HARVARD GAZETTE ARCHIVES
The search for computer security
Morrisett says safety these days is (unfortunately) a matter of trust
By Alvin Powell
Harvard News Office
It's a computerized jungle out there, with viruses, worms, Trojan horses, and other electronic predators waiting to wreak havoc on an unprotected computer.
Malicious computer code can steal sensitive information, destroy data, or create a zombie machine under remote control of a malicious hacker. Enormous amounts of time and energy are invested in making computers safer and more secure. An entire industry, in fact, has grown up to provide computer security.
Division of Engineering and Applied Sciences (DEAS) Professor Greg Morrisett is
Morrisett is also working to revolutionize the way new files and software are loaded onto computers. Today, computer users decide daily whether to give new programs access to their computer. Each time they open an e-mail attachment, download a song, or add new software to their machine they are potentially infecting it with a virus - or adding a program with a security flaw in it that will allow infection in the future.
Morrisett wants to stand today's practice on its head. Instead of computer users having to decide whether or not to "trust" a program by opening it or installing it onto their computer, Morrisett wants to shift the burden to the incoming programs and files. He wants them to offer mathematical proofs that they're not flawed or infected or malicious.
Morrisett is saying, in essence, that in today's wild electronic environment, trust is overrated.
One way he's helping clean up the scene is by crafting software tools that help programmers write code that has fewer bugs. Software bugs provide chinks in a program's armor that hackers can exploit. A programming rule of thumb, Morrisett says, is that there's one bug for every 100 to 1,000 lines of code. With computer programs growing more and more complex - the Windows operating system has roughly 50 million lines of code - Morrisett says it's impossible for humans to do the checking unaided.
"We can't rely on humans to find the bugs. We need help. We need automation," Morrisett said.
Morrisett's tools check code for consistency, ensuring that it makes sense from a programming standpoint. He said the tools are analogous to checking that formulas calculating speed are all in the same units - meters per second, for example, not feet per second or miles per hour, which would give a dramatically different result.
But Morrisett says that however successful he is in designing programs to find and fix bugs, hackers can use the same tools to find those bugs and exploit them. Against a backdrop of rapidly multiplying computer languages being developed for specific kinds of computer uses, the security picture is becoming so complex that it makes sense to shift the onus of "trust" to the incoming program.
"What we're aiming for is a day when you don't have to 'trust' a code, where you can state your guidelines [for acceptable code] and the builder would have to give you a proof that you can check," Morrisett said.
The issue of trust and computer security leads beyond the bounds of DEAS, however, to larger questions of government policy, regulation of the Internet, ethical issues around pornography, and a host of other areas where the growing interaction of technology and society are posing new questions.
Morrisett said he'd like to help answer those questions and being at Harvard has put him in a position to do so. Harvard's strengths in multiple areas make it a unique place where these interdisciplinary questions can be explored.
"The next round of questions will be ethical, legal, and social," Morrisett said. "I am frustrated when I see policy-makers making decisions when they don't understand the limits of technology. We have to understand that technology gets you to a certain place, and the remaining questions are harder."
Morrisett came to Harvard in January from Cornell University, where he was first assistant and then associate professor of computer science. He received a bachelor's degree in 1989 from the University of Richmond, and master's and doctorate degrees from Carnegie Mellon University.
Dean of the Division of Engineering and Applied Sciences and Dean of Physical Sciences Venkatesh Narayanamurti, himself a Cornell graduate, said Morrisett has distinguished himself in programming languages and software engineering - a field that is undergoing a resurgence as computer systems evolve.
"He comes to us from Cornell where his scholarship, teaching, and service were all highly touted," Narayanamurti said. "He has been a marvelous addition to the faculty and has fit seamlessly into the division's collaborative culture."
Assistant professor rides whirlwind from Afghanistan to Harvard Square
Clark's model could become the basis of a future cycleplane