Foresight Update 11
A publication of the Foresight Institute
US Begins Assessment
by Chris Peterson
Research agencies in Japan are taking steps to develop
nanotechnology, which "seems destined to become Japan's next
priority target for industrial research," according to the
international scientific journal Nature (February
7). Japan's Science and Technology Agency--a competitor to the
Ministry of International Trade and Industry (MITI)--is moving
Already STA has funded several relevant projects through its
innovative Exploratory Research for Advanced Technology (ERATO)
program, as described in earlier
issues of Update. Now the focus is sharpening: Nature
reports that in February STA sponsored "an unusual little
gathering of biologists, physicists, and chemists in Kyoto to
discuss atomic-level design of functional structures." While
a similar meeting was held in the U.S. over a year earlier--the First Foresight
Conference on Nanotechnology at Stanford University in
October 1989--its orientation was primarily academic, and it had
no government backing.
MITI seems to be concentrating on making smaller electronics,
such as quantum dot and quantum wire devices, as part of a $40
million project within its "basic technologies for future
industries" (Jiseidai) program. MITI may still be focusing
on the top-down approach to miniaturization, using improved
semiconductor techniques, rather than the bottom-up approach STA
seems to be favoring, which aims for positional control of
chemical reactions. If so, a most interesting race could develop,
in which Foresight's bet is on the bottom-up approach as the only
way to gain flexible control at the molecular level.
Meanwhile the U.S. government has begun its first tentative steps
toward an examination of the potential of nanotechnology and
molecular manufacturing. The Congressional Office of Technology
Assessment (OTA) now has a staff member conducting a study of the
future of miniaturization. While primarily focused on
microelectronics and micromachines, the project has been expanded
to include some consideration of molecular approaches. As part of
the study, a workshop was held at OTA on February 19; of fifteen
invited participants, two represented the molecular perspective:
Eric Drexler of the Foresight Institute and Richard Potember of
Johns Hopkins University.
The OTA study is a first step in the long process of consensus
building that may be needed before a significant amount of U.S.
federal research funds is earmarked for work toward
nanotechnology. Enabling science and technology work is being
done already in academic, industry, and government labs, but
without the clear, long-range goals seen in Japan.
Computers are increasingly important in our daily lives: more
and more products and activities throughout society depend on
computers working as programmed. A major question arises: how
reliable is the software running on these computers, and how much
can its reliability be improved? Is it possible to protect
computer operations from outside tampering, or is it all
intrinsically vulnerable to attack by software 'viruses,' which
copy themselves from machine to machine?
A paper by William Dowling (note 1) published last
fall touched off a flurry of media coverage on this question, in
which the answer seemed to be "Sorry--damage by computer
viruses can't be prevented, even in theory." Under the
headline "Eternal Plague: Computer Viruses," the paper
was summarized by the prestigious journal Science:
"Short of total isolation, there is no way to protect a
computer against all possible viral attacks." (note 2) The popular press
gave even stronger interpretations.
In fact, what Dowling showed was more limited and does not rule
out the possibility of secure systems. As Science
pointed out later in the same article: "What is futile,
Dowling's work shows, is to look for a single 'magic bullet' that
will eradicate all conceivable computer viruses." This does
not warrant pessimism, because there are other approaches to
dealing with the problem.
Stupid, Brute-Force Methods
Dowling shows that no single program can correctly identify
all viruses unless the operating system is unalterable. (note 2) Operating systems
can, of course, be made unalterable. A simple but effective
approach would be to store the operating system in read-only
memory, which no software can alter. Indeed, one could store not
just the operating system but all programs in read-only memory.
Such a computer could process incoming data without becoming
infected. It could be reprogrammed only by physically swapping
memory chips, but it would be secure from viruses entering over
data transmission lines.
Filtering Out Risk
Programs are available today to search for viruses, but these
programs can only recognize members of some specific set of known
viruses. While Dowling showed that it is not possible to
determine whether all programs are definitely safe or definitely
unsafe, this is not required in the task of accepting only safe
programs. One need only be able to sort into two categories: (1)
definitely safe, and (2) possibly unsafe. A program which could
reject all viruses, while accepting some (or even most) safe
programs, has not been ruled out.
About twenty years ago J. Peter Deutsch sent me a program that
would examine another program and accept it or reject it. An
accepted program was sure to terminate in a known time and not
store outside a pre-specified area of memory. Not all programs
that met these restrictions would be accepted. Indeed, accepted
programs had to conform to rigid rules, but these rules allowed
certain useful programs.
This early work shows the basic point: by being overly
strict--rejecting some safe programs as well as the risky
ones--we could in principle filter out all risky programs. That
this is true is easily seen by taking an extreme example: suppose
the filter screened out all risky programs by accepting only
those exactly matching a short list of known safe programs. This
would be very crude, but effective. Dowling's work shows that
even the optimal screening algorithm would still screen out some
safe programs, but this may be a small price to pay for a secure
Dowling goes on to argue that most real operating systems are
necessarily vulnerable to some virus because they reside in
writable memory. Indeed, most popular personal computers suffer
this weakness today. More fully developed operating systems,
however, use hardware memory protection features that have been
widely available since 1965 (note 3).
Such hardware distinguishes two modes: privileged and user. The
hardware limits which memory can be modified while in user mode.
A program may change these limits only when in privileged mode (note 4). When the machine
is initially turned on, it is in privileged mode, and the first
program the machine begins to obey is in a position, with these
modes, to protect itself and its data while it allows other,
untrusted programs to run in user mode. The machine reverts to
privileged mode and resumes obeying the original program upon any
of several events called interrupts. Attempts to violate the
memory limits cause an interrupt. Exceeding a time limit
established in privileged mode likewise causes an interrupt.
Operating systems (or kernels thereof) are designed to run in
this manner, as privileged code. An untrusted program can run
efficiently under the restraint of the operating system with the
nearly undivided attention of the CPU (central processing unit),
subject only to the caveat that it is in user mode and the
With memory limits, the operating system reserves to itself the
memory for its code and some more memory in which to remember its
agenda. By enforcing time limits, the operating system reserves
some time for itself to execute its policies.
Not all operating systems have used these safety features, and
not all systems that did use them have maintained sufficient care
to retain control against clever attack. Even if the privileged
code remains in control, there are other points of attack by the
virus. Nearly all operating systems run programs at the request
of a user with all of the authority of the user: the program
automatically has as much authority as the person running it.
There may be ways for a user to run a program while limiting its
reach, but this is seldom convenient or known to casual users. A
virus in such a program is thus in a position to modify the
program in any file that the user could modify, thus propagating
itself. Some users seldom run programs where they can modify such
files. But in Unix there are several other kinds of files, such
as shell scripts, that are enough like programs to serve as hosts
for active viruses.
In most systems a program learns what input it is to process by
first learning the name of the file and then asking the operating
system to copy data from the file to its memory. The authority it
uses to read the file is the same authority the virus uses to
infect other files.
A Better Approach
A newer type of operating system is the capability system. It
uses the principle behind the old saying "Good fences make
good neighbors": if you don't want an untrusted program
messing up other programs, make sure it doesn't have access to
them. Rather than giving a program the same level of authority as
its user, this system gives it only enough to get its job done.
This detailed, exact allocation can be described as fine grain
authority: it separates functions with more impenetrable walls
(i.e., fences) than do earlier methods.
When a program is initially set up, the user indicates which
tools and inputs it is permitted to access; it then has the
required capabilities with respect to these items. It has no
ability to modify other material, and so any associated virus is
unable to spread.
Currently, very few operating systems use the capability
approach. One of them, KeyKOS by Key Logic,
is currently being evaluated by the U.S. government for general
environments requiring high levels of military security, and has
never been cracked.
Why Security Matters
Powerful future technologies, such as nanotechnology, will be
controlled by increasingly complex computational systems. Whether
and how they can be made secure from tampering is of critical
importance. For the reasons above, it appears that security is
possible, with sufficient care. We will need to understand what
is possible in this field if we are to cope successfully with the
problems ahead. Assertions that secure systems are impossible are
false and misleading.
Norman Hardy has been involved both with secure operating
systems used in commercial timesharing systems and with computer
network security. He cofounded and is a senior scientist at Key
Logic, a company that builds secure operating systems.
1. Dowling, William F., "Computer Viruses:
Diagonalization and Fixed Points," Notices of the
American Mathematical Society, 37.858, pp. 858-861.
2. Cipra, Barry, "Eternal Plague:
Computer Viruses," Science, Vol. 249,
21 September 1990, p. 1381.
3. The Motorola 68030 and Intel 80386
chips and their successors have memory protection suitable to
4. Control of I/O is also typically
limited to privileged mode.
Links to work on secure operating systems:
First Conference on Computers, Freedom and Privacy,
March 25-28, 1991, Airport SFO Marriott Hotel, Burlingame, CA,
$400. Sponsored by Computer Professionals for Social
Responsibility; cosponsored by IEEE, ACM, Electronic Frontier
Foundation, Cato Institute, ACLU, Autodesk, etc.
Multidisciplinary meeting of up to 600 concerned with electronic
speech, press and assembly; computer-based surveillance by
government, etc. Invitational: contact 415-322-3778; fax
415-851-2814; email firstname.lastname@example.org.
Hypertext Publishing '91, April 2-4, 1991, Pittsburgh
Hilton, $450. Sponsored by Texas Instruments and Knowledge
Systems. Focuses on stand-alone hypertext publications rather
than large open systems. Contact 412-241-2264; fax 412-241-2307.
Molecular Graphics Society Meeting, May 14-17,
1991, University of North Carolina, Chapel Hill, NC. Interactive
graphics, presentation graphics, interfaces networking, novel
display techniques; includes vendor exhibition. Contact Molecular
Graphics Conference Office, c/o Dr. Frederick P. Brooks, Jr.,
Dept. of Computer Science, University of Computer Science, Univ.
of NC, Chapel Hill, NC 27599-3175.
Nanostructures and Mesoscopic Systems, May
20-24, 1991, Sante Fe, NM, sponsored by Texas A&M EE and
Physics Dept., NSF, DoE, TI. Covers quantum effects and today's
top-down fabrication methods. Contact 409-845-2590 or email
Space Development Conference, May 22-27, 1991,
Hyatt Regency, San Antonio, TX, sponsored by National Space
Society, Southwest Research Institute. Cosponsored by Foresight
Institute. Will have a session and workshop on nanotechnology,
and a table for Foresight Institute; see elsewhere in this issue
for details. Register before May 1 at cosponsor rate of $70:
contact Beatrice Moreno, 512-522-2260.
AAAI-91, National Conference on Artificial Intelligence,
July 14-19, 1991, Anaheim, California. Sponsored by the American
Association for Artificial Intelligence. Contact 415-328-3123;
fax 415-321-4457; email NCAI@aaai.org.
STM '91, International Conference on Scanning Tunneling
Microscopy, August 12-16, 1991, Interlaken, Switzerland.
Contact Ch. Gerber, fax (1) 724 31 70.
Second Foresight Conference on Nanotechnology,
Nov. 7-9, 1991. Technical meeting sponsored by Foresight
Institute, Stanford Dept. of Materials Science and Engineering,
University of Tokyo Research Center for Advanced Science and
Technology. See announcement elsewhere in this issue.
Science and Technology at the Nanometer Scale, American
Vacuum Society National Symposium, Nov. 11-15, 1991,
Seattle, WA. Contact James Murday, Code 6100, NRL, Washington, DC
20375-5000; fax 202-404-7139 (or American Vacuum Society).
Ecotech, Nov. 14-17, Monterey Conference Center,
$595. Participating organizations include Apple Computer, CPSR,
Econet, Foresight Institute, Global Business Network. Will
explore the technologies of ecology and their application. For
businesspeople, scientists, environmentalists, public policy
makers. Includes a talk and workshop on nanotechnology.
Hypertext '91, Dec. 15-18, San Antonio, TX. All
areas of hypertext research. Contact 409-845-0298, fax
409-847-8578, or email email@example.com.
Third Conference on Technology, Entertainment &
Design, Feb. 20-23, 1992, Monterey, CA. Confirmed
speakers include Stewart Brand, Jaron Lanier, Paul Saffo, John
Sculley, Edward Tufte. Great fun, but expensive. Contact
619-259-5110; fax 619-259-1495.
and the Culture of Abundance
by BC Crandall
Applied nanotechnology (the mechanical capability to engineer
matter at the molecular level) will change every aspect of life
as we know it. But all such change will come from specific
products, designed and created for particular purposes.
Call for Papers
Contributions are solicited for a collection of papers aimed
at the popular science market that describe products and
applications that molecular-scale engineering will make possible.
Describe your vision of a particular nanotechnological device,
how it works, and how it will change our world. This book is
intended for intelligent individuals who may not be familiar with
nanotechnology, but could grasp the concept from a few
Potential contributors are asked to submit an abstract of 300-600
words. Abstracts will be judged as to (1) clarity of
presentation, (2) technical accuracy and completeness, (3) scale
of potential cultural impact, and (4) wow factor. Keep it real,
but make it flashy.
Contributors with the most promising abstracts will be asked to
develop papers of 3,000-8,000 words. Artwork is encouraged. The
collected papers will be published under the title: Nanotechnology
and the Culture of Abundance.
Abstracts and papers will be reviewed by:
- Eric Drexler, Foresight Institute
- David Forrest, MIT
- Ted Kaehler, Apple Computer
- Ralph Merkle, Xerox PARC
- Jeffrey Soreff, IBM.
While writing abstracts and papers, keep in mind the following
1. Products should be items that people already want. Consider
housing, transportation, education, health care, energy, food,
the environment, and, perhaps most important, entertainment.
2. Products should incorporate simple and effective safeguards.
Products should not appear able to "get loose" or
present any environmental dangers. Safety factors should be
intrinsic and obvious without undue explanation. Products should
be clearly limited to doing only what they are designed to do.
3. Products should be a potential reality within the next 50
years. Include an approximate time of arrival based on your
estimate of technology's trajectory. Highlight any particularly
noteworthy hurdles that must be overcome or enabling technologies
that must be in place.
Abstracts due: 1 May 1991
Notification of acceptance: 6 June 1991
Papers due: 1 August 1991
Send abstracts, including author's name, mailing address (and
email address if available), telephone and fax numbers, to BC
Crandall, Nanotechnology Project, PO Box 2178, Sausalito, CA
94965 USA (or email: firstname.lastname@example.org).
Molecular Speculations on Global Abundance was
published by The MIT Press in 1996.
Books are listed in increasing order of specialization and
reading challenge. Your suggestions are welcome. And remember, if
a book's price looks too high, your library should be able to get
it through interdepartmental loan. --Editor
Doing Science, ed. John Brockman, Prentice Hall
Press, 1991, softcover, $11.95. For the general reader. Includes
essays on exploratory engineering by Eric Drexler, on the methods
of theoretical physics by Foresight advisor Gerald Feinberg, on
artificial life by Kevin Kelly, and on how to tell science from
pseudoscience by Richard Morris.
Essence of Creativity: A Guide to Tackling Difficult
Problems, by Steven H. Kim, Oxford University Press,
1990, hardcover, $29.95. Prof. Kim of MIT explores methods of
addressing and resolving problems that admit of no obvious
solution, or for which even the means of attaining a solution are
unclear. Includes: the incremental growth of ideas, enhancing the
processing phase of creativity, with a special focus on
applications in research and product development. For thinkers
From Foresight Update 11, originally published 15