Trustworthy Systems

Security needs a better hardware-software contract

Authors

Gernot Heiser

CSIRO's Data61, Australia
UNSW, Australia

Published:

Invited talk at Design Automation Conference (DAC), Las Vegas, NV, USA

Abstract

Any embedded computing device of non-trivial functionality will contain a large amount of software, tens of thousands to millions of lines of code. For the foreseeable future, it is infeasible to ensure that such a large code base is free from faults. The best that can be done is to minimise the trusted computing base (TCB) and protect the critical components from less critical ones by operating-system (OS) mediated, hardware-enforced isolation.

Spatial isolation has long been provided by OS-controlled, hardware-enforced memory protection. In the case of the formally-verified seL4 microkernel, this isolation is guaranteed by the strength of mathematical proof. In contrast, information leakage via timing channels is an unsolved problem, which results in many successful attacks on confidentiality (Spectre being one of them). Preventing such channels requires that the OS provides temporal isolation, meaning it must provide time protection to complement the established memory protection. However, we can establish that this is generally not possible on contemporary hardware, due to a mismatch between the mechanisms provided by the hardware and the needs of the OS. The fundamental problem is that the established hardware-software contract, the instruction-set architecture (ISA), abstracts away all microarchitectural features that lead to timing channels. The problem is only solvable by a new, security-oriented hardware-software contract that exposes such features, and mechanisms for their isolation, to the OS (in a suitably abstracted form).

I will explain the limitations of the existing hardware-software contract and define the requirements for a new contract that will allow the OS to provide time protection, and thus eliminate timing channels.

BibTeX Entry

  @misc{Heiser_19:dac,
    author           = {Gernot Heiser},
    howpublished     = {Invited talk at Design Automation Conference (DAC), Las Vegas, NV, USA},
    month            = jun,
    title            = {Security needs a better hardware-software contract},
    year             = {2019}
  }
