One main design goal of the PERSEUS trustworthy computing framework is the realization of a minimal and therefore manageable, stable and evaluable security kernel for conventional hardware platforms such as IBM-PCs, servers, embedded systems, and mobile devices like PDAs and smartphones. This requirement is fulfilled by moving only security-critical operations and data into the security kernel. The result is the three-layer architecture illustrated by the following figure:
The purposes and contents of the three layers are as follows:
- Hardware Layer: The hardware layer consists of conventional hardware such as a CPU, memory, and hardware devices. Moreover, the hardware layer can optionally provide trusted computing technology such as a TPM.
- Hypervisor Layer: The main task of the hypervisor layer is to provide an abstract interface to the underlying hardware resources (interrupts, memory and hardware devices). Moreover, this layer allows these resources to be shared and enforces access control on the object types known to this layer. The PERSEUS framework is flexible enough to support different kinds of hypervisor layers, e.g., virtual machine monitors (VMMs) like Xen, or microkernels like L4.
- Trusted Software Layer: By efficiently combining the services provided by the hardware layer and the hypervisor layer, the trusted software layer (TSL) extends the interfaces of the underlying services with security properties and ensures isolation of the applications executed on top of this layer. Examples of security services are a secure user interface (trusted GUI, trusted path), a secure bootloader, and mutually trusted storage.
On top of the trusted software layer, security-critical and non-critical applications are executed in parallel. Legacy operating systems can be executed as isolated applications on top of it, providing end-users with a familiar user interface and a backward-compatible application binary interface (ABI) so that standard applications can be reused. Moreover, to keep the security kernel as small as possible, the legacy operating systems can be used to realize uncritical operating system services.
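The division of labour between the three layers is easier to see in a running model. The following Python sketch is an added illustration, not PERSEUS code: a `Hypervisor` class stands in for the hypervisor layer and checks every access to the hardware objects it knows about (a disk and a network device, both constructed), a `TrustedStorage` class stands in for a TSL service that adds a security property on top of the plain disk object (a blob can only be read back by a compartment whose measurement matches the one that stored it), and `Compartment` objects stand in for the isolated applications and the legacy OS on top. All class and function names, the compartment images and the measurement scheme are assumptions; a real TSL would seal the blob with the TPM rather than just record the binding.

```python
"""Toy model of the PERSEUS three-layer split (added illustration, not PERSEUS
code): a hypervisor that mediates hardware objects, a trusted software layer
(TSL) service that adds a security property on top of them, and isolated
compartments, one of them a legacy OS. All names below are assumptions."""
import hashlib
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class Compartment:
    """An application or legacy OS running on top of the TSL."""
    name: str
    measurement: str                           # hash of the compartment image
    grants: set = field(default_factory=set)   # (object kind, object id) pairs


class Hypervisor:
    """Hypervisor layer: abstracts hardware objects (memory, devices) and
    enforces access control on the object types it knows about."""

    def __init__(self):
        self.objects = {}                      # (kind, id) -> backing store

    def add_object(self, kind, oid):
        self.objects[(kind, oid)] = {}

    def create_compartment(self, name, image, grants):
        # The measurement would come from a TPM-backed boot chain; here it is
        # simply the hash of the (constructed) image bytes.
        return Compartment(name, hashlib.sha256(image).hexdigest(), set(grants))

    def access(self, caller, kind, oid):
        """Every access to a hardware object goes through this check."""
        key = (kind, oid)
        if key not in self.objects:
            raise KeyError(f"no such object {kind}:{oid}")
        if key not in caller.grants:
            raise AccessDenied(f"{caller.name} has no grant for {kind}:{oid}")
        return self.objects[key]


class TrustedStorage:
    """Trusted software layer service: extends the hypervisor's plain disk
    object with a security property, namely that a stored blob can only be
    read back by a compartment with the same measurement that stored it.
    (A real implementation would seal the blob with the TPM; this toy only
    records the binding.)"""

    def __init__(self, hv, disk_id):
        self.hv = hv
        self.disk_id = disk_id

    def store(self, caller, blob_id, data):
        disk = self.hv.access(caller, "disk", self.disk_id)   # hypervisor check
        disk[blob_id] = (caller.measurement, bytes(data))

    def load(self, caller, blob_id):
        disk = self.hv.access(caller, "disk", self.disk_id)   # hypervisor check
        bound_to, data = disk[blob_id]
        if bound_to != caller.measurement:                     # TSL check
            raise AccessDenied(f"{caller.name}: blob {blob_id} is bound to another image")
        return data


def demo():
    """Builds the stack and reports what each compartment could reach."""
    hv = Hypervisor()
    hv.add_object("disk", 0)
    hv.add_object("nic", 0)
    storage = TrustedStorage(hv, disk_id=0)

    # Constructed compartments: a small security-critical app, a legacy OS
    # granted only the network device, and a second legacy OS instance that
    # was also granted the disk.
    app = hv.create_compartment("wallet", b"wallet-image-v1", {("disk", 0)})
    legacy = hv.create_compartment("legacy-os", b"linux-image", {("nic", 0)})
    legacy_with_disk = hv.create_compartment(
        "legacy-os-2", b"linux-image", {("nic", 0), ("disk", 0)})

    storage.store(app, "key", b"secret-key-material")
    results = {"app_reads_own": storage.load(app, "key")}

    try:   # stopped at the hypervisor layer: no grant on the disk object
        storage.load(legacy, "key")
        results["legacy_no_grant"] = "allowed"
    except AccessDenied:
        results["legacy_no_grant"] = "denied-by-hypervisor"

    try:   # passes the hypervisor check, stopped by the TSL binding
        storage.load(legacy_with_disk, "key")
        results["legacy_with_grant"] = "allowed"
    except AccessDenied:
        results["legacy_with_grant"] = "denied-by-tsl"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the two enforcement points the text describes: the hypervisor refuses the legacy OS any access to an object type it was not granted, and even a legacy instance that does hold a disk grant cannot read the application's blob, because the TSL service layered on top of the disk binds it to the storing compartment's measurement.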
Our decision to use this hybrid architecture is motivated, among other things, by the fact that developing a completely new secure operating system that also provides backward compatibility is too costly. For more information about technical details, have a look at our Technology section.