Rutkowska: State considered harmful - A proposal for a stateless laptop
Posted Dec 25, 2015 20:31 UTC (Fri)
by ledow (guest, #11753)
In reply to: Rutkowska: State considered harmful - A proposal for a stateless laptop by rsidd
Parent article: Rutkowska: State considered harmful - A proposal for a stateless laptop
2) The only reason given is that you don't get pre-installed malware on the laptop. Well... that's not a problem for anyone sensible who just wipes hardware clean on arrival (I speak as someone with a network full of Lenovo laptops and desktops that have not a single byte of their original factory install left - except for the first of each model, the rest don't even get to boot from the factory disk!). And if you are genuinely pulling all firmware OUT of the device (good luck! Coreboot etc. haven't been able to do it to most models of computer that exist, and newer ones are only getting worse), then you are back to installing SOME firmware to make it work. All you've done is shifted the malware from "pre-installed" to "user has to install to use their device".
3) Basically "Let's gloss over this massive and glaring problem that's the prime target for factory-installed malware being able to do anything on the processor without any kind of inspection possible, that's also the prime block for projects like Coreboot etc. GETTING CLOSE to booting on the majority of modern boards with Intel processors".
Sorry, I just don't see what your point is here. The questions aren't answered. This is a LiveCD on a laptop you own. You can do that now, today, with reasonable amounts of support for hardware, and with the same amount of "freedom" as above. But this is pushing - as we all are - for firmwareless systems so you can work even more this way. If/when those appear, wouldn't we just LiveCD from them or, better still, just verify their firmware and then use them as "normal" laptops?
It's a pipe dream that, in all significant aspects, already exists to the same extent on the machine you wrote your post on if you go and download a LiveCD and put it on a USB stick.
Posted Dec 25, 2015 20:40 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (7 responses)
Argh. No. Are you sure you've read the article?
Posted Dec 26, 2015 2:37 UTC (Sat)
by rsidd (subscriber, #2582)
[Link] (6 responses)
Posted Dec 26, 2015 12:21 UTC (Sat)
by khim (subscriber, #9252)
[Link] (5 responses)
He does not talk about off-the-shelf laptops. He compares them to a proposed solution. AFAICS the proposed solution includes TWO trusted components: “stateless laptop” and “trusted stick”. And BOTH are trusted. And are extremely tightly tied to each other. Which, naturally, raises the question: what's the point? What do we achieve by introducing all that complexity? Remove the ridiculous idea to physically separate these two and suddenly the article makes sense: it explains how we could use off-the-shelf components yet still build a system which we could trust to some degree. Separation of “trusted, state-of-the-art, off-the-shelf but stateless components” (CPU, HDD, WiFi) from “trusted, stateful, but not state-of-the-art purposefully built components” makes sense then: if our “off-the-shelf components” don't have a place to store a state then it's much harder to imagine malware injected into them, and if our stateful components don't need to be state-of-the-art then we could have many more suppliers, which makes the whole thing more secure. But as presented: trusted security stick plus trusted laptop, the whole thing just makes no sense. And AFAICS that pointless “novelty” is the only new thing in said article.
Posted Dec 26, 2015 12:59 UTC (Sat)
by rsidd (subscriber, #2582)
[Link] (4 responses)
You missed the part about off-the-shelf CPUs, HDDs and wifis not being stateless. And the reason for moving the SPI firmware to the stick, constructing a stateless HDD, proposed solutions for wifi/networking.
Posted Dec 26, 2015 13:23 UTC (Sat)
by khim (subscriber, #9252)
[Link] (3 responses)
That's why I've said: “components”, not “parts”. They all use stateless components and stateful components, but these could still be separated because flash and fast CPUs just use different technological processes. The idea to move all the state from these parts into a separate, better-controlled piece looks sensible to me, but the idea to make it possible to separate that piece from the rest just does not make sense. If you want to support all the possible bazillion combinations of CPUs, HDDs and WiFis then your “trusted codebase” would be extremely massive and, more importantly, would need regular updates (which would defeat the whole idea), and if you want to only support one particular set of “stateless components” then physical separation will just make your whole construct less reliable.
Posted Dec 26, 2015 15:36 UTC (Sat)
by rsidd (subscriber, #2582)
[Link] (2 responses)
Who would use such a device? Hardly anyone, just as hardly anyone uses Qubes OS (I don't) -- but the people who do include Dan Bernstein and other security-conscious people. But, because such people use it and promote the ideas, and also because of all the negative NSA publicity recently, some of these ideas may seep into the mainstream (just as it is becoming standard for websites to use https by default).
Posted Dec 28, 2015 21:14 UTC (Mon)
by drag (guest, #31333)
[Link] (1 responses)
So you remove any 'state' from the mainboard and assign it to your flash drive. What is the big win here?
The only advantage that I see is that the state preserved on the flash drive is much easier for you to control, observe or manipulate. Besides that it still has all the same pitfalls that occur with state on the mainboard or processor. You've just moved its location, but didn't change its nature.
Would this be a big win over, say, storing state on your laptop that is easily observable and verifiable?
Imagine instead you have a laptop where the state is stored on the system itself, but the system is easily monitored through a standardized interface. You can, during run time, examine the contents of any onboard flash via JTAG (or something similar) or have the ability to snoop on CPU instructions in the wifi via a similar interface.
Would storing state on a flash drive provide a superior result than something like that? I know that it will be much more cost effective to achieve this situation than coming up with a brand new approach to designing computers. You could probably _almost_ do this right now with off-the-shelf components and a custom mainboard.
Hardware and onboard firmware doesn't have to be a black box even though it generally is.
Posted Dec 29, 2015 19:02 UTC (Tue)
by nix (subscriber, #2304)
[Link]
As for 'snoop on CPU instructions in the wifi', how do you do *that* with an x86? You don't, of course... which means you suddenly need your own chip fab.