SYSSEC: July 2008 Archives


July 21, 2008

Gizmodo covers the fully buzzword-compliant CherryPal PC. The general idea is that it's a lightweight home device that relies on "cloud computing" for its backend computational operations. Some surprising security claims are also being made. Here's what's on Gizmodo (in what looks like a press release):
CherryPal is the only company that provides a patent-pending combination of both hardware and software encryption, making it highly secure. The CherryPal also offers a patent-pending single software layer technology. This collapses the operating system and browser into one layer, where there had traditionally been three separate layers. It makes the computer exponentially faster and virtually eliminates any risk of bugs or viruses for the user.

There appear to be two claims here. First, they are using "a combination of both hardware and software encryption", which makes things really secure. Now, it's true that there are settings in which hardware encryption is more secure than software encryption, but it's hard to see why they apply here. The major advantage of hardware encryption is that you can build hardware which makes the keying material inaccessible even if you have control of the device. So, for instance, if your device is remotely compromised the attacker wouldn't be able to steal the keys. As I said, there are situations where this is important, but it's not clear that this is one; if your machine is remotely compromised, you're probably going to want to completely wipe it, and it's not really that hard to replace the crypto keys as well. Moreover, it's not clear from this material that they even are using hardware-based key isolation.

The second claim is this thing about the "patent-pending single software layer". I'm not sure what this means either. I usually think of the operating system and browser as two layers, so I'm not sure what the third layer is. It sounds like the claim is that the browser is running directly on the metal, which isn't impossible, but it's pretty unclear what the advantage is. One of the major features of modern systems is precisely that they separate the OS from the applications; this allows the OS to enforce policies on the application, as well as to contain compromise of the application (though of course you still have to worry about privilege escalation attacks). I'm not aware of any security theory that indicates that it's more secure to have only one software component. While we're on the topic, since this sort of monolithic design is the way that systems used to work, it's not clear what's patentable here. (A little searching didn't turn up the patents, but if someone points me to them, I'll take a look.)

Oh, this is good too:

CherryPal is also the first company since Apple Computers to use a Power Architecture-based processor in a personal computer by employing the Freescale MPC5121e mobileGT processor. This chip allows for built-in graphics and audio processing, all while consuming only 400 MHz of power.

400 MHz isn't really that usual a unit of power. Am I supposed to multiply by Planck's constant here?