Keynotes

We are proud to announce the confirmed speakers of TRUST 2016:
Virgil D. Gligor (Carnegie Mellon University, UK) &
Stefan Katzenbeisser (TU Darmstadt & CASED, Germany)

Establishing and Maintaining Root of Trust on Commodity Computer Systems
Virgil D. Gligor (Carnegie Mellon University, UK)

Abstract: Suppose that a trustworthy program must be booted on a commodity system that may contain persistent malware. For example, a formally verified micro-kernel, micro-hypervisor, or a subsystem obtained from a trustworthy provider must be booted on a computer system that runs Windows, Linux, or Android. Establishing root of trust assures the user that either the system is in a malware-free state in which the trustworthy-program boot takes place or the presence of malware is discovered, with high probability. Obtaining such an assurance is challenging because malware can survive in system states across repeated secure- and trusted-boot operations. These operations do not always have malware-unmediated access to device memories; e.g., memories of bring-your-own devices, such as keyboards, consoles, printers, routers, and system devices such as disk controllers. To date, concrete assurance for root-of-trust establishment has not been obtained on more complex systems than tablets or smartphones. In this presentation, I will illustrate both the theoretical and practical challenges of root-of-trust establishment unconditionally; i.e., without secrets, privileged modules (e.g., TPMs), or adversary bounds.

Establishing root of trust is important because it makes all persistent malware ephemeral and forces the adversary to repeat the malware-insertion attack, perhaps at some added cost. Nevertheless, some malware-controlled software can always be assumed to exist in commodity operating systems and applications. The inherent size and complexity of their components (aka the “giants”) render them vulnerable to successful attacks. In contrast, small and simple software components with rather limited function and high-assurance layered security properties (aka the “wimps”) can, in principle, be resistant to all attacks.

Maintaining root of trust assures a user that a commodity computer’s wimps are isolated from, and safely co-exist with, adversary-controlled giants. However, regardless of how secure isolation may be (e.g., based on Intel’s SGX), wimps must use services of, or compose with, insecure giants. This appears to be “paradoxical:” wimps can counter all adversary attacks but survive only if they use adversary-controlled giants from which they have to defend themselves. I will present a method for the composition of secure wimps with insecure giants, via two examples of experimental systems; i.e., on-demand isolated I/O channels and a trusted display service, which were designed and implemented at CMU’s CyLab.

Read more about Virgil D. Gligor.

DRAM PUFs
Stefan Katzenbeisser (TU Darmstadt & CASED, Germany)

Abstract: A Physically Unclonable Function (PUF) is a unique and stable physical characteristic of a piece of hardware, which emerges due to variations in the fabrication processes. Prior works have demonstrated that PUFs are a promising cryptographic primitive to enable secure key storage, hardware-based device authentication and identification. So far, most PUF constructions require addition of new hardware or FPGA implementations for their operation. Recently, intrinsic PUFs, which can be found in commodity devices, have been investigated. Unfortunately, most of them suffer from the drawback that they can only be accessed at boot time. In this talk I will give an overview of DRAM PUFs, which can be accessed during system runtime and are based on individual decay-based intrinsic DRAM PUFs in commercial off-the-shelf systems, requiring no additional hardware or FPGAs. A key advantage of this PUF construction is that it can be queried during run-time of a Linux system.

Read more about Stefan Katzenbeisser.