This invention addresses the need to provide security (confidentiality and integrity) to an application running on a computer that is controlled by an untrusted owner, with an untrusted operating system and even an untrusted hypervisor or virtual machine monitor. Only the CPU chip is trusted. Moreover, we wish to preserve the existing flow of the system (OS permissions, interrupts, context switches, etc.), and thus to execute existing user programs securely without modifying them. Our solution employs an on-chip Secure Memory Unit (SMU): when memory blocks (instructions or data) are fetched from memory into the cache, the SMU validates each block and tags it with a validation bit and an owner indication. An instruction that tries to read or modify a validated block succeeds only if the instruction's own block was itself validated and carries the same owner indication as the addressed block. As a result, data of mutually adversarial programs can co-reside in the cache, just as data of non-adversarial programs normally does, thereby avoiding the evictions that would otherwise be needed to separate them and the performance loss and power they cost. The hardware tracks validation status, so no software modifications are needed and the flow of the system remains unchanged. Also included is an automatic context guard, which saves critical context, including the owner indication, in hardware upon a context switch for later smooth and secure resumption.
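The access rule above is easy to get subtly wrong (it is the instruction's block, not the current process or privilege level, that must match the addressed block's owner), so here is a small software model of it. This is an added example, not code from the patent or its authors. It assumes things the abstract does not state: that each protected block carries a per-owner MAC that the SMU recomputes on fetch (a toy keyed hash stands in for a real MAC here), that a block which claims an owner but fails validation is treated as a fault rather than as plain memory, and that the context guard checks the owner indication of the block it resumes into. Names such as `smu_fetch`, `smu_access_ok` and `ctx_guard_t` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BYTES 16
#define CACHE_LINES 8
#define MAX_OWNERS  4
#define OWNER_NONE  0   /* unvalidated block: OS, untrusted code, plain data */

typedef struct {
    uint32_t addr;
    uint8_t  data[BLOCK_BYTES];
    uint8_t  owner;            /* owner indication the block claims */
    uint64_t tag;              /* assumed MAC over (addr, owner, data) */
} mem_block_t;

typedef struct {
    bool        present;
    bool        validated;     /* SMU validation bit */
    bool        fault;         /* claimed an owner but failed validation (assumption) */
    uint8_t     owner;         /* SMU owner indication */
    mem_block_t blk;
} cache_line_t;

static uint64_t     owner_keys[MAX_OWNERS];   /* held on-chip; index 0 unused */
static cache_line_t cache[CACHE_LINES];

/* Toy keyed hash (FNV-1a seeded with the key); a stand-in for a real MAC. */
static uint64_t smu_mac(uint64_t key, const mem_block_t *b) {
    uint64_t h = 0xcbf29ce484222325ULL ^ key;
    h = (h ^ b->addr) * 0x100000001b3ULL;
    h = (h ^ b->owner) * 0x100000001b3ULL;
    for (int i = 0; i < BLOCK_BYTES; i++)
        h = (h ^ b->data[i]) * 0x100000001b3ULL;
    return h;
}

void smu_set_key(uint8_t owner, uint64_t key) { owner_keys[owner] = key; }

/* Build a block the way an owner's provisioning step would: data, owner, MAC.
 * OWNER_NONE blocks are ordinary unprotected memory and carry no tag. */
mem_block_t make_block(uint32_t addr, uint8_t owner, uint8_t fill) {
    mem_block_t b;
    memset(&b, 0, sizeof b);
    b.addr = addr;
    b.owner = owner;
    memset(b.data, fill, BLOCK_BYTES);
    b.tag = (owner == OWNER_NONE) ? 0 : smu_mac(owner_keys[owner], &b);
    return b;
}

/* Fetch a block from memory into a cache line: validate it and tag the line
 * with the validation bit and owner indication. */
cache_line_t *smu_fetch(int line, const mem_block_t *b) {
    cache_line_t *c = &cache[line];
    memset(c, 0, sizeof *c);
    c->present = true;
    c->blk = *b;
    if (b->owner == OWNER_NONE) return c;            /* plain block, left untagged */
    if (b->owner < MAX_OWNERS && smu_mac(owner_keys[b->owner], b) == b->tag) {
        c->validated = true;
        c->owner = b->owner;
    } else {
        c->fault = true;                             /* forged owner or tampered data */
    }
    return c;
}

/* Instruction in line `ins` reads or writes data in line `dat`. Unvalidated
 * data keeps the normal flow; validated data requires a validated instruction
 * block carrying the same owner indication. */
bool smu_access_ok(const cache_line_t *ins, const cache_line_t *dat) {
    if (!ins->present || !dat->present) return false;
    if (ins->fault || dat->fault) return false;
    if (!dat->validated) return true;
    return ins->validated && ins->owner == dat->owner;
}

/* Context guard: owner indication and PC saved in hardware on a context switch. */
typedef struct { bool saved; uint8_t owner; uint32_t pc; } ctx_guard_t;

void ctx_guard_save(ctx_guard_t *g, const cache_line_t *ins, uint32_t pc) {
    g->saved = true; g->owner = ins->owner; g->pc = pc;
}
/* Resumption is allowed only into a non-faulted block with the saved owner. */
bool ctx_guard_resume(const ctx_guard_t *g, const cache_line_t *ins) {
    return g->saved && ins->present && !ins->fault && ins->owner == g->owner;
}

int main(void) {
    smu_set_key(1, 0x1111111111111111ULL);
    smu_set_key(2, 0x2222222222222222ULL);
    mem_block_t i1 = make_block(0x1000, 1, 0xA1), d1 = make_block(0x1010, 1, 0xB1);
    mem_block_t d2 = make_block(0x2010, 2, 0xB2), os = make_block(0x3000, OWNER_NONE, 0);
    cache_line_t *li1 = smu_fetch(0, &i1), *ld1 = smu_fetch(1, &d1);
    cache_line_t *ld2 = smu_fetch(2, &d2), *los = smu_fetch(3, &os);
    printf("owner1 code -> owner1 data: %d\n", smu_access_ok(li1, ld1)); /* 1 */
    printf("owner1 code -> owner2 data: %d\n", smu_access_ok(li1, ld2)); /* 0 */
    printf("OS code     -> owner1 data: %d\n", smu_access_ok(los, ld1)); /* 0 */
    printf("owner1 code -> OS data    : %d\n", smu_access_ok(li1, los)); /* 1 */
    d1.data[3] ^= 0xFF;                          /* tamper in memory: tag no longer matches */
    printf("tampered owner1 data validated: %d\n", smu_fetch(4, &d1)->validated); /* 0 */
    return 0;
}
```

The point the model makes concrete: owner 1's and owner 2's lines sit in the same cache at the same time, and isolation comes from the per-line tags checked on every access rather than from flushing on a switch. The `fault` state is the caveat a practitioner would add: if a block that claims an owner but fails validation were simply demoted to "plain memory", a tampered block would still be readable by its owner's code, which would defeat the integrity goal.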
- Architectural extension applicable to nearly every CPU
- Simple and cost-effective hardware support for security
Applications and Opportunities
- Provides security (confidentiality and integrity) to an application running on a computer controlled by an untrusted owner, with an untrusted operating system and hypervisor