Trustworthy Distributed Systems through Integrity-Reporting Jun Ho Huh and Andrew Martin Oxford University Computing Laboratory Parks Road, Oxford, OX1 3QD, UK {jun.huh, andrew.martin}@kellogg.ox.ac.uk Abstract With the growing influence of e-Science, substantial quantities of re- search are being facilitated, recorded, and reported by means of distributed com- puting. As a result, the scope for malicious intervention continues to grow, and so do the rewards available to those able to steal the models and data that have signif- icant commercial value. Researchers are often reluctant to exploit the full benefits of distributed computing because they fear the compromise of their sensitive data or the uncertainty of the returned results. In this chapter, we propose two types of trustworthy distributed systems – one suitable for a computational system and the other for a distributed data system. Central to these systems is the novel idea of configuration resolver, which, in both designs, is responsible for filtering trust- worthy hosts and ensuring that jobs are dispatched to those considered trustwor- thy. Furthermore, the blind analysis server enables statistical analyses to be per- formed on sensitive raw data – collected from multiple sites – without disclosing it to anyone. Keywords: trusted computing, trustworthy distributed systems, configuration veri- fication server, blind data analysis, trustworthy grid 1 Introduction In recent years, distributed systems have enjoyed a huge burst of popularity, most chiefly in the commodity computing model described as ‘Cloud Computing’. The term applies to a broad range of systems architectures, often categorized under the headings of Software/Platform/Infrastructure as a Service – and perhaps also sub- sumes one of its progenitors ‘Grid computing’. A clear driver for such adoption is the benefit of using shared resources: load can be balanced across large numbers of hosts, peaks easily accommodated, and massive initiatives run as background tasks on systems which would otherwise be idle. To these is now added a ‘green’ agenda – that by taking advantage of econo-