So for the next talk on the Chaos West stage we go into the fast track, into the shorter talks, and nevertheless this will be an interesting insight into something that has a lot of implications for transparency in systems, and that's why the talk is called System Transparency. It will be held by Kai, and Kai is a guy from Bochum, and I give you the stage.

Hey. So, 2020 is only a few days away, and while we do not have flying cars or sex robots, we do live in a dystopian nightmare. A dystopian nightmare where our computing is more and more controlled by unaccountable Silicon Valley companies. There's no turning back: the centralization of computing and data will only continue into the cloud, because this makes things cheaper and also allows us to do things we couldn't do before.

30 years ago, we were faced with a similar threat: proprietary software stifled competition and prevented the extension of software. The result was the free software movement, which had openness and freedom as its core tenets. Today we recognize that open and free software is the superior software development model. Ironically, free software won't help us this time, because free software is one of the reasons why these cloud companies' business model works so well. What we need to do instead is to take one of the core ideas of free software, transparency for the user, and reimagine that for the world of PaaS and SaaS.

So I'm Kai, and I'm a hacker from Bochum, and today I want to tell you about the System Transparency project. And of course, nothing I will tell you here is just my idea; I'm merely here to tell you about it, and the System Transparency project mostly grew out of the open source firmware community you can find here right behind the stage.

So System Transparency has the goal of making the software running on a remote server that processes third-party data inspectable by that particular third party. To do that, we propose seven concepts. The first one being that we need some kind of provisioning ritual, because these servers are hard to get a handle on, right? So we have this intransparent cloud, and what we need to do is give every one of these servers a unique platform identity, so we can decompose this cloud into individual servers, which then allows us to make specific statements about a specific server.

Second, we need to make sure that the firmware, the first and most privileged code that's executed on the machine, is known to us and can't be changed by an attacker. To do that, we need to have some kind of integrity protection for the firmware running on the machine. Oh, sorry. Third, because we still have physical attackers, we need to make sure that the machine is somehow tamper resistant, or at least tamper evident, so we can see when attackers at least try to change the firmware and thus try to attack the system.

Then we need some kind of platform attestation, meaning that before I connect to a machine, I want to make sure that the software it runs and the identity it has are known to me before I send it my data, right? Otherwise I have the problem that my data may be handled by software I have no idea about and maybe is abused. And because all of this platform attestation, and also the protection, particularly the protection of the firmware, is done on the binaries, but we can only inspect the source code, we need to establish some strong link between the source code we were able to inspect and the binary that's actually handled by these platform attestation mechanisms. Reproducible builds do exactly that, right? Because I can recompile the source code I have inspected and I will get the same binary that's running on the machine.

Then we need to limit the system access, because even if we have integrity-protected firmware and we know everything that has been executed as part of boot, we can still have a malicious administrator logging into the system and changing things in ways we can't control. So we need to limit the system access; we need to have some kind of immutable infrastructure. And lastly, we need a transparency log for all the software running on a particular server, so we can monitor not only the current but also the past actions of platform owners, so we can audit them. This is somewhat like the certificate transparency mechanisms we have with PKI.

So System Transparency is not just a bunch of concepts. It's actually a working implementation. For that we use the Supermicro X11SSH-TF, which is a mid-range server board from Supermicro. It has up to four cores, 64 gigabytes of RAM, two 10 gigabit NICs and PCI Express. You can get these boards for less than a thousand euros on the market, and these can be used to do everything I will tell you now.

So in order to have some kind of unique platform identity, we use a chip that's already soldered onto this mainboard called a TPM. The TPM contains a unique certificate and a private key for that certificate; that's inside this extra chip and can never leave it. We can use that as our unique platform identity, and it also allows us to record what's booted, what's executed as part of the boot chain. So the TPM has a special feature where it records the cryptographic checksum of all the code that's executed as part of the boot process. We can then later read that out and verify that, okay, it booted exactly what we expected, including the operating system.

Our X11 runs open source firmware, so we have a stack of coreboot and LinuxBoot: coreboot doing the early initialization of the hardware and then later executing LinuxBoot, which boots into the operating system. We use a system bootloader based on LinuxBoot called ST boot to do all the boot process, especially fetching a new operating system from the network, verifying it and then booting into it. And because we use coreboot, and coreboot can be built reproducibly, we can use that as the secure initial state we boot from. Everybody, not only the platform owner, can fetch the source code, the coreboot source code we run on the machine, compile it and verify that this is the bit-exact copy of what has been recorded by the TPM as part of the boot process. So we can make sure that this is exactly what a platform owner is supposed to run on a machine.

Yeah, as I said, we have a special bootloader called ST boot that does all the booting after the initial hardware setup. We do a boot over HTTPS, we then do a signature verification and some other stuff, and then boot into the operating system. We can boot pretty much any open source operating system, so not only our firmware but also our operating system can be built reproducibly. In this case we build the kernel, the initial RAM disk and the complete operating system into one blob that is always the bit-exact copy of what everybody else has compiled. We then sign that; the platform owner signs the hash of this blob. We can also configure ST boot in a way that we require more than one signature. So for example, if the platform owner has five administrators, ST boot can be configured in a way that at least three of them have to sign the image before it's then booted.

Well, that's all nice. The core idea of System Transparency is that everybody else, right, users, can verify what's running on the system, and to do that we also require the platform owner to request a new X.509 certificate for every operating system image he wants to deploy on a server fleet. This certificate will contain the hash of the operating system image as part of the common name, and because the CA that issues the certificate is working with the certificate transparency log, we then have the hash of the operating system image inside the append-only certificate transparency log that's run by Cloudflare. And now we have an open, append-only and public certificate transparency log of all the current and past operating system images that have been deployed on a particular system, and because ST boot, before it boots, checks that the certificate transparency log contains such a certificate, you can make sure that everything that boots on a particular server has been verified by us.

So in a nutshell, System Transparency partitions the intransparent cloud of servers into a set of individual servers that have, sorry, unique platform identities, which allows us to make specific statements about a specific server, right, because we are still connecting to specific servers. System Transparency also makes all the code running on a particular server visible to the users, which means that we force bad actors to lie about very specific things. So for example, if we have a VPN provider and they tell you, well, we don't keep any logs, in order to verify that you first have to figure out, okay, what does keeping logs mean? With System Transparency, you can just get their operating system image, get the source code and inspect the source code and decide whether you consider their implementation of a VPN privacy respecting, and then compile that and verify that you get the bit-exact copy of what has been inserted into the certificate transparency log, and then you can verify that, okay, the thing I'm connecting to now doesn't have any kind of vectors.

Now a malicious VPN provider has to lie about a very specific thing, which is: this particular server with this particular unique ID runs this particular operating system image with this particular hash, right? And the more concrete these lies have to become, the easier it is to catch them.

Also, System Transparency provides a public log of everything that has been done, also in the past, by the operating system provider. This means that we can audit any provider more thoroughly than what we could do before, right, because we can check, okay, what happened before we used this machine. This also means that every platform owner, every provider, has to commit publicly and irrevocably to every operating system image before it is deployed on the machine, which means we as a concerned user can monitor the certificate transparency log, watch for new operating system images and then verify them, and when we decide, okay, there are some changes we don't like, we can either stop using their service or alert the public.

And lastly, System Transparency works with open source firmware, bootloaders and operating systems, and this is important because this is the mechanism that actually allows us to inspect the source code, and somewhat closes the power gap between platform providers and platform users.

So what's the future in this dystopian nightmare of 2020? We hope to grow this ST boot and System Transparency project into a more mature open source project, which means hopefully that the ST boot bootloader is maintained, we have better documentation, we have more features. Also, we want to support more hardware. So currently we only support everything that coreboot and ST boot support, which isn't that much. So we want to grow, especially in the x86 market, to support more servers that are actually used in practice. Speaking of practice, we actually want to have a first transparent server running in production by the end of next year, to prove to the public that this idea can actually work, with real VPN providers for example. Also, currently we're piggybacking on the certificate transparency effort. We want to change that and develop our own certificate transparency log. For example this certificate, sorry, this software transparency log can then include for example the source code of the thing we want to verify instead of just a pointer. And lastly, currently we depend on the TPM, which most of the time runs proprietary software. We want to change that and figure out, okay, how we can use open trust anchors, for example the OpenTitan project or something based on RISC-V or something else.

And lastly, we of course want to invite you to join our effort. So in case you are interested in open source firmware and the ST boot and System Transparency project, you may want to check us out. We are just right behind the corner at the open source firmware assembly. We are always happy to help you with any hardware you have there, especially if it's about System Transparency. And so if you have a question now, you can either ask me or go to our website where we have all the documentation ready, and if you want to just talk to us in person, you can go to the open source firmware assembly and catch us there. Thank you.

Thank you Kai for a very concise talk. So we have a bit of time for questions. You can hop to the microphones, or we can see if there are internet questions. No internet questions? Are there on-site questions? Come on. Anyway, if you feel like... oh, we have a question from the internet.

Yeah, the internet thanks you for the talk and wants to know: what about mobile phones? Now we can unlock the bootloader, but...

Sorry, sorry, I don't understand it. Can you repeat it?

Now we can unlock the bootloader, but not re-lock it again.

Sorry, I... yeah, should have read that earlier. Give me a second. Okay, okay. Maybe in the meantime you are queuing up. Okay. Yes.

Thank you for the great talk, a very interesting project. I've got one question: can you make sure you learn about any admin interaction with the cloud server in the end? Because that's one major concern I would have if I run it on a provider's hardware, right?

So first you can inspect your OS image, right? And when you see, okay, there's an OpenSSH server running, you know that the system isn't strictly secure, right, because everybody can log in and change everything. What we imagine is that either you forbid any SSH access whatsoever, which makes debugging a bit complicated; then for every change you want to do on the server you have to deploy a new OS image, right? This makes things very transparent, but also very annoying. What we can imagine is that instead of dropping into bash, for example, you could have a restricted shell that drops into some script that does allow you some things like restart a server, get some log output or whatever. This of course only includes what the machine itself can do, right? If you're running in a hypervisor, you maybe have other ways to look into the system. This is the classic problem you have with trusted computing: you need to control everything, or you need to say, okay, my hypervisor or my hardware running on it is secure, right? This is an end problem we can't really solve.

Can I have a follow-up question?

Yes, a concise question.

Yes, sure. From what you said I could imagine that there is a big company-side interest, specifically from large infrastructure companies from Europe. Is that the case?

We try to convince some of them, but I mean, if you go to Google or Amazon and tell them, hey, I have this great idea about System Transparency, it's hard to get in there, right? But yes, we know of some companies that do something similar, right? So the ideas we have here, these seven concepts, existed somewhere else too, right? And these specific concepts were introduced to us by the Mullvad VPN provider; they had this idea initially to somehow differentiate themselves from the other VPN providers.

Okay, signal angel, could you repeat your internet question?

Okay, the question's gone.

Is there another question from the microphone? No? Okay, I think that lands us perfectly at the end of the talk, and as Kai said, you can visit them at their assembly and you can connect with them in any way. And yeah, I'm looking forward to next year, and yeah, a round of applause for him. Thank you.
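The two pre-boot checks the talk attributes to ST boot (the image hash must appear in a certificate in the transparency log, and a quorum of administrators, e.g. three of five, must have signed the image), written out as an added Go example; this is not the project's code. It assumes the log is handed over as the certificate common names it holds, that a CN has the form "stimage-<sha256hex>" (the talk only says the hash is in the common name), that the image hash is SHA-256 and that signatures are ed25519; all function and type names are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Signer is one administrator's public key and, when that administrator signed, the signature over the image hash.
type Signer struct {
	Pub ed25519.PublicKey
	Sig []byte // nil when this administrator did not sign
}

// ImageHash is the hex SHA-256 of the whole OS image blob (kernel, initrd and root fs built as one file).
func ImageHash(image []byte) string {
	h := sha256.Sum256(image)
	return hex.EncodeToString(h[:])
}

// LogContainsImage models the pre-boot log check: the log is given as the certificate common
// names it holds, and the image passes only if one CN carries its exact hash.
// The CN layout "stimage-<sha256hex>" is an assumption of this example, not the project's format.
func LogContainsImage(logCNs []string, image []byte) bool {
	want := "stimage-" + ImageHash(image)
	for _, cn := range logCNs {
		if cn == want {
			return true
		}
	}
	return false
}

// QuorumOK requires at least threshold valid ed25519 signatures over the image hash
// from distinct administrator keys; a key that signs twice still counts once.
func QuorumOK(signers []Signer, image []byte, threshold int) bool {
	msg, seen := []byte(ImageHash(image)), map[string]bool{}
	for _, s := range signers {
		if s.Sig != nil && ed25519.Verify(s.Pub, msg, s.Sig) {
			seen[string(s.Pub)] = true
		}
	}
	return len(seen) >= threshold
}

// BootAllowed is the combined decision the talk describes ST boot making before it boots an image.
func BootAllowed(logCNs []string, signers []Signer, image []byte, threshold int) bool {
	return LogContainsImage(logCNs, image) && QuorumOK(signers, image, threshold)
}
```

A wrong image hash in the log, too few signatures, a signature over a different hash, or the same key signing twice all leave the boot refused; only the combination of a logged hash and a real quorum lets it through.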