cyber-"terrorism"?

Ben Laurie ben at algroup.co.uk
Wed, 18 Sep 2002 13:25:48 +0100


Brian Gladman wrote:
> And I am not persuaded by the arguments that I have heard that I do not need
> a secure boot sequence. I think a small security kernel running on a VM
> machine can improve security significantly when compared with what we have
> now. And to get a security kernel up and running with high assurance I
> believe we need a secure boot sequence and limited code metrics.
> 
> Although both David and Peter are unconvinced that the gains in security
> terms would be significant, I have to disagree with them.  If we can get
> strong process separation and full control of memory and peripheral access
> we don't need anything more from hardware.

I think their point, and I'm inclined to agree, is that of the things 
you say we need to be secure, the least important is the trusted boot - 
and if I have a security kernel running, I need it even less. I'm not 
sure what you mean by "limited code metrics", but clearly the biggest 
source of security problems today is bugs in code, so I imagine that you 
are hoping to address that in some way. I'd like to hear more.

Strong process separation we have already, surely? Not entirely sure 
what you mean by "full control of memory and peripheral access" but if 
it's what I think you mean (i.e. as well as an MMU a way of mediating DMA 
and other access by hardware other than a CPU), then this isn't, as I 
understand it, a TCPA feature in any case (but is a Pd one). I'm not 
sure I believe that controlling memory access from peripherals is an 
adequate defence against hostile hardware in any case.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
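An added illustration of the point under debate above, not part of either correspondent's message: a small Python model of a measured boot sequence in which each stage records a hash of the next before passing control (the TPM-style "extend" operation, new = H(old || measurement)). The boot images, the reference value and the "lying measurer" are constructed for the example. It shows two things at once: an honest chain detects a tampered security kernel, and a chain whose first measuring stage is itself compromised can report whatever digests it likes, which is why the value of the boot measurement rests entirely on the first link being trustworthy.

```python
import hashlib
import hmac

# Constructed stand-ins for the real firmware, bootloader and kernel images.
GOOD_CHAIN = [
    ("firmware", b"firmware v1 (constructed image)"),
    ("bootloader", b"bootloader v1 (constructed image)"),
    ("security_kernel", b"security kernel v1 (constructed image)"),
]
EXPECTED_DIGESTS = {name: hashlib.sha256(img).digest() for name, img in GOOD_CHAIN}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register only ever moves forward, H(old || new)."""
    return sha256(pcr + measurement)


def honest_measurer(name: str, image: bytes) -> bytes:
    """What a correct boot stage does: hash the image it is about to run."""
    return sha256(image)


def lying_measurer(name: str, image: bytes) -> bytes:
    """A compromised first stage: records the digest the verifier expects,
    regardless of what the image actually contains (constructed adversary)."""
    return EXPECTED_DIGESTS[name]


def measured_boot(chain, measurer=honest_measurer) -> bytes:
    """Run the chain, extending one register with each stage's measurement.
    Returns the final register value, which is what gets attested."""
    pcr = bytes(32)  # register starts at all zeros, as a real PCR does
    for name, image in chain:
        pcr = extend(pcr, measurer(name, image))
    return pcr


def reference_value() -> bytes:
    """The 'golden' value a verifier would hold for the known-good chain."""
    return measured_boot(GOOD_CHAIN)


def tampered_chain():
    """Same firmware and bootloader, but a modified security kernel image."""
    return [
        (name, img if name != "security_kernel" else b"security kernel v1 (modified)")
        for name, img in GOOD_CHAIN
    ]


def attest(pcr: bytes, reference: bytes) -> bool:
    """Constant-time comparison of the reported register against the reference."""
    return hmac.compare_digest(pcr, reference)


if __name__ == "__main__":
    ref = reference_value()
    print("good chain, honest measurer :", attest(measured_boot(GOOD_CHAIN), ref))
    print("tampered kernel, honest     :", attest(measured_boot(tampered_chain()), ref))
    print("tampered kernel, lying root :", attest(measured_boot(tampered_chain(), lying_measurer), ref))
```

The third line of output is the caveat: once the stage doing the first measurement is not trustworthy, the register value carries no information about what actually booted, so the measurement chain only adds assurance on top of a root that is already trusted, not in place of one.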