Critical cyber systems must inspire trust and confidence, protect the privacy and integrity of data resources, and perform reliably. Therefore, a more scientific basis for the design and analysis of trusted systems is needed. In this proposal, we aim to progress the Science of Security. The Science of Security entails the development of a body of knowledge containing laws, axioms and provable theories relating to some aspect of system security. Security science should give us an understanding of the limits of what is possible in some security domain, by providing objective and quantifiable descriptions of security properties and behaviors. The notions embodied in security science should have broad applicability - transcending specific systems, attacks, and defensive mechanisms. A major goal is the creation of a unified body of knowledge that can serve as the basis of a trust engineering discipline, curriculum, and rigorous design methodologies. As such, we provide eight hard problems in the science of security. We also present representative projects which we feel will make progress in the discipline of the science of security.

This program will establish a national Secure Open Systems Institute (SOSI), located on North Carolina State's premier Centennial Campus that will be a global center for Open Systems security research and development.

Privacy is increasingly a major concern that prevents the exploitation of the Internet?s full potential. Consumers are concerned about the trustworthiness of the websites to which they entrust their sensitive information. Although significant industry efforts are seeking to better protect sensitive information online, existing solutions are still fragmented and far from satisfactory. Specifically, existing languages for specifying privacy policies lack a formal and unambiguous semantics, are limited in expressive power and lack enforcement as well as auditing support. Moreover, existing privacy management tools aimed at increasing end-users? control over their privacy are limited in capability or difficult to use. This project seeks to provide a comprehensive framework for protecting online privacy, covering the entire privacy policy life cycle. This cycle includes enterprise policy creation, enforcement, analysis and auditing, as well as end user agent presentation and privacy policy processing. The project integrates privacy-relevant human, legal and economic perspectives in the proposed framework. This project will develop an expressive, semantics-based formal language for specifying privacy policies, an access control and auditing language for enforcing privacy policies in applications, as well as theory and tools for verifying privacy policies. Additionally, experiments and surveys will be conducted to better understand the axes of users? privacy concerns and protection objectives. Results from this empirical work will be used to develop an effective paradigm for specifying privacy preferences and methods to present privacy policies to end users in an accurate and accessible way.