Introspection engine

Andrew ‘bunnie’ Huang, Edward Snowden

Our work proposes to monitor radio activity using a measurement tool contained in a phone-mounted battery case. We call this tool an introspection engine. The introspection engine has the capability to alert a reporter of a dangerous situation in real-time.


Our introspection engine is designed with the following goals in mind:

1. Completely open source and user-inspectable (“You don’t have to trust us”)

2. Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)

3. Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)

4. Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)

5. Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” – state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)

6. As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)

7. Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)

8. Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)

from Against the Law: Countering Lawful Abuses of Digital Surveillance
