April 1, 2020 | Written by: IBM Research Editorial Staff
This is our fifth and final blog post in a series for Women’s History Month 2020 focused on women innovating the future of IBM Research. Previously, we’ve met women developing AI, quantum, cloud computing, and next generation systems. They’re developing technologies that promise to transform entire industries, from medicine to mobility, and solve our thorniest problems. And yet the tremendous power of digital technology also introduces risk. If it’s hacked, or falls into the wrong hands, it can be used against us. That’s why security research is indispensable. And the four women we meet here represent every aspect of it, from blockchain and open source defense to erecting cloud-based fortifications around digital crown jewels.
A matter of trust
Elaine Palmer, Senior Technical Staff Member, Cloud and Systems Security, IBM Research
As computers and cloud networks have grown more complex, so have the challenges of establishing trust between systems trying to communicate. That is where Elaine Palmer and her team in IBM Cloud and Systems Security Research come in. They are working on ways to secure the multiple layers of boot processes that computers initiate when they are started or restarted, and to ensure subsystems trying to connect to a server’s main processor are up-to-date with their security patches.
“The concern is, are those subsystems—system management or network controllers, for example—vulnerable to cyberattacks?” says Palmer, a Senior Technical Staff Member and a member of the IBM Academy of Technology. “And what damage could malicious hackers do if they could remotely control them?”
Just like the servers they run in, subsystems need strong security features too, such as secure boot, designed to protect a system against malicious code being loaded and executed early in the startup process. Graphics Processing Units (GPUs), for example, with access to a system’s main memory are particularly attractive targets, and researchers have already hijacked them to run malware and steal keystrokes.
Palmer’s research focuses on creating a smart system that can make decisions related to trust. “If your power controller is supposed to be running the latest version of firmware, then how do you know what version it’s actually running? If you ask it, can you really believe the answer? Remember, malware can lie,” Palmer says. IBM addresses this challenge, in part, through devices which require a hardware root of trust and something called attestation. “If the malware lies, the hardware will tattle on it, and it will be detected.”
Palmer grew up in New Orleans and attended an all-girls prep school. “This was the 1970s and, at the time, girls were thinking about careers in physical therapy or nursing,” Palmer recalls. “I would scratch my head and wonder, why don’t they go to medical school?” Palmer chose computer science and received her bachelor’s degree in 1977 from Louisiana State University and Agricultural and Mechanical College (commonly known as LSU).
Palmer learned to program on systems that used toggle switches or punch cards. One class on assembler language required students to type their programs into a keypunch machine, print them on cards and hand them in to students working in the computer lab, who would then enter the programs into another computer. A day or two later, students could return to the lab to get the results.
On one occasion, Palmer turned in her work only to find out later that her program had an error. “I saw that and started crying,” she says. One of the computer room workers noticed Palmer’s distress and, literally, jumped through a window in the wall to reach her and ask, ‘How can I help?’ That person turned out to be Charles Palmer, who would go on to be a Distinguished Researcher at IBM Research, and Elaine’s husband. “There was a door to the computer room,” she laughs. “I’m not sure why he didn’t use that.”
Palmer began her IBM career in 1984 doing manufacturing research to help the company build mainframes. She earned her M.S. in computer science from Pace University in 1987 while working at the T.J. Watson Research Center in Yorktown Heights. Later, she moved on to computer graphics. After that group shuttered, Palmer joined a team working on antivirus systems and tamper-responding hardware security.
Computer security has only grown in importance over the ensuing decades, and Palmer is proud of the role she has played. “With security, it’s for the good of the world,” she says. “The tamper-responding technology I worked on years ago has evolved, and now runs in IBM servers, protecting billions of dollars in transactions per day worldwide. It’s satisfying that something I worked on can help so many people.”
Building a more secure blockchain
Elli Androulaki likewise finds satisfaction in protecting people from digital dangers. Whereas Elaine Palmer’s work is in defense of the systems that form the core of enterprise operations, Androulaki is focused on securing the blockchain networks beginning to find their way into corporate IT.
Elli Androulaki, Principal Research Staff Member, and Manager – Industry Platforms and Blockchain
“Blockchain is about the distribution of trust in transaction processing,” says Androulaki, Research Manager for BlockChain, Security and Applications at IBM’s research laboratory in Zurich. “Although the technology involves a community of users, not everyone in the community is involved in every transaction, so you want to limit how many people see the details of a particular transaction.”
IBM was ahead of the curve in offering blockchain networks for businesses. With that leadership position comes a responsibility to likewise lead in blockchain security. “We offer permissioned blockchains because, unlike public blockchains, they implement an access control layer to allow certain actions to be performed only by certain properly authorized participants,” says Androulaki, who joined IBM Research in 2013.
Androulaki leads a team of 13 blockchain security researchers in the Zurich lab. One of their priorities is enabling privacy-preserving asset transfer in enterprise blockchains—transactions that combine both privacy and transparency. With this technology, transactions containing verifiable proof that money or some other asset is exchanged are available on the ledger, without revealing the lending rates or the quantity and parties involved, allowing the bank at any particular time to understand the liquidity of what they have in cash. “The novel thing here is that privacy is not unconditional,” she says. “There’s a strong notion of auditability. You want privacy, but you also want to be able to comply with regulators.”
Zero-Knowledge Asset Transfer can also be used to audit transactions recorded in Hyperledger Fabric, an open-source permissioned blockchain. IBM is a member of the Hyperledger consortium, which The Linux Foundation launched in December 2015 in an effort to create an enterprise-level blockchain platform. At the time, IBM donated the first version of a code base that has evolved to become Hyperledger Fabric, the first production-ready permissioned blockchain platform. Androulaki had played a role in helping design Hyperledger Fabric before becoming a manager. “We were there when Hyperledger Fabric was first designed and, as new features are added, it has been in close collaboration with the IBM core development team and, of course, the open-source community,” she says.
Androulaki earned her undergraduate degree from the Electrical and Computer Engineering school of National Technical University of Athens in 2005. After receiving her master’s and Ph.D. degrees in computer science at Columbia University in New York, she decided to settle in Zurich, an area rich in security research opportunities and a short flight from her family in Greece, according to Androulaki, who recently gave birth to a baby girl.
When she was growing up in Athens, Greece, Androulaki especially liked math and physics. Her mother has a degree in economics and her father worked as a naval and mechanical engineer. “He was the one who really introduced me to the world of math,” she says. “He used to sit with me, and we would discuss my math homework at night.”
Now Androulaki wants to use her love of math to protect others in an increasingly online world. “Security was not considered when many systems were designed, and now you add the fact that people give away their data without thinking about how it will be used,” she says. “There’s a lot to be done in security as our world continues to move online, in terms of protecting our identities and our privacy. I get intrigued and inspired by this.”
Like the rest of her colleagues at the IBM T.J. Watson Research Center at Yorktown Heights, NY, Mimi Zohar is working from home due to COVID-19. This reminds her of her first days at the company, in the early ’80s—a decade before the public internet exploded on the scene. Back then, the challenge was to establish secure dial-up connections for the pioneering remote workers. This required verification. “Since the system didn’t trust the dial-in,” she says, “it would call you back, at a predefined phone number.”
All these years later, Zohar is still working on trust and verification, but at a level infinitely more complex. She oversees a piece—the integrity subsystem—of the open-source Linux operating system.
This involves close collaboration with a global community of Linux developers, including colleagues at a who’s who of tech companies. “You have bug fixes and new features coming from all over,” she says. “Everyone is using it, and everyone is trying to make changes to it.”
Zohar’s focus is on the security of files in the Linux OS. The system requires checks and verification at every step. The so-called Integrity Measurement Architecture (IMA) relies on trusted and encrypted keys to verify the integrity of the files. Each file must be correlated with a hash, or fingerprint, to detect whether the system has been compromised. “You need to know what’s running on the system, and you can’t ask it,” she says, “because it will lie to you.”
Most of the leading tech companies have teams focused on Linux kernel development and are involved in the Linux Integrity subsystem in particular. Zohar must coordinate all of the development and fixes, and make sure that other people’s use cases do not break. “It has all kinds of complications,” she says.
But the work is crucial. “The same architecture is being used from small devices,” she says, “all the way up to servers, and to clouds, and [virtual machines] running on the servers.”
In a research department where colleagues hail from all over the world, Zohar is a rare local. She grew up just down the road from the Yorktown Heights facility, where her father—an IBM Master Inventor—worked as an electrical engineer for 40 years in the Central Scientific Services department. He enabled researchers by designing and building prototypes.
She was interested in computers in college, but SUNY Albany at the time offered no majors in computer science. So she minored in it, got an internship at IBM, and later joined the company. “I’ve always worked in systems,” she says, “and eventually graduated into security-related projects.”
Zohar still lives nearby. She’s on her own these days, with three grown children out of the house.
Now, with the virus pandemic forcing her to work at home, she has a fresh perspective on her career. “Part of being a woman in research is that at different points in your life, everything changes. You worked and you had family, and you had no time for anything else,” she says. “Today, as an empty nester, I can do what I want. My work started out as a job to support my family, but has matured into a fun and exciting career.”
Focusing Security on Language
Youngja Park grew up in a rural area on the east coast of South Korea. Her parents grew apples and peaches. Park was fascinated by science and math, but it was slim pickings for STEM at the local high school. So her parents sent her, at age 15, to live with her 18-year-old sister in the province’s capital city, about three hours away, and to go to school there. The two sisters had to find their own apartment in a neighborhood that seemed safe. They had to shop, cook, clean, and budget—as well as study. “That empowered us for independence, and taught us how to survive,” Park says, looking back.
Youngja Park, Research Staff Member, IBM Research
Park went on to study computer science at Yonsei University in Seoul, where she also earned her doctorate in computer science and natural language processing. It was while she was in graduate school that two researchers from IBM Research visited the university and gave a seminar on natural language processing, her passion. She was impressed, and applied for an internship. That brought her to Yorktown Heights for the first time, in 1997. Three years later, she was on the research staff there.
The focus of Park’s research is to build data security systems upon natural language and machine learning technology. One project is to build a program that analyzes reports of security experts, and creates from that a knowledge base of security intelligence. Learning from this knowledge base, a security system powered by AI could zero in on viruses and malware.
Another project focuses on automatically discovering what Park calls a company’s “crown jewels.” While traditional firewalls defend an entire IT architecture, her system enables companies to further reinforce defenses around the most crucial data. She worked on that concept several years ago and built a prototype. “We did some internal proof of concept, and then worked with a couple of clients,” she says. Her hope is that it will eventually become a security feature in computing clouds.
Park and her husband, also a computer scientist, live in New Jersey and have two teenage daughters.
This post is presented by The Watson Women’s Network, a community of technical staff, primarily based at the T.J. Watson Research Center, that seeks to encourage a workplace environment that advances the professional effectiveness, individual growth, recognition, and advancement of all women at IBM Research. The WWN partners with senior management, human resources and other diversity network groups to promote programs in mentoring, networking, diversity, knowledge sharing and recruiting.