We are engaged on a quest for the desktop holy grail – a system that is trustworthy by design. We have reached our destination – Byzantium (not Bromium) – where you and I will lead units of the Byzantine army under Belisarius, perhaps the most celebrated military strategist of the Byzantine Empire. On our campaign we will learn key lessons about how to build a trustworthy system, though my examples may puzzle you. The final chapter in this journey will be a full description of the Bromium system architecture.
As Byzantine Generals, we will need to agree on a plan of attack in order to achieve our military goals, even though we are geographically separated, and in spite of the fact that our messengers might be unreliable or traitorous, that individual cohorts might be defeated, and in the worst case, that your lieutenants or some of the other generals could be traitors. How can we achieve this? Getting back to reality: We want to make your desktop and applications resilient – by design. By way of a reminder, here are some of the key requirements for a trustworthy system that we’ve discovered on our quest:
- My desktop must be robust to human error
- It must be invulnerable to unknown attacks
- It must protect me when I enter domains of unfathomable trust
- It must protect me even though there are zero-day vulnerabilities in the OS or apps, and even when it has not been patched
- It must enforce the principle of least privilege for data access to ensure security and compliance (for example, consumer use of an enterprise laptop), even when the system has been attacked
- It must behave as expected, at all times. In other words it must be a joy to use, and empower the user via an unchanged rich, local user experience
- It must be simple to deploy and manage, and must not require new management tools or skill sets
The “Byzantine Generals Problem” is well known in computer science and is fundamental to our approach. It formulates the requirements to reach agreement in a distributed system, in the presence of arbitrary failures and attacks. It is as relevant to today’s mobile enterprise devices as it is to a large distributed system like Netflix (which seems to have also learned much from the Trojan War). There are numerous variants of the problem, and to simplify the discussion, let’s first discuss how a single general (you), with a plan, can order your cohorts into battle to maximize your chance of success. The requirements for this simpler problem relate to the need for “Byzantine Fault Tolerance”.
Getting back to reality: Our first problem is how to ensure that a single device (your PC) remains a bastion of trust, no matter how or where you use it. Your challenge as a general is to (a) secure yourself and (b) direct your cohorts to carry out the attack. In a later post I will (c) introduce the requirement that you agree with one or more other generals to co-ordinate your attack with them (i.e. distributed agreement is required). A solution to the Two Generals Problem (video, text) is required for IAM and delivery of SaaS or remoted applications (e.g. RDS) to your PC.
The goal is to ensure that the correct execution of your plan is not vulnerable to Byzantine failures. You and your cohorts here represent a single PC and all of its applications, so we will permit reliable communication, but both you and your cohorts may lie, for different reasons – you to protect your mission, and your cohorts for any reason at all. You, the general, represent the “gold” system (OS, applications) that IT provisions on the desktop device (the SOE). As general you can also securely and privately communicate with the Emperor (centralized IT policy and desktop management).
In the Bromium solution, for (a) we will offer you the services of a friendly Titan, Hyperion (god of light), whose job it is to protect you at all cost, and who has a magic shield that separates light from dark. (Buy one here). Hyperion is trustworthy, and can prove it.
Let’s tackle problem (b): How can you conduct your attack in such a way as to minimize the possibility of failure?
- Like the great Belisarius, you will adopt the Small Force Theory: A small, nimble army has key advantages over a large one.
- You must transform your execution model into one in which inter-dependencies between your units are de-coupled as far as possible: Instruct each cohort where to be, and what to do, but make no cohort’s ability to execute its role in the attack dependent on the fidelity or invincibility of any other.
- Cohorts must be mutually distrustful, and no cohort can independently communicate with any other. All decisions and all communications require you – the general. Both you and your cohorts may lie, so messages cannot be trusted, but Hyperion will faithfully relay all communication between you and your lieutenants.
- When you issue instructions to your lieutenants, you will adopt the “principle of least privilege”: “10th Cohort: Be at the bridge at dawn” and not “My plan is X, I fear Y and Z, I worry that the enemy may counter me at B, so be at the bridge at dawn and look for the 11th Cohort to your right. When you see them come over the hill, attack the city together.”
- You control all resources needed for the battle. A cohort can only obtain resources or supplies with your permission.
- Who can you trust? Yourself, Hyperion, and all other resources the Emperor (Justinian I) provided.
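As an added illustration (this is not Bromium’s code and is not part of the original post), the following Python model enforces the rules in the list above: a trusted mediator (called Hyperion here) owns the only channel between units and the only path to resources, the general hands each cohort just its own order and just the supplies its role needs, and a cohort that has been turned finds that its attempts to probe another cohort or to draw undeclared supplies are refused and recorded. The cohort names, orders, resource labels and the `General`/`Hyperion` classes are all constructed for this example.

```python
"""Toy model of the general-and-cohorts isolation rules from the post.
All names (Hyperion, General, cohort ids, resources) are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

GENERAL = "general"


@dataclass
class Hyperion:
    """Trusted mediator: the only channel between units and the only path to
    resources. It enforces policy and never trusts message contents."""
    grants: Dict[str, FrozenSet[str]]
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)
    inbox: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)

    def request_resource(self, cohort: str, resource: str) -> bool:
        """A cohort obtains a resource only if the general granted it in advance."""
        allowed = resource in self.grants.get(cohort, frozenset())
        self.audit.append((cohort, "resource:" + resource, "", allowed))
        return allowed

    def relay(self, sender: str, recipient: str, message: str) -> bool:
        """Star topology: the general is at one end of every message, so
        cohorts cannot coordinate (or conspire) with each other directly."""
        allowed = GENERAL in (sender, recipient) and sender != recipient
        self.audit.append((sender, "message:" + recipient, message, allowed))
        if allowed:
            self.inbox.setdefault(recipient, []).append((sender, message))
        return allowed

    def denials(self) -> List[Tuple[str, str, str, bool]]:
        """Refused requests: the signal a defender watches for a turned cohort."""
        return [entry for entry in self.audit if not entry[3]]


class General:
    """Holds the whole plan; each cohort is told only its own part of it."""

    def __init__(self, plan: Dict[str, Tuple[str, FrozenSet[str]]]):
        self.plan = plan

    def provision(self) -> Hyperion:
        # Least privilege: each grant is derived from that cohort's role alone.
        return Hyperion(grants={c: needs for c, (_, needs) in self.plan.items()})

    def issue_orders(self, hyperion: Hyperion) -> None:
        # "Be at the bridge at dawn", not the whole plan.
        for cohort, (order, _) in self.plan.items():
            hyperion.relay(GENERAL, cohort, order)


def run_campaign() -> Hyperion:
    plan = {
        "10th": ("Be at the bridge at dawn", frozenset({"rations", "boats"})),
        "11th": ("Hold the hill at dawn", frozenset({"rations"})),
    }
    general = General(plan)
    hyperion = general.provision()
    general.issue_orders(hyperion)

    hyperion.request_resource("10th", "boats")          # within grant: allowed
    # The 11th has been turned: it probes the 10th's plan and over-reaches.
    hyperion.relay("11th", "10th", "Where will you be at dawn?")  # refused
    hyperion.request_resource("11th", "boats")          # not granted: refused
    # A possibly false report still reaches the general, who decides what to believe.
    hyperion.relay("11th", GENERAL, "Hill secured")
    return hyperion


if __name__ == "__main__":
    for entry in run_campaign().audit:
        print("ALLOW" if entry[3] else "DENY ", entry[:3])
```

The point of the model is the topology, not the policy table: because every message and every resource request passes through the mediator, the 10th cohort never learns that it was probed, the 11th cannot draw boats it was never granted, and both refusals appear in the audit trail as the first indication that a unit has been compromised.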
Hyperion is key to your survival and to your success on the field of battle. His shield separates light from dark, protecting you from attacks by the enemy or any of your lieutenants that are traitors. Hyperion is, ultimately, vulnerable, but vastly less so than you are yourself, and if all goes pear-shaped, you still have your trusty sword.
We’ve covered a lot of ground together on our quest. Thank you for your company. My next post will describe real technology, putting the Byzantine Generals and Hyperion to work to deliver a desktop that is trustworthy by design.