The Nexus is a new operating system for trustworthy computing. The primary capability it offers is to provide assurance about the future behavior of applications. Unlike traditional operating systems, the Nexus can issue trustworthy, verifiable, unforgeable certificates that attest that an application will or will not take a certain action in the future. This novel ability can serve as the basis for a new kind of system security.
For instance, the Nexus can provide assurance that a particular data item can only be viewed under a set of user-prescribed circumstances (e.g. "between the hours of 9 to 5, by a designee of the data owner"). It can ensure that a picture, though cropped and modified to adjust for color-balance, has not been altered to change its contents. It can guarantee that a body of text will be used in accordance with a use policy. It can provide credentials about how data was generated (e.g. "this email message was typed on the keyboard and is therefore not spam"). It can securely execute user-provided functions against a secret database without revealing the contents of that database (e.g. "this network is guaranteed to have k redundant failover links, even though we will not reveal the actual network topology").
The technical foundations backing these enhanced capabilities are two-fold:
- Hardware Root Of Trust. The Nexus uses Trusted Platform Modules to attest to machine-checkable facts in a secure, unforgeable fashion. A small TCB for the kernel limits the size of the code base that applications need to trust.
- Logical Attestation. The Nexus uses a technique, based on embedded logic statements, that reveals only an abstract, high-level fact without divulging any other information. Unlike past work on trusted computing, the Nexus does not reveal binary hashes of user applications unless so desired, and therefore avoids platform lockdown.
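To make the contrast between hash-based and logical attestation concrete, here is an added illustration that is not Nexus code: a labeler inspects a program and signs only the abstract fact "this process has property no-network", and a guard enforces an owner policy stated in terms of that fact. The labeler key, the program manifests and the no-network property are constructed for the example, and an HMAC over the statement stands in for a TPM-backed signature.

```python
import hmac
import hashlib
import json

# Constructed sample programs: two builds of a viewer with the same property
# (no network access in their manifest) and one program that does use the network.
PROGRAMS = {
    "viewer-1.0": {"code": b"viewer build 1", "manifest": {"network": False}},
    "viewer-1.1": {"code": b"viewer build 2", "manifest": {"network": False}},
    "uploader":   {"code": b"uploader build", "manifest": {"network": True}},
}

LABELER_KEY = b"constructed-labeler-key"  # stand-in for a key protected by the TPM

def hash_attestation(name):
    """Traditional attestation: the attested value is the binary hash itself."""
    return hashlib.sha256(PROGRAMS[name]["code"]).hexdigest()

# A hash-based verifier must enumerate every acceptable build in advance;
# a rebuild (viewer-1.1) is not recognised even though it has the same property.
KNOWN_GOOD_HASHES = {hash_attestation("viewer-1.0")}

def hash_policy_accepts(name):
    return hash_attestation(name) in KNOWN_GOOD_HASHES

def logical_attestation(name, pid):
    """Labeler checks the program and signs the statement
    'labeler says process <pid> has no-network'. The statement carries neither
    the program's name nor its hash, only the abstract fact."""
    if PROGRAMS[name]["manifest"]["network"]:
        return None  # labeler refuses to vouch for the property
    stmt = {"speaker": "labeler", "subject": "pid:%d" % pid, "property": "no-network"}
    body = json.dumps(stmt, sort_keys=True).encode()
    sig = hmac.new(LABELER_KEY, body, hashlib.sha256).hexdigest()
    return {"stmt": stmt, "sig": sig}

def guard_accepts(cert):
    """Owner policy: the data may be viewed by any process that the labeler
    says has no-network. The guard checks the signature, then the fact."""
    if cert is None:
        return False
    body = json.dumps(cert["stmt"], sort_keys=True).encode()
    expected = hmac.new(LABELER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False  # forged or altered statement
    s = cert["stmt"]
    return s["speaker"] == "labeler" and s["property"] == "no-network"
```

With logical attestation the rebuilt viewer is accepted and the uploader is refused, while the certificate the guard sees contains no binary hash to pin.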