Architecture and Application

Bastion is a hardware-software security architecture for protecting a trusted hypervisor, which then provides fine-grained protection of trusted software modules in application or operating system space. Unlike SP which supports one trusted domain at a time, Bastion scales to provide support for multiple mutually-distrustful security domains. Bastion also provides a memory integrity tree for runtime memory authentication and protection from memory replay attacks. New mechanisms for tailored attestation and secure storage per trust domain are provided, which can be used to secure the input and output of these Bastion-protected modules. While past solutions protect the hypervisor from runtime software attacks, Bastion also protects the hypervisor from physical attacks and offline attacks, and provides it with a secure launch mechanism. This protected Bastion hypervisor provides mechanisms for separate execution compartments for each security-critical task running in the virtual machines hosted by the hypervisor. These compartments are protected against both hardware attacks and software attacks originating from a potentially compromised operating system. We implement and evaluate a Bastion prototype by modifying the source code of the OpenSPARC processor and hypervisor systems.

1. Champagne, D., Lee, R.B., "Scalable Architectural Support for Trusted Software", The 16th IEEE International Symposium on High-Performance Computer Architecture (HPCA), Bangalore, India, Jan 9-14 2010.
2. Champagne, D., "Scalable Security Architecture for Trusted Software", PhD Thesis, Electrical Engineering Department, Princeton, NJ, Princeton University, pp. 231, 2010

Architecture and Application

The Secret-Protection (SP) architecture provides applications with direct hardware protection of a trusted software module (TSM), which does not depend on whether the underlying Operating System has been compromised by attackers or not. This enables arbitrary security policies to be implemented by software in a TSM at the application level, and protected by SP hardware features in the microprocessor. SP provides a minimal set of hardware trust anchors and security mechanisms to provide a secure execution encironment and secure storage for a security-critical task implemented as a TSM. SP has been found useful in different scenarios including a user storing his sensitive information in the Cloud [1], an authority trusting its SP-enabled devices in the field [2], implementing arbitrary information sharing policies at the application level [3], for devices such as non-copyable disks [4], for improving key establishment in mobile ad-hoc networks [5], and for improving accountability in hosted virtual networks [6]. We are also scaling the SP architecture to support mutiple simultaneously trusted software modules from mutually-distrustful security domains (see Bastion architecture below).

1. Ruby B. Lee, Peter C. S. Kwan, John Patrick McGregor, Jeffrey Dwoskin, and Zhenghong Wang, “Architecture for Protecting Critical Secrets in Microprocessors,” Proceedings of the 32nd International Symposium on Computer Architecture (ISCA 2005), pp. 2-13, June 2005.
2. Jeffrey S Dwoskin, Ruby B. Lee, "Hardware-rooted Trust for Secure Key Management and Transient Trust", ACM Conference on Computer and Communications Security (CCS) 2007, Alexandria, VA, pp. 389-400, October 2007.
3. Yu-Yuan Chen and Ruby B. Lee, “Hardware-Assisted Application-Level Access Control”, accepted as full paper at Information Security Conference (ISC 2009), Pisa Italy, September 7-9, 2009.
4. M. S. Wang and R. B. Lee, “Architecture for a Non-Copyable Disk (NCdisk) Using a Secret-Protection (SP) SoC Solution”, Proc. Asilomar Conference, Nov 2007.
5. J. Dwoskin, D. Xu, J. Huang, M Chiang, R. Lee, "Secure Key Management Architecture Against Sensor-node Fabrication Attacks", Proc. IEEE GLOBECOM, Nov 2007.
6. Keller, E., Lee, R.B., Rexford, J., "Accountability in Hosted Virtual Networks", VISA 2009, ACM Sigcomm workshop, Barcelona, Spain, August 17.
7. Jeffrey S. Dwoskin " Securing the Use of Sensitive Data on Remote Devices Using a Hardware-Software Architecture", Ph.D. Thesis, Princeton University. June 2010.

Implementation

• Jeff Dwoskin, Ruby Lee, SP Processor Architecture Reference Manual, Princeton University Department of Electrical Engineering Technical Report CE-L2007-009, 11/21/2007.
• Yu-Yuan Chen and Ruby B. Lee, “Hardware Implementation of SP module with PAX cryptoprocessor”, Princeton University Department of Electrical Engineering Technical Report CE-L2008-006, April 2008.

Testing

• Jeffrey Dwoskin, Mahadevan Gomathisankaran and Ruby B. Lee, “A Framework for Testing Hardware-Software Security Architectures”, in submission.