A Federation Of Sentries: Secure And Efficient Trusted Hardware Element Communication

Ward, Blake A

01 June 2024

Previous work introduced TrustGuard, a design for a containment architecture that allows only the result of the correct execution of approved software to be outputted. A containment architecture prevents results from malicious hardware or software from being communicated externally. At the core of TrustGuard is a trusted, pluggable device that sits on the path between an untrusted processor and the outside world. This device, called the Sentry, is responsible for validating the correctness of all communication before it leaves the system. This thesis seeks to leverage the correctness guarantees that the Sentry provides to enable efficient secure communication between two systems each protected by their own Sentry. This thesis reviews the literature for methods of enabling secure communication between two computer-Sentry pairs. It categorizes the pieces of the solution into three sections: attestation, establishing a tunnel, and communicating securely. Attestation in this context provides evidence of identity. It proposes a new configurable design for a secure network architecture, which includes a new version of the Sentry with a hardware accelerator for secure symmetric encryption, ring oscillator-based physically unclonable functions, and random number generators for attestation and key generation. These design elements are then evaluated based on how they might affect the overall system in terms of resource constraints, performance impacts, and scalability.

TrustGuard

Hardware Security

Network Security

PUF

Computer Architecture

Computer and Systems Architecture