It's the easiest way to fix these flaws: have a fundamentally separate SoC with a small attack surface in a purely management role, which is responsible for confirming the main CPU's behavior is in line with expectations. Like ME, but external and auditable.
Replying to @hedgeberg @JaceCear
How would this work? If it has to monitor everything the main CPU does, it has to be as powerful as the main CPU. If it doesn't, then you could make the main CPU do evil things that it wouldn't catch.
It wouldn’t be too different from monitoring software currently used. The goal is detection of malicious activity, so if you can do classification and identification fast enough you don’t need to replicate the CPU.
I mean, we all know antivirus doesn't work. Reactive technologies are great and all, but how would you fundamentally distinguish malicious behavior from normal operation besides known signatures?
I am similarly lost as to the how, but I’m given the impression that it is already employed in some high security environments. I was once told in avionics systems the working assumption is an attacker is already inside, and may have rooted one of the computers onboard.
Replying to @siriusfox @marcan42 and
The implication being multiple systems would filter each other’s data, identify strange behavior, and restart each other as required. I don’t think it’s easy or efficient, but like most attacks we gauge risk and accessibility to the surface when we craft countermeasures.
I think you're mixing together redundant voting systems and security. Having things like 3 identical systems doing the same thing and cross checking each other is common in avionics, but that's for reliability. If you're an attacker you just compromise all 3 at once.
The context as it was presented to me at the time was that the systems were not redundant, they just didn’t trust the other computing subsystems sitting on a common platform. I don’t know the how unfortunately.
That's just general security hygiene then, no? You want to prevent lateral movement, so you don't trust any external system to give you valid data.
Yea. What surprised me at the time was the systems don’t have any external network. It felt like buying a handful of new computers, installing your software, and then assuming you were still bugged without routine external exposure.
Tell that to the Iranian centrifuges. There's always some idiot around to screw things up with a flash drive. Somehow. Airgaps are great until a human completely destroys them.
Of course. It makes sense that in a high value target those assumptions fall apart, but it was personally disorienting from a consumer perspective.