Establishing and Maintaining Root of Trust on Commodity Computer Systems.

AsiaCCS(2019)

Abstract

Suppose that a trustworthy program must be booted on a commodity system that may contain persistent malware. Establishing root of trust (RoT) ensures, with high probability, that the system has all and only the content chosen by a trusted verifier, or else that the verifier discovers unaccounted content. Obtaining such an assurance is challenging because malware can survive in system states across repeated secure- and trusted-boot operations and act on behalf of a powerful remote adversary. In this presentation, I illustrate both the theoretical and practical challenges of RoT establishment unconditionally; i.e., without secrets, trusted hardware modules (e.g., TPMs, HSMs) or adversary computation bounds. I also illustrate the only unconditional solution to this problem known to date. Establishing root of trust forces the adversary to repeat the malware-insertion attack, perhaps at some added cost. However, the inherent size and complexity of commodity OS components (a.k.a. the "giants") render them vulnerable to such successful attacks. In contrast, small and simple software components with rather limited function and high-assurance security properties (a.k.a. the "wimps") can, in principle, be resistant to attack. Maintaining root of trust assures a user that a commodity computer's wimps are isolated from, and safely co-exist with, adversary-controlled giants. However, regardless of how secure program isolation may be, I/O separation must also be achieved despite the pitfalls of commodity architectures that encourage I/O hardware sharing, not isolation. In this presentation, I also illustrate the challenges of I/O separation and present an approach that enables the co-existence of secure wimps with insecure giants, via an example of a system implemented at CMU.
Keywords
Root of trust establishment, persistent malware, unconditional malware detection, application isolation, I/O separation, on-demand I/O channels