Modern computer security requires bug-free code at every layer of the software stack. While both university and industry research groups continue efforts to produce secure and perfectly correct operating systems, hypervisors and other important components, we propose another layer of security so that if these systems fail, some portions of the system remain resistant to attack. We propose embedding a set of security features into the architecture to provide a form of memory protection that will enable correctly coded applications to resist attack even if underlying portions of the software stack become malicious. This would radically improve the current security capabilities of most platforms and would provide safety measures on some systems impossible to use safely today.

Our system we have begun to design and propose to conduct research on is called LockBox. The goal of the system is to allow an application to remain resistant to attack even if the underlying system management software is compromised. Instead of placing ultimate trust in every component of the software stack below it, the architecture offers applications access to memory protected from everything else on the system, including the software in charge of memory management. With this capability, the application can layer on more complex security systems as needed.

LockBox is designed as a series of hardware features embedded inside the microarchitecture and has been carefully tuned to require only a small additional amount of hardware. Since developing hardware is costly and premature at this point, we will implement LockBox using a trusted nesting hypervisor. This will allow us to run a small microhypervisor on the machine to simulate some key hardware features not yet present in the underlying architecture. The goals of this proposal are to build the system, validate our ideas, prove reasonable performance and release the microhypervisor to enable other research groups, government and industry to take advantage of LockBox's security model. Eventually, LockBox's feature set can migrate into the hardware of the machine and a even a trusted microhypervisor would no longer be required.

LockBox is designed to provide the user with the final authority to set security policy on the machine. The user has the tools to ensure the security of their data and because users are the ultimate authority, they are allowed to decide which applications may use the new security features. This means our system cannot be used to restrict the user's capabilities, specifically user fears that LockBox could be used for Digital Rights Management would be alleviated. Under this threat model it is reasonable to accept that the user will not try and subvert the security system by compromising their own hardware. This means LockBox can rely on correct operation of the hardware. This is desirable, since trying to make hardware resistant to attack is an extremely difficult problem. Of course, if research breakthroughs in the area of hardware security did occur, they would allow LockBox to be useful under an even more diverse range of threat models.