Computer security is a young field, and we have had few occasions to say good-bye to the people who forged the way, but it is with great sadnesss exactly that task that we must undertake this month, due to the untimely death of Dr. Paul Karger. He helped define the field with his keen insight into the meaning and mechanisms for high assurance systems. He was a deep thinker who contributed to almost every high assurance system of the 1980's. An architect who understood the most intricate details of computer design, he was able to bring theory and practice together into systems that were, actually, secure.

The field took a turn away from high assurance in the 1990's, and the resulting hodge-podge approach to security reaped its whirlwind of malware. This opened the field up to a great diversity of point solutions in the continual cat-and-mouse game that is now the status quo. I predict that future generations will keep looking back on Karger's work and drawing inspiration from its scope and vision.

A brief biography:
Dr. Paul Karger was a Research Staff Member in IBM's Thomas J. Watson Research Center. His recent work was on automated test generation for common criteria evaluations and on developing a high-assurance, penetration-resistant operating system for smart cards, including the design of new mandatory secrecy and integrity access control models for commercial applications.

He began his computer security career in the US Air Force where he developed some of the original technology for penetration-resistant computer systems. He founded Digital Equipment Corporations Secure Systems Department, where he was the lead designer on the Security Enhanced VMS operating system prototype and on Digital's A1-secure virtual machine monitor security kernel.

He was the security architect for the Open Software Foundation and researched wireline and wireless telephone security at GTE Laboratories.

Karger earned SB, SM, and EE degrees from the Massachusetts Institute of Technology, a PhD degree from the University of Cambridge, England. He has 13 patents in computer security.

• "An Augmented Capability Architecture to Support Lattice Security and Traceability of Access", 1984, Karger, P. A.; Herbert, A. J.
• "Limiting the Damage Potential of Discretionary Trojan Horses", 1987, Karger, P. A.
• "Implementing Commercial Data Integrity with Secure Capabilities", 1988, Karger, P. A.
• "New Methods for Immediate Revocation", 1989, Karger, P.A
• "A VMM Security Kernel for the VAX Architecture", 1990, Karger, P. A.; Zurko, M. E.; Benin, D. W.; Mason, A. H.; Kahn, C. E.
• "Storage Channels in Disk Arm Optimization", 1991, Karger, P. A.; Wray, J. C.
• "Fuzzy Multi-Level Security: An Experiment on Quantified Risk-Adaptive Access Control", 2007, Cheng, Pau-Chen; Rohatgi, Pankaj; Keser, Claudia; Karger, Paul A.; Wagner, Grant M.; Reninger, Angela Schuett

From Roger Schell:
He was a major contributor to early computer security efforts like the Multics vulnerability assessment, which he revisited a few years ago in his ACSAC classic paper. He was the undisputed technical authority and visionary for the ARPA/Honeywell sponsored Project Guardian at MIT, and was so successful that the results were incorporated into two standard commercial products: Multics with integral MLS controls (later rated Class B2) installed as the primary data processing engine for the Air Force in the Pentagon and for the Computer Security Center at NSA; and the SCOMP (later rated Class A1).

From Steve Lipner:
I first met Paul in 1972 (I believe) when he joined the computer security branch at the USAF Electronic Systems Division at Hanscom Field. He'd just graduated from MIT and was a very eager freshly minted second lieutenant. With Roger Schell and other folks at ESD and MITRE, he contributed to the Multics security enhancements, the design of a Multics security kernel, the CWRU work on security models, and countless other products. Perhaps best remembered is his work with Roger on the penetration test of Multics in late 1972 or early 1973. In addition to developing some of the exploit code, Paul made a typographical error in copying working exploit code from the Multics system at RADC to the MIT system. When he tried it out, MIT Multics "went away." Fortunately, the MIT staff couldn't extract a smoking gun and the penetration test went on to be a great success.

When I came to DEC in 1981, Paul was in the tiny security research group. He had been with the company for a year or two and had already prototyped what we'd later have called a B1 version of VMS - and was engaged in a "discussion" with the VMS group about whether to productize and ship it. We finally shipped a "special" version of pretty much that functionality in about 1987 and a real product version in the 1990s.

Paul and I came up with the idea of building a VMM security kernel for the VAX at a Mexican restaurant in Palo Alto the night after the 1981 Oakland conference. Paul worked tirelessly on the project for the next three years, first on the "design analysis" that outlined the design of the system and then on a prototype of the lowest layers of the system. I still remember the celebratory dinner the night when the system first booted VMS in a virtual machine on a painfully slow VAX-11/730.

Shortly after that, Paul and Carol Lynn got married and Paul went off to Cambridge to work on his PhD. I still have a copy of his dissertation in my library.

Paul was "Mr. High Assurance." If it wasn't highly secure, he didn't have much use for it - and if it was, there were few people in the industry who better understood it.