Trustworthy Systems

We need a new hardware-software contract


Gernot Heiser

    School of Computer Science and Engineering
    Sydney 2052, Australia


Invited Talk at the Lorentz Center SHARD Workshop


Security enforcement is a core duty of the operating system (OS), and with the seL4 microkernel we have achieved unprecedented levels of trustworthiness, including proof of the effectiveness and correct implementation of its security enforcement. However, this assurance only covers spacial isolation, i.e. traditional memory protection. Recent high-profile exploits, especially the Spectre attacks, have demonstrated that information leakage through timing channels has become a mainstream security threat. To counter it, OS-enforced isolation must be extended to timing effects: we must complement memory protection by time protection. However, I will demonstrate that the present hardware-software contract, the ISA, by being a purely operational contract abstracts too much of the hardware to allow the OS to provide time protection. This situation can only be remedied by extending the contract to give the OS the right tools for enforcing security. I will discuss the properties the new contract must define, and how we can hope to use it to achieve provable time protection.

BibTeX Entry

    author           = {Gernot Heiser},
    howpublished     = {Invited Talk at the {Lorentz Center} {SHARD} Workshop},
    location         = {Leiden, NL},
    month            = sep,
    title            = {We Need a New Hardware-Software Contract},
    year             = {2019}