Sun Jan 21 11:26:44 EST 2018
Trusted code, an exercise
I will need to run some applications that are considered critical. An
example is a thermostat.
The separation primitives for these will be host-based: I no longer
trust same-host privilege separation after the Spectre madness, and it
seems that accepting this now and dealing with it at a design level is
the only sane solution. This means:
- Sensor, controller, actuator all run on dedicated hosts (network or
- Communication is packet switched with broadcast option
- Communication is encrypted + authenticated (E+A)
It is assumed the medium is not trusted, but the end-point hardware
is (i.e. key storage is considered safe). Physical access
compromise is considered to be an independent problem.
- Attack surface is untrusted physical network. None of these hosts
will "pull" information from non-trusted internet systems. All
input comes from trusted nodes, e.g. hardware terminals, and is E+A.
- Debug access is through SSH, extending the attack surface to
To do this on a small microcontroller requires a bit of effort. I
cannot point straight at reusable code. So maybe for the time being,
roll my own, then replace it with something better later.
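As an added example (not code from the original entry), here is the packet design the E+A bullet implies, written in Go so that a standard-library AEAD (AES-GCM) can stand in for whatever vetted library ends up on the microcontroller: a clear header carrying sender id and a per-sender sequence number is bound into the authenticated data, the sequence number doubles as the GCM nonce, and the receiver rejects both tampered and replayed packets. The packet layout, the `Sensor`/`Receiver` types and the shared 32-byte key are assumptions made for this example; they are not from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet layout (constructed for this example, not from the original entry):
//   header, 12 bytes, sent in the clear but authenticated as AAD:
//     sender id  uint32 big-endian
//     sequence   uint64 big-endian, strictly increasing per sender
//   body: AES-GCM ciphertext followed by the 16-byte tag
const headerLen = 12

// Sensor is a sending host: it owns the key and a monotonically increasing counter.
type Sensor struct {
	key []byte
	id  uint32
	seq uint64
}

// Receiver is the controller side: it remembers the last accepted sequence
// number per sender so that a captured packet cannot be played back later.
type Receiver struct {
	key     []byte
	lastSeq map[uint32]uint64
}

func NewReceiver(key []byte) *Receiver {
	return &Receiver{key: key, lastSeq: map[uint32]uint64{}}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// header builds the 12-byte header, which is also used verbatim as the GCM nonce.
// A deterministic nonce is only safe because (key, sender, seq) never repeats:
// the sender must persist seq across reboots or the key must be rotated.
func header(sender uint32, seq uint64) []byte {
	h := make([]byte, headerLen)
	binary.BigEndian.PutUint32(h[0:4], sender)
	binary.BigEndian.PutUint64(h[4:12], seq)
	return h
}

// Seal produces header || AES-GCM(plaintext), with the header as AAD.
func Seal(key []byte, sender uint32, seq uint64, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	hdr := header(sender, seq)
	out := make([]byte, headerLen, headerLen+len(plaintext)+aead.Overhead())
	copy(out, hdr)
	return aead.Seal(out, hdr, plaintext, hdr), nil
}

// Send increments the sensor's counter and seals one reading.
func (s *Sensor) Send(reading []byte) ([]byte, error) {
	s.seq++
	return Seal(s.key, s.id, s.seq, reading)
}

// Open verifies and decrypts a packet. Replays are rejected before any
// crypto runs; receiver state is only updated after the tag verifies, so a
// forged header cannot advance the counter.
func (r *Receiver) Open(pkt []byte) (sender uint32, plaintext []byte, err error) {
	if len(pkt) < headerLen {
		return 0, nil, errors.New("short packet")
	}
	hdr := pkt[:headerLen]
	sender = binary.BigEndian.Uint32(hdr[0:4])
	seq := binary.BigEndian.Uint64(hdr[4:12])
	if last, ok := r.lastSeq[sender]; ok && seq <= last {
		return sender, nil, errors.New("replayed or stale sequence number")
	}
	aead, err := newAEAD(r.key)
	if err != nil {
		return 0, nil, err
	}
	plaintext, err = aead.Open(nil, hdr, pkt[headerLen:], hdr)
	if err != nil {
		return sender, nil, errors.New("authentication failed")
	}
	r.lastSeq[sender] = seq
	return sender, plaintext, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	sensor := &Sensor{key: key, id: 7}
	ctrl := NewReceiver(key)

	pkt, _ := sensor.Send([]byte("temp=21.5"))
	id, pt, err := ctrl.Open(pkt)
	fmt.Printf("first delivery: sender=%d reading=%q err=%v\n", id, pt, err)
	_, _, err = ctrl.Open(pkt)
	fmt.Println("replayed packet:", err)
	pkt[len(pkt)-1] ^= 1 // flip one tag bit
	_, _, err = ctrl.Open(pkt)
	fmt.Println("tampered packet:", err)
}
```

Two design points worth keeping in mind when the "roll my own" version gets replaced: with a single group key shared by several sensors and the controller, the tag proves membership, not origin, so any member could impersonate another; per-sender keys (or signatures) are needed if origin matters. And because the replay window here is a strict "greater than last seen" rule, out-of-order delivery on the packet-switched medium is treated as a replay, which is the safe default for a thermostat but may need a small reordering window elsewhere.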