Joanna Rutkowska recently gave a keynote address at Black Hat Europe 2017. The slides from the presentation, Security through Distrusting, are avaialble here:

There are different approaches to making (computer) systems (reasonably) secure and trustworthy:

At one extreme, we would like to ensure everything (software, hardware, infrastructure) is trusted. This means the code has no bugs or backdoors, patches are always available and deployed, admins always competent and trustworthy, and the infrastructure always reliable…

On the other end of the spectrum, however, we would like to distrust (nearly) all components and actors, and have no single almighty element in the system.

In my opinion, the industry has been way too much focused on this first approach, which I see as overly naive and non-scalable to more complex systems.

In this talk, based on my prior work as both offensive researcher in the past, as well as an engineer and architect on the defense side in the recent years, I will attempt to convince the audience that moving somehow towards the “security through distrusting” principle might be a good idea. Equally important though, the talk will discuss the trade-offs that this move requires and where can we find the sweet spot between the two approaches.