[seL4] Re: Inquiry to Verified Components

Say we have two actors: (1) the device, aka prover, installed with sel4 and our attestation service, and (2) the device owner, aka, the verifier. Verifier decides what applications can run on the prover. For example, there are two applications: app1 and app2. Once configured, the verifier deploys the prover at a remote location. Now when the verifier wants to connect to app1 to request a service, it sends an attestation request to our attestation process to check the status of app1, i.e., whether app1 is running and in good condition. As a response to the request, the verifier gets a signature indicating that app1 is alive and healthy, and also an encryption key that the verifier can use to further communicate with app1. Similarly, the same goes for app2. We imagine attestation to be implemented like this: signature_app1 = ECDSA{signing_key, nonce, SHA2(binary_of_app1) || SHA2(encryption_key_of_app1)}, where signing_key is the secret key of the attestation process. On Wed, Jan 25, 2023 at 2:05 PM Zenaan Harkness wrote:

On 1/26/23, Sashidhar Jakkamsetti wrote:

...

To briefly introduce what we are working on: We aim to build a remote attestation service for the processes running atop seL4, and for that, we are planning to spawn a separate (formally-verified) process that handles attestation. This attestation process needs to be high-assurance for obvious reasons because it contains a secret key that is used for implementing digital signatures. For more details on this, please refer to one of our old papers: https://urldefense.com/v3/__https://arxiv.org/pdf/1703.02688.pdf__;!!CzAuKJ4... , which discusses a basic version of attestation (but without formal guarantees though).

Please briefly describe the use case for this implementation.

Thank you, Zenaan

-- Sashidhar Jakkamsetti University of California Irvine, Ph.D. https://sites.uci.edu/sashidharjakkamsetti/