Vivek’s Soapbox

I gave a talk on semantic remote attestation in the language-based security seminar class today. Here are the slides for the talk.

There were many questions from the audience.

One of the questions — “Isn’t all this just about DRM?”

Unfortunately, while DRM is one of the possible applications of having a TPM in your machine, that is not the only thing about Trusted Computing. By itself, the TPM is a completely passive device. All it does is measure software, and then reliably and accurately report those measurements. It is policy-neutral. Policy is what is done in higher levels of software, like the OS, or a media player, based on the measurements reported by the TPM.

The central problem, in my opinion, is to have a trusted entity to vouch for software that is outside software, since software cannot vouch for itself.

There was also much discussion about the attack model. The TPM’s attack model only aims to protect against software attacks — with physical attacks all bets are off.

An interesting point, raised by Christian Stork: why can’t I load my own root keys into the TPM (as opposed to the manufacturer-certified keys that are embedded in every TPM), self-certify them, and then use them within my own PGP-like web of trust? Honestly, I don’t know. Maybe because the TPM designers think that web-of-trust models won’t work with the mass-deployment scenario they have in mind.

There was aso a lot of discussion about security policies. This is a recurring theme in almost all security research. The techniques are, relatively speaking, easy. The hard part is to specify a policy.

Oh — and going off topic — since I hand-wrote these slides on my Tablet PC, people are always surprised by the novelty of seeing hand-written slides on a PowerPoint presentation. Like my officemate, Andreas Gal, said: “We started with handwritten transparencies, then PowerPoint decks, and now we’re back to handwriting”. I said, “Yeah — but this time, it’s been done right!”