Software Assurance and Security: Critical Challenges in Systems Research

Jay Lepreau

University of Utah

Large software systems, and operating systems in particular, are notorious for presenting nearly intractable and very expensive assurance problems. "Routine" maintenance and testing costs far outweigh the already costly construction of the original system and the cost of adding new functionality. Unfortunately, the mainstream systems research community has largely ignored the "grand challenge" problem of software assurance, concentrating instead on the more easily quantified and easily achieved areas of adding function and improving performance. *Security* is one system attribute that is crucially dependent on correct software design and implementation, and can serve as both motivator and metric for major advances in software assurance.

I believe that researchers outside the traditional software engineering and security communities must become involved in order for significant progress to be made in software assurance. In particular, researchers of *both* a pragmatic and abstract bent must work closely together, from the areas of programming languages, compilers, and formal methods. Only through teams composed of both domain experts (those doing practical operating systems and security R&D) and supporting area experts (languages, compilers, formal methods) is there a chance for major advances. Major advances will benefit not only OS security, and not only operating systems themselves, but every domain which requires large and complex software systems, in particular applications.

Gradual but important improvements in assurance and security will also result from core systems researchers becoming emotionally and intellectually invested in the issue of assurance, without necessarily researching it per se. For example, we OS hackers need to internalize the need for simplicity. We need to adopt simplicity as a metric on which papers are routinely judged, just as performance is always considered today. We need to find ways to quantify something other than performance. While still maintaining rigorous evaluation, we need to broaden our evaluation criteria for systems research, so that performance is not so often the sole criterion.
