HCI target rationale - betrusted-io/betrusted-wiki GitHub Wiki

THIS PAGE IS SUPERSEDED BY THE OFFICIAL GITHUB PAGES PAGE
Initial target list

  • How do we implement multi-lingual IMEs and unicode font rendering? In other words, how do we accommodate the linguistic diversity of a global userbase?
  • How do we implement the secure rendering of bitmap images? In other words, what's the trade-off between a sufficiently simple image format with a small attack surface and a sufficiently rich image format for interoperability?
  • How do we implement a secure chat? In other words, how do we get Signal to fit inside a secure enclave?
  • How do we implement peer-to-peer secure voice calls and/or audio snippets in chat?

Principles and assumptions

The core requirement that drives the HCI target rationale is the facilitation of secure communication between individuals in their native tongues. An English-only ASCII interface, while simple, would impair the adoption of betrusted.io in a significant fraction of its intended use cases.

A Signal-style chat client as of early 2019 serves as an exemplar of what would be nice to achieve. Asynchronous voice messages, or possibly fully synchronous voice calling, help accommodate languages that lack a usable IME as well as individuals who are illiterate.

Bitmap images are included as a "nice to have" feature that can most likely be added without introducing significant additional attack surface. However, the camera that takes the original image is likely in an unsecured domain, so until a camera can be included within the enclave's footprint, image sharing cannot be hermetically secure.
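To make the "small attack surface" side of the image-format trade-off concrete, the following is an added illustration, not code from betrusted.io or this wiki. It defines a deliberately minimal 1-bit-per-pixel bitmap container (the "BW1" magic, the 7-byte fixed header, the 1024-pixel dimension cap and the function names are all assumptions made for the example) and a decoder that validates every field before touching the pixel data: no variable-length chunks, no internal offsets, no compression, and an exact-length check so trailing bytes are rejected rather than silently ignored. A decoder this small is straightforward to audit, which is the property the paragraph above is weighing against interoperability with richer formats.

```rust
// Added example: a minimal 1-bpp bitmap format with a strictly validating
// decoder. Format, limits and names are assumptions for this illustration only.

/// Assumed container magic; three fixed bytes, nothing else to negotiate.
const MAGIC: &[u8; 3] = b"BW1";
/// Assumed cap on either dimension, so a hostile header can never make the
/// decoder allocate more than a small, fixed amount of memory.
const MAX_DIM: u16 = 1024;
/// magic (3) + width u16 LE (2) + height u16 LE (2)
const HEADER_LEN: usize = 7;

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    TooShort,
    BadMagic,
    ZeroDimension,
    TooLarge,
    LengthMismatch { expected: usize, actual: usize },
}

#[derive(Debug, PartialEq, Eq)]
pub struct Bitmap {
    pub width: u16,
    pub height: u16,
    /// stride * height bytes, row-major, MSB first, 1 = black.
    rows: Vec<u8>,
}

impl Bitmap {
    /// Bytes per row: width bits rounded up to whole bytes.
    fn stride(width: u16) -> usize {
        (width as usize + 7) / 8
    }

    /// Bounds-checked pixel read; out-of-range coordinates yield None.
    pub fn pixel(&self, x: u16, y: u16) -> Option<bool> {
        if x >= self.width || y >= self.height {
            return None;
        }
        let idx = y as usize * Self::stride(self.width) + (x as usize) / 8;
        let bit = 7 - (x % 8) as u32;
        Some((self.rows[idx] >> bit) & 1 == 1)
    }
}

pub fn decode(data: &[u8]) -> Result<Bitmap, DecodeError> {
    if data.len() < HEADER_LEN {
        return Err(DecodeError::TooShort);
    }
    if data[..3] != MAGIC[..] {
        return Err(DecodeError::BadMagic);
    }
    let width = u16::from_le_bytes([data[3], data[4]]);
    let height = u16::from_le_bytes([data[5], data[6]]);
    if width == 0 || height == 0 {
        return Err(DecodeError::ZeroDimension);
    }
    if width > MAX_DIM || height > MAX_DIM {
        return Err(DecodeError::TooLarge);
    }
    // Both dimensions are bounded, so this cannot overflow; checked_mul keeps
    // the intent explicit rather than relying on the bound.
    let expected = Bitmap::stride(width)
        .checked_mul(height as usize)
        .ok_or(DecodeError::TooLarge)?;
    let actual = data.len() - HEADER_LEN;
    // Exact length only: surplus bytes are an error, not a place to hide data.
    if actual != expected {
        return Err(DecodeError::LengthMismatch { expected, actual });
    }
    Ok(Bitmap { width, height, rows: data[HEADER_LEN..].to_vec() })
}

/// Encoder used to construct inputs; writes the same layout `decode` expects.
pub fn encode(width: u16, height: u16, rows: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(HEADER_LEN + rows.len());
    out.extend_from_slice(MAGIC);
    out.extend_from_slice(&width.to_le_bytes());
    out.extend_from_slice(&height.to_le_bytes());
    out.extend_from_slice(rows);
    out
}

fn main() {
    // Constructed 10x2 image: top row all black, bottom row alternating.
    let img = encode(10, 2, &[0xFF, 0xC0, 0xAA, 0x80]);
    let bmp = decode(&img).expect("valid image");
    println!("{}x{} pixel(1,1)={:?}", bmp.width, bmp.height, bmp.pixel(1, 1));
    // A header claiming a huge image is rejected before any allocation.
    println!("{:?}", decode(&encode(0xFFFF, 0xFFFF, &[])));
}
```

The design choice worth noting is that every rejection happens on the fixed-size header or on a single length comparison; the only arithmetic is one bounded multiply, and pixel access is bounds-checked at the API boundary rather than trusting the caller. A format like PNG or JPEG needs orders of magnitude more code in exactly the places (variable-length chunks, compressors, colour tables) where decoder bugs have historically lived, which is the cost side of the interoperability trade-off.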

Video formats are initially ruled out due to the complexity of the codecs, as well as the sheer computational and memory demands of implementing streaming video; the enclave would end up more a video processor than an enclave! Furthermore, the basic secure I/O device is imagined to have just a black and white screen with a keyboard, and the value of video on a black and white screen is questionable. This does not rule out video ever becoming a feature of the system, but at least for the FPGA dev board and the initial SoC implementation, video support is resolutely out of scope.