Towards availability and real-time guarantees for protected module architectures

2016 
Protected Module Architectures are a new brand of security architectures whose main objective is to support the secure, isolated execution of software modules with a minimal Trusted Computing Base (TCB) -- several prototypes for embedded systems (and also the Intel Software Guard eXtensions for higher-end systems) ensure isolation with a hardware-only TCB. However, while these architectures offer strong confidentiality and integrity guarantees for software modules, they offer no availability (let alone real-time) guarantees. This paper reports on our work-in-progress towards extending a protected module architecture for small microprocessors with availability and real-time guarantees. Our objective is to maintain the existing security guarantees with a hardware-only TCB, while additionally guaranteeing availability (and even real-time properties) if one can also trust the scheduler. The scheduler, like any other software on the platform, remains untrusted for confidentiality and integrity -- but trusting the scheduler module is sufficient to get availability guarantees even on a partially compromised platform.