l4-hurd

Re: Part 2: System Structure


From: Michal Suchanek
Subject: Re: Part 2: System Structure
Date: Fri, 19 May 2006 16:18:52 +0200

On 5/19/06, Bas Wijnen <address@hidden> wrote:
> On Fri, May 19, 2006 at 03:29:57PM +0200, Pierre THIERRY wrote:
> > > >> Currently, I am root on my computer.  There is no way you can let
> > > >> me run a program on a GNU/Linux machine where I am root without
> > > >> allowing me to see the binary.
> > > >Would that be different when you are the owner on the
> > > >constructor-based system? I don't think so.
> > > It will be much more difficult for the machine owner,
> >
> > Why? It has many times been said that only TC could make it really
> > impossible, and never that without it would even be hard. When you
> > install the system, you do whatever you want with it, and nothing forces
> > you to give up the capabilities to any part of the TCB...
>
> System install by default doesn't give these capabilities to the machine
> owner; he would need to hack the install system to do so.  It's not a simple
> matter of "not dropping them", it's a matter of "taking them out of the
> prepared snapshot".  Which is pretty hard compared to what root needs to do
> (nothing) to be able to read/write user data.
>
> > > With the (opaque) constructor based system you can write a loader that
> > > is downloaded by the user, executes in opaque storage, verifies that,
> > > and downloads the actual program into its opaque storage.
> >
> > I'm not sure it is possible if the user is downloading it. How would an
> > external (that is, downloaded) program know that the capability it
> > is given to check opacity is not faked?
>
> We are assuming here that we have a system which allows creating opaque
> storage and a user on it who knows this.  The program can indeed not check it.
> But the user can.  Well, unless the machine owner is lying to him about what
> system is on the machine of course, but the assumption is that he isn't.
>
> So to make it clear: This isn't about remote attestation.  This is about the
It is about running on a certain type of system. The program cannot
verify that the system has not been modified unless there is some sort
of TPM. But since the constructor concept would be central to the
system design (if used), it would be hard to modify it.

Thanks

Michal
