l4-hurd

Re: How to add confinement to the Hurd?


From: Marcus Brinkmann
Subject: Re: How to add confinement to the Hurd?
Date: Mon, 01 May 2006 05:30:22 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Mon, 1 May 2006 04:45:47 +0200,
Pierre THIERRY <address@hidden> wrote:
> 
> Scribit Marcus Brinkmann dies 30/04/2006 hora 22:29:
> > I can even tell you why there is an ethical issue.  The reason is that
> > non-trivial confinement separates ownership of digital content into a
> > party that has access and modification right and a party which has the
> > right to decide durability.
> 
> I return to the use case of the program that is executable without
> disclosing itself.
> 
> Let's state the problem clearly to avoid misunderstanding:
> 
> Alice writes the Processor program, whose algorithm she cannot disclose,
> and Bob has to execute Processor on the file SensitiveData, which he
> must keep secret. The system has to make Bob able to execute Processor
> with the guarantee that it won't leak anything without knowing how
> Processor works.
> 
> Where is access and modification separated from durability?

So, let's discuss this based on EROS.

Because of the confinement property, the program cannot exclusively
run on the resources of Alice, because then Alice could observe what
the program does (unless the program is trivial and does not require
any writable storage).

This means that the program must run on Bob's resources.  However, the
way the space bank works in EROS, Bob will not be able to inspect the
memory allocated by the program.  Bob can only shoot the space bank
and thus revoke the resources.

So, Alice gets, indirectly, to flip the bits while Bob gets to destroy
them.
 
> > > 1) Does anyone know, even remotely, what would be needed to implement
> > > this confinement in the Hurd? Particularly, what would be needed
> > > for the implementer to do, and what could prevent him from doing it in
> > > the Hurd design?
> > The underlying mechanism is, at the hardware level, a "trusted
> > computer" chip, which is a chip that contains a cryptographic key
> > which _nobody_ can read out and which is certified by the manufacturer
> > of the hardware.
> 
> I do not see how the cryptographic chip helps achieve confinement... I
> thought it only enables certification of the system 'identity'.

Well, without a TC chip in the system the system-implemented
confinement check relies on the good will of the machine owner.  Do
you know how "secure booting" works?

Thanks,
Marcus
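The space-bank argument above, as an added toy model in Python (not EROS or Hurd code, and not from the thread): a bank capability can allocate and revoke pages but never read them, and a constructor-style confinement check admits a program only if all of its writable storage comes from the client's bank. Class and function names are my own assumptions.

```python
class Page:
    """Writable storage; reading or writing needs the Page capability itself."""
    def __init__(self, bank):
        self.bank, self.data, self.alive = bank, bytearray(16), True

    def write(self, off, chunk):
        if not self.alive:
            raise PermissionError("page revoked")
        self.data[off:off + len(chunk)] = chunk

    def read(self):
        if not self.alive:
            raise PermissionError("page revoked")
        return bytes(self.data)

class SpaceBank:
    """Bank capability: allocate and destroy pages, but no read/write on them."""
    def __init__(self, owner):
        self.owner, self._pages = owner, []   # _pages: kernel bookkeeping only

    def allocate(self):
        self._pages.append(Page(self))
        return self._pages[-1]

    def destroy(self):
        for page in self._pages:
            page.alive = False             # revoke every page at once

def is_confined(initial_caps, client_bank):
    """Constructor-style check: all writable caps must come from the client's
    bank; immutable data such as the program's code (bytes) is allowed."""
    return all(c.bank is client_bank for c in initial_caps if isinstance(c, Page))

def scenario():
    alice_bank, bob_bank = SpaceBank("alice"), SpaceBank("bob")
    code = b"processor-algorithm"          # Alice's secret, held read-only
    alice_storage_ok = is_confined([code, alice_bank.allocate()], bob_bank)
    scratch = bob_bank.allocate()          # Bob's resources, Alice's bits
    confined = is_confined([code, scratch], bob_bank)
    scratch.write(0, b"SensitiveData")     # the program flips the bits
    bob_can_read = hasattr(bob_bank, "read")   # bank cap gives no read path
    bob_bank.destroy()                     # Bob can only "shoot" the bank
    try:
        scratch.read()
        survived = True
    except PermissionError:
        survived = False
    return {"alice_storage_ok": alice_storage_ok, "confined": confined,
            "bob_can_read": bob_can_read, "survived": survived}
```

Scratch space in Alice's own bank fails the check (she could observe it), scratch space in Bob's bank passes, and after Bob destroys his bank the program's page is gone without Bob ever having read it.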
