Trustworthy Systems

Security needs a new hardware-software contract


Gernot Heiser

    School of Computer Science and Engineering
    Sydney 2052, Australia


Keynote at HiPEAC Workshop Secure Hardware
and Operating Systems (SeHAS)


Security enforcement is a core duty of the operating system (OS), and with the seL4 microkernel we have achieved unprecedented levels of trustworthiness, including proof of the effectiveness and correct implementation of its security enforcement. However, this assurance only covers spatial isolation, i.e. traditional memory protection. Recent high-profile exploits, especially the Spectre attacks, have demonstrated that information leakage through timing channels has become a mainstream security threat. To counter it, OS-enforced isolation must be extended to timing effects: we must complement memory protection by time protection. However, I will demonstrate that the present hardware-software contract, the ISA, by being a purely operational contract abstracts too much of the hardware to allow the OS to provide time protection. This situation can only be remedied by extending the contract to give the OS the right tools for enforcing security. I will discuss the properties the new contract must define.

BibTeX Entry

    author           = {Gernot Heiser},
    howpublished     = {Keynote at HiPEAC Workshop Secure Hardware, Architectures, and Operating Systems (SeHAS)},
    location         = {Valencia, ES},
    month            = jan,
    title            = {Security needs a new hardware-software contract},
    year             = {2019}