
The Difference

Posted Feb 8, 2007 7:07 UTC (Thu) by orospakr (guest, #40684)
Parent article: Bitfrost: the OLPC security model

To preempt all those who will try to compare this system to a Treacherous Computing/DRM system, I offer this simple distinction:

Treacherous Computing systems, such as those used in many proprietary systems such as video game consoles, work for someone other than the owner of the computer. Not only is this morally wrong, but it also is based on a fundamentally flawed threat model: the person who owns the machine can theoretically do anything she likes to the machine, and therefore Treacherous Computing systems are very often cracked. A classic example of this is a so-called "modchip" for a video game console, for instance. Cryptography buffs sometimes describe TC/DRM as attempting to make Alice and Eve the same person (do I remember those names correctly?).

Bitfrost works for the owners of the machine (in this case, the child and her country). The flaw discussed above does not apply, because the owner of the machine is still permitted to do as she likes. Bitfrost instead is intended to allow the user to get on with her business, including running untrusted code from a third party without worry.

(actually, the theft protection scheme in Bitfrost could be considered a theoretical weak point. A modchip-like device or similar hack could possibly be used to disable the anti-theft protection. However, this is unlikely to be feasible in practice. Therefore, the theft protection system has done its job: deterring theft.)



The Difference

Posted Feb 8, 2007 7:52 UTC (Thu) by drag (subscriber, #31333)

Well, that is why stuff like TPM can be very good. It has the capability of giving over more control to the end user to fend off malicious code and attackers.

For example, kernel-mode rootkits.

Let's say you have TPM on the motherboard. It has some keys in it for something like the signed key of the 'trusted grub' bootloader.

The system boots, TPM stuff is activated and tests grub binaries and grub's key cache. If they are swell then it's executed. Grub then uses its key stash to validate the kernel and initrd. Those are brought up, executed and run.

They have their own keys to keep track of the kernel modules and test them before loading them. And also probably will test the validity of various important system files and configurations.

Currently, with no TPM or similar technology, there is no possible way to ever ever use something like 'root kit hunter' (or any anti-rootkit software) and trust anything it tells you about the safety of your system.

The only practical way to do that sort of thing now is to take the machine offline, use something like Tripwire from a different boot medium to take checksums of your system and store that in offline or read-only storage. Then you can later take down the machine and re-run the checksums to confirm the purity of your binaries. But if you can be sure that your kernel is pristine and that all the drivers are safe... then you can effectively combat rootkits while your system is running. As long as the running kernel is safe from exploits then TPM can raise the security and trustability of your system to new heights.

If you end up with machines that can do things like test code as it's being executed then you can potentially even trust kernels that may have a local vulnerability in them.

It all depends who has the keys. If you have the keys, as the owner... then TPM is wonderful. If you don't have the keys and somebody else has more control over your system than you do, then TPM sucks majorly.

The challenge with this Bitfrost is to come to a happy solution where you can prevent the theft of laptops, and use 'trusted computing' type features to secure the userspace from software vulnerabilities, while still allowing end users (the children) the freedom to modify their systems.

If Bitfrost works out then this can be a huge selling point for Linux desktops. If it can be applied to something like a corporate desktop environment where you can allow things like password-less (or at least not so dependent on passwords) user identity management, simple PKI infrastructure, per-user VM (with efficiency!), etc. etc., then this can be a huge attraction for Linux desktop adoption for some people.

How well could this Bitfrost be applied to increasing the security of corporate or home desktop systems?
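The boot chain drag sketches (TPM checks grub, grub checks the kernel and initrd, the kernel checks its modules) and the Tripwire-style baseline of known-good checksums can be simulated in a few dozen lines. The following is an added example written for this thread, not code from OLPC, Bitfrost or any TPM stack: the "boot images" are constructed sample bytes, the owner's key is a constructed HMAC key standing in for a key a real TPM would hold in hardware, and the PCR accumulator mirrors the TPM extend operation (new value = H(old value || measurement)) without talking to a chip. Each stage measures the next one, extends the accumulator, and refuses to hand off if the measurement does not match the owner-authenticated manifest; because the manifest tag is keyed, only whoever holds the key can decide what is allowed to boot, which is exactly the "it all depends who has the keys" point.

```python
"""Simulated measured-boot chain (added example; not OLPC/Bitfrost code).

Each stage hashes the next stage, extends a PCR-style accumulator, and
halts if the hash differs from an owner-authenticated manifest.  All
component images and keys below are constructed for the example.
"""
import hashlib
import hmac

# Constructed stand-ins for real boot images, listed in hand-off order.
PRISTINE = [
    ("grub",    b"GRUB bootloader image (constructed sample)"),
    ("kernel",  b"vmlinuz kernel image (constructed sample)"),
    ("initrd",  b"initrd.img (constructed sample)"),
    ("modules", b"ext3.ko e1000.ko (constructed sample module bundle)"),
]

# Assumption: the machine's owner holds this key.  A real TPM would keep it
# in hardware; here it is just a constant so the example runs offline.
OWNER_KEY = b"owner-held-key-constructed-for-example"

INITIAL_PCR = b"\x00" * 32   # PCRs start zeroed at power-on


def measure(data: bytes) -> bytes:
    """A component's measurement is its SHA-256 digest."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can only be advanced, never rewritten."""
    return hashlib.sha256(pcr + digest).digest()


def _manifest_body(order, digests) -> bytes:
    return "\n".join(f"{n}={digests[n]}" for n in order).encode()


def make_manifest(components, key: bytes) -> dict:
    """Record expected measurements (the Tripwire-style baseline) and
    authenticate them with an HMAC under the owner's key."""
    order = [name for name, _ in components]
    digests = {name: measure(data).hex() for name, data in components}
    tag = hmac.new(key, _manifest_body(order, digests), hashlib.sha256).hexdigest()
    return {"order": order, "digests": digests, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Only a manifest tagged with the owner's key may govern the boot."""
    expected = hmac.new(key, _manifest_body(manifest["order"], manifest["digests"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def expected_pcr(manifest: dict) -> str:
    """Final PCR value a pristine boot of this manifest must produce; an
    owner can seal secrets to it or compare it remotely."""
    pcr = INITIAL_PCR
    for name in manifest["order"]:
        pcr = extend(pcr, bytes.fromhex(manifest["digests"][name]))
    return pcr.hex()


def boot(components, manifest: dict, key: bytes):
    """Walk the chain stage by stage.

    Returns (stages_run, final_pcr_hex, halted_at): halted_at is None on a
    clean boot, the name of the first stage that failed verification, or
    "manifest" when the baseline itself could not be authenticated.
    """
    if not manifest_is_authentic(manifest, key):
        return [], "", "manifest"
    pcr = INITIAL_PCR
    stages_run = []
    for name, data in components:
        digest = measure(data)
        pcr = extend(pcr, digest)              # measurement is recorded either way
        if digest.hex() != manifest["digests"].get(name):
            return stages_run, pcr.hex(), name  # refuse to hand off control
        stages_run.append(name)
    return stages_run, pcr.hex(), None


if __name__ == "__main__":
    manifest = make_manifest(PRISTINE, OWNER_KEY)
    print("clean boot:   ", boot(PRISTINE, manifest, OWNER_KEY))
    # Constructed tampering: the kernel image has been altered after the
    # baseline was taken; grub measures it and stops the chain there.
    tampered = [(n, d + b" modified" if n == "kernel" else d) for n, d in PRISTINE]
    print("tampered boot:", boot(tampered, manifest, OWNER_KEY))
    print("expected PCR: ", expected_pcr(manifest))
```

The PCR is extended before the comparison on purpose: even when a stage refuses to continue, the accumulator faithfully records what was actually measured, so a later reader of the register cannot be shown a clean value by a component that was never checked. Swap the HMAC for a public-key signature and the manifest for a per-component signature list and the structure is the trusted-grub flow drag describes.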

The Difference

Posted Feb 8, 2007 7:53 UTC (Thu) by drag (subscriber, #31333)

Or something like LTSP?

The Difference

Posted Feb 8, 2007 19:35 UTC (Thu) by cjb (guest, #40354)

> (actually, the theft protection scheme in Bitfrost could be considered a theoretical weak point. A modchip-like device or similar hack could possibly be used to disable the anti-theft protection. However, this is unlikely to be feasible in practice. Therefore, the theft protection system has done its job: deterring theft.)

Rather than being a weak point, I'd just call this something that isn't covered by the threat model. The worries that motivated the security system came from (for example) the possibility of someone writing a virus that bricks the BIOS on all n-hundred-million laptops at once, making them useless. Reducing that risk to the possibility of breaking the security on one laptop at a time, by disassembling it and resoldering the BIOS, is a huge step forward.

The Difference

Posted Feb 9, 2007 1:57 UTC (Fri) by ikm (subscriber, #493)

> Bitfrost works for the owners of the machine

Yes, until the owner would want to turn it off. And then it suddenly starts to work against his wishes.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds