[trustable-software] I fear we need trustable hardware too...

Andrew Banks andrew at andrewbanks.com
Fri Jan 5 05:51:17 GMT 2018


Morning all

>> we have to think about the elephant underneath... in the hardware.

Agreed... and this is particularly true about the micro-code (or whatever you want to call it) running at the lowest level - often in devices that one may not expect to have processors in!

A

-----Original Message-----
From: trustable-software [mailto:trustable-software-bounces at lists.trustable.io] On Behalf Of Paul Sherwood
Sent: 04 January 2018 11:10
To: trustable-software at lists.trustable.io
Subject: [trustable-software] I fear we need trustable hardware too...

When this discussion list started in 2016 we were already seeing enough news headlines to realise the scale of the elephant in the room for software trustability.

Now it's becoming clear [1] with the discovery of the Meltdown + Spectre [2] vulnerabilities (and Rowhammer), we have to think about the elephant underneath... in the hardware.

My immediate emotional reaction has been to worry that this is just another signal that what we're thinking about is futile. What's the point of trustable software, if we can't trust the hardware?

After reflection and discussions with colleagues, we broadly concluded that discovering a secret tunnel into the basement doesn't reduce the need for us to fix the front door lock.

I need to re-scope and re-think some of my presentations and diagrams to include hardware, and expressly escalating hardware risks for customer projects.

But I'm interested to get others' thoughts on this, in the aftermath...

- are we wasting our time?
- is there any of what we are thinking about that re-applies to hardware?

br
Paul

[1] http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/
[2] https://meltdownattack.com
[3] https://twitter.com/misc0110/status/948706387491786752
