[Cryptography] Untrusted Turtles all the way down

Ben Laurie benl at google.com
Fri Apr 10 08:00:05 EDT 2015

On 9 April 2015 at 21:17, Henry Baker <hbaker1 at pipeline.com> wrote:
> I've been working with computers for 54 years, and have watched an amazing & unending series of "virtualization" steps.
> Basically, for every "Moore's Law" step, we gain an additional level of emulation; in Turing Machine terminology, each Moore's Law step adds only a small fixed constant amount of tape to store the new instruction set interpreter.
> However, each such additional step adds to the threat surface, so from a security perspective things are getting monotonically worse.
> How come, therefore, the security "solution" always presented is to pile yet another "trusted" turtle to the stack (e.g., SMM, Trustzone, your favorite ***trust*** word here), in hopes that this will _increase_ security?
> E.g., "UEFI" now looks more like "goofy" in retrospect, because we've added yet another hole to hide in.
> Either these new "trusted turtles" are more security theater, or they are a misdirection/cover for some NSA-NSL-inspired new level of nonsense to keep the core wars going for yet another decade.
> "Trusted Turtles" or "Untrusted Turtles" all the way down?  Or more succinctly, "Turtles all the way down" v "Turds all the way down"?
> When do we _cut_ the Gordian Knot, instead of trying to untie it?

Here's our plan: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/.

In short: stop adding new layers and instead do it differently. Use
the MMU for what it's good for: virtual memory. Security/separation
come from "capability registers" which grant byte-grained access to
memory. Context switches are about 100x faster than on current CPU
architectures, and you do not need to understand multiple layers of
weirdness to believe in the security of the system. Just one.

_And_ it provides backwards compatibility with existing systems.
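
A software sketch of the "capability registers" idea in the reply above, added here as an illustration; it is not code from the post or from the CHERI project. The names (cap_t, cap_restrict and so on) are hypothetical, and the checks that this model performs in C are performed by the hardware on a real capability machine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Software model only: CHERI performs these checks in hardware. */
enum { CAP_LOAD = 1, CAP_STORE = 2 };

typedef struct {
    uint8_t *base;   /* first byte the holder may touch */
    size_t   len;    /* bytes reachable from base */
    unsigned perms;  /* CAP_LOAD and/or CAP_STORE */
    int      valid;  /* models the validity tag; 0 = unusable */
} cap_t;

uint8_t heap[32];    /* constructed sample memory shared by two compartments */

cap_t cap_root(uint8_t *mem, size_t len) {
    cap_t c = { mem, len, CAP_LOAD | CAP_STORE, 1 };
    return c;
}

/* Derivation is monotonic: bounds and permissions may shrink, never grow. */
cap_t cap_restrict(cap_t p, size_t off, size_t len, unsigned perms) {
    cap_t bad = { NULL, 0, 0, 0 };
    if (!p.valid || off > p.len || len > p.len - off) return bad;
    if (perms & ~p.perms) return bad;
    cap_t c = { p.base + off, len, perms, 1 };
    return c;
}

/* Return 0 on success, -1 where the hardware would raise an exception. */
int cap_load(cap_t c, size_t off, uint8_t *out) {
    if (!c.valid || !(c.perms & CAP_LOAD) || off >= c.len) return -1;
    *out = c.base[off];
    return 0;
}
int cap_store(cap_t c, size_t off, uint8_t v) {
    if (!c.valid || !(c.perms & CAP_STORE) || off >= c.len) return -1;
    c.base[off] = v;
    return 0;
}

int main(void) {
    uint8_t b;
    cap_t ro = cap_restrict(cap_root(heap, sizeof heap), 0, 16, CAP_LOAD);
    printf("load  [15]: %d\n", cap_load(ro, 15, &b));   /* inside bounds */
    printf("load  [16]: %d\n", cap_load(ro, 16, &b));   /* one byte past */
    printf("store [0] : %d\n", cap_store(ro, 0, 0x41)); /* no store right */
    printf("regrow    : %d\n", cap_restrict(ro, 0, 32, CAP_LOAD).valid);
}
```

The holder of ro shares an address space with the other 16 bytes of heap yet cannot reach them, and cannot derive a wider or more privileged capability from the one it was given.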
