Execution leases: A hardware-supported mechanism for enforcing strong non-interference

摘要

High assurance systems such as those found in aircraft controls and the financial industry are often required to handle a mix of tasks where some are niceties (such as the control of media for entertainment, or supporting a remote monitoring interface) while others are absolutely critical (such as the control of safety mechanisms, or maintaining the secrecy of a root key). While special purpose languages, careful code reviews, and automated theorem proving can be used to help mitigate the risk of combining these operations onto a single machine, it is difficult to say if any of these techniques are truly complete because they all assume a simplified model of computation far different from an actual processor implementation both in functionality and timing. In this paper we propose a new method for creating architectures that both a) makes the complete information-flow properties of the machine fully explicit and available to the programmer and b) allows those properties to be verified all the way down to the gate-level implementation the design. The core of our contribution is a new call-and-return mechanism, Execution Leases, that allows regions of execution to be tightly quarantined and their side effects to be tightly bounded. Because information can flow through untrusted program counters, stack pointer or other global processor state, these and other states are leased to untrusted environments with an architectural bound on both the time and memory that will be accessible to the untrusted code. We demonstrate through a set of novel micro-architectural modifications that these leases can be enforced precisely enough to form the basis for information-flow bounded function calls, table lookups, and mixed-trust execution. Our novel architecture is a significant improvement in both flexibility and performance over the initial Gate-Level Information Flow Tracking architectures, and we demonstrate the effectiveness of the resulting design through the development of a -new language, compiler, ISA, and synthesizable prototype.