Security Hardening against Hardware Vulnerabilities through Hardware Separation
The recently discovered security vulnerabilities that exploit micro-architectural properties introduce new and challenging attack vectors. Mitigation techniques adapted to each discovered vulnerability address that vulnerability, but might not prevent other, yet unknown ones. Moreover, the overheads of existing mitigation techniques are high and may deter users from enabling them. Current protection schemes against these vulnerabilities are rather complicated, consisting of extensive operating system (OS) changes and new microcode features. Due to this complexity, the protection these schemes provide might be incomplete. Furthermore, it is still unclear whether future CPU enhancements will render the current complicated protection schemes unnecessary.
In our research, we wish to explore the solution space for mitigating this new class of security vulnerabilities, including ones not yet discovered, and to study the inherent trade-off between protection and performance. To protect against these vulnerabilities, we wish to take a more drastic measure: separating the hardware resources (compute and memory) allocated to the OS and to its processes. This separation can be applied at different levels to serve different purposes: weak separation to complement current protection schemes by reducing their overheads, and strong separation to protect against unknown security threats.