Ruby Lee: Hardware-enhanced approaches to cybersecurity

Thursday, Nov 12, 2015

Invention Hardware-enhanced approaches to cybersecurity

Inventor Ruby Lee, the Forrest G. Hamrick Professor in Engineering and Professor of Electrical Engineering

What it does Instead of just fixing software and patching vulnerabilities after cyberattacks occur, the technologies developed by Lee use hardware or hardware-software combinations proactively to protect against cyberthreats. These hardware-enhanced approaches can make cloud computing and smartphone usage more secure, reduce the risk of downloading unsafe apps, and enhance the reliability of banking, health care and national security.

The Lee group has developed several technologies that harness hardware to improve computer security, including:

Bastion Software is only as secure as the environment it runs in, so Bastion provides hardware-enhanced secure enclaves for trusted software programs and data whenever they are needed. This protects trusted software from the rest of an untrusted app, from other apps and even from the operating system software, which may already have been attacked and corrupted. Bastion is scalable and can support any number of enclaves from different trust domains. For example, the protection offered by Bastion would allow secure e-banking transactions within one enclave, while monitoring access to medical records in a separate enclave, and digital-rights management in a third.

Newcache Computer processors hold frequently or recently used data in on-chip memory known as hardware caches to improve performance. But these caches are shared by software processes and are subject to so-called “cache side-channel attacks,” where hackers take advantage of observable cache behavior to obtain secret cryptographic keys. The Lee group has devised a strategy for randomizing the memory-to-cache address mapping so that hackers cannot recover cryptographic keys. “We’ve designed a secure cache that will not leak such critical information, while retaining the performance properties of conventional caches,” Lee said. 

DataSafe A combination of hardware and software components, DataSafe protects a user’s confidential data by giving the user control over who can access and use the data, on any computer, over the data’s lifetime. The technology encrypts the data and attaches a security policy. During runtime, the DataSafe software first determines if the user and app are authorized to access the data, and then translates this user-understandable policy into hardware tags. These hardware tags are propagated with the data and any derived data, and checked on any output from the app or the machine. This solves the problem of protected data leaking from authorized recipients to the public, whether inadvertently or maliciously. 

Collaborators David Champagne, Ph.D. ’10; Jeffrey Dwoskin, Ph.D. ’10; Zhenghong Wang Ph.D. ’12; Yu-Yuan Chen, Ph.D. ’12; Jakub Szefer, Ph.D. ’13; Fangfei Liu and Tianwei Zhang, graduate students in electrical engineering; and Pramod Jamkhedkar, former postdoctoral research associate in electrical engineering.

Development status Patent granted for Bastion and secure caches; patent protection pending for DataSafe; other patents in hardware security from the Lee group also granted or pending.

Funding sources The National Science Foundation, the Department of Homeland Security, and the Defense Advanced Research Projects Agency.