Winning Against any Adversary on Commodity Computer Systems

Proceedings of the 1st ACM Workshop on Workshop on Cyber-Security Arms Race (2019)

Abstract
The axioms of insecurity on commodity computer systems [1] suggest that an adversary will have an asymmetric advantage over any defender forever. This implies that the defender-adversary arms race on such systems always favors the adversary, as often emphasized by conventional security wisdom. In this presentation, I illustrate how a defender can win against any adversary by establishing root of trust on a commodity system unconditionally; e.g., without any tradeoffs. Then I will show how to maintain the defender's advantage in protecting selected applications, and explain why this is still uncommon on commodity systems.

Establishing root of trust unconditionally. Suppose that a small and simple trusted verifier must boot a trustworthy program on a system that may contain persistent malware. Establishing root of trust (RoT) assures that either the system has all and only the content chosen by a trusted verifier, or the verifier discovers unaccounted content, with high probability. Hence, verifiable boot takes place in a malware-free state. Obtaining such assurance is challenging because a remote adversary's malware can survive repeated secure- and trusted-boot operations and detection by any anti-malware tool; e.g., these tools do not have malware-unmediated access to device controllers' firmware, nor do they prevent remote malware connections over the internet. In this presentation, I will show how to establish RoT unconditionally; i.e., without secrets, trusted hardware modules (e.g., TPMs, RoMs, HSMs), or adversary computation bounds. I will also argue that this is the only unconditional solution to any security or cryptography problem to date [2].

Maintaining root of trust selectively. Establishing root of trust makes all persistent malware ephemeral and forces the adversary to repeat a malware-insertion attack. Nevertheless, repeated successful attacks in commodity systems and applications are hard to deny because of the inherent size and complexity of their software components; aka, the "giants" [1, 3]. To win against an adversary, small and simple software components with rather limited function and high-assurance security properties (aka, the wimps) must be available, since they can, in principle, counter all attacks [3]. In this setting, maintaining root of trust selectively assures a defender that a commodity computer's wimps are isolated from, and safely co-exist with, adversary-controlled giants. Maintaining RoT selectively also implies that, regardless of how secure wimp isolation may be, I/O separation for wimps must also be provably achieved despite the use of commodity systems that encourage I/O hardware sharing, not isolation [4]. In this presentation I will also illustrate the basic challenges of I/O separation for wimps and giants, and present an example of an experimental system for on-demand separated I/O transfers, which was designed and implemented at CMU's CyLab.
Keywords
application isolation, defender-adversary arms race, i/o separation, on-demand i/o channels, persistent-malware detection, root of trust establishment