Scalable Security Architecture for Trusted Software


Champagne, D.


PhD Thesis, Electrical Engineering Department, Princeton University, Princeton, NJ, p.231 (2010)


Security-critical tasks executing on general-purpose computers require protection against software and hardware attacks to achieve their security objectives. Security services providing this protection can be offered by mechanisms rooted in processor hardware, since its storage and computing elements are typically outside the reach of attackers. This thesis presents the Bastion architecture, a hardware-software security architecture for providing protection scalable to a large number of security-critical tasks. Protection is enabled by three sets of new mechanisms: for protecting a trusted hypervisor, for fine-grained protection of modules in application or operating system space, and for securing the input and output of Bastion-protected software modules. This thesis also presents an implementation and evaluation of Bastion, and explores alternatives for one of its core security functions: memory authentication.

The hypervisor, a layer of software dedicated to the virtualization of machine resources, is increasingly being involved in security solutions. We use it in Bastion as a manager of security-critical tasks. While past solutions protect the hypervisor from runtime software attacks, Bastion also protects the hypervisor from physical attacks, protects it from offline attacks, and provides it with a secure launch mechanism. Within this protected Bastion hypervisor, we design a second set of mechanisms that provide separate execution compartments for each security-critical task running in the virtual machines hosted by the hypervisor. These compartments are protected against both hardware attacks and software attacks originating from a potentially compromised operating system. To enable security-critical tasks to communicate with the outside world, we provide a third set of mechanisms for secure input and output to and from Bastion-protected compartments.

We implement and evaluate a Bastion prototype by modifying the source code of the OpenSPARC processor and hypervisor systems. Additionally, we survey the design space of alternatives to the Bastion memory authentication mechanism, which is central to protecting critical software execution in Bastion. These contributions can improve security in the digital world by informing the design of the next generation of general-purpose computing platforms.
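The memory authentication function the abstract calls central to Bastion, shown in its generic integrity-tree form as an added Python example; this is not code from the thesis or the OpenSPARC prototype, and Bastion's own mechanism and the surveyed alternatives differ in detail. The eight-block memory, the block contents and the assumption that only the root register is tamper-proof are constructed for illustration.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class IntegrityTree:
    """Binary hash tree over fixed-size memory blocks (constructed example).
    Only self.root is assumed to live in tamper-proof on-chip storage; the
    blocks in self.memory and the tree nodes in self.nodes sit in untrusted
    off-chip memory that a physical attacker can modify or replay."""

    def __init__(self, memory):
        n = len(memory)
        assert n and n & (n - 1) == 0, "block count must be a power of two"
        self.memory = list(memory)
        self.nodes = [b""] * (2 * n)          # nodes[1] = root, leaves at n..2n-1
        for i, blk in enumerate(memory):
            self.nodes[n + i] = h(blk)
        for i in range(n - 1, 0, -1):
            self.nodes[i] = h(self.nodes[2 * i] + self.nodes[2 * i + 1])
        self.root = self.nodes[1]             # trusted on-chip copy

    def verified_read(self, idx):
        """Return block idx after re-deriving the root from its hash path.
        Raises ValueError if the block or any node on the path was altered."""
        n = len(self.memory)
        blk, node, acc = self.memory[idx], n + idx, h(self.memory[idx])
        while node > 1:
            sib = self.nodes[node ^ 1]        # sibling read from untrusted memory
            acc = h(acc + sib) if node % 2 == 0 else h(sib + acc)
            node //= 2
        if acc != self.root:
            raise ValueError(f"memory authentication failed for block {idx}")
        return blk

    def verified_write(self, idx, data):
        """Authenticate the old path first, then write and refresh hashes up to the root."""
        self.verified_read(idx)               # also authenticates the siblings reused below
        node = len(self.memory) + idx
        self.memory[idx] = data
        self.nodes[node] = h(data)
        while node > 1:
            node //= 2
            self.nodes[node] = h(self.nodes[2 * node] + self.nodes[2 * node + 1])
        self.root = self.nodes[1]
```

A read that bypasses the tree, a stale block replayed after a legitimate write, or a corrupted interior node all fail authentication, because the root they would need to match is the only value the attacker cannot reach.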

Thesis_Champagne_2010.pdf (2.92 MB)