BRUCE D. WILNER, CCP, CISSP
Network Security Laboratories, Inc. (NSLI)
205 Yoakum Parkway
Alexandria, Virginia 22304
(703)370-2771 / (202)236-1990
EXECUTIVE SUMMARY
PROFESSIONAL CERTIFICATIONS
Certified Computing Professional (CCP), certificate #960362, ICCP, 1996; certified specialist in systems security and systems programming, endorsed by IEEE and ACM.
Certified Information Systems Security Professional (CISSP), certificate #26042, (ISC)2, 2001.
PROFESSIONAL ACTIVITIES
Chief editor, NSA Trusted UNIX (TRUSIX) Working Group (1987-1990)
- Led team of NSA, AT&T, Sun, and MITRE defining B3 secure UNIX formal model and access controls.
Chief editor, NSA Labeling Working Group (1988-1989)
- Led team of NSA, Trusted Information Systems, and UNISYS defining TCP/IP security extensions for DoDIIS, NATO, and DOE atop CIPSO, RIPSO, and MaxSix.
INDEPENDENT CONSULTING EXPERIENCE (1991-present)
For DigiGAN, Stamford, CT:
- Chief architect of multi-level secure Web server technology atop Sun Microsystems Trusted Solaris, supporting secure access to hybrid red/black military extranets across untrusted public networks; system includes demon, kernel-resident SKIP VPN mechanisms, and tools to support multi-level content publishing and hyperlink maintenance.
For CatchFIRE Systems, Reston, VA:
- Chief architect and sole developer of startup firm's FIRENode e-ppliance offering quality of service (QoS) and traffic-shaping capability for e-commerce Web server farms; NetBSD-based e-ppliance uses unique, high-throughput kernel mechanisms for IP traffic management and theft-of-service protection. Developed 15,000 lines of NetBSD kernel code, including TCP/IP internals, pseudo-device driver, SNMP management, and administrative tools.
For Andes Networks, Mountain View, CA:
- Directed formal cryptographic evaluation of startup firm's SSL accelerator e-ppliance. Built the first complete finite state machine (FSM) characterization and formal predicate-calculus-based security model of the SSL handshake. Worked with digital hardware and firmware design teams pioneering custom application-specific integrated circuits (ASIC) atop VxWorks O/S.
For Lumeta Corp. (formerly Lucent Technologies New Ventures Group), Murray Hill, NJ:
- Principal developer of startup firm's state-of-the-art, GUI-based FIRMATO firewall management toolkit atop Linux platform, including yacc-based firewall modeling language compiler/code generator that translates back-end data structures into packet filtering rule database in CheckPoint FireWall-1 INSPECT language. Wrote tool to support ad hoc, SQL-like data flow queries against large INSPECT rule bases. Projects entailed complete reverse-engineering of CheckPoint fw compiler and code generator.
For Corbett Technologies, Alexandria, VA:
- Directed all software development activities (1997-2000) for the fastest-growing INFOSEC firm in metro Washington. Developed Java tool that fully automates the preparation of DITSCAP system security authorization agreements (SSAA) for Defense Information Systems Agency and generates fully indexed Microsoft Word output documents. Conducted penetration testing and accreditation of HQ, Drug Enforcement Administration, and HQ, U.S. Department of Justice. Designed custom firewall protecting U.S. Judicial Conference.
For Network Associates (formerly Trusted Information Systems), Glenwood, MD/Rockville, MD:
- Developed internals of Gauntlet adaptive proxy firewall and WebShield e-ppliance, including malicious code filtering and URL redirection. Integrated third-party, CVP-based content scanning tools (Dr. Solomon's Olympus anti-virus engine, Finjan SurfinGate) and built user-level APIs. Directed port of 300K+ lines of proxy code to Nokia IPSO/FreeBSD and RedHat Linux, requiring kernel-level reengineering of thread management, IP packet filtering mechanisms (e.g., BPF), and device driver interfaces to kernel data structures.
For Procom Technology, Irvine, CA:
- Enhanced Linux-based kernel of proprietary network-attached storage (NAS) device to support POSIX-compliant access control list (ACL) mechanisms compatible with both NFS and Microsoft Windows DAC models and credential data structures. Devised extensions to UDP/IP implementations of Samba and NetBIOS to support Windows NT security APIs.
For Defense Modeling and Simulation Office (DMSO), Alexandria, VA:
- Conducted feasibility study of multi-level secure (MLS) "guard" concept to support DoD High-Level Architecture (HLA), an object-oriented modeling and simulation infrastructure supporting C++, Java, and Ada APIs. Built Java prototype of guard atop HLA-conformant platform. Results of study motivated the Chief Scientist of DoD to commit $45 million in sponsorship to joint "purple" (U.S. combined forces) simulation research using HLA.
For McCabe and Associates, Columbia, MD:
- Wrote Model 204 User Language (4GL) compiler for McCabe Visual ToolSets using yacc and lex; reentrant parser supporting recursive procedure inclusion generates topological data flow models of code that interface to graphical "software battle map" environment.
For U. S. Agency for International Development (USAID), Washington, DC:
- Devised emergency security repairs to worldwide NMS accounting system integrating Visual BASIC applications, ORACLE SQL*Net, and V-ONE SmartGATE VPN technology. Quickly and creatively solved problems that had plagued $100M system for five years. Brought systems into compliance with Congressional INFOSEC directives and Vice Presidential mandate eighteen months ahead of schedule.
For Enterasys Dragon, Columbia, MD:
- Developed real-time software tools that cross-correlate Dragon intrusion detection system (IDS) event logs with signature database and periodic NESSUS vulnerability scanner reports to deduce probable avenues of attack for noteworthy events.
For Robbins-Gioia, Alexandria, VA:
- Developed CAT II project management toolkit internals, including DBMS storage manager, yacc-based ESQL/C compiler, security mechanisms, and Xt/Xlib presentation graphics.
For Fair, Isaac and Company, Baltimore, MD:
- Designed and developed site internals (including Perl/CGI and SSL) for secure Web-based business loan application engine used by Wells Fargo, Chase, and Citibank.
For VAST Corporation, McLean, VA, and Groupe Bull, Grenoble, France:
- Developed real-time BOS/RT kernel for dual-processor Bull platform by porting MODCOMP REAL/IX. Integrated SecureWare SMP+, Wollongong TCP/IP, and Lachman NFS into BOS/RT. Added lock and mutex error analysis primitives to BOS/RT kernel debugger.
For Internal Revenue Service (IRS), Fairfax, VA:
- Developed internals of enhanced OSF/Motif widget toolkit in UIM/X environment to serve as IRS standard application development toolkit. Modified OSF/Motif window manager internals to support multiplexed virtual X colormaps atop NCR UnixWare port of X11R4. Implemented X server behavior that the vendor had declared impossible given the limitations of the graphics hardware.
For GTSI, Chantilly, VA:
- Security architect for $900 million DoD C4I proposal effort. Managed security product integration testing laboratory, including PKI components, firewalls, and trusted O/S.
For OptionWealth, Rockville, MD:
- Designed and developed site internals (including mod_perl and HTML::Template) for startup firm providing comprehensive Web-based stock option modeling and optimization tools.
Additional short-term consulting studies (1995-present) have included:
- Vulnerability analysis, penetration testing, and firewall design for Office of the Secretary of Transportation; HQ, Nuclear Regulatory Commission; HQ, Federal Energy Regulatory Commission; HQ, US Forest Service; HQ, Bureau of the Census; HQ, Department of Defense Health Affairs; U.S. Patent Office; Cisco Systems (San Jose, CA); and International Computer Security Association (Reston, VA).
- Architecture, design, and competitive market analysis for IPsec-compliant B2 trusted networking product and preparation of technical literature for Cryptek Secure Communications (Chantilly, VA).
SELECTED PRIOR EMPLOYMENT (1982-1991)
Chief Scientist, Infosystems Technology (ITI), Greenbelt, MD (1987-1991)
- Principal architect of B2-secure TRUSTED RUBIX RDBMS atop AT&T UNIX 4.2ES. Wrote over 100,000 lines of RDBMS internals code, including B-tree storage manager, updatable views, referential integrity, concurrency, discretionary and mandatory security, polyinstantiation, relational algebraic command language, report writer, and yacc-based ANSI SQL-II interpreter with ESQL/C compiler. Wrote formal security policy model and DTLS to support NSA evaluation. Designed secure distributed RDBMS featuring B2-trusted servers integrated atop untrusted public networks via Kerberos authentication server. TRUSTED RUBIX was chosen over TRUSTED ORACLE, INFORMIX On*Line/Secure, and SYBASE Secure Data Server as the NSA standard secure DBMS.
Sr. Assoc. Programmer, IBM Thomas J. Watson Research Center, Yorktown Heights, NY (1982)
- Built UNIX system API emulation library in REX (precursor to REXX) atop VM/SP with CMS. Built 8080 kernel debugger and designed firmware interface. Wrote optical disk driver for Wicat UNIX.
SECURITY CLEARANCE
SECRET/SSBI (Federal Aviation Administration, 2002); TOP SECRET (Missile Defense Agency, 2003).
EDUCATION
M.E.E. (1983), B.E.E. (1982), The Cooper Union for the Advancement of Science and Art, New York, NY. Awarded master's degree at age nineteen. Received five-year, full-tuition Cooper Union Foundation Scholarship and four-year New York State Regents Scholarship.
- As one of the earliest Western Electric source code licensees, co-developed UNIX VII kernel and system utilities with AT&T Bell Laboratories research staff under Programmer's Workbench (PWB) initiative. Awarded first prize in IEEE Student Paper Contest, Northeast Region (1980) for kernel debugger research.
- Served as research UNIX system administrator (1979-1981), Cooper Union Computer Center. Managed laboratory environment featuring DEC PDP-11/45, LSI-11, and VAX-11/780 and supporting 400+ academic users in graduate research (microprocessors, robotics, computer graphics, software tool and language development) and undergraduate classroom exercises.
FOREIGN LANGUAGES
Nearly fluent conversational and technical Spanish; passable German, Dutch, and Turkish; basic reading knowledge of Japanese.