A publication of the Foresight Institute
Research agencies in Japan are taking steps to develop
nanotechnology, which "seems destined to become Japan's next
priority target for industrial research," according to the
international scientific journal Nature (February
7). Japan's Science and Technology Agency--a competitor to the
Ministry of International Trade and Industry (MITI)--is moving
Already STA has funded several relevant projects through its innovative Exploratory Research for Advanced Technology (ERATO) program, as described in earlier issues of Update. Now the focus is sharpening: Nature reports that in February STA sponsored "an unusual little gathering of biologists, physicists, and chemists in Kyoto to discuss atomic-level design of functional structures." While a similar meeting was held in the U.S. over a year earlier--the First Foresight Conference on Nanotechnology at Stanford University in October 1989--its orientation was primarily academic, and it had no government backing.
MITI seems to be concentrating on making smaller electronics, such as quantum dot and quantum wire devices, as part of a $40 million project within its "basic technologies for future industries" (Jiseidai) program. MITI may still be focusing on the top-down approach to miniaturization, using improved semiconductor techniques, rather than the bottom-up approach STA seems to be favoring, which aims for positional control of chemical reactions. If so, a most interesting race could develop, in which Foresight's bet is on the bottom-up approach as the only way to gain flexible control at the molecular level.
Meanwhile the U.S. government has begun its first tentative steps toward an examination of the potential of nanotechnology and molecular manufacturing. The Congressional Office of Technology Assessment (OTA) now has a staff member conducting a study of the future of miniaturization. While primarily focused on microelectronics and micromachines, the project has been expanded to include some consideration of molecular approaches. As part of the study, a workshop was held at OTA on February 19; of fifteen invited participants, two represented the molecular perspective: Eric Drexler of the Foresight Institute and Richard Potember of Johns Hopkins University.
The OTA study is a first step in the long process of consensus building that may be needed before a significant amount of U.S. federal research funds is earmarked for work toward nanotechnology. Enabling science and technology work is being done already in academic, industry, and government labs, but without the clear, long-range goals seen in Japan.
Computers are increasingly important in our daily lives: more
and more products and activities throughout society depend on
computers working as programmed. A major question arises: how
reliable is the software running on these computers, and how much
can its reliability be improved? Is it possible to protect
computer operations from outside tampering, or is it all
intrinsically vulnerable to attack by software 'viruses,' which
copy themselves from machine to machine?
A paper by William Dowling (note 1) published last fall touched off a flurry of media coverage on this question, in which the answer seemed to be "Sorry--damage by computer viruses can't be prevented, even in theory." Under the headline "Eternal Plague: Computer Viruses," the paper was summarized by the prestigious journal Science: "Short of total isolation, there is no way to protect a computer against all possible viral attacks." (note 2) The popular press gave even stronger interpretations.
In fact, what Dowling showed was more limited and does not rule out the possibility of secure systems. As Science pointed out later in the same article: "What is futile, Dowling's work shows, is to look for a single 'magic bullet' that will eradicate all conceivable computer viruses." This does not warrant pessimism, because there are other approaches to dealing with the problem.
Dowling shows that no single program can correctly identify all viruses unless the operating system is unalterable. (note 2) Operating systems can, of course, be made unalterable. A simple but effective approach would be to store the operating system in read-only memory, which no software can alter. Indeed, one could store not just the operating system but all programs in read-only memory. Such a computer could process incoming data without becoming infected. It could be reprogrammed only by physically swapping memory chips, but it would be secure from viruses entering over data transmission lines.
Programs are available today to search for viruses, but these
programs can only recognize members of some specific set of known
viruses. While Dowling showed that it is not possible to
determine whether all programs are definitely safe or definitely
unsafe, this is not required in the task of accepting only safe
programs. One need only be able to sort into two categories: (1)
definitely safe, and (2) possibly unsafe. A program which could
reject all viruses, while accepting some (or even most) safe
programs, has not been ruled out.
About twenty years ago J. Peter Deutsch sent me a program that would examine another program and accept it or reject it. An accepted program was sure to terminate in a known time and not store outside a pre-specified area of memory. Not all programs that met these restrictions would be accepted. Indeed, accepted programs had to conform to rigid rules, but these rules allowed certain useful programs.
This early work shows the basic point: by being overly strict--rejecting some safe programs as well as the risky ones--we could in principle filter out all risky programs. That this is true is easily seen by taking an extreme example: suppose the filter screened out all risky programs by accepting only those exactly matching a short list of known safe programs. This would be very crude, but effective. Dowling's work shows that even the optimal screening algorithm would still screen out some safe programs, but this may be a small price to pay for a secure system.
Dowling goes on to argue that most real operating systems are
necessarily vulnerable to some virus because they reside in
writable memory. Indeed, most popular personal computers suffer
this weakness today. More fully developed operating systems,
however, use hardware memory protection features that have been
widely available since 1965 (note 3).
Such hardware distinguishes two modes: privileged and user. The hardware limits which memory can be modified while in user mode. A program may change these limits only when in privileged mode (note 4). When the machine is initially turned on, it is in privileged mode, and the first program the machine begins to obey is in a position, with these modes, to protect itself and its data while it allows other, untrusted programs to run in user mode. The machine reverts to privileged mode and resumes obeying the original program upon any of several events called interrupts. Attempts to violate the memory limits cause an interrupt. Exceeding a time limit established in privileged mode likewise causes an interrupt.
Operating systems (or kernels thereof) are designed to run in this manner, as privileged code. An untrusted program can run efficiently under the restraint of the operating system with the nearly undivided attention of the CPU (central processing unit), subject only to the caveat that it is in user mode and the consequent limitations.
With memory limits, the operating system reserves to itself the memory for its code and some more memory in which to remember its agenda. By enforcing time limits, the operating system reserves some time for itself to execute its policies.
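The two mechanisms described above, the "overly strict" static filter of the Deutsch program and the user-mode machine that traps on a memory or time violation, can be shown side by side in a toy form. The following is an added example written for this page; it is not Deutsch's checker, nor code from the article. The six-instruction machine, the writable window `[16, 32)`, the step budget and the four sample programs are all assumptions made here for illustration.

```python
"""Fail-closed program filter plus a user-mode machine with traps.

Added example (not from the article). Instruction set, memory window,
step bound and sample programs are assumptions for illustration.

check() accepts a program only when it can prove by inspection that
(a) every STORE lands inside the agreed window and (b) the program halts
within len(program) steps, which follows if every jump goes forward, so
no instruction can ever execute twice. Anything it cannot prove it
rejects, even when the program is in fact safe.

execute() is the dynamic counterpart: hardware running the program in
user mode, raising a trap (an interrupt back to the supervisor) on an
out-of-window store or when the caller's time limit is exhausted.
"""

LO, HI = 16, 32      # a user program may write only mem[LO:HI]
MEM_SIZE = 64
NREGS = 4

# Instructions are tuples; registers r0..r3 are the integers 0..3.
#   ("LOAD", r, addr)   r = mem[addr]        ("JNZ", r, tgt)  if r != 0: pc = tgt
#   ("STORE", r, addr)  mem[addr] = r        ("JMP", tgt)     pc = tgt
#   ("ADDI", r, k)      r = r + k            ("HALT",)
ARITY = {"LOAD": 3, "STORE": 3, "ADDI": 3, "JNZ": 3, "JMP": 2, "HALT": 1}


class MemoryFault(Exception):
    """Trap: store outside the window the supervisor granted."""


class TimeLimit(Exception):
    """Trap: step budget exhausted without reaching HALT."""


def check(program):
    """Static filter: return (accepted, reason). Reject anything unproven."""
    n = len(program)
    if n == 0 or program[-1] != ("HALT",):
        return False, "must end in HALT"
    for pc, ins in enumerate(program):
        op = ins[0]
        if op not in ARITY or len(ins) != ARITY[op]:
            return False, f"pc={pc}: malformed instruction {ins!r}"
        if op in ("LOAD", "STORE", "ADDI", "JNZ") and not 0 <= ins[1] < NREGS:
            return False, f"pc={pc}: bad register {ins[1]}"
        if op == "STORE" and not LO <= ins[2] < HI:
            return False, f"pc={pc}: store to {ins[2]} outside [{LO}, {HI})"
        if op == "LOAD" and not 0 <= ins[2] < MEM_SIZE:
            return False, f"pc={pc}: load from {ins[2]} outside memory"
        if op in ("JMP", "JNZ") and not pc < ins[-1] < n:
            # Forward jumps only: pc strictly increases, so each instruction
            # runs at most once and the final HALT is reached within n steps.
            return False, f"pc={pc}: jump to {ins[-1]} is not a forward jump"
    return True, f"halts within {n} steps; stores confined to [{LO}, {HI})"


def execute(program, mem=None, step_limit=64):
    """Run in 'user mode': trap on out-of-window stores or on time-out."""
    mem = list(mem) if mem is not None else [0] * MEM_SIZE
    regs = [0] * NREGS
    pc = steps = 0
    while True:
        if steps >= step_limit:
            raise TimeLimit(f"no HALT within {step_limit} steps")
        steps += 1
        ins = program[pc]
        op = ins[0]
        if op == "HALT":
            return mem, regs, steps
        if op == "LOAD":
            regs[ins[1]] = mem[ins[2]]
        elif op == "STORE":
            if not LO <= ins[2] < HI:
                raise MemoryFault(f"pc={pc}: store to {ins[2]}")
            mem[ins[2]] = regs[ins[1]]
        elif op == "ADDI":
            regs[ins[1]] += ins[2]
        elif op == "JNZ" and regs[ins[1]] != 0:
            pc = ins[2]
            continue
        elif op == "JMP":
            pc = ins[1]
            continue
        pc += 1


def run(program, mem=None):
    """The filtered path: only programs check() accepts are ever executed."""
    ok, why = check(program)
    if not ok:
        raise ValueError("rejected: " + why)
    return execute(program, mem, step_limit=len(program))


def trap_of(program, **kw):
    """Name of the trap execute() raises for `program`, or None if it halts."""
    try:
        execute(program, **kw)
    except (MemoryFault, TimeLimit) as trap:
        return type(trap).__name__
    return None


# Constructed sample programs (assumptions for the demonstration).
STRAIGHT = [("LOAD", 0, 0), ("ADDI", 0, 5), ("STORE", 0, 16), ("HALT",)]
BRANCH = [("LOAD", 0, 0), ("JNZ", 0, 3), ("ADDI", 0, 1), ("STORE", 0, 20), ("HALT",)]
# Counts r1 down from 3: it terminates, but the backward JNZ is unprovable here.
SAFE_LOOP = [("ADDI", 1, 3), ("ADDI", 1, -1), ("JNZ", 1, 1), ("HALT",)]
# Overwrites mem[2], outside the window: the kind of thing a virus does.
OUT_OF_WINDOW = [("ADDI", 0, 1), ("STORE", 0, 2), ("HALT",)]

if __name__ == "__main__":
    for name in ("STRAIGHT", "BRANCH", "SAFE_LOOP", "OUT_OF_WINDOW"):
        print(name, check(globals()[name]))
```

`SAFE_LOOP` is the point of the exercise: `execute()` runs it to completion in eight steps, so it is safe, yet `check()` refuses it because a backward jump is not something this filter knows how to bound. That is exactly the trade the article describes, a filter that never admits a risky program at the price of turning away some harmless ones, and the hardware traps in `execute()` are what catches a program that the filter was not consulted about.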
Not all operating systems have used these safety features, and not all systems that did use them have maintained sufficient care to retain control against clever attack. Even if the privileged code remains in control, there are other points of attack by the virus. Nearly all operating systems run programs at the request of a user with all of the authority of the user: the program automatically has as much authority as the person running it. There may be ways for a user to run a program while limiting its reach, but this is seldom convenient or known to casual users. A virus in such a program is thus in a position to modify any program file that the user could modify, and so to propagate itself. Some users seldom run programs in a setting where those programs could modify other program files. But in Unix there are several other kinds of files, such as shell scripts, that are enough like programs to serve as hosts for active viruses.
In most systems a program learns what input it is to process by first learning the name of the file and then asking the operating system to copy data from the file to its memory. The authority it uses to read the file is the same authority the virus uses to infect other files.
A newer type of operating system is the capability system. It
uses the principle behind the old saying "Good fences make
good neighbors": if you don't want an untrusted program
messing up other programs, make sure it doesn't have access to
them. Rather than giving a program the same level of authority as
its user, this system gives it only enough to get its job done.
This detailed, exact allocation can be described as fine-grained
authority: it separates functions with more impenetrable walls
(i.e., fences) than do earlier methods.
When a program is initially set up, the user indicates which tools and inputs it is permitted to access; it then has the required capabilities with respect to these items. It has no ability to modify other material, and so any associated virus is unable to spread.
Currently, very few operating systems use the capability approach. One of them, KeyKOS by Key Logic, is currently being evaluated by the U.S. government for general environments requiring high levels of military security, and has never been cracked.
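The contrast between a program that runs with all of its user's authority and one that holds only the capabilities it was set up with is easy to make concrete. The following is an added example written for this page; it is not code from the article and not KeyKOS code. The toy file store, the file names, the "editor" program and its virus payload are all constructed here. The one thing to watch is that the payload is the same in both models; only what the program can reach differs.

```python
"""Ambient authority versus capabilities: how far a virus can reach.

Added example (not from the article, not KeyKOS). Store, file names,
editor and payload are constructed for illustration. In the ambient
model a program is handed the user's identity and a namespace and names
files itself; in the capability model it is handed unforgeable
references to exactly the files it was set up with, and nothing lets it
turn a name into a file.
"""

MARKER = "\n# infected"


class Store:
    """Toy file system: name -> [owner, content]."""
    def __init__(self):
        self.files = {}

    def create(self, owner, name, content):
        self.files[name] = [owner, content]

    def infected(self):
        return {n for n, (_, c) in self.files.items() if c.endswith(MARKER)}


def make_store():
    s = Store()
    s.create("alice", "letter.txt", "Dear Bob,")
    s.create("alice", "template.txt", "Sincerely, Alice")
    s.create("alice", "notes.txt", "todo: reply to Bob")
    s.create("alice", "run_editor.sh", "#!/bin/sh\neditor letter.txt")  # a script is a host too
    s.create("root", "/bin/editor", "ELF...")                           # not alice's file
    return s


# --- Model 1: ambient authority (the program acts as the user) -------------
class AmbientOS:
    def __init__(self, store, user):
        self.store, self.user = store, user

    def listdir(self):            # the program can enumerate everything
        return list(self.store.files)

    def open(self, name):         # ...and name anything it likes
        return AmbientFile(self, name)


class AmbientFile:
    """Rights come from the user's identity, not from how the file was obtained."""
    def __init__(self, os_, name):
        self.os_, self.name = os_, name

    def read(self):
        return self.os_.store.files[self.name][1]

    def write(self, content):
        owner, _ = self.os_.store.files[self.name]
        if owner != self.os_.user:
            raise PermissionError(self.name)
        self.os_.store.files[self.name][1] = content


# --- Model 2: capabilities (the program acts with what it holds) -----------
class FileCap:
    """Unforgeable reference to one file with fixed rights; no namespace at all."""
    def __init__(self, store, name, rights):
        self._store, self._name, self._rights = store, name, frozenset(rights)

    def read(self):
        if "r" not in self._rights:
            raise PermissionError("no read right")
        return self._store.files[self._name][1]

    def write(self, content):
        if "w" not in self._rights:
            raise PermissionError("no write right")
        self._store.files[self._name][1] = content

    def restrict(self, rights):
        """Hand out a weaker capability than the one held (attenuation)."""
        return FileCap(self._store, self._name, self._rights & frozenset(rights))


# --- The infected program, identical in both models ------------------------
def virus_payload(handles):
    """Append MARKER to everything the host can write; return how many it hit."""
    hit = 0
    for h in handles:
        try:
            h.write(h.read() + MARKER)
            hit += 1
        except PermissionError:
            pass
    return hit


def infected_editor(document, signature, reach):
    """Legitimate job: append the signature to the document. Then the payload
    runs over whatever reach() yields, i.e. everything the program can name."""
    document.write(document.read() + "\n" + signature.read())
    return virus_payload(reach())


def demo_ambient():
    store = make_store()
    os_ = AmbientOS(store, "alice")
    infected_editor(os_.open("letter.txt"), os_.open("template.txt"),
                    reach=lambda: [os_.open(n) for n in os_.listdir()])
    return store.infected()


def demo_capability():
    store = make_store()
    # Setup time: the user grants exactly two capabilities, one read-only.
    doc = FileCap(store, "letter.txt", "rw")
    sig = FileCap(store, "template.txt", "rw").restrict("r")
    # No listdir(), no open(name): reach is precisely what the program holds.
    infected_editor(doc, sig, reach=lambda: [doc, sig])
    return store.infected()


if __name__ == "__main__":
    print("ambient authority, infected:", sorted(demo_ambient()))
    print("capabilities, infected:     ", sorted(demo_capability()))
```

Under ambient authority the payload reaches every file Alice owns, including the shell script, and is stopped only at the root-owned binary. Under capabilities it reaches the one document it was given to edit and nothing else; the signature file survives because the capability handed over for it was attenuated to read-only before the program ever saw it. Note that `FileCap` exposes no way to list or look up files: the absence of that API, not a permission check, is what keeps the payload contained.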
Powerful future technologies, such as nanotechnology, will be
controlled by increasingly complex computational systems. Whether
and how they can be made secure from tampering is of critical
importance. For the reasons above, it appears that security is
possible, with sufficient care. We will need to understand what
is possible in this field if we are to cope successfully with the
problems ahead. Assertions that secure systems are impossible are
false and misleading.
Norman Hardy has been involved both with secure operating systems used in commercial timesharing systems and with computer network security. He cofounded and is a senior scientist at Key Logic, a company that builds secure operating systems.
1. Dowling, William F., "Computer Viruses: Diagonalization and Fixed Points," Notices of the American Mathematical Society, vol. 37 (1990), pp. 858-861.
2. Cipra, Barry, "Eternal Plague: Computer Viruses," Science, Vol. 249, 21 September 1990, p. 1381.
3. The Motorola 68030 and Intel 80386 chips and their successors have memory protection suitable to these ends.
4. Control of I/O is also typically limited to privileged mode.
Links to work on secure operating systems:
First Conference on Computers, Freedom and Privacy,
March 25-28, 1991, Airport SFO Marriott Hotel, Burlingame, CA,
$400. Sponsored by Computer Professionals for Social
Responsibility; cosponsored by IEEE, ACM, Electronic Frontier
Foundation, Cato Institute, ACLU, Autodesk, etc.
Multidisciplinary meeting of up to 600 concerned with electronic
speech, press and assembly; computer-based surveillance by
government, etc. Invitational: contact 415-322-3778; fax
415-851-2814; email email@example.com.
Hypertext Publishing '91, April 2-4, 1991, Pittsburgh Hilton, $450. Sponsored by Texas Instruments and Knowledge Systems. Focuses on stand-alone hypertext publications rather than large open systems. Contact 412-241-2264; fax 412-241-2307.
Molecular Graphics Society Meeting, May 14-17, 1991, University of North Carolina, Chapel Hill, NC. Interactive graphics, presentation graphics, interfaces, networking, novel display techniques; includes vendor exhibition. Contact Molecular Graphics Conference Office, c/o Dr. Frederick P. Brooks, Jr., Dept. of Computer Science, Univ. of NC, Chapel Hill, NC 27599-3175.
Nanostructures and Mesoscopic Systems, May 20-24, 1991, Santa Fe, NM, sponsored by Texas A&M EE and Physics Dept., NSF, DoE, TI. Covers quantum effects and today's top-down fabrication methods. Contact 409-845-2590 or email firstname.lastname@example.org.
Space Development Conference, May 22-27, 1991, Hyatt Regency, San Antonio, TX, sponsored by National Space Society, Southwest Research Institute. Cosponsored by Foresight Institute. Will have a session and workshop on nanotechnology, and a table for Foresight Institute; see elsewhere in this issue for details. Register before May 1 at cosponsor rate of $70: contact Beatrice Moreno, 512-522-2260.
AAAI-91, National Conference on Artificial Intelligence, July 14-19, 1991, Anaheim, California. Sponsored by the American Association for Artificial Intelligence. Contact 415-328-3123; fax 415-321-4457; email NCAI@aaai.org.
STM '91, International Conference on Scanning Tunneling Microscopy, August 12-16, 1991, Interlaken, Switzerland. Contact Ch. Gerber, fax (1) 724 31 70.
Second Foresight Conference on Nanotechnology, Nov. 7-9, 1991. Technical meeting sponsored by Foresight Institute, Stanford Dept. of Materials Science and Engineering, University of Tokyo Research Center for Advanced Science and Technology. See announcement elsewhere in this issue.
Science and Technology at the Nanometer Scale, American Vacuum Society National Symposium, Nov. 11-15, 1991, Seattle, WA. Contact James Murday, Code 6100, NRL, Washington, DC 20375-5000; fax 202-404-7139 (or American Vacuum Society).
Ecotech, Nov. 14-17, Monterey Conference Center, $595. Participating organizations include Apple Computer, CPSR, Econet, Foresight Institute, Global Business Network. Will explore the technologies of ecology and their application. For businesspeople, scientists, environmentalists, public policy makers. Includes a talk and workshop on nanotechnology.
Hypertext '91, Dec. 15-18, San Antonio, TX. All areas of hypertext research. Contact 409-845-0298, fax 409-847-8578, or email email@example.com.
Third Conference on Technology, Entertainment & Design, Feb. 20-23, 1992, Monterey, CA. Confirmed speakers include Stewart Brand, Jaron Lanier, Paul Saffo, John Sculley, Edward Tufte. Great fun, but expensive. Contact 619-259-5110; fax 619-259-1495.
Applied nanotechnology (the mechanical capability to engineer matter at the molecular level) will change every aspect of life as we know it. But all such change will come from specific products, designed and created for particular purposes.
Contributions are solicited for a collection of papers aimed
at the popular science market that describe products and
applications that molecular-scale engineering will make possible.
Describe your vision of a particular nanotechnological device,
how it works, and how it will change our world. This book is
intended for intelligent individuals who may not be familiar with
nanotechnology, but could grasp the concept from a few
Potential contributors are asked to submit an abstract of 300-600 words. Abstracts will be judged as to (1) clarity of presentation, (2) technical accuracy and completeness, (3) scale of potential cultural impact, and (4) wow factor. Keep it real, but make it flashy.
Contributors with the most promising abstracts will be asked to develop papers of 3,000-8,000 words. Artwork is encouraged. The collected papers will be published under the title: Nanotechnology and the Culture of Abundance.
Abstracts and papers will be reviewed by:
While writing abstracts and papers, keep in mind the following
1. Products should be items that people already want. Consider housing, transportation, education, health care, energy, food, the environment, and, perhaps most important, entertainment.
2. Products should incorporate simple and effective safeguards. Products should not appear able to "get loose" or present any environmental dangers. Safety factors should be intrinsic and obvious without undue explanation. Products should be clearly limited to doing only what they are designed to do.
3. Products should be a potential reality within the next 50 years. Include an approximate time of arrival based on your estimate of technology's trajectory. Highlight any particularly noteworthy hurdles that must be overcome or enabling technologies that must be in place.
Abstracts due: 1 May 1991
Notification of acceptance: 6 June 1991
Papers due: 1 August 1991
Send abstracts, including author's name, mailing address (and email address if available), telephone and fax numbers, to BC Crandall, Nanotechnology Project, PO Box 2178, Sausalito, CA 94965 USA (or email: firstname.lastname@example.org).
Nanotechnology: Molecular Speculations on Global Abundance was published by The MIT Press in 1996.
Books are listed in increasing order of specialization and
reading challenge. Your suggestions are welcome. And remember, if
a book's price looks too high, your library should be able to get
it through interlibrary loan. --Editor
Doing Science, ed. John Brockman, Prentice Hall Press, 1991, softcover, $11.95. For the general reader. Includes essays on exploratory engineering by Eric Drexler, on the methods of theoretical physics by Foresight advisor Gerald Feinberg, on artificial life by Kevin Kelly, and on how to tell science from pseudoscience by Richard Morris.
Essence of Creativity: A Guide to Tackling Difficult Problems, by Steven H. Kim, Oxford University Press, 1990, hardcover, $29.95. Prof. Kim of MIT explores methods of addressing and resolving problems that admit of no obvious solution, or for which even the means of attaining a solution are unclear. Includes: the incremental growth of ideas, enhancing the processing phase of creativity, with a special focus on applications in research and product development. For thinkers everywhere.
From Foresight Update 11, originally published 15 March 1991.