Trust-Management, Intrusion-Tolerance, Accountability, and Reconstitution Architecture (TIARA)

Abstract: This report describes the Trust-management, Intrusion-tolerance, Accountability, and Reconstitution Architecture (TIARA) system, a broad design effort spanning a novel computer architecture, an operating system, and application middleware. TIARA illustrates that a highly secure computer system can be designed without sacrificing performance. TIARA involves three major sub-efforts. First, a hardware security tagged architecture (STA) tags each word of the computer's memory with metadata such as the data type and compartment of the data; the STA hardware enforces access rules controlling which principals are allowed to perform which operations on which data. Second, this allows the construction of a novel Zero-kernel Operating System (ZKOS) that has no single all-privileged kernel and that provides strong guarantees against penetration. Finally, TIARA provides a layer of application middleware that enforces architectural-level constraints and maintains the provenance of application data. All common exploits are preventable by the TIARA architecture, and this incurs only a minor increase in chip area.
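
The following simulation is an added illustration of the STA idea sketched in the abstract and is not code from the TIARA project; the tag encodings, the two compartments, the `OP_INSTALL` right and the principals `APP` and `LOADER` are all constructed for the example. It models memory where every word carries a type tag and a compartment tag out of band, and where each load, store or instruction fetch is checked against a per-principal rights table before it proceeds:

```c
#include <stdint.h>
#include <stdio.h>

/* Tag encodings for this simulation; assumed here, not TIARA's actual encoding. */
enum type_tag { TAG_INT = 0, TAG_CODE = 1 };
enum op { OP_READ = 1, OP_WRITE = 2, OP_EXEC = 4, OP_INSTALL = 8 };
enum fault { FAULT_NONE = 0, FAULT_BOUNDS, FAULT_COMPARTMENT, FAULT_TYPE };

#define NUM_COMPARTMENTS 2  /* 0: system code, 1: application data */
#define MEM_WORDS 8

/* One memory word: the value plus metadata that ordinary loads and stores
   cannot alter; only the tag-aware store below updates the type tag. */
typedef struct {
    uint64_t value;
    uint8_t type;        /* enum type_tag */
    uint8_t compartment; /* index into a principal's rights table */
} tagged_word;

/* A principal's rights: a bitmask of permitted operations per compartment. */
typedef struct {
    const char *name;
    uint8_t rights[NUM_COMPARTMENTS];
} principal;

static tagged_word memory[MEM_WORDS];

/* Constructed principals. The application may execute system code but not
   read or overwrite it, and has full rights on its own data compartment;
   the loader may write and install CODE-tagged words in compartment 0. */
static const principal APP    = { "app",    { OP_EXEC, OP_READ | OP_WRITE | OP_EXEC } };
static const principal LOADER = { "loader", { OP_WRITE | OP_INSTALL, 0 } };

/* The check applied to every access: the principal must hold the operation
   on the word's compartment, and the word's type tag must permit it
   (only CODE-tagged words may be fetched for execution). */
enum fault sta_check(const principal *p, unsigned addr, enum op op)
{
    if (addr >= MEM_WORDS) return FAULT_BOUNDS;
    const tagged_word *w = &memory[addr];
    if ((p->rights[w->compartment] & op) == 0) return FAULT_COMPARTMENT;
    if (op == OP_EXEC && w->type != TAG_CODE) return FAULT_TYPE;
    return FAULT_NONE;
}

/* A store tags the word with the type of what was written; producing a
   CODE-tagged word additionally requires OP_INSTALL on that compartment,
   so data written by an ordinary principal never becomes executable. */
enum fault sta_store(const principal *p, unsigned addr, uint64_t v, enum type_tag t)
{
    enum fault f = sta_check(p, addr, OP_WRITE);
    if (f != FAULT_NONE) return f;
    if (t == TAG_CODE && (p->rights[memory[addr].compartment] & OP_INSTALL) == 0)
        return FAULT_TYPE;
    memory[addr].value = v;
    memory[addr].type = (uint8_t)t;
    return FAULT_NONE;
}

/* Loads and instruction fetches only differ in the operation being checked. */
enum fault sta_load(const principal *p, unsigned addr, uint64_t *out)
{
    enum fault f = sta_check(p, addr, OP_READ);
    if (f == FAULT_NONE) *out = memory[addr].value;
    return f;
}

enum fault sta_fetch(const principal *p, unsigned addr, uint64_t *insn)
{
    enum fault f = sta_check(p, addr, OP_EXEC);
    if (f == FAULT_NONE) *insn = memory[addr].value;
    return f;
}

/* Constructed memory image: words 0-3 are system code, 4-7 application data. */
void sta_init(void)
{
    for (unsigned i = 0; i < MEM_WORDS; i++) {
        memory[i].value = 0;
        memory[i].type = TAG_INT;
        memory[i].compartment = i < 4 ? 0 : 1;
    }
    sta_store(&LOADER, 0, 0x1111, TAG_CODE);  /* loader installs one instruction */
}

static const char *fault_name(enum fault f)
{
    static const char *names[] = { "ok", "bounds fault", "compartment fault", "type fault" };
    return names[f];
}

int main(void)
{
    uint64_t v = 0;
    sta_init();
    printf("app fetches word 0:          %s\n", fault_name(sta_fetch(&APP, 0, &v)));
    printf("app reads word 0:            %s\n", fault_name(sta_load(&APP, 0, &v)));
    printf("app writes data at word 4:   %s\n", fault_name(sta_store(&APP, 4, 0x2222, TAG_INT)));
    printf("app executes word 4:         %s\n", fault_name(sta_fetch(&APP, 4, &v)));
    printf("app installs code at word 4: %s\n", fault_name(sta_store(&APP, 4, 0x2222, TAG_CODE)));
    return 0;
}
```

The two checks in `sta_check` correspond to the two kinds of metadata the abstract names: the compartment tag decides which principal may touch the word at all, and the type tag decides which operations make sense on it, so an application that writes a value into its own data compartment still cannot execute it or relabel it as code. Because the tags live beside the word rather than in a page table, the policy applies at word granularity with no change to the application's own instructions.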
