Bastion is a hardware-software security architecture for protecting a trusted hypervisor, which in turn provides fine-grained protection of trusted software modules in application or operating system space. Unlike SP, which supports one trusted domain at a time, Bastion scales to support multiple mutually-distrustful security domains. Bastion also provides a memory integrity tree for runtime memory authentication and protection against memory replay attacks. New mechanisms for tailored attestation and secure storage per trust domain are provided; these can be used to secure the input and output of Bastion-protected modules. While past solutions protect the hypervisor only from runtime software attacks, Bastion also protects the hypervisor from physical attacks and offline attacks, and provides it with a secure launch mechanism. The protected Bastion hypervisor then provides separate execution compartments for each security-critical task running in the virtual machines it hosts. These compartments are protected against both hardware attacks and software attacks originating from a potentially compromised operating system. We implement and evaluate a Bastion prototype by modifying the source code of the OpenSPARC processor and hypervisor.
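The memory integrity tree is the one mechanism in the paragraph above that is concrete enough to illustrate in code. The following is an added example, written for this page and not taken from Bastion or the OpenSPARC prototype, of the standard Merkle-style construction that such a tree is built on: every block of external memory is hashed into a leaf, leaves are hashed pairwise up to a root, and only the root is held in on-chip (trusted) state. Block size, block count, the array-backed tree layout, the use of SHA-256 and the `IntegrityTree` / `verified_read` / `verified_write` names are all assumptions of this illustration; the page does not describe Bastion's actual tree geometry or primitives. The point the example makes is the replay case: an attacker who restores an older, perfectly self-consistent snapshot of a block and all off-chip tree nodes is still caught, because the on-chip root no longer matches, which is what a per-block MAC alone would miss.

```python
import hashlib
from typing import List

# Toy parameters for this illustration (assumed; not Bastion's real geometry).
BLOCK_SIZE = 16   # bytes per protected memory block
NUM_BLOCKS = 8    # power of two, so the hash tree is a complete binary tree


class IntegrityError(Exception):
    """Raised when a read does not authenticate against the on-chip root."""


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf(idx: int, block: bytes) -> bytes:
    # Bind the block to its address so blocks cannot be swapped between locations.
    return _h(b"leaf" + idx.to_bytes(4, "big") + block)


def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"node" + left + right)


class IntegrityTree:
    """Merkle-style integrity tree over a small model of external memory.

    self.memory and self.nodes stand for untrusted off-chip storage that an attacker
    with physical access can read and rewrite at will. Only self.root stands for
    on-chip state the attacker cannot modify; it is the sole trust anchor.
    """

    def __init__(self, memory: List[bytes]):
        assert len(memory) == NUM_BLOCKS and all(len(b) == BLOCK_SIZE for b in memory)
        self.memory = list(memory)
        # Array-backed binary tree: nodes[1] is the root, children of i are 2i and 2i+1,
        # leaves live at nodes[NUM_BLOCKS .. 2*NUM_BLOCKS-1]; nodes[0] is unused.
        self.nodes = [b""] * (2 * NUM_BLOCKS)
        for i, blk in enumerate(self.memory):
            self.nodes[NUM_BLOCKS + i] = _leaf(i, blk)
        for i in range(NUM_BLOCKS - 1, 0, -1):
            self.nodes[i] = _node(self.nodes[2 * i], self.nodes[2 * i + 1])
        self.root = self.nodes[1]  # trusted on-chip copy of the root

    def _root_from_path(self, idx: int, leaf_hash: bytes) -> bytes:
        """Recompute the root from a leaf hash plus the sibling hashes stored off-chip."""
        pos, cur = NUM_BLOCKS + idx, leaf_hash
        while pos > 1:
            sibling = self.nodes[pos ^ 1]
            cur = _node(cur, sibling) if pos % 2 == 0 else _node(sibling, cur)
            pos //= 2
        return cur

    def verified_read(self, idx: int) -> bytes:
        """Return block idx only if its authentication path matches the on-chip root."""
        blk = self.memory[idx]
        if self._root_from_path(idx, _leaf(idx, blk)) != self.root:
            raise IntegrityError(f"block {idx} failed authentication")
        return blk

    def verified_write(self, idx: int, data: bytes) -> None:
        """Authenticate the current path, then update the path and the on-chip root."""
        assert len(data) == BLOCK_SIZE
        self.verified_read(idx)          # siblings on the path are now known-good
        self.memory[idx] = data
        pos = NUM_BLOCKS + idx
        self.nodes[pos] = _leaf(idx, data)
        pos //= 2
        while pos >= 1:
            self.nodes[pos] = _node(self.nodes[2 * pos], self.nodes[2 * pos + 1])
            pos //= 2
        self.root = self.nodes[1]        # commit the new root on-chip


def _fresh_tree() -> IntegrityTree:
    # Constructed sample memory for the demo: block i is filled with byte value i.
    return IntegrityTree([bytes([i]) * BLOCK_SIZE for i in range(NUM_BLOCKS)])


def honest_read_ok() -> bool:
    tree = _fresh_tree()
    tree.verified_write(3, b"B" * BLOCK_SIZE)
    return tree.verified_read(3) == b"B" * BLOCK_SIZE


def tamper_detected() -> bool:
    """Attacker overwrites a block in place without touching the tree."""
    tree = _fresh_tree()
    tree.memory[5] = b"\xff" * BLOCK_SIZE
    try:
        tree.verified_read(5)
        return False
    except IntegrityError:
        return True


def replay_attack_detected() -> bool:
    """Attacker restores an older snapshot of block 3 AND every off-chip tree node.
    Each stored hash is internally consistent; only the on-chip root disagrees."""
    tree = _fresh_tree()
    old_block, old_nodes = tree.memory[3], list(tree.nodes)   # snapshot off-chip state
    tree.verified_write(3, b"B" * BLOCK_SIZE)                 # legitimate update
    tree.memory[3], tree.nodes = old_block, old_nodes         # replay the stale snapshot
    try:
        tree.verified_read(3)
        return False
    except IntegrityError:
        return True
```

Two design choices are worth noting. The leaf hash includes the block index, so relocating an authentic block to another address is caught as well as modifying or replaying it. And `verified_write` authenticates the existing path before recomputing it, so a corrupted sibling hash cannot be laundered into the new root during an update. A real hardware tree would also cache upper-level nodes on-chip and use keyed MACs or counters rather than plain hashes to cut per-access cost, but the page does not say which of these Bastion does, so none of that is modelled here.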
The Secret-Protection (SP) architecture provides applications with direct hardware protection of a trusted software module (TSM), independent of whether the underlying operating system has been compromised by attackers. This enables arbitrary security policies to be implemented in software by a TSM at the application level, and protected by SP hardware features in the microprocessor. SP provides a minimal set of hardware trust anchors and security mechanisms to give a security-critical task implemented as a TSM a secure execution environment and secure storage. SP has been found useful in a range of scenarios, including a user storing sensitive information in the cloud, an authority trusting its SP-enabled devices in the field, implementing arbitrary information-sharing policies at the application level, devices such as non-copyable disks, improving key establishment in mobile ad-hoc networks, and improving accountability in hosted virtual networks. We are also scaling the SP architecture to support multiple simultaneously trusted software modules from mutually-distrustful security domains (see the Bastion architecture described above).