Source:
PhD Thesis, Electrical Engineering Department, Princeton University, Princeton, NJ, p.294 (2010)
URL:
https://docs.google.com/viewer?url=http%3A%2F%2Fpalms.ee.princeton.edu%2FPALMSopen%2Fdissertations%2FDwoskinThesis-20100429-v2.0-doublespace.pdf
Abstract:
Many corporations, private organizations, and government agencies maintain sensitive
data that must be accessed remotely by their employees using portable devices. The
organizations have a responsibility to secure the data to ensure that it does not
get used inappropriately or get disseminated beyond these trusted users. We have
designed a computer architecture for these devices, combining new hardware and
software, that allows trust to be placed in the devices even when they are not under
the organization's physical control.
We have designed, implemented, and tested the Authority-mode Secret-Protection
Architecture, which places roots of trust in hardware in the processor chip. It provides
new hardware mechanisms based on these roots of trust to protect the execution of
trusted software and to provide that software with master secrets. The software uses
the master secrets to secure the sensitive data and to communicate securely over the
network. The user interacts with this software, which enforces security policies while
giving access to data.
The organization designates a central authority that will manage the software on
the devices, set security policies, communicate with the devices, and control access
to data. Our new hardware mechanisms bind together the device's on-chip roots of
trust with the authority's data and trusted software, such that the authority can be
assured that the security policies will always be enforced.
To show how our design can be adapted to other platforms, we provide a modified
architecture for embedded devices. We additionally demonstrate how the full
architecture can be integrated with trustworthy system software in a mandatory access
control system.
Finally, we have built a testing framework that can help designers validate new
security architectures like ours. The framework allows new architectures to be
modeled in a virtualization environment, where a separate testing system has complete
controllability and observability over hardware and software. It is used to test the
effects of various security attacks and to assist in the development of trusted software
for the new architecture. We use the framework to test the prototype hardware and
software of our architecture.