The growing use of processors on which multiple applications execute concurrently, as in cloud computing, has increased the need for security features that protect these applications from mutual interference. Additionally, a successful external attack on a processor can compromise several applications at once. These threats have led to the addition of new security features to standard processor architectures. This monograph discusses, in ten chapters, the issues involved in designing secure processors.
An introductory chapter summarizes security concepts and is intended for readers with little or no background in security. It introduces a threat model and the concept of a trusted computing base (TCB), which serve as a reference for the later chapters. A TCB is the set of trusted hardware and software components in the architecture. The next three chapters discuss threats, trusted execution environments, and the hardware root of trust. Since threats are the essence of security, this is a good place to start. A secure processor must provide authentication of the processor itself, as well as confidentiality and integrity for the data it sends out. The focus then moves to the security of the components external to the processor, namely memory and communication processors, along with a discussion of covert-channel and side-channel attacks. Covert channels can use timing, power, and traffic to leak information and bypass isolation mechanisms. A side channel is similar, except that the leakage is unintended rather than deliberately established. A chapter on processor verification completes this panorama.
Based on the preceding analyses, the last chapter presents five design principles and their effect on the processor architecture. The emphasis on threats is a key point: while we can never be sure of having found all of them, finding the important ones is enough in most cases. As the author indicates, we cannot reach 100 percent security; we need only make the attacker's effort large enough. The style is conceptual, and the numerous diagrams make the concepts easy to understand; however, readers must have a strong background in security. The writing is rigorous and supported by 254 references. I consider this book required reading for serious researchers and students of processor security.
Although the treatment is conceptual, relating its concepts and principles to Landwehr and Carroll's hardware requirements for security [1] could have strengthened it further. The processors considered here are commodity products; in the past, however, several specialized processors, such as capability machines, had architectures intended to be inherently secure, among them the Plessey 250 and the IBM S/38 [2]. A comparison of those approaches with the ones discussed here would have been interesting. For example, capability machines have a smaller TCB at the cost of a more complex architecture; that is, they require very large memory systems.