Outpost: Creating Secure Execution Environments Without Secure Hardware

In this talk I present Outpost, a software-based primitive for attestable establishment of a root-of-trust-for-computing. Outpost creates an execution environment that guarantees untampered code execution even when the entire software stack of system (including the BIOS) is compromised, without requiring secure hardware support.

In contrast to Pioneer (our earlier work on the problem), which uses an adhoc attack-defense design strategy specific to the x86 architecture, Outpost uses a design strategy based on an architecture-portable hardware operational model. We use the insights obtained from a deep understanding of hardware architecture and operation across platforms to define the operational model. This design strategy ensures that Outpost is architecture-portable, is not vulnerable to any of the low-level attacks that Pioneer is vulnerable to, has a 15x higher attacker time overhead, and is amenable to formal reasoning about its security.

I conclude by sharing some thoughts on the important systems security problems in the era of cloud and mobile. I will also discuss how intelligently-defined hardware operational models in combination with creative retrofitting of the design and implementation of commodity systems might enable us to build commodity systems which are amenable to formal reasoning about their security properties.