Securing the use of sensitive data on remote devices using a hardware-software architecture

Many corporations, private organizations, and government agencies maintain sensitive data that must be accessed remotely by their employees using portable devices. The organizations have a responsibility to secure the data to ensure that it does not get used inappropriately or get disseminated beyond these trusted users. We have designed a computer architecture for these devices, combining new hardware and software, that allows trust to be placed in the devices even when they are not under the organization's physical control. We have designed, implemented, and tested the Authority-mode Secret-Protection Architecture, which places roots of trust in hardware in the processor chip. It provides new hardware mechanisms based on these roots of trust to protect the execution of trusted software and to provide that software with master secrets. The software uses the master secrets to secure the sensitive data and to communicate securely over the network. The user interacts with this software, which enforces security policies while giving access to data. The organization designates a central authority that will manage the software on the devices, set security policies, communicate with the devices, and control access to data. Our new hardware mechanisms bind together the device's on-chip roots of trust with the authority's data and trusted software, such that the authority can be assured that the security policies will always be enforced. To show how our design can be adapted to other platforms, we provide a modified architecture for embedded devices. We additionally demonstrate how the full architecture can be integrated with trustworthy system software in a mandatory access control system. Finally, we have built a testing framework that can help designers validate new security architectures like ours. The framework allows new architectures to be modeled in a virtualization environment, where a separate testing system has complete controllability and observability over hardware and software. It is used to test the effects of various security attacks and to assist in the development of trusted software for the new architecture. We use the framework to test the prototype hardware and software of our architecture.
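The binding the abstract describes, an on-chip root of trust whose master secret is tied to a measurement of the trusted software, so that the authority can seal data and policy to exactly one (device, software) pair, can be modeled in a few dozen lines. The following Python is an added illustration written for this page; it is not code from the thesis or its SP prototype, and every name in it (`SecureProcessor`, `Authority`, `derive_master_secret`, `KDF_LABEL`, the sample software image and policy) is an assumption chosen for the model. The cipher is a constructed HMAC-based stream with encrypt-then-MAC, used only to keep the example dependency-free; a real design would use an AEAD such as AES-GCM.

```python
"""Toy model of hardware-rooted secret protection (added example, not thesis code).

A device root key (DRK) lives only inside the processor model. The chip derives a
master secret from the DRK and a hash of the trusted software it loads. The
authority, which installed the DRK and knows the approved software hash, runs
the same derivation to seal data plus policy; only the approved software on the
enrolled chip can unseal it, and the policy travels inside the sealed payload.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

KDF_LABEL = b"master-secret"  # assumed derivation label, not from the thesis


def measure(code: bytes) -> bytes:
    """Measurement of the trusted software image."""
    return hashlib.sha256(code).digest()


def derive_master_secret(device_root_key: bytes, software_hash: bytes) -> bytes:
    """Same derivation on chip and at the authority: DRK bound to the software hash."""
    return hmac.new(device_root_key, KDF_LABEL + software_hash, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Constructed HMAC counter-mode keystream (illustrative, not production crypto)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _split(master_secret: bytes):
    enc_key = hmac.new(master_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master_secret: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under keys split from the master secret."""
    enc_key, mac_key = _split(master_secret)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(master_secret: bytes, blob: dict) -> Optional[bytes]:
    """Return plaintext, or None if the tag fails (wrong chip, wrong software, or tampering)."""
    enc_key, mac_key = _split(master_secret)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


class SecureProcessor:
    """On-chip root of trust: the DRK is used only inside this class and never returned."""

    def __init__(self, device_root_key: bytes):
        self._drk = device_root_key

    def run_trusted_software(self, code: bytes) -> bytes:
        """Measure the loaded software and hand it the master secret bound to that measurement."""
        return derive_master_secret(self._drk, measure(code))


class Authority:
    """Central authority: knows each enrolled device's DRK and the approved software hash."""

    def __init__(self, approved_code: bytes):
        self.approved_hash = measure(approved_code)
        self.devices: dict = {}

    def enroll(self, device_id: str) -> SecureProcessor:
        drk = secrets.token_bytes(32)  # installed into the chip at enrollment
        self.devices[device_id] = drk
        return SecureProcessor(drk)

    def provision(self, device_id: str, policy: dict, data: bytes) -> dict:
        ms = derive_master_secret(self.devices[device_id], self.approved_hash)
        payload = json.dumps({"policy": policy, "data": data.hex()}).encode()
        return seal(ms, payload)


def trusted_software_read(master_secret: bytes, blob: dict, user_role: str) -> Optional[bytes]:
    """Device side: unseal, then enforce the authority's policy before releasing data."""
    payload = unseal(master_secret, blob)
    if payload is None:
        return None
    obj = json.loads(payload)
    if user_role not in obj["policy"]["allowed_roles"]:
        return None
    return bytes.fromhex(obj["data"])


def demo() -> tuple:
    """Constructed scenario: one approved image, one enrolled chip, four access attempts."""
    approved = b"TSM v1: enforce policy, never export plaintext"  # constructed software image
    authority = Authority(approved)
    chip = authority.enroll("laptop-42")
    blob = authority.provision("laptop-42", {"allowed_roles": ["analyst"]}, b"case file 7")
    ok = trusted_software_read(chip.run_trusted_software(approved), blob, "analyst")
    wrong_role = trusted_software_read(chip.run_trusted_software(approved), blob, "contractor")
    tampered = trusted_software_read(chip.run_trusted_software(approved + b"; export"), blob, "analyst")
    other_chip = SecureProcessor(secrets.token_bytes(32))
    other_device = trusted_software_read(other_chip.run_trusted_software(approved), blob, "analyst")
    return ok, wrong_role, tampered, other_device


if __name__ == "__main__":
    print(demo())
```

Only the first attempt in `demo()` yields the data: a modified software image produces a different measurement and therefore a different master secret, an unenrolled chip has a different DRK, and a disallowed role is refused by the trusted software even though it holds the right secret. Because the policy is sealed together with the data, an attempt to loosen it would also fail the tag check.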
