The Community for Technology Leaders

In Memoriam: Paul Karger

Roger , AESEC
Steve , Microsoft
Mary Ellen , IBM
Elaine R. , IBM
David , IBM
Charles C. , IBM
Carl E. , University of Maryland

Pages: pp. 5

V.S. Naipaul's latest book cites an African saying: "When an old person dies, we say a library has burnt down." Paul Karger was far from old, and he had not only an encyclopedic (and bibliographic) knowledge of our field but also the ability to apply it to new situations. We have indeed lost a library, and more, with Paul's passing in September. In recognition of his impact on the field, IEEE S&P solicited the following tribute from a few of his many colleagues and friends.

As Peter Neumann put it, "Paul contributed many significant papers on data integrity, revocation, covert channels, and perhaps most important, an approach to avoiding Trojan horses. He will long be remembered." A summary of his career could fill many pages, but some brief highlights are included here.

Paul was a member of the Multics development team at the Massachusetts Institute of Technology. After graduation, he received his commission as an officer in the US Air Force, where he developed some of the original technology for penetration-resistant computer systems. He was also on the computer science faculty at the US Air Force Academy.

Assigned to the Multics vulnerability assessment, he grew to understand not just the flaws he discovered but also the design principles whose violation led to vulnerabilities. More important, Paul's insight pointed him to a verifiable "security kernel" as a highly effective defense against increasingly determined and sophisticated adversaries.

He clearly reflected his deep understanding as the lead author of the classic 1974 technical report, "Multics Security Evaluation: Vulnerability Analysis." A decade later, Ken Thompson described an innovative trap door in his 1984 Turing Award paper, an idea he attributed to Paul's report.

Paul joined Digital Equipment Corp. (DEC) around 1980, where he founded its Secure Systems Department. There, he was the lead designer on the Security Enhanced VMS operating system prototype and the inspiration behind DEC's A1-secure virtual machine monitor (VMM) security kernel. Paul's design reduced the complexity of the system through his use of a strict layered approach, which also provided rigor and structure for the design and implementation. His approach to the VMM was one that he applied many times during his career, as have countless others.

Paul was also a visionary in covert channel analysis and a leading authority on the topic throughout his career. His early guidance was recognized when the National Computer Security Center cited his work as a primary reference for the covert channel analysis rationale in its 1987 "Trusted Network Interpretation" (aka the "Red Book").

Later, he was security architect for the Open Software Foundation and researched wireline and wireless telephone security at GTE Laboratories.

Paul joined the security department at the IBM Thomas J. Watson Research Center in 1995 as a founding member of the company's highly successful ethical hacking team.

Paul was a zealous advocate of high-assurance operating systems, often pointing out their superior reliability. Much of his research at IBM focused on the security of the inseparable interactions of operating systems, hypervisors, and hardware. Although his background was in software, he also worked to improve the security and performance of a wide range of hardware, from smart cards to large high-end servers.

Paul invented the first practically applicable access control model that combined secrecy and integrity and allowed controlled sharing of data among commercial applications (a harder problem than strict isolation). He also collaborated with logicians and cryptographers to create formal proofs that demonstrated the soundness of his models. He invented the first privacy-preserving authentication protocol for smart cards, which was incorporated into standards throughout Europe.

Paul sought to comply with and improve standards for evaluating the security of systems. One example was his work on Composite Evaluation, which emphasized the need for full information flow between hardware and software developers of high-assurance systems. He was also a significant contributor to the first cryptographic library ever to earn an Evaluation Assurance Level 5+ under the Common Criteria.

Paul's vast publication and patent record can be found at He is survived by his wife Carol Lynn, and his daughters Rebecca and Sarah. He will be greatly missed.

59 ms
(Ver 3.x)