Raising the efficacy of a Trusted Platform Module security device

The Trusted Computing Group has set out to make interactions between computing devices more secure: but how effective is the technology it promotes? In this article, Andrew Lee-Thorp discusses the technology's potential limitations.

In an increasingly networked world, computing devices need to communicate quickly and safely with each other. But how does one machine or application know it is safe to communicate with another, especially if it has not interacted with that machine or application before?

That is the challenge that some of the biggest companies in the technology business -- Microsoft, Intel Corp., Hewlett-Packard Co. and Oracle Corp. to name a few -- are taking on via the Trusted Computing Group (TCG). TCG is a not-for-profit organisation formed to develop, define and promote open, vendor-neutral industry standards for trusted computing building blocks and software interfaces across multiple platforms.

The TCG's Trusted Platform Module aims to provide a method of secure attestation that allows a computing device to check, before connecting to a new piece of hardware or software, that the other party is in a known-good state and free of malware. The platform has the potential to mitigate many of the problems that beleaguer systems architects today, such as rootkits and Trojans.

However, a new article, based on Andrew Lee-Thorp's information security MSc thesis, challenges some of the technology advanced by the TCG, and sets out to show where and how it could be ineffective in guaranteeing security, and where it might not be.

The article explains how the Trusted Platform Module security device (TPM) works, as well as various scenarios in which it could work effectively. But it also goes on to demonstrate the limitations that such an approach could encounter when trying to manage the fine detail of large systems.
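The attestation idea behind the two paragraphs above, and the scaling problem the thesis points at, can be illustrated with a small simulation. This is an added example, not code from the article or from the TCG specifications: it models the TPM's Platform Configuration Register (PCR) extend operation (each boot component is hashed into a running digest, so the final register value depends on every component and on their order), checks that value against a set of known-good digests, and then shows how that set grows with every permitted combination of component versions. The component names and versions are constructed sample data; SHA-256 is used for illustration and the register is assumed to start at all zeros.

```python
import hashlib
from itertools import product

PCR_SIZE = 32  # bytes; matches the SHA-256 digest used here (illustrative, not a real bank)


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """Extend a PCR with one component: new = H(old || H(component)).

    Because the old value is folded in, the result depends on the whole
    history of measurements, not only on the last one.
    """
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components) -> bytes:
    """Replay a boot chain into a single PCR, starting from an all-zero register."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def known_good_set(versions_per_component) -> set:
    """Every permitted combination of component versions yields its own digest.

    A verifier that wants to accept any of them must store them all, which is
    the bookkeeping problem that grows quickly on large, heterogeneous estates.
    """
    return {measure_boot(chain) for chain in product(*versions_per_component)}


def attest(components, known_good: set) -> bool:
    """Accept the platform only if its replayed PCR value is on the whitelist."""
    return measure_boot(components) in known_good


# Constructed sample boot chain (hypothetical names and versions).
GOLDEN_CHAIN = [b"firmware 1.0", b"bootloader 2.3", b"kernel 5.10", b"initrd 2024-01"]
GOLDEN_PCR = measure_boot(GOLDEN_CHAIN)

# Constructed example of the same chain with a modified kernel image.
TAMPERED_CHAIN = [b"firmware 1.0", b"bootloader 2.3", b"kernel 5.10 (modified)", b"initrd 2024-01"]

# Constructed example of the same components loaded in a different order.
REORDERED_CHAIN = [b"bootloader 2.3", b"firmware 1.0", b"kernel 5.10", b"initrd 2024-01"]

# Constructed inventory: two firmware builds, three kernels, one initrd.
ALLOWED_VERSIONS = [
    [b"firmware 1.0", b"firmware 1.1"],
    [b"bootloader 2.3"],
    [b"kernel 5.10", b"kernel 5.15", b"kernel 6.1"],
    [b"initrd 2024-01"],
]


if __name__ == "__main__":
    whitelist = {GOLDEN_PCR}
    print("golden chain accepted:   ", attest(GOLDEN_CHAIN, whitelist))
    print("tampered chain accepted: ", attest(TAMPERED_CHAIN, whitelist))
    print("reordered chain accepted:", attest(REORDERED_CHAIN, whitelist))
    print("known-good digests for the inventory:", len(known_good_set(ALLOWED_VERSIONS)))
```

The replayed digest changes if any single component or the load order changes, which is what makes the register useful for detecting an altered boot path. The last line shows the flip side: with two firmware builds and three kernels the verifier already needs six known-good values, and each additional version of each component multiplies that count, so maintaining the whitelist for a large fleet becomes a management problem in its own right.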

The author also gives suggestions on how the industry standards could be developed to overcome these limitations.

About the author:
Andrew Lee-Thorp started his career as a researcher and student in Oceanography before switching to his other main interest -- computer science. His first introduction to security was the EMV ICC specification (Chip & PIN) which he implemented on the MULTOS smart card platform. His principal interests are in operating system and application security as well as penetration testing and UNIX security.

The article is based on a thesis written in the Information Security Group at Royal Holloway University of London. It is one of nine that SearchSecurity.co.UK is publishing exclusively in 2010 as part of its close collaboration with RHUL, which is in its third year.
