Andrew Myers

Security, programming languages, and computer systems

Escaping the Security Circus


Gene Spafford gave an impassioned plea at an NSF meeting a few years ago about getting beyond the “security pageant”. I think it’s gotten worse since then — it’s a full-blown security circus. Research whose aim is to make systems more secure is less and less frequent. More and more we’re seeing attack-oriented work that is about demonstrating security vulnerabilities. Why is this? Well, attacks are easy to validate, unlike defenses. And they get publicity easily because the general public finds them interesting.

But is this really useful? In principle, the attack-oriented research should be providing the impetus to solve the real security problems. But we already know (or should know) that systems are poorly built from the security perspective. Attack-oriented work has become an end in itself, taking up air time from research that is trying to make things better. And researchers respond to the incentives — they’re doing more attack work themselves. They still write funding proposals that talk about defense, but the actual work somehow includes a lot more offensive work.

I fear the security community is succumbing to the “drunk under the streetlamp” phenomenon. We all know the truly meaningful research is on defense, but it’s not under the streetlamp — attack-oriented research is. So that’s where the community is focusing its attention.

How to fix this? I’m not sure, but this might be a case where we need to set quotas for security conference programs. Comparing attack papers and defense papers is really apples-and-oranges. I think that a conference like Oakland should ideally take ~3 attack papers per year — just the very best of the bunch. And certainly not more than 25%. As someone who opposes top-down controls in almost all situations, this is hard for me to say. But something needs to be done.


Author: Andrew Myers

I am a professor of computer science at Cornell University. It is too hard to build trustworthy software systems using conventional systems APIs. I work on higher-level, language-based abstractions for programming that better address important cross-cutting concerns: security, extensibility, persistence, distribution.

5 thoughts on “Escaping the Security Circus”

  1. This circus is everywhere, not just in academia. And it’s spoon-fed to the public. Yikes.

  2. Another possible view is that security is now a pervasive property that any computer system has to provide, so security problems should be solved by researchers that build specific parts of computer systems — be it hardware architecture, infrastructure software, programming languages, networks, storage systems, etc. And the role of the security community is to indeed continue finding interesting weaknesses in the way current systems are designed — cross-layer attacks, bad implicit assumptions or dependencies, etc.

    • This may be unfair, but let me try to paraphrase: “It’s up to everyone else to solve the hard unsolved security problems, and the security community should sit back and take potshots at their attempts.”

  3. Andrew & Mike —

    I share your view of course.

    However, it could be that while you and I and folks like us already know systems
    are poorly built, perhaps the wider public — and that includes even the broader CS
    community — doesn’t yet realize this. As such “attack” papers are a valuable form
    of outreach that help make the case for “defense” work.

    Like the ideas from CLU (cf your recent WiB post) it may take a while — many
    decades of attack papers? — before the need for principled defenses is widely
    appreciated, and so we may just need to be patient…



    • Hi Ranjit, I definitely agree that attack papers can be a valuable form of outreach and a motivation for more defense papers. But these days I think the tail is starting to wag the dog. The reward/cost ratio for attack papers is such that the intellectual energy is getting sucked out of defenses and into attacks.

      And these attack papers can also make things worse in another way — they may give real attackers new ideas!