Monday, June 12, 2023

test, verify and attest -

when you build a system, you'd like to know that the thing you run is the system you built, and that nothing has been modified since that build. Or at least mostly (maybe you have dynamically linked libraries, or are running as a component in a distributed system, or are re-running on a new OS release/VM/container etc etc), so you also want to know that those surrounding systems are (mostly) the same too - you want

mutual attestation

but also assurance about the system behaviour on either side of that mutual divide.

so one thing one might do is have a behavioural signature for a system - basically an execution trace - tim harris built such a system for pervasive debugging a while back - the trace can often be massively compressed since much of it is repetitive - indeed, there was a nice demo of actually being able to run programmes backwards!

so each system would log a trace in the attestation service, and then carry a manifest (a signed digest of the trace) as well as an integrity check (e.g. a hash) of the actual system, so that the trace can be tied to the code that produced it...


then it'd be up to some runtime checker (like the aforesaid pervasive debugger) to decide what level of deviation from the typical trace constituted a possible problem. This could use a similar approach to vigilante to detect bad behaviours, or sign systems that have run without any detected deviation (note, this is not a guarantee - a trace only captures behaviour at whatever granularity you recorded it, so something that misbehaves while staying inside the recorded profile goes unnoticed - but it could give a useful tradeoff - see next):-


We could apply this as part of Data Safe Havens to give some level of assurance, automatically, that small changes to applications or to the haven, after a given release, have not deviated beyond some acceptable threshold (this could be zero in the extreme, or even by default) .... it would also let developers try stuff with a little flexibility....
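The pipeline sketched above (record a trace, compress it, carry a signed manifest plus an integrity hash of the binary, then let a checker compare a fresh run against the reference with a threshold that defaults to zero) as an added toy example in Python. This is not code from the post or from any of the systems it mentions: the traces, the "binary" bytes and the key are constructed here, the trace is a list of syscall names, deviation is measured as the fraction of event transitions (bigrams) never seen in the reference trace, and HMAC-SHA256 stands in for a real signature over the manifest.

```python
# Added example: behavioural attestation with a signed trace manifest.
# Everything below (event names, key, "binary", thresholds) is constructed
# for illustration; HMAC is a stand-in for a proper signature scheme.
import hashlib
import hmac
import json
from collections import Counter

KEY = b"attestation-service-demo-key"            # constructed
BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 57    # constructed stand-in binary
# constructed reference trace: a read loop, repeated
REFERENCE = ["open", "read", "read", "read", "write", "close"] * 3
# constructed later run that adds network activity never seen before
DRIFTED = ["open", "read", "read", "write", "close", "connect", "send"]


def rle(trace):
    """Run-length encode the trace; repetitive traces shrink a lot."""
    out = []
    for ev in trace:
        if out and out[-1][0] == ev:
            out[-1][1] += 1
        else:
            out.append([ev, 1])
    return [(e, n) for e, n in out]


def expand(compressed):
    """Inverse of rle()."""
    return [e for e, n in compressed for _ in range(n)]


def digest(compressed, binary_hash):
    """Canonical digest over the compressed trace and the binary hash."""
    payload = json.dumps({"trace": compressed, "bin": binary_hash},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def make_manifest(trace, binary, key):
    """Manifest = compressed trace + integrity hash of the binary + signed digest."""
    binary_hash = hashlib.sha256(binary).hexdigest()
    comp = rle(trace)
    d = digest(comp, binary_hash)
    sig = hmac.new(key, d.encode(), hashlib.sha256).hexdigest()
    return {"trace": comp, "bin": binary_hash, "digest": d, "sig": sig}


def verify_manifest(manifest, key):
    """Recompute the digest and check the signature in constant time."""
    if digest(manifest["trace"], manifest["bin"]) != manifest["digest"]:
        return False
    expected = hmac.new(key, manifest["digest"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def transitions(trace):
    return Counter(zip(trace, trace[1:]))


def deviation(reference_trace, observed_trace):
    """Fraction of observed transitions that never occur in the reference."""
    ref = set(transitions(reference_trace))
    obs = transitions(observed_trace)
    total = sum(obs.values())
    if total == 0:
        return 0.0
    novel = sum(n for t, n in obs.items() if t not in ref)
    return novel / total


def check(manifest, key, binary, observed_trace, threshold=0.0):
    """Runtime checker. Returns (ok, deviation).
    ok requires a valid manifest signature, a matching binary hash, and
    deviation <= threshold (zero by default: any novel transition fails)."""
    if not verify_manifest(manifest, key):
        return (False, None)
    if hashlib.sha256(binary).hexdigest() != manifest["bin"]:
        return (False, None)
    dev = deviation(expand(manifest["trace"]), observed_trace)
    return (dev <= threshold, dev)


if __name__ == "__main__":
    m = make_manifest(REFERENCE, BINARY, KEY)
    print("same run:   ", check(m, KEY, BINARY, REFERENCE))
    print("drifted run:", check(m, KEY, BINARY, DRIFTED))
    print("drifted, threshold 0.4:", check(m, KEY, BINARY, DRIFTED, threshold=0.4))
```

Note that a bigram profile is a deliberately coarse signature: a run that reorders familiar transitions or repeats them more often scores zero deviation, which is the "not a guarantee" caveat above in concrete form; a real checker would record at finer granularity (arguments, call sites) and be correspondingly larger.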
