Introducing System Transparency
Introducing System Transparency - a novel design approach for computer systems intended to offer deterrence, prevention, and detection of attacks by combining a provisioning ritual, write-protected firmware, tamper detection, reproducible builds, remote attestation, immutable infrastructure, and a signed and auditable append-only log. Used correctly, it will prevent malware persistence, provide an extensive and trustworthy audit trail, and eventually self-heal after compromise. Within certain limitations, it can be used to prove to the owner, system administrator, user, or a third party exactly what is currently running on the system, and what it has been permitted to run in the past.
It facilitates trust in the hardware and initial state of the system through the provisioning ritual and tamper detection switches, which together with a TPM and firmware write-protection establish the root of trust and prevent malware persistence.
The use of reproducible builds in combination with immutable infrastructure deters and prevents malicious modification during the build stage as well as during runtime. The use of remote attestation of the boot chain in combination with a transparency log provides assurances of the current system configuration, as well as an audit trail of previous configurations.
A platform using System Transparency that is compromised due to an unpatched application can simply reboot, load an updated system image, and attest its new, patched, and uncompromised boot chain to its system administrator or users.
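A simplified model of the verifier's side of the attestation and transparency-log check described above, added here as an example and not System Transparency's own code. It assumes the TPM's signature over the quoted PCR value has already been verified and uses a plain hash chain in place of a real log; all names and sample digests are constructed for illustration.

```python
import hashlib
import hmac

ZERO = bytes(32)  # PCRs and the empty log both start from all zeroes

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM-style extend: a PCR can only be folded forward, never set directly.
    return sha256(pcr + digest)

def replay(event_log: list) -> bytes:
    # Recompute the PCR value the TPM would hold after measuring each stage.
    pcr = ZERO
    for digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def log_head(entries: list) -> bytes:
    # Assumption: the append-only log is modelled as a hash chain of image digests.
    head = ZERO
    for entry in entries:
        head = sha256(head + entry)
    return head

def verify(quoted_pcr, event_log, log_entries, pinned_head, pinned_size) -> str:
    # 1. The claimed boot chain must reproduce the PCR value the TPM quoted.
    if not hmac.compare_digest(replay(event_log), quoted_pcr):
        return "event log does not match quoted PCR"
    # 2. The log must still extend the head the verifier pinned earlier.
    if len(log_entries) < pinned_size or \
            log_head(log_entries[:pinned_size]) != pinned_head:
        return "log history was rewritten"
    # 3. The last measured stage (the OS image) must be a logged image.
    if event_log[-1] not in log_entries:
        return "running image was never logged"
    return "ok"

# Constructed sample data: two permitted images, the second one a patched build.
FIRMWARE, LOADER = sha256(b"firmware-v1"), sha256(b"bootloader-v1")
IMAGE_V1, IMAGE_V2 = sha256(b"os-image-v1"), sha256(b"os-image-v2-patched")
LOG = [IMAGE_V1, IMAGE_V2]
PINNED_HEAD, PINNED_SIZE = log_head([IMAGE_V1]), 1  # seen by the verifier earlier

if __name__ == "__main__":
    boot = [FIRMWARE, LOADER, IMAGE_V2]  # state after rebooting into the patch
    print(verify(replay(boot), boot, LOG, PINNED_HEAD, PINNED_SIZE))
```

The three checks map to the three assurances in the text: the current configuration is what was measured, the audit trail has not been rewritten, and the running image is one that was publicly permitted.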