Trustworthy Systems

Security needs a new hardware-software contract

Authors

Gernot Heiser

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Published:

Keynote at HiPEAC Workshop Secure Hardware Architectures and Operating Systems (SeHAS)

Abstract

Security enforcement is a core duty of the operating system (OS), and with the seL4 microkernel we have achieved unprecedented levels of trustworthiness, including proof of the effectiveness and correct implementation of its security enforcement. However, this assurance only covers spatial isolation, i.e. traditional memory protection. Recent high-profile exploits, especially the Spectre attacks, have demonstrated that information leakage through timing channels has become a mainstream security threat. To counter it, OS-enforced isolation must be extended to timing effects: we must complement memory protection with time protection. However, I will demonstrate that the present hardware-software contract, the ISA, being a purely operational contract, abstracts away too much of the hardware to allow the OS to provide time protection. This situation can only be remedied by extending the contract to give the OS the right tools for enforcing security. I will discuss the properties the new contract must define.

BibTeX Entry

  @misc{Heiser_19:hipeac,
    author           = {Gernot Heiser},
    howpublished     = {Keynote at HiPEAC Workshop Secure Hardware, Architectures, and Operating Systems (SeHAS)},
    location         = {Valencia, ES},
    month            = jan,
    title            = {Security needs a new hardware-software contract},
    year             = {2019}
  }