We need a new hardware-software contract
Authors
School of Computer Science and Engineering
UNSW,
Sydney 2052, Australia
Published:
Invited Talk at the Lorentz Center SHARD WorkshopAbstract
Security enforcement is a core duty of the operating system (OS), and with the seL4 microkernel we have achieved unprecedented levels of trustworthiness, including proof of the effectiveness and correct implementation of its security enforcement. However, this assurance only covers spacial isolation, i.e. traditional memory protection. Recent high-profile exploits, especially the Spectre attacks, have demonstrated that information leakage through timing channels has become a mainstream security threat. To counter it, OS-enforced isolation must be extended to timing effects: we must complement memory protection by time protection. However, I will demonstrate that the present hardware-software contract, the ISA, by being a purely operational contract abstracts too much of the hardware to allow the OS to provide time protection. This situation can only be remedied by extending the contract to give the OS the right tools for enforcing security. I will discuss the properties the new contract must define, and how we can hope to use it to achieve provable time protection.
BibTeX Entry
@misc{Heiser_19:shard, author = {Gernot Heiser}, howpublished = {Invited Talk at the {Lorentz Center} {SHARD} Workshop}, location = {Leiden, NL}, month = sep, title = {We Need a New Hardware-Software Contract}, year = {2019} }