Reconfigurable Tamper-resistant Hardware Support Against Insider Threats: The Trusted ILLIAC Approach

“An insider attack, sometimes referred to as an inside job, is defined as a crime perpetrated by, or with the help of, a person working for or trusted by the victim” [1]. This one-sided relationship of trust makes insider attacks particularly insidious and difficult to protect against. This article motivates the need for secure, tamper-resistant storage of secret information that is impenetrable even to the operating system, and for efficient ways of meeting this need. It highlights innovative new work being developed in the context of the Trusted ILLIAC project at the University of Illinois. A progression of techniques is presented, providing increasing levels of security: starting from a purely software-based approach, moving to hardware/software partitioned mechanisms, and ending with hardware-only mechanisms. These guard the system against insiders with increasing levels of intrusive access, from user-level and administrative access up to physical access to the system under threat of attack. Techniques covered include software- and hardware-based memory randomization, and hardware for a threshold-cryptography-enabled mechanism that allows tamper-proof key management and supports the software technique. Further, we describe an Information Flow Signatures based technique that provides runtime data integrity guarantees. Reconfigurable hardware is used to ensure the secure computation of critical data. To enable this trusted computing hardware, we explore the requirements for securely initializing it under the threat of an insider attack. The unique advantage of a hardware-implemented mechanism is that the secret, whether the key or the code that operates on security-critical data, cannot be revealed or modified even by the operating system.

[1] Russ Housley et al. An Internet Attribute Certificate Profile for Authorization, 2010, RFC.

[2] Dinakar Dhurjati et al. SAFECode: enforcing alias analysis for weakly typed languages, 2005, PLDI '06.

[3] Martín Abadi et al. Control-flow integrity, 2005, CCS '05.

[4] Ravishankar K. Iyer et al. Toward Application-Aware Security and Reliability, 2007, IEEE Security & Privacy.

[5] M. Joye et al. Recovering lost efficiency of exponentiation algorithms on smart cards, 2002.

[6] Hovav Shacham et al. On the effectiveness of address-space randomization, 2004, CCS '04.

[7] Derek Bruening et al. Secure Execution via Program Shepherding, 2002, USENIX Security Symposium.

[8] Paul Dabrowski et al. Ensuring Critical Data Integrity via Information Flow Signatures, 2007.

[9] Miguel Castro et al. Securing software by enforcing data-flow integrity, 2006, OSDI '06.

[10] Mihai Budiu et al. Control-flow integrity principles, implementations, and applications, 2009, TSEC.

[11] P. L. Montgomery. Modular multiplication without trial division, 1985.

[12] Sean W. Smith et al. Building the IBM 4758 Secure Coprocessor, 2001, Computer.

[13] Ravishankar K. Iyer et al. Hardware support for high performance, intrusion- and fault-tolerant systems, 2004, Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems.

[14] Victor Shoup et al. Practical Threshold Signatures, 2000, EUROCRYPT.

[15] R. Power. CSI/FBI computer crime and security survey, 2001.

[16] Mike Bond et al. Cryptographic Processors: A Survey, 2006, Proceedings of the IEEE.

[17] Mark Weiser et al. Program Slicing, 1981, IEEE Transactions on Software Engineering.

[18] Sean W. Smith. Outbound Authentication for Programmable Secure Coprocessors, 2002, ESORICS.

[19] Ravishankar K. Iyer et al. Transparent runtime randomization for security, 2003, Proceedings of the 22nd International Symposium on Reliable Distributed Systems.

[20] Christof Paar et al. Cryptography on FPGAs: State of the Art Implementations and Attacks, 2003.