidence in security is so eroded and dreadful breaches so familiar that consumers all but shrug when they behold their critical assets quartered at the hands of hackers who let slip their dogs of war (thank you, Shakespeare). This is unacceptable, and the technology industry can and must do better.
The solution seems obvious: we need better security and privacy, the kind that people can verify and that is truly trustworthy. But what does this really mean? Many vendors claim (and sometimes believe – right up until the point they’re hacked) that they have great security already. How do we define, measure and ultimately achieve “better”? Answering this question is an overarching goal of all CHACE projects: developing ways of producing assurance that the products and services upon which we all rely provide the security and privacy we expect, deserve and desperately need. We’d like to describe key elements of our strategy and illustrate them in action by highlighting a few of our ongoing projects.
Inherently secure development practices
The foundation for security and privacy must be laid during the design and development process, so improving developer practices is an essential element of the CHACE strategy. CHACE develops practical and efficient technical approaches that provide inherently high assurance in a product’s security, rather than the hand waving and finger crossing much of the world sees today.
The gold standard for inherently high assurance is provable security. Techniques for achieving mathematical proof of software correctness and security claims have been well understood for decades. However, conditions in which these “formal methods” have been successful (sometimes spectacularly so) have been fairly restricted – think nuclear power plants and spacecraft – not your banking app on your phone. Much previous work in this area forces massive change in developer workflow, for example requiring new programming languages that can’t be practically retrofitted to mature code bases.
But things are changing. Recent advances in model checking, for example, have drastically expanded economic feasibility. CHACE has been working on adapting and demonstrating how the most advanced tools can be effectively applied to security-critical, legacy code bases, such as OS kernels, network protocols and crypto, and trusted execution environments (TEE), with the goals of finding vulnerabilities efficiently and improving test coverage. Through our QNX division we have been helping customers building safety- and security-critical IoT “Things” apply such techniques.
Improving automated vulnerability finders
Security and privacy cannot scale without automation; improved automated vulnerability finding is a key CHACE strategy. For example, static code analyzers can automatically scan code and locate common vulnerabilities before the code is ever deployed. However, the biggest barrier to their widespread use is a high rate of false warnings that cannot be efficiently actioned. As a result, developers spend an inordinate amount of time wading through inconsequential warnings and customizing the tool for each project, or devolve to running the tools less frequently or not at all. CHACE is applying machine learning to static analysis results in order to automatically determine which warnings are actionable.
The security world is full of snake oil and broken promises, and so a core CHACE strategy is to build measurable, effective standards. We aim for technical and policy approaches that enable independent observers – as opposed to the developer, whose claims (as we have seen over and over) should always be suspect – to obtain the same high assurance. While vendor pedigree can engender confidence, ultimately the world needs a systematic approach, and assurance by independent technical evaluation is a prerequisite to solving this crisis of confidence: how can we hope to raise the security bar if we can’t measure its height?
To help raise all boats, CHACE co-founded and leads authorship of a new, international cybersecurity standard. The first revision will be published in early 2016, and we will blog a more thorough overview soon.
Collaboration with other leaders
CHACE turbocharges security initiatives across BlackBerry by collaborating with other high assurance leaders in university, industrial and government research institutions and standards bodies. We are also thrilled to contribute to training the next generation of security assurance professionals by having CHACE students in our university internship program.
We have been working on these and many other problems and have been building research collaborations with multiple external entities. We will announce some of these collaborations and more project details in the near future, so stay tuned to this blog.