Although we have remarked that this paradigm of trusted computing is at its strongest when assuring local owners (or users) of the state of their platforms, it is notable that much of the active research in this area relates to the use of remote attestation in one form or another. Perhaps there are two reasons for this: one, the integrity of the local platform is largely a matter for the operating system. This, in turn, is a relatively specialist area, not particularly amenable to those who are not deeply involved in it. Secondly, as we have remarked, attestation is a much more novel concept than integrity, and so as a new primitive gives rise to a range of genuinely innovative lines of inquiry.
A project which aims to address the operating system integration issues (in the open source arena) and thereby to facilitate remote attestation based upon trusted virtualization is the European project OpenTC10. In doing so, it is developing prototype implementations; for example, its first demonstration was for a home banking scenario, in which a specialized virtual machine was launched to host the home banking client. This VM would be attested by the bank (and the bank by the VM) to prevent not merely impersonation attacks (which mutual authentication would solve) but also invidious interference in the network stack or keyboard driver (Kuhlmann, Lo Presti, Ramunno, Vernizzi, Bayer, Katırcıoğlu and Güngören, 2008).
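The distinction the home banking scenario draws, between mutual authentication (which proves who the client is) and mutual attestation (which proves what software state the client VM is in), can be made concrete with a small model. The following is an added, constructed example and not OpenTC code: each side folds hashes of its measured components (the page names the network stack, keyboard driver and banking client) into a single PCR-style register, the verifier issues a fresh nonce, and the prover returns a quote binding the register to that nonce. An HMAC under a constructed shared key stands in for the TPM attestation-key signature so that the example runs on the Python standard library alone; the component images, keys and credential are all invented placeholders.

```python
"""Toy model of mutual attestation between a banking VM and a bank.

Constructed example (not OpenTC or any product's code). Demonstrates why a
valid login credential passes authentication while a VM with a modified
keyboard driver still fails attestation, and why a fresh nonce defeats replay.
"""
import hashlib
import hmac
import os

# --- Constructed reference measurements ("known good" builds) --------------
KNOWN_GOOD_CLIENT = {
    "network_stack": b"vm-netstack build 1",
    "keyboard_driver": b"vm-kbd build 1",
    "banking_client": b"homebanking client build 1",
}
KNOWN_GOOD_BANK = {
    "tls_frontend": b"bank-tls build 1",
    "banking_backend": b"bank-backend build 1",
}

# Constructed shared keys; each stands in for one side's TPM attestation key.
CLIENT_ATTEST_KEY = b"constructed-client-attest-key"
BANK_ATTEST_KEY = b"constructed-bank-attest-key"

# Constructed login credential: plain authentication checks only this.
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}


def pcr_extend(pcr: bytes, component_image: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component_image).digest()).digest()


def measure_platform(components: dict) -> bytes:
    """Fold every measured component into one register value, in a fixed order."""
    pcr = bytes(32)  # register starts at all zeros, as a TPM PCR does at reset
    for name in sorted(components):
        pcr = pcr_extend(pcr, components[name])
    return pcr


def make_quote(attest_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Bind the current register to the verifier's nonce (HMAC stands in for a signature)."""
    return hmac.new(attest_key, pcr + nonce, hashlib.sha256).digest()


def verify_quote(attest_key, reported_pcr, nonce, sig, reference_components) -> bool:
    """Accept only a fresh, authentic quote whose register matches the known-good build."""
    if not hmac.compare_digest(sig, make_quote(attest_key, reported_pcr, nonce)):
        return False  # not produced by the expected attestation key for this nonce
    return hmac.compare_digest(reported_pcr, measure_platform(reference_components))


def attest(prover_components, prover_key, reference_components, nonce=None):
    """One attestation round: verifier sends a nonce, prover answers with (PCR, quote)."""
    nonce = nonce if nonce is not None else os.urandom(16)
    pcr = measure_platform(prover_components)
    sig = make_quote(prover_key, pcr, nonce)
    return verify_quote(prover_key, pcr, nonce, sig, reference_components)


def authenticate(user: str, password: str) -> bool:
    """Plain authentication: establishes identity, says nothing about platform state."""
    return VALID_CREDENTIALS.get(user) == password


def bank_session(client_components, user, password, bank_components=KNOWN_GOOD_BANK):
    """Mutual check: the bank attests the client VM and the VM attests the bank."""
    return {
        "authenticated": authenticate(user, password),
        "client_attested": attest(client_components, CLIENT_ATTEST_KEY, KNOWN_GOOD_CLIENT),
        "bank_attested": attest(bank_components, BANK_ATTEST_KEY, KNOWN_GOOD_BANK),
    }


def replayed_quote_accepted() -> bool:
    """A quote captured under one nonce must be rejected when the bank issues a new one."""
    pcr = measure_platform(KNOWN_GOOD_CLIENT)
    old_nonce, new_nonce = os.urandom(16), os.urandom(16)
    old_sig = make_quote(CLIENT_ATTEST_KEY, pcr, old_nonce)
    return verify_quote(CLIENT_ATTEST_KEY, pcr, new_nonce, old_sig, KNOWN_GOOD_CLIENT)


if __name__ == "__main__":
    modified = dict(KNOWN_GOOD_CLIENT, keyboard_driver=b"vm-kbd build 1 (modified)")
    print("clean VM:   ", bank_session(KNOWN_GOOD_CLIENT, "alice", "correct horse battery staple"))
    print("modified VM:", bank_session(modified, "alice", "correct horse battery staple"))
    print("replay accepted:", replayed_quote_accepted())
```

The modified VM presents the same valid credential and so passes authentication, but its register no longer matches the bank's reference value and attestation fails; that is the gap between mutual authentication and mutual attestation that the paragraph points to. In a real deployment the verifier would check a signature under an attestation key whose certificate chains to the platform's TPM, and the reference values would come from a maintained whitelist of approved builds rather than constants in the verifier.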
A similar scenario involves building a virtual machine to sit at the client end of a VPN. Most VPN solutions are intended to prevent misbehaving clients from compromising the server, but this is hard to ensure. An attested client, perhaps fully isolated from the rest of the host system, is potentially much better able to enforce the security policy required by the server. A more complex realization of this kind of thinking comes in the High Assurance Platform (HAP) Programme11. This is aiming to build, using trusted virtualization, a secure client execution environment capable of participating in multiple isolated virtual security domains. A goal — which the government and industry partners appear to believe is achievable — is to enable operation to be sufficiently partitioned as to enable systems safely to process material classified ‘Top Secret’ on a host also connected to the Internet. This has been an aspiration of high-assurance systems for decades.
Our own aims have been at a rather more modest level of assurance. We have seen the technologies described here as ideal for implementing something we might call a ‘trusted grid’, or, in the broader sense of service orientation, trusted services. Grid computing implies having work done on a possibly-distributed collection of hosts, outside one’s direct control. The full abstraction of the grid would mean not knowing where one’s job (or service) might be executed. In such a setting, questions of data and code confidentiality, and of results integrity become difficult.
The author came to this problem whilst considering the security properties for climateprediction.net.