Securing the Next Generation of Computers
by Doug Hulette
For Amit Levy, it’s the little things in life that count.
photo by David Kelly Crow
Levy, who joined the CS department in 2018 as an assistant professor after earning his doctorate from Stanford, is interested in distributed systems, operating systems, security, privacy, and programming languages, but his current goal is to improve the security and reliability of the small electronic devices that we’re carrying around these days as the Internet of Things explodes into all aspects of everyday life.
Think sport watches, fitness trackers and other forms of wearable and portable technology that rely on low-memory microcontrollers powered by small batteries. Levy’s project, the Tock operating system, opens the door for such IoT devices to support apps developed by third parties—as PC operating systems do—without compromising the integrity and trustworthiness of the device.
Levy considers it a problem that demands a solution now. “This class of computer is likely to become ubiquitous and, as a result, will have access to increasingly sensitive parts of our lives,” he says. “From implanted medical devices that keep us alive to sensors in urban environments, the ubiquity of these computers is a double-edged sword: If misused, they can harm us as much as they can help.
“In addition, they are a great platform for experimenting with completely new operating systems, since there isn't as much of a need to be backward compatible. There just aren't really legacy applications that we need to support. This means that we can learn how well completely novel system designs work in the real world, whereas that is much more difficult for more entrenched computer systems such as laptops, phones, and servers.”
Born and raised on the West Coast (he earned his bachelor’s and master’s degrees from the University of Washington), Levy did his PhD at Stanford on “A secure operating system for the Internet of Things.” When he visited campus in April 2018, he says, the lure of Princeton was strong.
“And the East Coast is great, too,” says Levy, who commutes from New York City. “It doesn't have my beloved Cascade mountains, but it does have trains, and you can’t really get both (maybe in Switzerland).”
Professor Michael Freedman, who was Levy’s host for his April visit, says the new assistant professor “brings a unique and much-needed focus on operating systems, security, and embedded devices to the department. Computing devices are increasingly all around us and embedded in everything, and Amit tackles some of the most critical problems to make sure that this computerized future is safe and secure. But rather than just paper designs, he builds both real systems and vibrant developer communities, and pushes his conceptual ideas into real, practical use.”
Levy discussed some of his interests in an email Q&A:
It seems that many consumers put up with the shortcomings of their IoT devices, albeit grudgingly. It’s an imperfect world, right? What’s wrong with the current generation of devices?
The biggest problem is that they are mostly siloed. If you have devices from different vendors, they probably can’t talk to each other. Developers with ideas for how to improve existing devices can’t distribute applications for them. If a vendor goes out of business, devices may never be updated and become e-waste at best, or, worse, become buggy and compromised. There have been technical barriers to building systems that allow for extensibility. Tock is a step in that direction.
How does the Tock OS work?
The hypothesis Tock has is that device vendors won’t (and shouldn’t) let end users install applications on IoT devices because it's too hard to secure the system from third-party applications. To address that problem, Tock does two things. First, it isolates applications from each other and from the system, so that third-party applications can access only the resources the system allows them to. But it turns out that’s not enough. If the system itself is buggy, even an application that’s isolated can wreak havoc (that's what happens when your computer crashes, or is hacked). So Tock also provides a mechanism to make the system's correctness easier to reason about, so vendors can be more confident that their system will work as they intended regardless of which applications run on it.
On your website you describe yourself as interested in “good will towards people.” What do you mean, and how does it figure in your work and your life?
Isn’t everybody interested in that? At the end of the day, I don’t think that better operating system abstractions, or higher performance distributed systems, are inherently important problems. They’re only important if they somehow help people do something good. So, in a way, it's a maxim that drives all of my work, often more than the specific technical areas in that list.
It's also a reference to “Sneakers,” an early 90s caper about a group of white-hat hackers who get their hands on a device that can decrypt U.S. government network traffic. When negotiating the return of the device to the National Security Agency, David Strathairn’s character says all he wants is “peace on earth and good will toward men.” To which the NSA agent responds, “We're the United States Government! We don’t do that sort of thing.”