A user’s trust in a single device can be
extended to many other devices.
By Bryan Parno
As society rushes to digitize sensitive information and services, users and developers must adopt adequate security protections. However, such protections often conflict with the benefits expected from commodity computers. Consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low cost, but attempts to construct secure systems from the ground up are expensive, time-consuming, and unable to keep up with the changing marketplace [2, 8, 11, 12]. For example, the VAX VMM security kernel was developed over nine years (1981–1990), but the kernel was never deployed. This failure was due, in part, to the absence of support for Ethernet, a feature considered crucial by the time the kernel was completed but not anticipated when
Rather than building secure systems from scratch, the tension between security and features can be resolved by extending the trust users have in one device to enable them to use another commodity device or service securely, without sacrificing the performance, features, or cost expected of commodity systems [21]. Note that this article focuses on average users and commodity systems rather than advanced users, special-purpose computers, or highly constrained environments (such as those in the military).
At a high level, this premise is supported by developing software, hardware, and cryptographic techniques to extend user trust in a small special-purpose hardware device to provide strong security protection for both local and remote computation on sensitive data while preserving the performance and features of commodity computers. Included is an overview of hardware security technologies (see the sidebar “Security Features in Commodity Computers”), how to extend trust in a special-purpose mobile device to verify the security hardware in a user’s local machine, how to extend that trust in a meaningful way to software on the local machine, how to extend trust in that software to network elements, and finally how to extend that trust to remote computers where neither software nor hardware is trusted; for a detailed comparison with related work see other publications.
Improving software security is insufficient; also needed is the ability to securely verify whether a computer employs the new software.

Providing security on demand (such as via the Flicker architecture) helps balance security, performance, and

Verifiable computation allows a client to outsource the computation of a function and efficiently verify the results returned while keeping inputs and outputs private; constraining the way the worker/server computes the function enables such efficient verification.
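The verification step the article calls for, extending trust in a machine's security hardware to the software it actually runs, as an added example that is not from the article or from any of the author's systems: a constructed Python model of a TPM-style measurement register (PCR extend), a hardware quote over it (HMAC under a hypothetical hardware key stands in for a real attestation signature), and the verifier's check of the reported log against a known-good list and a fresh nonce. The reset value, key, nonce and component names are all constructed.

```python
import hashlib
import hmac

# Constructed model of a TPM-style measurement chain (an assumption, not code
# from the article): a hardware register (PCR) that software can only change by
# "extend", PCR' = H(PCR || H(component)), so it commits to everything loaded.
PCR_INITIAL = b"\x00" * 32  # hypothetical reset value of the register

def measure(component):
    return hashlib.sha256(component).digest()  # hash of software about to load

def extend(pcr, measurement):
    return hashlib.sha256(pcr + measurement).digest()  # hash-chain onto PCR

def run_boot(components):
    """Simulate a measured boot: extend each component in order, keep a log."""
    pcr, log = PCR_INITIAL, []
    for c in components:
        log.append(measure(c))
        pcr = extend(pcr, log[-1])
    return pcr, log

def quote(pcr, nonce, hw_key):
    """Stand-in for a TPM quote: HMAC under a hypothetical hardware key; the nonce prevents replay."""
    return hmac.new(hw_key, nonce + pcr, hashlib.sha256).digest()

def verify(reported_log, quote_value, nonce, hw_key, known_good):
    """Every log entry must be known-good, the log must reproduce the quoted PCR, and the quote must be authentic and fresh."""
    pcr = PCR_INITIAL
    for m in reported_log:
        if m not in known_good:
            return False
        pcr = extend(pcr, m)
    return hmac.compare_digest(quote(pcr, nonce, hw_key), quote_value)

def scenarios():
    # Constructed software stack: one honest boot and three dishonest reports.
    good = [b"bootloader v1", b"kernel v5", b"app v2"]
    tampered = [b"bootloader v1", b"kernel v5 (modified)", b"app v2"]
    known_good = {measure(c) for c in good}
    key, nonce = b"constructed-hw-key", b"\x01" * 16
    pcr, log = run_boot(good)
    bad_pcr, bad_log = run_boot(tampered)
    return {
        "honest": verify(log, quote(pcr, nonce, key), nonce, key, known_good),
        "tampered": verify(bad_log, quote(bad_pcr, nonce, key), nonce, key, known_good),
        "lying_log": verify(log, quote(bad_pcr, nonce, key), nonce, key, known_good),
        "replayed": verify(log, quote(pcr, b"\x02" * 16, key), nonce, key, known_good),
    }
```

Only the honest boot passes: a modified kernel fails the known-good check, a clean log paired with the real register's quote fails the hash-chain check, and a quote over a stale nonce fails freshness.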