Event Archive – Cybersecurity

Trust – and with it, related notions like trustworthiness – has a long history in philosophy, business, and other settings.  In systems thinking, it has at various times been in favour as a counterpart of security.  Meanwhile, we see increasingly many systems based on ‘AI’: and calls for that AI to be trustworthy.  Applying ill-defined criteria to an ill-defined class of systems does not appear to be a constructive pastime.   We propose a hierarchy of kinds of trustworthiness.  The high-level concerns of traceability, fairness, ethics, responsibility, explainability, and so on must be supported by a layer of what has come to be known as ‘trusted execution’ – in order to anchor a computation or service in the code and data which delivers it.  That layer in turn needs a foundational layer to provide a body of evidence on the provenance of the data and models in use: this foundation can be provided by an ‘AI bill of materials’ derived from the SBOM concept.  This talk reports work in progress.

Memory safety has been a concern for a long time in software implementation. The lack of memory safety has led to the majority of vulnerabilities in both Operating Systems and Applications. For example, the Chromium project has pointed out that 70% of critical vulnerabilities are related to memory safety. In recent years, CHERI has been promoted as a promising solution to address the memory safety problem at the hardware level. CHERI aims at providing fine-grained memory management at the hardware level which is adaptable to potentially unsafe memory programming languages such as C/C++. According to a recent study by Microsoft, CHERI enables us to mitigate at least two-thirds of all memory safety vulnerabilities. In this talk, we look at a quick introduction to CHERI and its under-the-hood protection principles.

We all know what we SHOULD have ready, and what to do.  But reality will include untested plans, egos and the pressures to get a business up and running. This will give a first-hand account of a Ransomware attack and the, many, lessons learned.