Trust[ed | in] computing, signed code and the heat death of the internet

  • Authors:
  • Jonathan A. Poritz

  • Affiliations:
  • Hagenbuchenweg 20, Wangen, Switzerland

  • Venue:
  • Proceedings of the 2006 ACM symposium on Applied computing
  • Year:
  • 2006

Abstract

The Trusted Computing Group (TCG) is an industry consortium which has invested in the design of a small piece of hardware (roughly a smartcard), called a Trusted Platform Module (TPM), and associated APIs and protocols which are supposed to help increase the reliability of TPM-endowed computing platforms (trusted platforms). The TCG envisions that boot loaders, OSes and applications programs on trusted platforms will all collaborate in building a cryptographic hash chain which represents the current execution state of the platform, and which resides on the TPM. Remote sites can then verify that the platform in question is "in a trusted state" by requesting the TPM to produce a signed data blob containing the value of this hash chain, which can then be compared against a library of recognized ("trusted") values; this process is called remote attestation, and the whole picture is sometimes referred to as integrity-based computing (IBC).

We argue that there is a fundamental gap between the stated goals of the TCG's IBC and the central technology that is intended to achieve these goals, which gap is simply that remote attestation asks the attesting platform to answer the wrong question - the platform is not attesting to its security state, but rather to its execution state, and this underlies all of the troublesome use cases, as well as a number of the practical difficulties, of the TCG world-view. One response to this is to replace standard TCG attestation with property-based attestation (PBA), which places the emphasis on deriving security properties from (potentially) elaborate trust models and conditional statements of security property dependencies. Herein the central rôle for IBC of trust and deriving consequences from precise trust models becomes clear.

Finally, we claim that the TCG's own remote attestation is most properly viewed in fact as a form of PBA, with a certain simple trust model and database of security properties. From this point of view, it becomes clear that IBC can have a much less restrictive range of applications than envisioned merely by the TCG. In fact, with the right "trust infrastructure" and sufficiently open software using and relying upon this infrastructure, IBC could actually realize some of the portentous early promises of the TCG for truly increasing the reliability of individual users' platforms and pushing back the apocalyptic rise of malware, especially if platforms and OSes virtualize and enforce some kind of signed code contracts.
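
The gap the abstract describes can be seen in a small model of the hash chain, added here as an illustration and not taken from the paper: a stack with a security fix applied produces an unrecognized chain value and fails the binary comparison, while a property-based check accepts it. The component strings, the `kernel-fix-applied` property and the `CERTIFIED` table are constructed assumptions, `property_attest` is a hypothetical simplification of PBA, and the TPM's signature over the reported value is omitted.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold one SHA-1 digest

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure(components) -> bytes:
    """Fold the boot sequence into one hash-chain value, starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def binary_attest(reported_pcr: bytes, trusted_values: set) -> bool:
    """TCG-style check: is the execution state one of the recognized values?"""
    return reported_pcr in trusted_values

def property_attest(components, prop: str, certified: dict) -> bool:
    """Hypothetical property-based check: every component must carry a
    certificate (here a dict entry keyed by its digest) for the property."""
    return all(prop in certified.get(hashlib.sha1(c).digest(), set())
               for c in components)

# Constructed sample "binaries"; the strings stand in for file contents.
LOADER, KERNEL_V1, KERNEL_V2, APP = (b"loader-1.0", b"kernel-1.0",
                                     b"kernel-1.0+security-fix", b"app-1.0")
SHIPPED = [LOADER, KERNEL_V1, APP]
PATCHED = [LOADER, KERNEL_V2, APP]

# The verifier's library holds only the value recorded for the shipped stack.
TRUSTED = {measure(SHIPPED)}
# Assumed certifier output: which component digests have the property.
CERTIFIED = {hashlib.sha1(c).digest(): {"kernel-fix-applied"}
             for c in (LOADER, KERNEL_V2, APP)}

if __name__ == "__main__":
    for name, stack in (("shipped", SHIPPED), ("patched", PATCHED)):
        print(name, measure(stack).hex(),
              "binary:", binary_attest(measure(stack), TRUSTED),
              "property:", property_attest(stack, "kernel-fix-applied", CERTIFIED))
```

The binary check accepts the shipped stack and rejects the patched one; the property check does the reverse, because it asks about the security property and not about the exact execution state.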