Keynote: Endpoint Security Diet: Gourmet Crypto is neither Sufficient nor Necessary!

Ahmad-Reza Sadeghi

Cryptographic research has developed a number of exotic privacy protecting ingredients and recipes such as Fully/Semi/Pseudo Homomorphic Encryption (FHE), Private Information Retrieval (PIR), Oblivious RAM (ORAM), and Secure Multi Party Computation (SMP) to name some. However, most of these recipes, although subject to substantial improvements, are still impractical (heavy to digest) and unsuitable for large scale real world deployment (too spicy for general taste), and more importantly, they are ineffective against malware that compromise the endpoint appliances. Indeed, very recently some Chefs from the Crypto Cooking Academy expressed their concern about the relevance of some of these schemes in practice, calling out for a community-wide effort to develop more effective crypto ingredients, although the actual problem was known to security experts for a long time.

In this talk we will focus on the endpoint (device) security, which we believe is vital for building privacy protecting systems for users. We are continuously witnessing malware attacks to various devices by various attackers including government organizations. Typically malware attacks do not aim at breaking the underlying crypto schemes but rather aim at bypassing them. We will first discuss the (necessary) ingredients for the endpoint security diet, and give a brief overview of some of the recent research results and technologies that aim to protect endpoints (runtime exploit mitigation, trusted hardware, etc.). Then we discuss the effectiveness of these technologies in practice and whether we need the gourmet crypto in this diet.