David W. Grawrock

TPM Virtualization: Building a General Framework

Trusted Computing has been widely recognized as a useful and necessary extension of more traditional security mechanisms. In today’s complex multi-device environment, it is essential to be assured that devices participating in transactions can be trusted. The Trusted Computing Group (TCG) has created a set of specifications and accompanying infrastructure defining means of assurance necessary to build a trusted environment. Continuing interest in virtualization as a way to extend flexibility in diverse computing environments while addressing issues of underutilization of equipment and energy consumption brings additional complexities to current and future models of trusted computing.

Systematic security assessment at an early processor design stage

One critical aspect of a secure hardware design is the ability to measure a designs security. In this paper, we propose a hardware security assessment scheme that provides a systematic way of measuring and categorizing a hardware features security concern at an early design stage. The proposed scheme is developed to measure security exposure and risk of a design. The scheme takes a two level questionnaire format and scores a feature based on the answers to the questions. Based on the security score, a feature is then categorized into no, low, medium or high security concern. We discuss several representative questions in detail and evaluate a number of current and future processor features using the scheme. Overall, the assessments from our scheme concur with the security evaluation results by industry security experts, providing an effective security measurement for hardware designs.

Trust Evidence for IoT: Trust Establishment from Servers to Sensors

Trust Evidence provides a framework for demonstrating the trustworthiness of a device, a system, or a service, a key requirement in managing risk within interactions associated with a broad spectrum of electronic processes (sensor networks, data analytics, ecommerce, etc.) As an addition to authentication and proof of integrity, Trust Evidence comprises a broader range of factors when demonstrating the trustworthiness of a computing device, for example, considering its configuration, software stack, and operational context.

The Search for Trust Evidence

Trust Evidence addresses the problem of how devices or systems should mutually assess trustworthiness at the onset and during interaction. Approaches to Trust Evidence can be used to assess risk, for example, facilitating the choice of threat posture as devices interact within the context of a smart city. Trust Evidence may augment authentication schemes by adding information about a device and its operational context. In this paper, we discuss Intel’s 3-year collaboration with university researchers on approaches to Trust Evidence. This collaboration included an exploratory phase that looked at several formulations of Trust Evidence in varied contexts. A follow-up phase looked more specifically at Trust Evidence in software runtime environments, and whether techniques could be developed to generate information on correct execution. We describe various research results associated with two key avenues of investigation, programming language extensions for numerical Trust Evidence and an innovative protected module architecture. We close with reflections on industry-university researcher collaborations and several suggestions for enabling success.

Intention Semantics and Trust Evidence

When technologists develop trust, security and privacy features in devices, applications, networks, and systems, they plan for certain functionality and outcomes. Early stages of planning include threat modelling, vulnerability analysis as well as formal or informal development practices that are aimed at fulfilling the security objectives. But with the complexity of today’s systems, interoperability requirements and other adaptations and the nature of the development processes, the actual outcomes and resulting security features frequently do not reflect or do not reflect completely the intent of the developers.