US 7,716,720 B1

(12) United States Patent                         (10) Patent No.: US 7,716,720 B1
Marek et al.                                      (45) Date of Patent: May 11, 2010

(54) SYSTEM FOR PROVIDING SECURE AND TRUSTED COMPUTING ENVIRONMENTS

(75) Inventors: James A. Marek, Anamosa, IA (US); David S. Hardin, Cedar Rapids, IA (US); Raymond A. Kamin, III, Robins, IA (US); Steven E. Koenck, Cedar Rapids, IA (US); Allen P. Mass, Cedar Rapids, IA (US)

(73) Assignee: Rockwell Collins, Inc., Cedar Rapids, IA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1182 days.

(21) Appl. No.: 11/155,874

(22) Filed: Jun. 17, 2005

(51) Int. Cl.: G06F 7/04 (2006.01); G06F 17/30 (2006.01); H04L 9/32 (2006.01)

(52) U.S. Cl.: 726/2; 713/151; 713/162; 713/167; 713/179; 380/28; 709/213; 709/232; 711/129; 714/147 (one further class code is illegible in the source)

(58) Field of Classification Search: 726/2. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
2002/0162021 A1*  10/2002  Audebert et al. ..... 713/201
2006/0026417 A1*   2/2006  Furusawa et al. ..... 713/2
2006/0075236 A1*   4/2006  Marek et al. (class code illegible in the source)
7,194,623 B1*      3/2007  Proudler et al. ..... 713/164

OTHER PUBLICATIONS
Alves-Foss et al., "A Multi-Layered Approach to Security in High Assurance Systems," IEEE, 2004, pp. 1-10.*

* cited by examiner

Primary Examiner: Emmanuel L Moise
Assistant Examiner: Shewaye Gelagay
(74) Attorney, Agent, or Firm: Matthew J. Evans; Daniel M. Barbieri

(57) ABSTRACT

The present invention is directed to a system for providing a trusted environment for untrusted computing systems. The system may include a HAC subsystem managing shared resources and a trusted bus switch for controlling a COTS processor's access to the shared resources. The shared resources, such as memory and several I/O resources, reside on the trusted side of the trusted bus switch. Alternatively, the system may include a SCM as an add-on module to an untrusted host environment. Only authenticated applications, including the COTS OS, execute on the SCM while untrusted applications execute on the untrusted host environment. The SCM may control secure resource access from the untrusted host through a plug-in module interface. All secure resources may be maintained on the trusted side of the plug-in module interface.

18 Claims, 18 Drawing Sheets

[Representative drawing on the front page: memory resources 102, 104 and I/O resources 106, 108, 110, 112; only the reference numerals survived extraction.]
[Drawing sheets 1 through 18 (FIGS. 1 to 17, U.S. Patent dated May 11, 2010, US 7,716,720 B1) are not reproduced here; only their labels survived extraction. Legible labels: FIG. 9, Untrusted Host Computer 914, Host Interface 912, Secure Network 906, TSM, trusted/untrusted boundary; FIG. 10, Untrusted PDA, Host Interface 1012, Secure Network 906; FIG. 12, Untrusted Laptop PC, PCMCIA Interface, Secure Network; FIG. 13, PCMCIA, red/black, Wireless; FIG. 15, System Unit, Wired or Wireless LAN, red/black; FIG. 17, memory patterns. The figures are described in the Brief Description of the Drawings below.]

SYSTEM FOR PROVIDING SECURE AND TRUSTED COMPUTING ENVIRONMENTS

FIELD OF THE INVENTION

This invention relates generally to computing environments and more particularly to a system for providing a secure and trusted commercial-off-the-shelf (COTS) computing environment.

A secure communication system for military applications is required to have high bandwidth and to support users who operate at different security levels. The levels of security depend on the type of information being communicated and upon the parties involved in the communication. For example, a network connecting real time embedded military multi-level applications must support communications between diverse groups with different clearance levels. In order to support such a network at a reasonable cost, it is desirable to utilize commercial-off-the-shelf (COTS) network technologies and standards as much as possible. However, most COTS network components do not meet the level of security required to satisfy the information assurance requirements of a secure communication system that includes military multi-level applications.

Government and military applications often require more stringent standards for components. For example, security standards for computer and communication equipment for military applications are typically more stringent than the security standards for comparable commercial computer and communication equipment. In the past, specialized components were employed which could meet the stringent standards of military applications. A drawback associated with the specialized components is the high cost associated with the design and manufacture of a specialized component with limited market potential outside of military applications.

Consequently, a system suitable for highly assured military applications that employs widely available and cost effective commercial off-the-shelf (COTS) components is necessary.

SUMMARY OF THE INVENTION

Accordingly, the present invention is directed to a system for providing a trusted COTS computing environment.

In an exemplary aspect of the present invention, a system provides a secure COTS computing environment by controlling COTS processor resource access. The system may implement inter-partition separation without needing to modify COTS processors or COTS operating systems. The system includes a trusted bus switch and a High Assurance Controller (HAC) subsystem. The trusted bus switch may control the COTS processors' access to shared resources. The shared resources, such as memory and several I/O resources, reside on the trusted side of the trusted bus switch. The memory and several I/O resources may be managed by the HAC subsystem.

The HAC subsystem may be configured to ensure that each COTS processor based application has access only to a corresponding memory partition. The HAC subsystem may enforce timesharing among COTS processor based applications. The HAC subsystem may include a local memory, a partition management unit (PMU), and a High Assurance Microprocessor. The High Assurance Microprocessor may implement intrinsic partitioning. The PMU may be configured to enforce access to shared resources so that the COTS CPU only accesses its predetermined partitions for a certain computing function.

In an additional exemplary aspect of the present invention, a system including a Secure Computing Module (SCM) provides a trusted environment for COTS host platforms. Only authenticated trusted applications execute on the SCM while untrusted applications execute on the untrusted host environment. The SCM may control secure resource access from an untrusted host through a plug-in module interface. All secure resources may be maintained on the trusted side of the plug-in module interface. Untrusted host access to the SCM is subject to a stringent authentication protocol.
The SCM may include two subsystems residing on the trusted environment: an authenticated subsystem (ACE) and a trusted manager subsystem (TSM). The ACE may be secured by authenticating all code and data used for running COTS applications. The ACE may include an embedded COTS OS and various COTS applications. The ACE may be cleansed and encrypted and then stored on a local encrypted storage. The stored ACE on the local encrypted storage may be decrypted and loaded with the TSM during the SCM installation.
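
The authenticated-load step just described can be made concrete. The following Python model is an added example written for this page, not code from the patent or from Rockwell Collins: it assumes a manifest of SHA-256 digests tagged with an HMAC key that only the TSM holds (hypothetical key handling; the page does not describe the ACE's actual authentication mechanism), and it refuses to load the ACE unless the manifest and every object the manifest lists verify. Object names, image bytes and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json


class AuthenticationError(Exception):
    """Raised when any part of the ACE fails authentication; nothing is loaded."""


def build_manifest(objects, key):
    """Seal a set of ACE objects (name -> bytes) into a tagged manifest.

    Models the 'cleanse and store' step: the manifest lists the SHA-256 of every
    object allowed to execute and is tagged with a key only the TSM holds
    (hypothetical key handling; the page does not describe the real mechanism)."""
    digests = {name: hashlib.sha256(blob).hexdigest() for name, blob in objects.items()}
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def load_ace(manifest, storage, key):
    """Authenticate the manifest, then every object, before anything executes.

    Returns only objects named in the manifest: it is an allow-list, so unlisted
    files sitting on the store never reach the SCM."""
    outer = json.loads(manifest)
    body = outer["body"]
    expected_tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, outer["tag"]):
        raise AuthenticationError("manifest tag mismatch")     # checked before any object
    loaded = {}
    for name, digest in json.loads(body).items():
        blob = storage.get(name)
        if blob is None:
            raise AuthenticationError("missing object: " + name)
        if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest):
            raise AuthenticationError("digest mismatch: " + name)
        loaded[name] = blob
    return loaded


# Constructed sample data for the demonstration; not a real OS or application image.
TSM_KEY = b"example-only-key-held-by-the-tsm"
ACE_OBJECTS = {
    "cots_os.bin": b"\x7fELF embedded COTS OS image (constructed)",
    "app_mail.bin": b"\x7fELF COTS mail client (constructed)",
}


def demo():
    """Run the loader against the sample ACE in four situations."""
    manifest = build_manifest(ACE_OBJECTS, TSM_KEY)
    results = {"clean": sorted(load_ace(manifest, ACE_OBJECTS, TSM_KEY))}
    patched = dict(ACE_OBJECTS, **{"app_mail.bin": b"\x7fELF COTS mail client (patched)"})
    cases = {
        "tampered": (patched, TSM_KEY),          # one object patched on the store
        "wrong_key": (ACE_OBJECTS, b"not-the-tsm-key"),  # manifest tagged under another key
    }
    for label, (store, key) in cases.items():
        try:
            load_ace(manifest, store, key)
            results[label] = "loaded"
        except AuthenticationError as e:
            results[label] = str(e)
    # An unlisted file dropped next to the ACE is simply never loaded.
    extra = dict(ACE_OBJECTS, **{"helper.bin": b"unlisted code (constructed)"})
    results["extra"] = sorted(load_ace(manifest, extra, TSM_KEY))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The ordering is the point: the manifest tag is checked before any object digest is consulted, and objects present on the store but absent from the manifest are never returned, so the manifest acts as an allow-list rather than a lookup table. In a real SCM the tag would be a signature verified with a key that never leaves the trusted side; HMAC is used here only to keep the example inside the standard library.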

The TSM may be suitable for providing partitioning for both memory and I/O resources on the trusted environment. All I/O paths of the SCM are configured to go through the TSM. Each I/O path is managed by a dedicated secure TSM partition and is subject to authentication protocols. The TSM may include a trusted processor for providing a brick-wall partitioning environment and a cryptographic engine for providing a robust security interface in a secure communication network.

Advantageously, the system including the SCM may provide trusted and portable COTS computing environments that are protected against malware. Use of the ACE in conjunction with the TSM may ensure that COTS applications running on the SCM are free from malware and that manufacturer-supplied software is trusted. Only authenticated applications, including the COTS OS, execute on the SCM while untrusted applications execute on the untrusted host environment. The SCM may control secure resource access from the untrusted host through a plug-in module interface. All secure resources may be maintained on the trusted side of the plug-in module interface.

In another additional aspect of the present invention, the SCM may utilize input and output devices of the untrusted host as virtual input and output devices for the secure COTS environment. The SCM may include a Trusted Agent configured to be loaded onto the untrusted host from the SCM in "Plug-and-Play" fashion when the SCM is added on to the untrusted host. The Trusted Agent may reside on the untrusted host environment while the SCM is in use. The Trusted Agent in conjunction with the TSM creates a secure I/O path from/to the input and output devices of the untrusted host. In this manner, the input and output devices of the untrusted host may be implemented as virtual input and output devices for the SCM.

In a further aspect of the present invention, the SCM may provide secure COTS environments for various host COTS platforms. The SCM may use a Compact Flash (CF) interface for a PDA host. The SCM may be connected as a USB, CF, or PCMCIA device for a laptop host. The SCM may use a USB connection for a desktop PC host.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention claimed. The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate an embodiment of the invention and together with the general description serve to explain the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The numerous objects and advantages of the present invention may be better understood by those skilled in the art by reference to the accompanying figures in which:

FIG. 1 illustrates a block diagram of a prior art secure computing environment;
FIG. 2 illustrates a block diagram of a secure computing environment utilizing a trusted bus switch in accordance with an exemplary embodiment of the present invention;
FIG. 3A illustrates a block diagram of a secure COTS computing environment with a single processor in accordance with an exemplary embodiment of the present invention;
FIG. 3B illustrates a processing timing of the secure COTS computing environment shown in FIG. 3A;
FIG. 4A illustrates a block diagram of a secure COTS computing environment with two processors in accordance with an exemplary embodiment of the present invention;
FIG. 4B illustrates a dual processing timing of the secure COTS computing environment shown in FIG. 4A;
FIG. 5 illustrates a block diagram of a High Assurance Controller in accordance with an exemplary embodiment of the present invention;
FIG. 6 illustrates a block diagram of a COTS operating system interface to the High Assurance Controller in accordance with an exemplary embodiment of the present invention;
FIG. 7 illustrates a block diagram of a computing environment implementing the SCM architecture in accordance with an exemplary embodiment of the present invention;
FIG. 8 illustrates a block diagram of a virtual input/output system in conjunction with the SCM in accordance with an exemplary embodiment of the present invention;
FIG. 9 illustrates a block diagram of a SCM in accordance with an exemplary embodiment of the present invention;
FIG. 10 illustrates a block diagram of the SCM interfacing with an untrusted PDA in accordance with an exemplary embodiment of the present invention;
FIG. 11 illustrates a block diagram of a PDA computing environment utilizing the SCM shown in FIG. 10 in accordance with an exemplary embodiment of the present invention;
FIG. 12 illustrates a block diagram of the SCM interfacing with an untrusted Laptop PC in accordance with an exemplary embodiment of the present invention;
FIG. 13 illustrates a block diagram of a Laptop PC computing environment utilizing the SCM shown in FIG. 12 in accordance with an exemplary embodiment of the present invention;
FIG. 14 illustrates a block diagram of the SCM interfacing with a desktop PC in accordance with an exemplary embodiment of the present invention;
FIG. 15 illustrates a block diagram of a desktop PC computing environment utilizing the SCM shown in FIG. 14 in accordance with an exemplary embodiment of the present invention;
FIG. 16 illustrates a block diagram of a computing environment utilizing the SCM for a remote trusted host in accordance with an exemplary embodiment of the present invention; and
FIG. 17 illustrates memory patterns utilized to test the SCM in accordance with an exemplary embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to presently preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings.

The present invention discloses a system for providing a secure COTS computing environment based on an embedded security architecture.

1. Secure COTS Computing Environment Through HAC

A secure COTS computing environment is provided by a system including a High Assurance Controller (HAC) subsystem to control execution of COTS functions and enforce security partitioning for applications running on the untrusted COTS processor. COTS processor resource access may be controlled through a trusted bus switch, with all memory and shared I/O resources residing on the trusted side of the trusted bus switch. The HAC subsystem is suitable for controlling the trusted bus switch and executing multiple partitions with guaranteed separation. The HAC subsystem may maintain high Evaluation Assurance Level (EAL) certifications such as EAL-6 and EAL-7 under the Common Criteria security evaluation standard used by the NSA. The system may support inter-partition separation without needing to modify the COTS processor or COTS operating system. The intrinsic partitioning separation is independent of the security pedigree of both the COTS operating system and the host applications.

1.1 Secure Computing Environment

Referring now to FIG. 1, a block diagram of a conventional secure computing environment 100 is shown. In a conventional computing environment, COTS processors 114 communicate directly with memory 102, 104 and I/O resources 106, 108, 110, 112 using data, address, and control bus structures. In order to maintain a secure computing environment, access to certain shared resources such as memory 102, 104 and the like, or to parts of the shared resources such as shared I/O devices 106, 108, is controlled in a structured manner to prevent compromising classified data. There have been efforts to control shared resources without compromising classified data. For example, a separation kernel in a Multiple Independent Levels of Security (MILS)-compliant real time OS has been utilized to prevent compromising classified data. However, separation at the operating system level may result in a complicated separation mechanism requiring a myriad of implementation details to be verified to ensure the security of the system.

As shown in FIG. 2, in an embodiment of the present invention, resource access by COTS processors 114 is controlled through a trusted bus switch 212, where all memory 102, 104 and several shared I/O resources 106, 108 are moved to the trusted side of the trusted bus switch 212. The COTS processors 114 may be capable of accessing local I/O resources 110, 112 without requiring any access control by the trusted bus switch. The local I/O resources 110, 112 not requiring access controls reside on the untrusted side of the trusted bus switch. The trusted bus switch may be managed by a HAC subsystem to enforce an arbitrary security policy.

1.2 HAC Subsystem

Referring now to FIG. 3A, a block diagram of a secure COTS computing environment 300 having a single processor is shown. In an embodiment of the present invention, the secure computing environment 300 may include a HAC subsystem 312, a COTS Central Processing Unit (CPU) 302, and various shared and/or partitioned resources 313. The HAC subsystem 312 is responsible for control of COTS CPU execution as well as for enforcing access to shared resources 313 such as memory and I/O. The HAC subsystem 312 may monitor and manage partitions for the COTS CPU. The HAC subsystem 312 is responsible for zeroizing, loading, configuring, and controlling the COTS CPU for time-sliced real time execution of Multiple Independent Levels of Security (MILS) computing functions. Zeroizing the COTS CPU may include approved zeroization procedures configured to erase sensitive information (e.g. keys for a cryptographic module) or decrypted secure data to prevent its disclosure. The HAC subsystem 312 is also responsible for user authentication. The HAC subsystem 312 is a complete computing environment including local memory 308 coupled to a local I/O 310, a partition management unit (PMU) 304, and a high assurance processor 306.

The PMU 304 may enforce access to shared and partitioned resources 313 so that the COTS CPU 302 is prevented from accessing anything outside its predetermined resource partitions. The COTS CPU 302 is interfaced to the PMU through its local memory bus 303 and accesses its corresponding memory partitions through the PMU. The corresponding memory partitions are predetermined by the HAC subsystem 312. In a particular embodiment, a ROCKWELL COLLINS AAMP7™ microprocessor may be used as the high assurance processor. The AAMP7™ microprocessor provides brick-wall partitioning and has been formally verified as part of an NSA certification effort.

In a preferred embodiment of the present invention, the HAC subsystem 312 may be suitable for implementing intrinsic partitioning with brick-wall separation. Partitions are processing contexts where communication between partitions is limited to what is allowed by an information flow policy. Generally, a system has intrinsic partitioning when the underlying processing platform of the system is designed to enforce brick-wall separation. Such intrinsic partitioning may provide concrete assurance of the spatial and temporal separation between partitions. The underlying processing platform enforces a policy of information flow between partitions with mechanisms that are designed into the machine itself, not added later at the operating system or application levels. To ensure that highly sensitive data is securely mixed with data and programs at lower or unclassified levels requires a separation mechanism that is best implemented and certified at a low level of the design.

Utilizing the intrinsic partitioning approach, the HAC subsystem 312 may provide a separation mechanism that is independent of the security pedigree of both the operating system and the hosted applications. The relative simplicity of the approach allows for high levels of assurance and allows the system developer to choose an operating system, such as a Portable Operating System Interface (POSIX) compliant OS, VxWorks, and the like, best suited for personality modules such as Global Positioning System (GPS) user devices, Joint Tactical Radio System (JTRS) radios, PDAs, cell phones, and the like.

As shown in FIG. 3B, the HAC subsystem 312 may enforce timesharing among applications running on the COTS CPU 302. The COTS CPU 302 executes a single computing function at a selected security level (e.g. Top Secret (TS), Secret (S), Unclassified (U) and the like) in each predetermined time slice 316, 320, 322. Access to shared resources for each time slice 316, 320, 322 is enforced by the PMU 304. Between computing time slices there is an overhead time 318 caused by inter-time slice scrubbing. The HAC subsystem scrubs the previous processing partition by causing the COTS CPU to save its current state, zeroize its internal state, load the previously saved state for the impending time slice, and re-establish the PMU state. As a result, the COTS CPU is ready to execute the next scheduled computing function. For example, a first computing function at TS security level may be executed in a first time slice 316. Before a second computing function at a different security level is executed in a second time slice 320, the processing partition for the first computing function may be "scrubbed" by the HAC subsystem 312. The HAC subsystem 312 causes the COTS CPU to zeroize its internal states and re-establish the PMU state. Then the COTS CPU 302 is ready to execute the second computing function in the second time slice 320.

In an embodiment of the present invention, at least two COTS processors may be utilized to minimize inter-time slice scrubbing, since each inter-time slice scrub is an overhead for the COTS processors. Referring now to FIG. 4A, a block diagram of a secure COTS computing environment 400 with a dual COTS CPU architecture is shown. The dual COTS CPU architecture is similar to the single processor version shown in FIG. 3A except that a first COTS CPU 401 may be zeroized and prepared for the next time slice while the current time slice is executing on a second COTS CPU 402. Each COTS CPU 401, 402 is suitable for executing a computing function at a different security level. Each COTS CPU 401, 402 is coupled to a corresponding local bus 403, 405. The local buses 403, 405 are coupled to a switch 430 included in the HAC subsystem. The switch 430 may perform a source selection function so that access to shared memory is blocked for the non-selected COTS CPU and is passed through with zero overhead to the selected COTS CPU.

FIG. 4B illustrates a dual processing timing 415 of the secure COTS computing environment with the dual COTS CPU architecture shown in FIG. 4A. The first COTS CPU executes a computing function in a time slice 416 while the second COTS CPU is being zeroized and prepared to execute the next scheduled computing function in a next time slice 420. After the second COTS CPU is zeroized, the second COTS CPU is loaded with the state that was saved from the previous execution of the scheduled time slice and then placed into an idle mode to conserve power. For example, the first COTS CPU executes a computing function at TS security level in a first time slice 416. During the first time slice 416, the second COTS CPU is zeroized and prepared to execute a computing function at U security level in a second time slice 420. Then the second COTS CPU is placed into idle mode 426. In an embodiment, the second COTS CPU may be placed into power-off mode 424 in order to be zeroized. In this manner, the system may minimize overhead and maximize computing capacity with a minimal power consumption penalty. (There is minimal time during which the two processors are running simultaneously.)
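
To make the partition enforcement and the inter-time slice scrub concrete, the following Python model is an added example written for this page; it is not the patent's code nor the AAMP7 or HAC implementation. The PMU is modelled as a reference monitor that rejects any bus access outside the partition the HAC established for the current slice, and the HAC performs the save / zeroize / load / re-establish sequence between slices in the order the text gives. Partition layouts, workloads and names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    """Processing context fixed by the HAC before the time slice runs."""
    name: str
    level: str      # classification of the computing function: "TS", "S", "U"
    mem: tuple      # (base, limit): half-open range of shared memory it owns
    io: frozenset   # shared I/O resources it may use


class AccessViolation(Exception):
    pass


class PMU:
    """Reference monitor on the local memory bus (PMU 304 in the text). It
    knows only the partition the HAC established for the current slice."""
    def __init__(self):
        self.current = None
    def establish(self, part):
        self.current = part
    def check_mem(self, addr, size):
        p = self.current
        if p is None or addr < p.mem[0] or addr + size > p.mem[1]:
            raise AccessViolation(f"{p.name if p else '<none>'}: memory {addr:#x}+{size}")
    def check_io(self, resource):
        p = self.current
        if p is None or resource not in p.io:
            raise AccessViolation(f"{p.name if p else '<none>'}: I/O {resource}")


class COTSCPU:
    """Untrusted processor: registers are its internal state; every access to
    the shared memory on the trusted side is checked by the PMU first."""
    def __init__(self, pmu, shared_mem):
        self.pmu, self.shared_mem, self.regs = pmu, shared_mem, {}
    def load(self, addr, size):
        self.pmu.check_mem(addr, size)
        return bytes(self.shared_mem[addr:addr + size])
    def store(self, addr, data):
        self.pmu.check_mem(addr, len(data))
        self.shared_mem[addr:addr + len(data)] = data
    def io(self, resource):
        self.pmu.check_io(resource)
    def zeroize(self):
        self.regs = {}


class HAC:
    """High Assurance Controller: owns the schedule, saved states and the PMU."""
    def __init__(self, cpu, pmu):
        self.cpu, self.pmu, self.saved, self.violations = cpu, pmu, {}, []
    def scrub(self, prev, nxt):
        """Inter-time slice scrub, in the order the text gives."""
        if prev is not None:
            self.saved[prev.name] = dict(self.cpu.regs)         # save current state
        self.cpu.zeroize()                                       # zeroize internal state
        if nxt is not None:
            self.cpu.regs = dict(self.saved.get(nxt.name, {}))  # load next slice's state
        self.pmu.establish(nxt)                                  # re-establish PMU state
    def run(self, schedule):
        """Execute (partition, workload) pairs as consecutive time slices."""
        prev = None
        for part, workload in schedule:
            self.scrub(prev, part)
            try:
                workload(self.cpu)
            except AccessViolation as e:
                self.violations.append(str(e))   # denied before memory was touched
            prev = part
        self.scrub(prev, None)                   # end: CPU zeroized, no partition open
        return self.violations


def demo():
    """Constructed schedule TS -> U -> TS, following the FIG. 3B narrative."""
    shared = bytearray(0x2000)
    pmu = PMU()
    cpu = COTSCPU(pmu, shared)
    hac = HAC(cpu, pmu)
    ts = Partition("ts_fn", "TS", (0x0000, 0x1000), frozenset({"crypto_io"}))
    u = Partition("u_fn", "U", (0x1000, 0x2000), frozenset({"lan"}))

    def ts_work(c):
        c.store(0x0010, b"key-material")                 # inside its own partition
        c.regs["r0"] = 0xDEAD
    def u_work(c):
        c.store(0x1000, b"unclassified")
        c.regs["r0"] = 1
        c.load(0x0010, 12)                               # reach into TS memory: denied
    def ts_again(c):
        c.regs["restored"] = c.regs.get("r0") == 0xDEAD  # state came back after the scrub
        c.io("lan")                                      # I/O outside its policy: denied

    violations = hac.run([(ts, ts_work), (u, u_work), (ts, ts_again)])
    return violations, bytes(shared[0x0010:0x001C]), hac.saved
```

Two things the model makes visible that the prose does not: a denied access never reaches shared memory at all (the exception is raised before the bytearray is touched), and zeroization applies to the CPU's internal state, not to the shared memory partitions, which keep their contents but stay reachable only while their owner's partition is the one established in the PMU.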

Referring now to FIG. 5, a block diagram of a trusted environment 500 employing a HAC subsystem is shown. In an embodiment of the present invention, the HAC subsystem 512 may be suitable for serving as a trusted subsystem between the COTS world 501 and shared resources 502. In a particular embodiment, a High Assurance processor 506 such as the AAMP7 may be suitable for providing Partition Management functions. In this particular embodiment, the HAC subsystem 512 may include auxiliary PMU logic for COTS processor and resource control.

A shared resource data path 530 may be included between the auxiliary PMU logic and shared resources 502. The shared resource (SR) data path 530 may be utilized for shared resource control and configuration related to COTS partition management. Additionally, the SR data path 530 may be utilized as part of a trusted I/O delivery subsystem operating on behalf of a COTS client. The I/O delivery system may be a buffered conduit between the COTS processor(s) and shared resources. When the SR data path 530 is utilized as described, the HAC subsystem 512 may be suitable for pre- or post-processing data flowing to and from the COTS processor(s). The SR data path 530 may be utilized as the local bus for a trusted computing environment consisting solely of the HAC subsystem 512 and both its local and shared resources. In an embodiment of the present invention, the HAC subsystem 512 with the SR data path 530 may be suitable for supporting an autonomous secure computing environment. In another embodiment of the present invention, the HAC subsystem 512 may allow convenient implementation of critical security policies such as key management and biometrics support. A decode path 532 may be included between the auxiliary PMU logic and shared resources, recognizing special separation requirements that may be imposed by smart I/O devices (such as biometrics devices). Further, Red/Black security separation for a secure communication network may be provided by adding an optional cryptographic engine 507.

In the secure communication network, users are not able to access sensitive information for which they are not authorized. In order to maintain such confidentiality, the network may be divided into a domain for processing possibly sensitive plain-text data, called the Red Domain, and a domain for processing non-sensitive data and encrypted sensitive data, called the Black Domain. There may be multiple Red Domains in the network, since each domain can be accredited to a different security (sensitivity) level. Users residing in the Red Domain are trusted to protect the information they process to a degree appropriate for the security classification of the data. Users residing in the Black Domain interface to the Red Domain through a cryptographic engine. In this manner, the Red/Black security separation may be provided by the cryptographic engine.
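
The Red/Black boundary described above, as an added example written for this page (not the patent's code, and not the Janus engine's algorithms, which the page does not describe): each Red domain has its own key, the engine is the only component that sees both plaintext and key, and the Black domain carries frames it can neither read nor forge. The cipher is an illustrative SHA-256 counter-mode keystream with an HMAC-SHA-256 tag, chosen only so that the example runs with the Python standard library; domain names, keys and messages are constructed.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


class RedBlackViolation(Exception):
    pass


class CryptoEngine:
    """The only path between a Red domain and the Black domain. Each Red domain
    has its own key, reflecting that each is accredited to its own level."""
    def __init__(self, red_keys):
        self._keys = dict(red_keys)   # red domain id -> key; never handed to Black

    @staticmethod
    def _keystream(key, nonce, n):
        # SHA-256 in counter mode as an illustrative keystream: it keeps the example
        # in the standard library and is not the engine's real (unnamed) algorithm.
        out = b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                       for i in range((n + 31) // 32))
        return out[:n]

    def seal(self, domain, plaintext, nonce=None):
        """Red -> Black. The returned frame is all the Black domain ever sees."""
        key = self._keys[domain]
        nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
        header = domain.encode() + b"\0" + nonce
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, header + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return header + ct + tag

    def open(self, domain, frame):
        """Black -> Red. Verify first; decrypt only into the domain whose key verifies."""
        key = self._keys[domain]
        sep = frame.index(b"\0")
        header, ct, tag = frame[:sep + 1 + NONCE_LEN], frame[sep + 1 + NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if frame[:sep] != domain.encode():
            raise RedBlackViolation("frame addressed to another Red domain")
        if not hmac.compare_digest(hmac.new(key, header + ct, hashlib.sha256).digest(), tag):
            raise RedBlackViolation("authentication failed; frame discarded")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, header[sep + 1:], len(ct))))


class BlackDomain:
    """Carries frames between Red domains. It holds no key, so it can store and
    forward ciphertext but cannot read it or produce a frame Red will accept."""
    def __init__(self):
        self.frames = []

    def carry(self, frame):
        self.frames.append(bytes(frame))
        return self.frames[-1]


def demo():
    """Constructed scenario: two Red domains at different levels, one Black carrier."""
    engine = CryptoEngine({"RED-TS": b"K" * 32, "RED-S": b"J" * 32})
    black = BlackDomain()
    nonce = b"\x01" * NONCE_LEN           # fixed only so the demonstration is reproducible
    msg = b"TS plaintext: constructed message, nothing real"
    frame = black.carry(engine.seal("RED-TS", msg, nonce))
    out = {"plaintext_in_black": msg in frame,
           "round_trip": engine.open("RED-TS", frame) == msg}
    tampered = bytearray(frame)
    tampered[-TAG_LEN - 1] ^= 0x01        # flip the last ciphertext byte
    relabelled = b"RED-S" + frame[len(b"RED-TS"):]   # re-address the frame to RED-S
    attempts = {"cross_domain": ("RED-S", frame),
                "tampered": ("RED-TS", bytes(tampered)),
                "relabelled": ("RED-S", relabelled)}
    for label, (domain, f) in attempts.items():
        try:
            engine.open(domain, f)
            out[label] = "accepted"
        except RedBlackViolation as e:
            out[label] = str(e)
    return out
```

The domain label in the header is bookkeeping, not protection: the relabelled case shows a frame re-addressed to RED-S still failing, because its tag was computed under the RED-TS key. That is the property the text is after when it says Black users reach Red only through the cryptographic engine, and it is why accrediting each Red domain to its own level means giving each its own key.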
`In a particular embodiment, the PMU,the high assurance
`processor, andthe optional cryptographic engine 507 may be
`implemented with one component. For example, a ROCK-
`WELL COLLINS Janus crypto-processor 522 includes
`AAMP7™microprocessor, a cryptographic engine, and a
`base PMU. In addition, the switch, the I/O delivery sub-
`system, and the auxiliary PMU logic mayinitially be imple-
`mented in a Field-Programmable Gate Array (FPGA).
A board support package (BSP) is typically provided by the board designer/manufacturer for the COTS CPUs to interface with the hardware. A small code segment (BSP hook) 520 residing in the BSP embedded within the COTS OS may be interfaced between the HAC subsystem 512 and the COTS CPUs 516, 518 to control the COTS CPUs 516, 518.
As shown in FIG. 6, in an embodiment of the present invention, the Windows CE operating system may be utilized as the embedded COTS OS on the untrusted host platform. For instance, ruggedized PDAs may employ the Windows CE operating system as COTS OS 604. The board designer/manufacturer of the COTS CPU for the ruggedized PDAs may provide the board support package (BSP) 620, including a boot loader 610, device drivers 616, configuration files 618, an OEM Adaptation Layer (OAL) 612, and a HAC interface 614. A small, trusted fraction of the BSP code (the BSP hook) may be used as part of the HAC interface 614. As such, modification of the existing COTS environment may be minimal when the HAC subsystem is utilized to provide a secure COTS environment. The BSP hook 614 may be used as an interface to the HAC subsystem, being suitable for serving as the HAC subsystem's inside-COTS proxy. It is to be noted that the BSP 620 may be provided for any custom hardware platform 608.
The present invention may provide numerous advantages. The system including the HAC subsystem may support multiple safety-critical embedded applications certified to different safety levels in a hard real-time environment. In this manner, certification costs for integrated applications of differing levels of criticality may be reduced, and applications in different partitions may be certified to a level proportional to their criticality.
In addition, the present invention may allow the partitioning kernel model to run on the High Assurance processor's micro-architecture. Assertions concerning the kernel relative to the state of the underlying hardware may be proved to high levels of assurance. As such, building the separation kernel into a High Assurance processor's micro-architecture provides an extra level of assurance. Since the separation kernel is in hardware and microcode, the HAC subsystem may handle partition management duties at a relatively slow clock rate. The HAC subsystem, along with its local resources and those shared by the COTS processor(s), may serve as an independent, trusted su
