Most security mechanisms proposed to date unquestioningly place trust in microprocessor hardware. This trust, however, is misplaced and dangerous because microprocessors are vulnerable to insider attacks that can catastrophically compromise security, integrity and privacy of computer systems. In this paper, we describe several methods to strengthen the fundamental assumption about trust in microprocessors. By employing practical, lightweight attack detectors within a microprocessor, we show that it is possible to protect against malicious logic embedded in microprocessor hardware. We propose and evaluate two area-efficient hardware methods - TrustNet and DataWatch - that detect attacks on microprocessor hardware by knowledgeable, malicious insiders. Our mechanisms leverage the fact that multiple components within a microprocessor (e.g., fetch, decode pipeline stage etc.) must necessarily coordinate and communicate to execute even simple instructions, and that any attack on a microprocessor must cause erroneous communications between micro architectural subcomponents used to build a processor. A key aspect of our solution is that TrustNet and DataWatch are themselves highly resilient to corruption. We demonstrate that under realistic assumptions, our solutions can protect pipelines and on-chip cache hierarchies at negligible area cost and with no performance impact. Combining TrustNet and DataWatch with prior work on fault detection has the potential to provide complete coverage against a large class of microprocessor attacks.
The different versions of the original document can be found in:
Published on 01/01/2010
Volume 2010, 2010
DOI: 10.1109/sp.2010.19
Licence: CC BY-NC-SA license
Are you one of the authors of this document?