Researchers work to save trusted computing apps from keyloggers Intel's Software Guard Extensions started rolling in Skylake processors in October 2015, but it's got an Achilles heel: insecure I/O like keyboards or USB provide a vector by which sensitive user data could be compromised. A couple of boffins from Austria's Graz University of Technology reckon they've cracked that problem, …
The most telling quote of your entire article:
Instead of the handful of I/O technologies directly protected by SGX – most of which have to do with DRM rather than user security
What, you're saying that this is designed to benefit content providers rather than the user? That "trusted" in this case means the PC can be trusted to deny its user any control?
Gee. I am totally surprised. My world is a lie.
I was reading around seL4 topic a few days ago, by coincidence.
Since when have the words "hypervisor" and "microkernel" been interchangeababble? Some similarities, in the same way as a chair and a table may have similarities.
Not everyone's convinced about seL4 anyway; see e.g.
http://theinvisiblethings.blogspot.co.uk/2010/05/on-formally-verified-microkernels-and.html
And not everyone's convinced about formal proof of non-trivial code either. There's a famous Knuth quote on the subject: who wants to be first (no prizes, it's just for fun)?
Isn't SGX conceptually similar to ARM's TrustZone, except SGX in the real world is necessarily less trustworthy? (Because SGX isn't implemented on an SoC, and TrustZone is).
"Learn about how CPUs are designed these days. And stay out of planes, will you."
Actually I am not and have never been a web designer, but I do have a reasonable idea how industry in general designs+verifies CPU architectures and implementations, now and for the last couple of decades.
I also have a rather closer idea of how one particular 'modern' custom CPU for safety critical use (in planes and elsewhere) has been designed. It's a customer-specific implementation of a customer-specific architecture, with all the snags and none of the benefits of such an approach, not that the regulatory authorities seem to care.
And long before that I remember the RSRE Viper processor fiasco (formally proven, but the proof was wrong).
But carry on attacking the messenger rather than the message, it's the only way to enlightenment.
What these solutions really do is shift trust from one location in a system to another. But almost as important (for the vendor) they invariably add vendor, or typically at a minimum, vendor licensed technology, lockin paths.
While there is no such thing as complete security systems can be made harder and harder to circumvent but at the expense of implementation costs. Whatever the system one has to implicitly trust that every component involved in the process is not compromised, implemented poorly or has design problems. While this level of trust is reasonably achievable for most use cases, the more components there are in a system the more vectors there are for problems.
In the end regardless of these technologies banks will still store passwords in a two-way encryption scheme (meaning that the password can be decrypted and seen) and offshore both the development of its systems and the final use and support of them to the cheapest suppliers using the cheapest staff.
>Apparently Intel are showing a credit-card sized computer at CES this year.
Every year is the year when Intel finally breaks into mobile. Fact of the matter is Intel whole business model depends on being a generation ahead of everyone else in fab technology and paying for the overhead with fat margins per unit. Pretty much the exact opposite model (Apple special beast with vertical integration) to everyone else in mobile now that chips are pretty much fast enough.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
