Security-first architecture: deploying physically isolated active security processors for safeguarding the future of computing
Cybersecurity, Pub Date: 2018-06-05, DOI: 10.1186/s42400-018-0001-z
Dan Meng, Rui Hou, Gang Shi, Bibo Tu, Aimin Yu, Ziyuan Zhu, Xiaoqi Jia, Peng Liu

It is fundamentally challenging to build a secure system atop the current computer architecture. The complexity of software, hardware and ASIC manufacture has grown beyond the capability of existing verification methodologies. Without whole-system verification, current systems have no proven security. Current systems are exposed to a variety of attacks because of the large number of exploitable security vulnerabilities. Some vulnerabilities are difficult to remove without significant performance impact because performance and security can conflict with each other. Even worse, attacks are constantly evolving, and sophisticated attacks are now capable of systematically exploiting multiple vulnerabilities while remaining hidden from detection. Although they strive to harden the current computer architecture, existing defenses are mostly ad hoc and passive in nature. They are normally developed spontaneously in response to specific attacks after specific vulnerabilities were discovered. As a result, they are not yet systematic in protecting systems from existing attacks and are likely defenseless against zero-day attacks.

To confront the aforementioned challenges, this paper proposes Security-first Architecture, a concept which enforces systematic and active defenses using Active Security Processors. In systems built on this concept, traditional processors (i.e., Computation Processors) are monitored and protected by Active Security Processors. The two types of processors execute on their own physically isolated resources, including memory, disks, network and I/O devices. The Active Security Processors are provided with dedicated channels to access all the resources of the Computation Processors, but not vice versa. This allows the Active Security Processors to actively detect and tackle malicious activities in the Computation Processors with minimum performance degradation, while the resource isolation protects them from attacks launched from the Computation Processors.

Updated: 2018-06-05