Beyond full disk encryption: Protection on security-enhanced commodity processors

This article is free to access.

Abstract

Modern computer systems exhibit a major weakness in that code and data are stored in the clear, unencrypted, within random access memory. As a result, numerous vulnerabilities exist at every level of the software stack. These vulnerabilities have been exploited to gather confidential information (e.g. encryption keys) and inject malicious code to overcome access controls and other protections. Full memory encryption (FME) would mitigate the vulnerabilities, but the CPU-memory bottleneck presents a significant challenge to designing a usable system with acceptable overheads. Recently, security hardware, including encryption engines, has been integrated on-chip within commodity processors such as the Intel i7, AMD Bulldozer, and multiple ARM variants. This paper describes ongoing work to develop and measure a clean-slate operating system, Bear, that leverages on-chip encryption to provide confidentiality of code and data. While Bear operates on multiple platforms, memory encryption work is focused on the Freescale i.MX535 (ARM Cortex A8) using its integrated encryption engine. © 2013 Springer-Verlag.

Cite

Henson, M., & Taylor, S. (2013). Beyond full disk encryption: Protection on security-enhanced commodity processors. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7954 LNCS, pp. 307–321). https://doi.org/10.1007/978-3-642-38980-1_19
