ABSTRACT
Cybernetic closed-loop regulators are used to model socio-technical systems in adversarial contexts. Cybernetic principles regarding these idealized control loops are applied to show how the incompleteness of system models enables system exploitation. We consider abstractions as a case study of model incompleteness, and we characterize the ways that attackers and defenders interact in such a formalism. We end by arguing that the science of security is most like a military science, whose foundations are analytical and generative rather than normative.
- Security is about control: insights from cybernetics