---------- Forwarded message ----------
From: Michal Suchanek <[EMAIL PROTECTED]>
Date: Aug 16, 2006 11:25 AM
Subject: Re: Challenge: Confinement
To: Christian Stüble <[EMAIL PROTECTED]>
On 8/14/06, Christian Stüble <[EMAIL PROTECTED]> wrote:
Hi, after a long time of following this list only passively, I would like to share some of my thoughts with you :-)

Background: I am working/researching/developing microkernel-based security architectures for a few years now, currently at Ruhr-University Bochum (RUB), Germany. At the moment, our group is involved in some R&D projects related to trusted computing (TC) and security in general: e.g., PERSEUS (perseus-os.org), EMSCB (emscb.org), OTC (opentc.net), and some others. In this context, we are developing security-critical services and applications on top of L4 and Xen. Further important topics are security engineering, formal models, language-based security, and security protocols.

General: Since I am not aware of a multi-server system design that fulfills today's requirements, our group has to design and implement a lot of services from scratch - wasting a lot of time, since our main focus is security. Therefore, we would like to collaborate with further projects like hurd and coyotos, to share design ideas, use cases and implementations. Unfortunately, this seems to be impossible due to conflicting requirements (at least with hurd): We are using TC technology and we are even developing DRM-like applications (whatever this means). We do this for the following reasons: On the one hand, it is IMO better to prove that a better solution exists if you want to criticise existing technology. On the other hand, TC is currently the only technology that is widely available and fulfills (IMO) important security requirements. Yes, it could be misused (like nearly any security-related product), but our main development/research goal is an architecture that prevents misuse but allows many relevant use cases. The same holds for the DRM-like applications: We develop applications that allow the enforcement of security policies in a distributed environment, but which consider user rights and the law (keywords: multilateral security, fair use).

Challenge: I would like to give a more concrete example of an application that IMO requires confinement (e.g., based on the security properties offered by TC technology): As you may know, we have strict laws in Germany regarding user privacy. E.g., a company is in general not allowed to give personal information to other institutions. Nevertheless, it is sometimes hard to prove that there was a leakage of information, or companies may be in another country. Therefore, one of our goals is to develop an environment that allows users to create an agent that controls their personal information and enforces, e.g., within the environment of a company, that it can only use personal information once, or that it cannot be shared with other companies, etc. But this requires that the owner of the platform executing the agent cannot access the internal state of the agent. A lot of people would call the agent a DRM application...

Another application, currently an (open) master thesis, is to develop a P2P filesharing client that uses DAA to connect to other clients. The motivation is to prevent modified clients that allow the platform owner to see the connection table (and thus to uncover the anonymity of clients). But this only makes sense if the platform owner cannot access the internal state of applications...

I would like to know to what extent people here are interested in a collaboration. If you think this is too OT to discuss it here, we can continue this discussion somewhere else.
Hello,

I guess that the discussion of possible uses of DRM (or DRM-like technology) is on topic here. There was a "challenge" thread where Marcus explicitly asked for uses that are important but cannot be achieved without DRM.

What does DRM buy you in P2P? If you cannot trust the administrator of the computer, you can connect one that you administer yourself. If you aren't allowed to do that, you probably aren't allowed to do P2P either. Anyway, the network is probably owned by the same untrusted administrator (if it was not, you could connect another computer). So you have to design the protocol in such a way that it does not reveal the other party even in case the connections are observed. I guess in such a case it should be safe against revealing any connection tables as well.

In the context of personal data protection: What kind of use do you have in mind? How do you enforce once-only use? Once you get the data, you can print them, or write them down. What kind of use guarantees no reuse? If the administrator of the system cannot access the data, how do you make backups?

I do not see how DRM can be of much help if you want to use a system that is controlled by a party that you do not trust. Sure, encryption can do something for you. DRM can do a little but not much. And you still have to trust the DRM provider, which I do not consider much wiser than trusting the party controlling the system.

Thanks

Michal
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
