Securing the Use of Sensitive Data on Remote Devices Using a Hardware-Software Architecture


Dwoskin, J.S.


PhD Thesis, Electrical Engineering Department, Princeton University, Princeton, NJ, p.294 (2010)



Many corporations, private organizations, and government agencies maintain sensitive data that must be accessed remotely by their employees using portable devices. The organizations have a responsibility to secure the data to ensure that it does not get used inappropriately or get disseminated beyond these trusted users. We have designed a computer architecture for these devices, combining new hardware and software, that allows trust to be placed in the devices even when they are not under the organization's physical control. We have designed, implemented, and tested the Authority-mode Secret-Protection Architecture, which places roots of trust in hardware in the processor chip. It provides new hardware mechanisms based on these roots of trust to protect the execution of trusted software and to provide that software with master secrets. The software uses the master secrets to secure the sensitive data and to communicate securely over the network. The user interacts with this software, which enforces security policies while giving access to data. The organization designates a central authority that will manage the software on the devices, set security policies, communicate with the devices, and control access to data. Our new hardware mechanisms bind together the device's on-chip roots of trust with the authority's data and trusted software, such that the authority can be assured that the security policies will always be enforced. To show how our design can be adapted to other platforms, we provide a modi ed architecture for embedded devices. We additionally demonstrate how the full archi- tecture can be integrated with trustworthy system software in a mandatory access control system. Finally, we have built a testing framework that can help designers validate new security architectures like ours. The framework allows new architectures to be mod- eled in a virtualization environment, where a separate testing system has complete controllability and observability over hardware and software. It is used to test the e ects of various security attacks and to assist in the development of trusted software for the new architecture. We use the framework to test the prototype hardware and software of our architecture.