Attison coined the term low‑tru (pronounced “low‑true”) to capture two intertwined ideas:
Problem: In 2019, a fleet of Level‑3 AVs experienced intermittent sensor fusion errors due to a vendor’s proprietary camera driver that occasionally produced malformed frames, leading to false obstacle detection.
Low‑tru Patched Solution (Attison et al., 2020):
| Principle | Description | Example |
|-----------|-------------|---------|
| Assume Compromise | Design interfaces that degrade gracefully when a component fails integrity checks. | A vehicle’s perception stack falls back to lidar‑only mode if camera feed is deemed untrusted. |
| Minimal Trusted Base | Keep the trusted computing base (TCB) as small as possible to reduce attack surface. | Use a tiny, formally verified kernel for secure boot and patch orchestration. |
| Verification‑Driven Patching | Patches are derived from proofs that the replacement satisfies required invariants. | A formally verified controller replacement for a drone’s flight controller after detecting GPS spoofing. |
| Continuous Monitoring | Employ runtime verification, statistical anomaly detection, and hardware attestation. | Periodic TPM attestation of firmware hashes on edge nodes. |
| Human‑in‑the‑Loop Transparency | Provide operators with understandable explanations of patches and their impact. | Dashboard visualizing DPG nodes, confidence levels, and expected latency changes. |
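
The "Assume Compromise" row, sketched as an added example that is not from the original page or from the work it describes: every camera frame is integrity-checked, any failure forces lidar-only mode, and fusion resumes only after a run of trusted frames. The frame layout, the function names and the three-frame recovery threshold are assumptions made for illustration.

```python
import struct
import zlib

# Hypothetical frame layout (assumed for this example, not a real driver format):
# magic "FRM1" | width u16 | height u16 | payload_len u32 | crc32 u32 | payload
HEADER = struct.Struct(">4sHHII")
MAGIC = b"FRM1"

def make_frame(width, height, payload):
    """Build a well-formed frame (used only to construct sample input)."""
    return HEADER.pack(MAGIC, width, height, len(payload), zlib.crc32(payload)) + payload

def frame_is_trusted(frame, expected_dims=(4, 2)):
    """True only if every structural and integrity check passes (1 byte per pixel)."""
    if len(frame) < HEADER.size:
        return False
    magic, width, height, length, crc = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    return (
        magic == MAGIC
        and (width, height) == expected_dims
        and length == width * height == len(payload)
        and zlib.crc32(payload) == crc
    )

def perception_modes(frames, recover_after=3):
    """Mode after each frame: any untrusted frame forces lidar-only; fusion
    resumes only after `recover_after` consecutive trusted frames."""
    mode, streak, out = "fusion", 0, []
    for frame in frames:
        if frame_is_trusted(frame):
            streak += 1
            if streak >= recover_after:
                mode = "fusion"
        else:
            mode, streak = "lidar_only", 0
        out.append(mode)
    return out

# Constructed sample stream: good frames, one truncated frame, one bit-flipped frame.
GOOD = make_frame(4, 2, bytes(range(8)))
SAMPLE = [GOOD, GOOD[:-3], GOOD, GOOD, GOOD[:-1] + b"\xff", GOOD, GOOD, GOOD]

if __name__ == "__main__":
    print(perception_modes(SAMPLE))
```

The recovery threshold keeps a single good frame after a fault from re-enabling fusion, so an intermittently malformed feed stays excluded until it has been clean for a sustained run.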
Problem: A hospital’s network of wearable heart monitors exhibited a zero‑day exploit that allowed remote data exfiltration.
Low‑tru Patched Approach (Attison, 2022):
Outcome: No patient data was leaked, and the hospital maintained compliance with HIPAA’s “minimum necessary” principle.