Communications - June 2012

contributed articles

Doi: 10.1145/2184319.2184339

A user’s trust in a single device can be
extended to many other devices.
By BRyAn PARno
Trust
extension for
Commodity
Computers

as soCIety rUshes to digitize sensitive information and services, users and developers must adopt adequate security protections. However, such protections often conflict with the benefits expected from commodity computers. Consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low cost, but attempts to construct secure systems from the ground up are expensive, time-consuming, and unable to keep up with the changing marketplace. 2, 8, 11, 12 For example, the VAX VMM security kernel was developed over nine years (1981–1990), but the kernel was never deployed. This failure was due, in part, to the absence of support for Ethernet, a feature considered crucial by the time the kernel was completed but not anticipated when originally designed. 11

Rather than build secure systems from scratch, the tension between security and features can be resolved by extending the trust users have in one device to enable them to use another commodity device or service securely without sacrificing the performance, features, or cost expected of commodity systems. 21 Note this article focuses on average users and commodity systems rather than advanced users, special-purpose computers, or highly constrained environments (such as those in the military).

At a high level, this premise is supported by developing software, hardware, and cryptographic techniques to extend user trust in a small special-purpose hardware device to provide strong security protection for both local and remote computation on sensitive data while preserving the performance and features of commodity computers.

Included is an overview of hardware security technologies (see the sidebar “Security Features in Commodity Computers”), how to extend trust in a special-purpose mobile device to verify the security hardware in a user’s local machine, how to extend that trust in a meaningful way to software on the local machine, how to extend trust in that software to network elements, and finally how to extend that trust to remote computers where neither software nor hardware is trusted; for a detailed comparison with related work see other publications. 21, 23

key insights

improving software security is insufficient; also needed is the ability to securely verify whether a computer employs the new software.

Providing security on demand (such as via the flicker architecture) helps balance security, performance, and features.

Verifiable computation allows a client to outsource the computation of a function and efficiently verify the results returned while keeping inputs and outputs private; constraining the way the worker/server computes the function enables such efficient verification.