We studied hardware support that is provided by modern processor architectures to protect TCB data and code from untrusted user code. More specifically, we examined in detail the hardware support provided by successive generations of Intel processors. Answer the following questions for these processors. Provide a brief explanation that justifies your answer.

1. In protected mode, what segment protection level (SPL) and page protection level (PPL) are used for kernel code that must execute with the highest privilege? (4 pts.)
2. Kernel code in a segment with DPL = 0 will always execute with current privilege level (CPL) = 0. True or false? Explain your answer. (4 pts.)
3. With the VT-x virtualization extensions, at what hardware privilege level (or ring) does the guest operating system run when the hypervisor is Type I? Assume that the ring is defined by the CPL value. (4 pts.)
4. With the SGX extensions, secure code can run in an enclave. In what execution ring does code in an enclave run? (4 pts.)
5. In VT-x, hardware support for virtualization uses four-level extended page tables (EPTs) to translate guest-physical addresses to actual physical addresses. When the page size is 4 KB, such a paging structure can translate 48-bit addresses. If we add another level to the EPTs, we have a page map level 5 table, or PML5, which holds pointers to PML4 tables. What size of address can be translated after this addition of PML5? Assume the page size remains the same and explain your answer. (6 pts.)

These questions are related to the design principles for secure systems.

1. Many people use the same password across many websites. Give an example of a design principle for secure systems that is violated by using the same password across different websites. Provide a brief explanation. (4 pts.)
2. The “Reflections on Trusting Trust” paper described a trojan in a compiler binary that could not be detected even with access to the compiler's source. We discussed how the defense-in-depth principle can help us detect whether the trojan exists in a compiler by using two independently developed compilers, at least one of which is correct: we could determine that one of the compilers has the trojan but could not ascertain which one is malicious. To answer this question, the following idea is proposed. Instead of two, we obtain three independently developed compilers such that no more than one could be malicious. Can we use these three compilers (at least two of them are good) to detect the bad one when one exists? Explain your answer. (6 pts.)
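The two-compiler cross-check that question 2 builds on, as an added toy model that is not part of the assignment and does not answer it. Everything in it is constructed: source "files" are strings, a "binary" is a small record whose hidden `infected` flag stands in for machine code nobody inspects directly, and the functions `rebuild_from_source` and `outputs_agree` are hypothetical helpers. The model assumes (for the toy only) that honest compilers emit byte-identical output for the same source, so the two outputs can be compared by fingerprint.

```python
"""Toy model of the Thompson compiler trojan and the two-compiler cross-check.

Added example, not part of the assignment text. Everything here is constructed:
source "files" are strings, a "binary" is a small record whose hidden `infected`
flag stands in for machine code that no one inspects directly.
"""
import hashlib
from dataclasses import dataclass

# Constructed sources. The compiler source itself is clean: the trojan lives only
# in the binary and re-inserts itself whenever that binary rebuilds the compiler.
COMPILER_SOURCE = "compiler.c: clean source, no trojan anywhere in it"
LOGIN_SOURCE = "login.c: compare typed password with stored hash"


def kind_of(src: str) -> str:
    """Classify a source as the compiler itself or an ordinary program."""
    return "compiler" if src == COMPILER_SOURCE else "program"


@dataclass(frozen=True)
class Binary:
    kind: str        # "compiler" or "program"
    source: str      # the source it was built from
    infected: bool   # hidden state: does the emitted code contain the trojan?

    def fingerprint(self) -> str:
        """What an auditor can actually observe: a hash of the emitted bytes.
        The trojan changes the bytes, so it changes the fingerprint."""
        data = f"{self.kind}|{self.source}|{self.infected}".encode()
        return hashlib.sha256(data).hexdigest()

    def compile(self, src: str) -> "Binary":
        """Run this binary as a compiler on `src`."""
        if self.kind != "compiler":
            raise ValueError("only a compiler binary can compile")
        if not self.infected:
            return Binary(kind_of(src), src, infected=False)
        # Thompson's trojan: when compiling the compiler, plant itself in the output;
        # when compiling login, plant the backdoor; otherwise behave like an honest compiler.
        if src == COMPILER_SOURCE:
            return Binary("compiler", src, infected=True)
        if src == LOGIN_SOURCE:
            return Binary("program", src, infected=True)
        return Binary("program", src, infected=False)


def honest_compiler() -> Binary:
    """An independently developed, correct compiler binary (constructed)."""
    return Binary("compiler", COMPILER_SOURCE, infected=False)


def trojaned_compiler() -> Binary:
    """A compiler binary carrying the trojan, built from the same clean source (constructed)."""
    return Binary("compiler", COMPILER_SOURCE, infected=True)


def rebuild_from_source(seed: Binary, generations: int = 3) -> Binary:
    """Recompile the clean compiler source `generations` times, starting from `seed`.
    Shows why source review alone does not help: the trojan survives every rebuild."""
    cur = seed
    for _ in range(generations):
        cur = cur.compile(COMPILER_SOURCE)
    return cur


def outputs_agree(comp_a: Binary, comp_b: Binary, src: str) -> bool:
    """Defense in depth with two independently developed compilers: build `src`
    with both and compare the results. Assumption (toy only): honest compilers
    emit byte-identical code for the same source, so fingerprints are directly
    comparable. A mismatch proves at least one compiler is bad; the boolean is
    symmetric in comp_a and comp_b, so by itself it cannot say which one."""
    return comp_a.compile(src).fingerprint() == comp_b.compile(src).fingerprint()


if __name__ == "__main__":
    good, bad = honest_compiler(), rebuild_from_source(trojaned_compiler())
    print("trojan survives 3 rebuilds from clean source:", bad.infected)
    print("agree on login.c:", outputs_agree(good, bad, LOGIN_SOURCE))
    print("agree on an unrelated program:", outputs_agree(good, bad, "hello.c: print greeting"))
```

The last line of the demo is the caveat a practitioner should keep in mind: the cross-check only exposes the trojan on an input where it actually triggers (here the compiler source or the login program), so the test inputs have to be chosen to cover the programs whose integrity matters, not just any program that happens to be at hand.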