Associate Professor
Concordia Institute for Information Systems Engineering (CIISE)
Concordia University, Montreal, Canada
Session Title: Securing user data and open-source binaries against strong adversaries
Abstract:
We have been developing solutions based on trusted computing technologies for data security, considering potentially dangerous but realistic situations. Examples include: protecting user data in rootkit-infected user machines; password confidentiality against password database breaches, compromised servers, rogue administrators, and phishing attacks; physical attacks when the attacker has full control over the target machine and can coerce the machine owner into revealing encryption passwords. We believe such a strong attacker model is in accordance with the current state of affairs, especially considering ubiquitious occurances of data breaches, and adversaries backed by nation-states with high technical capabilities and legal/questionable/illegal powers (e.g., US FISA, clandestine NSA programs, physical/psychological tortures). I will discuss few solutions we proposed in the recent years. Making these solutions open source is a critical part of their verifiability. While being open source is important for auditability, we identify major issues in the current practice of open source software using TrueCrypt as an example case, and highlight the importance of a verifiable build process.
Details of these papers are available here.
Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.
Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.
Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.