Security is a critical component of modern computer systems. Computer security systems and techniques ensure that valuable information and systems are not compromised by hackers or malicious software. To that end, many organizations publish security standards that vendors can use as guidelines for security of hardware and/or software. The Common Criteria for Information Technology Security Evaluation (“Common Criteria” or “CC”) is a prominent standard currently used as a guide for the development, evaluation and/or procurement of IT products with security functionality.
The CC provides a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. The IT products may be implemented in hardware, firmware, or software. The evaluation process under the CC establishes a level of confidence that the security functionality of an IT product and the assurance measures applied to the IT product meet the defined set of requirements. Compliance with CC can be demonstrated to a national approval authority, such as the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) in the United States.
One common security requirement demanded by users is that only certified (or trusted) code be executed in the security domain of the system (e.g., secure processor). Previous approaches to achieve this requirement used a hardware mechanism to allow a single processor to operate logically as two processors. However, from a security perspective, this architecture requires that the security portion of the device cannot operate simultaneously with the application processor. For high security applications, this architecture further does not allow the certified processor to respond to attempts to tamper with the system.
Furthermore, the difficulty in achieving this requirement is increased in multi-application environments. For example, secure (certified) applications (such as a certified financial application) must co-exist with customer written applets. Thus, any certification claim may become invalid once the customer written (untrusted) applet is added to the environment.
What is therefore needed are systems and methods that retain certification of security components of the system while allowing for the simultaneous execution in the system of untrusted code.
Features and advantages of the present invention will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the leftmost digit(s) in the corresponding reference number.