
Architectural support for copy and tamper-resistant software.


Abstract

Recently, there has been intense interest in the implementation of a trusted computing platform. Industry projects such as the Trusted Computing Platform Alliance, Microsoft's Palladium Project, and Intel's LaGrande Technologies all aim to embed hardware to support some amount of protection for applications so that they can be tamper-resistant.

In this work, we propose a new processor architecture called “XOM”, which stands for eXecute Only Memory. XOM provides copy and tamper-resistance for software by supporting compartments, which protect both the code and data of programs. Compartments are implemented by a combination of architectural methods, in the form of on-chip access control tags, and cryptographic methods, in the form of ciphers and hashes that protect data off-chip. The trust model of the computing system is changed so that applications trust the hardware, instead of the operating system, to protect their code and data. A XOM processor was simulated by extending a MIPS-based processor model in the SimOS simulator.

An operating system, XOMOS, was constructed to run on the XOM architecture. Because the applications do not trust the operating system with their data, this presents an interesting challenge for operating system design. This work shows that an untrusted operating system can be implemented on top of trusted hardware, such that the operating system has sufficient rights to manage resources, but does not have the rights to read or modify user application code or data. This is demonstrated by a port of the IRIX 6.5 operating system to the XOM processor, to create XOMOS. We were able to run some applications on XOMOS in our simulator and found overheads to be less than 5%.

We used a model checker to verify the security of the XOM processor architecture. A realistic “actual” processor was modeled along with an adversary, and compared against an “idealized” model that has no adversary. Inconsistencies between the two models are flagged as failures in the protection guarantees that the processor aims to provide. We thus demonstrate that the processor is able to provide tamper-resistance, and that the most difficult attack to defend against is a memory replay attack.
