powered by co-ment®
www.CO-MENT.NET IS BEING PHASED OUT!  Head over to www.co-ment.com for the new version of the service.

National Cyber Leap Year Summit 2009:  

Exploring Paths to New Cyber Security Paradigms  

Draft Report of Participants’ Ideas 


August 24, 2009 

New Game: Knowing when we’ve been had. 

This document explores Hardware-Enabled Trust as a path to this new game. 

The following ideas were captured in unedited form at the National Cyber Leap Year Summit. The ideas are a summary of the discussion of the participants in the Hardware-Enabled Trust session.  They do not necessarily represent the opinions of the co-editors or the organizations they represent. The Summit is managed by QinetiQ North America at the request of the NITRD Program, Office of the Assistant Secretary of Defense Networks and Information Integration, and the White House Office of Science and Technology Policy. 

Please provide your comments, if any, by September 3, 2009 for utilization by the Summit’s program co-chairs. To add a comment, select the “Add” tab in the left navigation menu, select (highlight) the portion of the document you are commenting on, and provide your comment.  If commenting on an entire section, you may select the section heading to anchor your comment.

If you have any further questions or comments, please visit the National Cyber Leap Year Web site at the following address: http://www.nitrd.gov/NCLYSummit.aspx, or send email to .

What is the new game? 

One of the hardest things about today’s game is not being aware when we’re losing. Our trusty PC has no way to notify us that it has in fact become an enemy agent or a zombie, secretly exfiltrating our financial secrets to identity thieves, or spamming our neighbors for some botmaster. Since we have no real plan for checking and restoring the integrity of our assets once we start using them, we are forced into the impossible position of having to deploy impregnable systems. In the new game we persistently monitor our assets for changes in trustworthiness by embedding tamper-resistant roots of trust in the architecture. Attacks can be stopped in their tracks if we can isolate and decontaminate their host. 



1 Introduction

There was no attempt to provide comprehensive coverage of all the ideas in the areas of hardware-enabled trust. The list above is a simplified categorization of the product of a brainstorming session. Below is a snapshot of the discussions of Group 5, covering most of the topics discussed during the session. Some of the ideas discussed in this appendix are covered in more detail in the Chairs’ report. 

Seven (7), ten year long-term goals were initially identified from which ideas were identified and put into seven (7) categories. These ideas were subsequently regrouped into six (6) and finally four (4) ideas. The distillation process is discussed following the description of the four (4) final game changing ideas.  

The group developed action plans for the focus areas and in the process revised the focus areas to include: 

A general purpose action plan strategy is: 

Common aspects of action plans: 

2 End to End (e2e) Trust

2.1 Description

2.2 Inertia

2.3 Progress

Other possibilities 

2.4 Action Plan

2.5 Jump-Start Plan

Establish an operational pilot implementing these concepts including infrastructure to enable remote attestation (short term TCG-based; subsequently next generation of trust technologies) 



3 Enable Hardware to Counter Attacks

3.1 Description

3.2 Inertia

3.3 Progress

3.4 Action Plan

Elevate the importance of security in the design of hardware performance and power features. Make security a 1st class citizen in hardware design 

3.5 Jump-Start Plan



4 Enable hardware to counter attacks—Hardware that does not leak hardware defenses for information-leakage attacks (side-channel attacks)

4.1 Description

Example: software cache-base side-channel attacks 

4.2 Inertia

4.3 Progress

Other discussions  

4.4 Action Plan

Short term  

Long Term  

4.5 Jump-Start Plan

5 Enable hardware to counter attacks—Continuous hardware monitoring of normal behavior

5.1 Description

5.2 Inertia

5.3 Progress

5.4 Action Plan

5.5 Jump-Start Plan



6 Resilience

6.1 Description

Commodity hardware still executes critical services even when compromised 

6.2 Inertia


6.3 Progress

6.4 Action Plan


6.5 Jump-Start Plan



7 Trustworthy Storage and Data

7.1 Description

Types of Data 

7.2 Inertia

Why hasn’t this been done? 

What would derail the change? 

7.3 Progress

Technically Feasible 

Environmentally Feasible 

Existing standards work ongoing in this space 

7.4 Action Plan

Joint Academic/Industry project to build and demonstrate a SAN controller to defend against all of these classes of attacks 


Multiple approaches 

7.5 Jump-Start Plan

See 60-90day implementation above 


Game change by the bad guys 

8 History of Idea Development

As noted previously, the group first identified long-term goals and grouped them into seven (7) categories and ultimately focused on four (4) broad, encompassing ideas as outlined in sections 1 through 5.  

8.1 Leap-ahead, Long Term Goals – 10 year

  1. We will build a computer that will not execute malware 

  2. We will be able to make a determination whether to trust a device, a network, or a software package based on dynamically acquired and exchanged standard trust information and user defined trust and security policies 

  3. A user will be able to make an informed decision about purchasing a device or a service based, in part, on independent security scoring. 

  4. Transactions will be dynamically re-routed into an optimal trusted path, independently from their origination in terms of device, network, and application. 

  5. Distributed data objects will be able to protect themselves based on minimum security sets and user defined policies. 

  6. Security will be considered a core feature when architecting hardware. 

  7. New trust models will be introduced that are rooted in hardware instead of enforcing hierarchical interdependencies across the software stack 

8.2 Initial Ideas

Ideas were generated and grouped into categories.  

  1. New trust models enabled by hardware (substituting hierarchical models with hardware-rooted models with fewer inter-dependencies) 

  2. Resilience as a foundation for security features 

  3. Hardware defenses for hardware attacks 

  4. Evaluation and dynamic measurement 

  5. End-to-end trust in a heterogeneous environment, in order to enable end-to-end communications assuring an acceptable level of security in a heterogeneous (diverse networks and devices, from sensors to servers) and distributed (e.g. cloud computing) environment  

  6. Trustworthy storage and data rooted in hardware 

  7. Designing crypto/randomization into core computer hardware in order to support secure execution and secure storage 

8.2.1 Idea Development

  1. New trust models enabled by hardware – what does it mean? List of ideas. 

     2. Resilience as a foundation for security – what can be done? List of ideas. 

     3. Hardware defense for hardware attacks – what can we do? List of ideas. 

     4. Evaluation –having implemented security features, we need a reliable way to evaluate them. List of ideas. 

     5. End-to-end trust in heterogeneous and distributed environments 

     6. Trustworthy storage and data – what can be done? List of ideas. 

     7. Designing crypto/randomization into core computer hardware for secure storage and secure execution – List of Ideas 

8.3 Focus Areas

A set of ideas was selected by the co-chairs for more detailed examination. 

8.4 Game changing Ideas

The group developed detailed plans for the four (4) game changing ideas discussed in sections 1 though 5 and in the process revised the focus areas to include: 


Related Links:









Partner Links