Virtualization of a Processor-based Crypto-Protection Mechanism and Integration within a Separation Kernel Architecture

This paper describes the design of an integrated high assurance separation kernel and Secret Protected (SP) hardware for cryptographic services. Integrating SP with the separation kernel requires (1) augmenting the SP instruction set with additional hardware instructions to aid virtualization and to ensure that the confidentiality of users' secrets is protected to the same extent as in the original design of SP, (2) augmenting the separation kernel to minimize information flow via covert channels resulting from the integration of SP, (3) reconciling the user-specific model and the usage model of the integrated design, and (4) controlling the flow of information about users' secrets across the different secrecy and integrity labels. The architecture, called SecureCore, is designed for networked mobile devices used by a single user at a time. We define usage scenarios in which users may need to assume different roles, which translate into different security profiles for the user. We begin with a description of the separation kernel and the SP architecture. This is followed by a description of the hardware requirements for virtualizing SP, integrating it with the kernel, and using the virtualized SP cryptographic services. We find that the main change required to SP is the ability to save and restore SP state as the SecureCore kernel switches between virtual machines, so that isolation properties are maintained while SP is in use. We conclude with a security analysis, including the effect of virtualization and integration on the confidentiality and integrity of user secrets, as well as the enforcement of mandatory access control (MAC) on user secrets such as cryptographic keys. The integration of SP hardware-based secure cryptographic services with the separation kernel software architecture provides essential isolation, confinement, key-management and cryptographic services, forming a strong SecureCore as a basis for future secure PDAs and a rich environment for secure system research.
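The two mechanisms the abstract singles out, saving and restoring SP state on a virtual-machine switch so that one VM never observes another's key material, and a MAC check on cryptographic keys across secrecy and integrity labels, are illustrated below in a toy model. This is an added example, not code from the paper or from the SP or SecureCore designs: the SP register contents (`derived_key`, `mode`), the two-VM hypervisor, the linear ordering of labels and the key table are all constructed assumptions chosen to make the isolation and access-control properties observable.

```python
"""Toy model of per-VM SP state save/restore and lattice MAC on keys.

Added illustration only. The SP state fields, the hypervisor, the label
ordering and the key table are assumptions, not the paper's design.
"""
import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    secrecy: int    # higher = more secret (assumed linear order)
    integrity: int  # higher = more trustworthy (assumed linear order)


@dataclass
class SPState:
    """Assumed SP hardware registers that must not leak across VMs."""
    derived_key: bytes = b""
    mode: str = "idle"


@dataclass
class VM:
    name: str
    label: Label                      # the role/profile the VM runs under
    saved_sp: SPState = field(default_factory=SPState)


class SPHardware:
    def __init__(self):
        self.state = SPState()

    def load_key(self, key: bytes):
        self.state.derived_key = key
        self.state.mode = "armed"


class Hypervisor:
    """Separation-kernel stand-in: owns the VM switch and the SP state."""

    def __init__(self, hw: SPHardware):
        self.hw = hw
        self.current = None

    def run(self, vm: VM) -> SPState:
        # 1. save the outgoing VM's SP state into its own context
        if self.current is not None:
            self.current.saved_sp = copy.deepcopy(self.hw.state)
        # 2. zeroize the hardware registers before anything else runs
        self.hw.state = SPState()
        # 3. restore the incoming VM's previously saved SP state
        self.hw.state = copy.deepcopy(vm.saved_sp)
        self.current = vm
        return self.hw.state


def may_read(subject: Label, obj: Label) -> bool:
    # Bell-LaPadula "no read up" and Biba "no read down"
    return subject.secrecy >= obj.secrecy and subject.integrity <= obj.integrity


def may_write(subject: Label, obj: Label) -> bool:
    # Bell-LaPadula "no write down" and Biba "no write up"
    return subject.secrecy <= obj.secrecy and subject.integrity >= obj.integrity


# Constructed key table: name -> (key material, label of the key)
KEYS = {
    "vpn_key": (b"\x11" * 16, Label(secrecy=2, integrity=2)),
    "email_key": (b"\x22" * 16, Label(secrecy=1, integrity=1)),
}


def request_key(hv: Hypervisor, vm: VM, key_name: str) -> bool:
    """Load a labelled key into SP for the running VM if MAC permits."""
    if hv.current is not vm:
        raise RuntimeError("only the running VM may touch SP")
    material, label = KEYS[key_name]
    if not may_read(vm.label, label):
        return False
    hv.hw.load_key(material)
    return True


def demo():
    hw = SPHardware()
    hv = Hypervisor(hw)
    work = VM("work", Label(secrecy=2, integrity=2))
    personal = VM("personal", Label(secrecy=1, integrity=1))

    hv.run(work)
    assert request_key(hv, work, "vpn_key")
    seen_by_personal = hv.run(personal).derived_key  # zeroized on switch
    denied = request_key(hv, personal, "vpn_key")    # MAC refuses read-up
    restored = hv.run(work).derived_key              # work's key comes back
    return seen_by_personal, denied, restored


if __name__ == "__main__":
    print(demo())
```

The switch in `Hypervisor.run` is the point the abstract calls the main change to SP: without the save/zeroize/restore sequence, the `personal` VM would read the `work` VM's key straight out of the hardware registers. The label check shows the other direction of the abstract's concern: the high-integrity `work` role is refused the low-integrity `email_key` just as the low-secrecy `personal` role is refused the `vpn_key`.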
