Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.

Recent Items
 
A Secure RFID-Identification Protocol?
 
How Effective Is Your Software QA?
 
An Entirely New Way of Designing Systems?
 
Trust Points and Trust Issues
 
How Do We Safely Orient for Aspects?
 
Conquering the Business-Application Life Cycle
 
FLINT for bug-free, secure, and reliable software.  That should cover it!
 
TRUST 2: Proliferation of COTS in Critical Infrastructure
 
TRUST: Team for Research in Ubiquitous Secure Technology
 
Bring us Your Metadata, Your Tired, Your Poor, Your Abandoned Document Formats

Archives
2004-06-13
2004-06-20
2004-06-27
2004-08-29
2004-09-05
2004-09-12
2004-09-19
2004-10-10
2004-10-24
2004-11-07
2004-11-28
2004-12-05
2004-12-12
2004-12-26
2005-01-30
2005-02-06
2005-03-06
2005-03-13
2005-03-20
2005-04-03
2005-04-10
2005-04-17
2005-04-24
2005-05-01

Flaws in Genuine Software Still Exploitable in Trusted Environment

ACM News Service: Does Trusted Computing Remedy Computer Security Problems?  The use of trusted computer systems will make it likely that genuine software will be run under the protections of a trusted environment.  This blurb reports an analyis that asserts there will still be vulnerabilities in those programs, and a malicious intruder may be able to exploit them.

Although it would seem that computers will be more secure, there are a number of ways that trust can fail, and these will tend to be a result of defects in the trusted program that a malicious entity can still exploit.

The Rolf Oppliger and Ruedi Rytz article in the April 2005 IEEE Security & Privacy issue provides a nice run-down on the trusted computing approach and its limitations.  Basically, the trusted computing platform is unable to detect malicious acts that happen at a level where the exploited behavior is indistinguishable from correct behavior based on what the platform observes.  Put simply, there can always be vulnerabilities at a higher-level that what the platform protects.  The authors question whether this improvement, and it is one, will be acceptable based on the presumed loss of flexibility in being able to install and run software of the user’s choosing.  There is no generic answer to this question, it seems to me.  Different circumstances will have different trade-off preferences, and we’ll need to understand those better.

A side benefit for me is a definition of technical trustworthiness, based on the Glossary of Internet terms:

“trusted and trustworthy systems are not the same; according to RFC 2828 [big file], a system is trusted if it “operates as expected, according to design and policy. If the trust can also be guaranteed in some convincing way, such as through formal analysis and code review, the system is called trustworthy.”

Hmm, interesting, aye Wingnut?

posted by orcmid at 5/1/2005 12:28:05 AM, rating data by NewsGator Online