Bastion Security Architecture

Architecture and Application

Bastion is a hardware-software security architecture for protecting a trusted hypervisor, which then provides fine-grained protection of trusted software modules in application or operating system space. Unlike SP which supports one trusted domain at a time, Bastion scales to provide support for multiple mutually-distrustful security domains. Bastion also provides a memory integrity tree for runtime memory authentication and protection from memory replay attacks. New mechanisms for tailored attestation and secure storage per trust domain are provided, which can be used to secure the input and output of these Bastion-protected modules. While past solutions protect the hypervisor from runtime software attacks, Bastion also protects the hypervisor from physical attacks and offline attacks, and provides it with a secure launch mechanism. This protected Bastion hypervisor provides mechanisms for separate execution compartments for each security-critical task running in the virtual machines hosted by the hypervisor. These compartments are protected against both hardware attacks and software attacks originating from a potentially compromised operating system. We implement and evaluate a Bastion prototype by modifying the source code of the OpenSPARC processor and hypervisor systems.

  1. Champagne, D., Lee, R.B., "Scalable Architectural Support for Trusted Software", The 16th IEEE International Symposium on High-Performance Computer Architecture (HPCA), Bangalore, India, Jan 9-14 2010.[slides]
  2. Champagne, D., "Scalable Security Architecture for Trusted Software", PhD Thesis, Electrical Engineering Department, Princeton, NJ, Princeton University, pp. 231, 2010