Blunder Dome Sighting  
privacy 
 
 
 

Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.



Click for Blog Feed
Blog Feed

Recent Items
 
A Secure RFID-Identification Protocol?
 
How Effective Is Your Software QA?
 
An Entirely New Way of Designing Systems?
 
Trust Points and Trust Issues
 
How Do We Safely Orient for Aspects?
 
Conquering the Business-Application Life Cycle
 
FLINT for bug-free, secure, and reliable software....
 
TRUST 2: Proliferation of COTS in Critical Infrast...
 
TRUST: Team for Research in Ubiquitous Secure Tech...
 
Bring us Your Metadata, Your Tired, Your Poor, You...

This page is powered by Blogger. Isn't yours?
  

Locations of visitors to this site
visits to Orcmid's Lair pages

The nfoCentrale Blog Conclave
 
Millennia Antica: The Kiln Sitter's Diary
 
nfoWorks: Pursuing Harmony
 
Numbering Peano
 
Orcmid's Lair
 
Orcmid's Live Hideout
 
Prof. von Clueless in the Blunder Dome
 
Spanner Wingnut's Muddleware Lab (experimental)

nfoCentrale Associated Sites
 
DMA: The Document Management Alliance
 
DMware: Document Management Interoperability Exchange
 
Millennia Antica Pottery
 
The Miser Project
 
nfoCentrale: the Anchor Site
 
nfoWare: Information Processing Technology
 
nfoWorks: Tools for Document Interoperability
 
NuovoDoc: Design for Document System Interoperability
 
ODMA Interoperability Exchange
 
Orcmid's Lair
 
TROST: Open-System Trustworthiness

2005-05-01

 

Flaws in Genuine Software Still Exploitable in Trusted Environment

ACM News Service: Does Trusted Computing Remedy Computer Security Problems?  The use of trusted computer systems will make it likely that genuine software will be run under the protections of a trusted environment.  This blurb reports an analyis that asserts there will still be vulnerabilities in those programs, and a malicious intruder may be able to exploit them.

Although it would seem that computers will be more secure, there are a number of ways that trust can fail, and these will tend to be a result of defects in the trusted program that a malicious entity can still exploit.

The Rolf Oppliger and Ruedi Rytz article in the April 2005 IEEE Security & Privacy issue provides a nice run-down on the trusted computing approach and its limitations.  Basically, the trusted computing platform is unable to detect malicious acts that happen at a level where the exploited behavior is indistinguishable from correct behavior based on what the platform observes.  Put simply, there can always be vulnerabilities at a higher-level that what the platform protects.  The authors question whether this improvement, and it is one, will be acceptable based on the presumed loss of flexibility in being able to install and run software of the user’s choosing.  There is no generic answer to this question, it seems to me.  Different circumstances will have different trade-off preferences, and we’ll need to understand those better.

A side benefit for me is a definition of technical trustworthiness, based on the Glossary of Internet terms:

“trusted and trustworthy systems are not the same; according to RFC 2828 [big file], a system is trusted if it “operates as expected, according to design and policy. If the trust can also be guaranteed in some convincing way, such as through formal analysis and code review, the system is called trustworthy.”

Hmm, interesting, aye Wingnut?

 
Construction Structure (Hard Hat Area) You are navigating Orcmid's Lair.

template created 2004-06-17-20:01 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 10-04-30 22:33 $
$$Revision: 21 $