The knack of the hack

Australia’s hottest cyber hackers come from one UNSW lab, led by a professor on a mission to fight global cybercrime.

buckland.png

Professor Richard Buckland with his budding hackers. Photo: UNSW Engineering

In 2012, the Prime Minister’s Office – together with Cisco, Microsoft and Facebook – established an annual hacking competition to find the next generation of cyber security talent. Student teams from across Australia compete in the 24-hour hackathon. And each year Professor Richard Buckland’s students blow away the competition – taking out first, second and third place.

“Every year, we blitz it,” says Buckland, head of the Security Engineering Lab and a professor of cyber security at UNSW’s School of Computer Science and Engineering. “So I think we’re doing something right.”

What Buckland does is organise courses that teach cyber security through a series of hands-on exercises, using cloak-and-dagger collaborative games that ignite his students’ enthusiasm. This approach flips the standard teaching model so that students are taught offence as a way to develop defence; and, in the process, come to understand the mindset of the hacker.

“In addition, we partner with experts to bring in real-world scenarios to the classroom,” Buckland says. Sometimes, these are industry gurus in banking and telecommunications. Sometimes they are [just plain] hackers.

“I can give the students an overview and tell them the theoretical aspects, but then we have cyber community leaders show them how to actually do it,” he says. “The role of teachers is to lift our students up above us.”

The program’s alumni have brought this collaborative ethos into the corporate world. “I’ve seen the emergence of a community of security professionals who work together, not just for the interests of their own company, but for security in general,” says Buckland.

There is a huge supply and demand problem for cyber security professionals. A recent report by US-based market research company Cybersecurity Ventures estimates cyber crime cost companies US$4 trillion in 2015, and is set to rise to US$8 trillion annually by 2021.

It’s a criminal epidemic that can only be fought by cyber security experts, a profession now growing at a rate of 18% annually, according to the US Bureau of Labor Statistics.

“Now that cybersecurity experts need to be mass produced, the burden is falling to universities.”

Cisco estimates there are more than a million unfilled security jobs worldwide.  “In the early days, companies just repurposed rebels and old-style malcontent hackers, dressing them in suits and paying them lots of money,” says Buckland. “That was a really great solution – until the pool ran dry.”

Now that cyber security experts need to be mass produced, the burden is falling to universities. “But no one really knows how to do it – there isn’t yet expertise on training up the rebels and breakers you want.” 

To quench demand, Buckland is developing a series of massive open online courses (MOOCs) as part of a partnership with the Commonwealth Bank of Australia to expand UNSW’s cyber security teaching resources and curriculum.

Already, almost 20,000 budding cyber defenders have signed up to the introductory course, 60% of them from Australia, ranging from information technology professionals wanting to brush up on the latest technical know-how to schoolchildren – even miners and taxi drivers who want to re-skill.

Perhaps most crucial are the many teachers and lecturers taking the course. “For university academics who have been brought up in a traditional non-hacker way, cyber is a little bit scary to teach,” he says. “Academics can borrow our lecture notes and course materials, or just be influenced to become believers in the way we teach cyber.”

Buckland is not just focusing on young adults and professionals. He also goes into primary schools to teach kids the mindset of a hacker and how to protect against cybercrime. “I’m trying to get the kids to scam each other in a controlled way because then they get to understand how scams work and how to be defensive against them.”

A version of these stories first appeared in Ingenuity, the research magazine of the Faculty of Engineering.

gernolt_hesler.png

Professor Gernot Heiser

CODE ALERT

We trust computer systems every day – but trusted systems are rarely entirely trustworthy. Laptops can crash, servers can freeze, and personal details can be stolen. Even pacemakers can be hacked.

“The complexity of the systems we’re building has grown much faster than our ability to deal with it,” says Gernot Heiser, a professor of operating systems at UNSW and chief research scientist at Australia’s digital research network, Data61, a division of CSIRO. 

“The result is an appalling lack of dependability. As tasks like controlling medical devices, mobile phones, industrial plants and aeroplanes become more technology-dependent, trust should not be taken for granted.” 

Is it even possible to write truly trustworthy code? Heiser thinks so – which is why he has spent the past decade developing secure microkernels, the core on which dependable operating systems can be built. By itself, a microkernel does not provide useful services, but contains the core mechanisms on which to build them.

Working with UNSW colleagues Gerwin Klein and Kevin Elphinstone, Heiser sparked excitement among experts when the team proved that all 7,500 lines of C code in his seL4 microkernel were mathematically correct. This may not sound like much, but this is incredibly difficult to achieve.

“It is hard to comment on this achievement without resorting to clichés,” quips Lawrence Paulson, a noted leader in theorem proving and a professor of computational logic at the University of Cambridge. 

June Andronick, a principal research scientist at Data61, who specialises in the verifiability of software systems, adds: “What Heiser and his team have done, is to strengthen the guarantees that can be provided about software by orders of magnitude, while maintaining very good performance for real-world use.”

A big test of Heiser’s seL4 microkernel came in 2015, when the US Defense Advanced Research Projects Agency gave hackers unfettered access to the onboard computer of an autonomous Boeing AH-6 helicopter gunship. 

Their task was to hijack the microkernel and take control. While hackers easily commandeered the helicopter when it hosted other software, they could not crack the on-board computer when it ran on Heiser’s microkernel.

The development cost of the seL4 microkernel was about three times that of comparable unverified, vulnerable software. But Heiser thinks he can make the software affordable for everyone. “If we manage to eliminate this factor-three cost gap to standard software, we’re totally changing the world of software systems.”

Ben Skuse