Table of Contents

Introduction xv

Chapter 1 Why Trust? 1

Analysing Our Trust Statements 4

What Is Trust? 5

What Is Agency? 8

Trust and Security 10

Trust as a Way for Humans to Manage Risk 13

Risk, Trust, and Computing 15

Defining Trust in Systems 15

Defining Correctness in System Behaviour 17

Chapter 2 Humans and Trust 19

The Role of Monitoring and Reporting in Creating Trust 21

Game Theory 24

The Prisoner’s Dilemma 24

Reputation and Generalised Trust 27

Institutional Trust 28

Theories of Institutional Trust 29

Who Is Actually Being Trusted? 31

Trust Based on Authority 33

Trusting Individuals 37

Trusting Ourselves 37

Trusting Others 41

Trust, But Verify 43

Attacks from Within 43

The Dangers of Anthropomorphism 45

Identifying the Real Trustee 47

Chapter 3 Trust Operations and Alternatives 53

Trust Actors, Operations, and Components 53

Reputation, Transitive Trust, and Distributed Trust 59

Agency and Intentionality 62

Alternatives to Trust 65

Legal Contracts 65

Enforcement 66

Verification 67

Assurance and Accountability 67

Trust of Non-Human or Non-Adult Actors 68

Expressions of Trust 69

Relating Trust and Security 75

Misplaced Trust 75

Chapter 4 Defining Trust in Computing 79

A Survey of Trust Definitions in Computer Systems 79

Other Definitions of Trust within Computing 84

Applying Socio-Philosophical Definitions of Trust to Systems 86

Mathematics and Trust 87

Mathematics and Cryptography 87

Mathematics and Formal Verification 89

Chapter 5 The Importance of Systems 93

System Design 93

The Network Stack 94

Linux Layers 96

Virtualisation and Containers: Cloud Stacks 97

Other Axes of System Design 99

“Trusted” Systems 99

Trust Within the Network Stack 101

Trust in Linux Layers 102

Trust in Cloud Stacks 103

Hardware Root of Trust 106

Cryptographic Hash Functions 110

Measured Boot and Trusted Boot 112

Certificate Authorities 114

Internet Certificate Authorities 115

Local Certificate Authorities 116

Root Certificates as Trust Pivots 119

The Temptations of “Zero Trust” 122

The Importance of Systems 125

Isolation 125

Contexts 127

Worked Example: Purchasing Whisky 128

Actors, Organisations, and Systems 129

Stepping Through the Transaction 130

Attacks and Vulnerabilities 134

Trust Relationships and Agency 136

Agency 136

Trust Relationships 137

The Importance of Being Explicit 145

Explicit Actions 145

Explicit Actors 149

Chapter 6 Blockchain and Trust 151

Bitcoin and Other Blockchains 151

Permissioned Blockchains 152

Trust without Blockchains 153

Blockchain Promoting Trust 154

Permissionless Blockchains and Cryptocurrencies 156

Chapter 7 The Importance of Time 161

Decay of Trust 161

Decay of Trust and Lifecycle 163

Software Lifecycle 168

Trust Anchors, Trust Pivots, and the Supply Chain 169

Types of Trust Anchors 170

Monitoring and Time 171

Attestation 173

The Problem of Measurement 174

The Problem of Run Time 176

Trusted Computing Base 177

Component Choice and Trust 178

Reputation Systems and Trust 181

Chapter 8 Systems and Trust 185

System Components 185

Explicit Behaviour 188

Defining Explicit Trust 189

Dangers of Automated Trust Relationships 192

Time and Systems 194

Defining System Boundaries 198

Trust and a Complex System 199

Isolation and Virtualisation 202

The Stack and Time 205

Beyond Virtual Machines 205

Hardware-Based

Type 3 Isolation 207

Chapter 9 Open Source and Trust 211

Distributed Trust 211

How Open Source Relates to Trust 214

Community and Projects 215

Projects and the Personal 217

Open Source Process 219

Trusting the Project 220

Trusting the Software 222

Contents xiii

xiv Contents

Supply Chain and Products 226

Open Source and Security 229

Chapter 10 Trust, the Cloud, and the Edge 233

Deployment Model Differences 235

What Host Systems Offer 237

What Tenants Need 237

Mutually Adversarial Computing 240

Mitigations and Their Efficacy 243

Commercial Mitigations 243

Architectural Mitigations 244

Technical Mitigations 246

Chapter 11 Hardware, Trust, and Confidential Computing 247

Properties of Hardware and Trust 248

Isolation 248

Roots of Trust 249

Physical Compromise 253

Confidential Computing 256

TEE TCBs in detail 261

Trust Relationships and TEEs 266

How Execution Can Go Wrong—and Mitigations 269

Minimum Numbers of Trustees 276

Explicit Trust Models for TEE Deployments 278

Chapter 12 Trust Domains 281

The Composition of Trust Domains 284

Trust Domains in a Bank 284

Trust Domains in a Distributed Architecture 288

Trust Domain Primitives and Boundaries 292

Trust Domain Primitives 292

Trust Domains and Policy 293

Other Trust Domain Primitives 296

Boundaries 297

Centralisation of Control and Policies 298

Chapter 13 A World of Explicit Trust 301

Tools for Trust 301

The Role of the Architect 303

Architecting the System 304

The Architect and the Trustee 305

Coda 307

References 309

Index 321

About the Author

MIKE BURSELL is CEO and co-founder of Profian, a Confidential Computing company. He holds multiple security patents, is a sought-after speaker at global technology conferences, and has contributed to major reports and security specifications for the European Telecommunications Standards Institute.