The idea of trusted computing is to provide security functions with which one computer system can establish and evaluate trust in another computer system within a distributed computing environment. In practice, trusted computing often refers to using a hardware security module for certain basic security functions in order to establish higher-order security properties. One example of such a module is the Trusted Platform Module (TPM), as specified by the Trusted Computing Group (TCG). However, trusted computing consists of more than just the specifications of the TCG. Trusted computing is a concept that can draw on many different techniques and technologies. This is the field in which I did most of my research, and it is still the main source of ideas, techniques and concepts I draw from when designing applied systems in practice.
TVD for L4
TVD for OpenSolaris
One of my research projects during my PhD studies was TruWallet, a wallet-based web authentication security architecture. It uses a password wallet to store login information for web sites and a security kernel with trusted computing support to provide a secure and isolated execution environment for the wallet. The protected execution environment prevents malware or other unauthorized software from reading the passwords from the wallet database. The wallet itself verifies the legitimacy of websites and automatically inserts the login credentials on behalf of the user. Hence, the user does not need to check websites or even remember the passwords for all the websites and accounts they use.
Another research topic asked whether a trusted path between a system and a user has to be bidirectional for all use cases, i.e., authenticating the system to the user and authenticating the user to the system. The answer is no: there are use cases that allow a uni-directional trusted path (UTP), just from the user to the system. I did this research together with Jonathan McCune, and Atanas Filyanov helped to implement it. We identified use cases such as transaction confirmation in online purchases or CAPTCHAs as possible applications.
The UTP approach allows users to confirm a transaction without requiring them to know whether the application they are interacting with is actually trustworthy. We use trusted computing features for remote attestation and isolated code execution (our prototype used Intel TXT and a TPM). We leverage these mechanisms to establish a "one-way" trusted path that allows service providers to gain assurance that users' transactions were indeed submitted by a human operating the computer, rather than by malware such as transaction generators.
In the UTP design, a trusted confirmation and (optionally) authentication agent executes in CPU-provided isolation. The trusted computing base (TCB) of the trusted agent is remarkably small (just a few thousand lines of code), and remains compatible with users' existing operating system and application environments.
When the client requests an action from the server that requires confirmation of the user's intent, the server establishes the uni-directional trusted path by sending a message to the client. The untrusted client program invokes the execution of the UTP Agent in the CPU's secure execution mode. The UTP Agent displays the message provided by the server (e.g., a transaction summary) to the user. Once the user has viewed and confirmed the message, the UTP Agent assembles the necessary data to generate a cryptographically secured attestation that these events happened while in the secure execution mode. The attestation data is sent to the server, and the server can verify whether the data was processed in the secure CPU mode. If the verification succeeds, the server knows that a uni-directional trusted path to the human user has been established and that the transaction can be processed.
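The following is an added, constructed simulation of the exchange just described; it is not code from the UTP prototype or the paper. It models the attestation key as an HMAC key shared between the agent's hardware root of trust and the server (a real TPM would use an asymmetric attestation identity key), and it shows the checks a server must perform before treating a confirmation as a trusted-path result: the attestation is genuine, the expected agent code was measured, the nonce is fresh and matches the request, and the confirmed message is the one the server sent.

```python
import hashlib
import hmac
import json
import os

# Constructed demo values; in a real deployment the key lives in the hardware root
# of trust and the expected measurement is the known-good hash of the UTP agent.
ATTESTATION_KEY = b"constructed-demo-attestation-key"
AGENT_CODE = b"utp-agent-v1"
EXPECTED_AGENT_MEASUREMENT = hashlib.sha256(AGENT_CODE).hexdigest()


def server_request(transaction_summary: str) -> dict:
    """Server side: the message to confirm, bound to a fresh nonce against replay."""
    return {"nonce": os.urandom(16).hex(), "message": transaction_summary}


def utp_agent(request: dict, user_confirms: bool, agent_code: bytes = AGENT_CODE) -> dict:
    """Agent running in isolated execution: it 'displays' the message, records the
    user's decision, and attests (measurement, nonce, message, decision) together."""
    decision = "confirmed" if user_confirms else "rejected"
    payload = {
        "measurement": hashlib.sha256(agent_code).hexdigest(),  # which code ran
        "nonce": request["nonce"],
        "message": request["message"],
        "decision": decision,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(ATTESTATION_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def server_verify(request: dict, attestation: dict, used_nonces: set) -> bool:
    """Server side: process the transaction only if every check passes."""
    payload = attestation["payload"]
    body = json.dumps(payload, sort_keys=True).encode()
    expected = hmac.new(ATTESTATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["tag"]):
        return False  # not produced under the attestation key (forged or tampered)
    if payload["measurement"] != EXPECTED_AGENT_MEASUREMENT:
        return False  # something other than the trusted agent ran in isolation
    if payload["nonce"] != request["nonce"] or payload["nonce"] in used_nonces:
        return False  # attestation belongs to another request or is replayed
    if payload["message"] != request["message"]:
        return False  # the user confirmed a different message than the one sent
    if payload["decision"] != "confirmed":
        return False  # user rejected the transaction
    used_nonces.add(payload["nonce"])
    return True
```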
You can read more about UTP in our paper "Uni-directional Trusted Path: Transaction Confirmation on Just One Device".