How do you keep a secret about your personal life in an age where your daughter’s glasses record and share everything she senses, your wallet records and shares your financial transactions, and your set-top box records and shares your family’s energy consumption?
Your personal data has become a prime asset for many companies around the Internet, but can you avoid — or even detect — abusive usage? Today, there is a wide consensus that individuals should have increased control on how their personal data is collected, managed and shared. Yet there is no appropriate technical solution to implement such personal data services: centralized solutions sacrifice security for innovative applications, while decentralized solutions sacrifice innovative applications for security.
In this paper, we argue that the advent of secure hardware in all personal IT devices, at the edges of the Internet, could trigger a sea change.
We propose the vision of trusted cells: personal data servers running on secure smart phones, set-top boxes, secure portable tokens or smart cards to form a global, decentralized data platform that provides security yet enables innovative applications. We motivate our approach, describe the trusted cells architecture and define a range of challenges for future research.
A trusted cell implements a client-side reference monitor  on top of secure hardware. At a minimum, the hardware must guarantee a clear separation between secure and non-secure software. We abstract a Trusted Cell as a Trusted Execution Environment, a tamper-resistant memory where cryptographic secrets are stored, (3) an optional and potentially untrusted mass storage and (4) communication facilities. Physically, a trusted cell can either be a stand-alone hardware device (e.g., a smart token) or be embedded in an existing device (e.g., a smartphone based on ARM’s TrustZone architecture).
The very high security provided by trusted cells comes from a combination of factors: (1) the obligation to physically be in contact with the device to attack it, (2) the tamper-resistance of (part of) its processing and storage units making hardware and side-channel attacks highly difficult, (3) the certification of the hardware and software attacks (e.g., Trojan) also highly difficult, (4) the capacity to be auto-administered, contrary to high-end multi-user servers, avoiding insider (i.e., DBA) attacks, and (5) the impossibility even for the trusted cell owner to directly access the data stored locally or spy the local computing (she must authenticate and only gets data according to her privileges.
This trusted cell vision is based on the premise of ubiquitous and open secure hardware. Trusted cells enforce access and usage control at the edges of the Internet, and thus constitute a sea change with respect to personal data management. This vision undoubtedly opens a set of exciting challenges that must be explored by the database community.
To read this external content in full, download the complete paper from the online open research archives at the IT University of Copenhagen.