Semantic Remote Attestation

So I am slowly catching up with the TC debate (more to come soon). Last May, Vivek Haldar gave a very interesting presentation at the 3rd USENIX Virtual Machine Research & Technology Symposium. In the related paper, he and his co-authors propose an approach which they call "semantic remote attestation". The high-level idea is to have a remote attestation mechanism that is not based on the identity of a particular software program, but on its behavior. In the end, the goal of remote attestation is (or should) not be to know what particular software program is running on a remote platform, but whether the program behaves in malicious ways or not. In order to separate program behavior attestation from program identity attestation, the authors introduce a trusted virtual machine that can attest various properties of a local software program to a remote challenger without necessarily revealing the identity of the software program.

In general, this proposal seems very interesting from a TC-policy perspective: if semantic remote attestation does not have to transmit the identity of a software program to a remote challenger, but only various properties of its code, this could, as the authors point out on page 5, solve some of the policy problems that have led to proposals such as the owner override and hard-to-verify signatures. However, it seems to me that the proposal suffers from at least two limitations: First, although the authors give some examples of what kind of behavior their trusted virtual machine could analyze, it is an open question whether this mechanism can provide all the different kinds of information a remote challenger needs when he does a remote attestation. More work and explanation is probably needed in this area. Secondly, and more importantly, this proposal only works with applications written in Java and similar languages - as the language-based trusted virtual machine needs the high-level information that is included in Java bytecode.


Add new comment