Although there have been attempts to develop code transformations that yield tamper-resistant software, no reliable software-only methods are known. This paper studies the hardware implementation of a form of execute-only memory (XOM) that allows instructions stored in memory to be executed but not otherwise manipulated. To support XOM code we use a machine that supports internal compartments---a process in one compartment cannot read data from another compartment. All data that leaves the machine is encrypted, since we assume external memory is not secure. The design of this machine poses some interesting trade-offs between security, efficiency, and flexibility. We explore some of the potential security issues as one pushes the machine to become more efficient and flexible. Although security carries a performance penalty, our analysis indicates that it is possible to create a normal multi-tasking machine where nearly all applications can be run in XOM mode. While a virtual XOM machine is possible, the underlying hardware needs to support a unique private key, private memory, and traps on cache misses. For efficient operation, hardware assist to provide fast symmetric ciphers is also required.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Business Software Alliance, 2000. h t t p ://~m , bsa. org.
	2	The Trusted Computing Platform Allicance, 2000. h t t p ://~, trustedpc, com.
	3	It. Anderson, E. Biham, and L. Knudsen. Serpent: A proposal for the advanced encryption standard. Technical report, National Institute of Standards and Technology (NIST), March 2000. Available at h t t p ://c s r c , n i s t . gov/encryption/aes/round2/r2algs, htm.
	4	Dan Boneh , David Lie , Pat Lincoln , John Mitchell , Mark Mitchell, Hardware Support for Tamper-Resistant and Copy-Resistant Software, Stanford University, Stanford, CA, 2000
	5	Jerome Burke , John McDonald , Todd Austin, Architectural support for fast symmetric-key cryptography, Proceedings of the ninth international conference on Architectural support for programming languages and operating systems, p.178-189, November 2000, Cambridge, Massachusetts, United States
	6	Suresh Chari , Charanjit S. Jutla , Josyula R. Rao , Pankaj Rohatgi, Towards Sound Approaches to Counteract Power-Analysis Attacks, Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, p.398-412, August 15-19, 1999
	7	J. Daemen and V. Rijmen. AES proposal: Rijndael. Technical report, National Institute of Standards and Technology (NIST), March 2000. Available at http://csrc, n i s t . gov/encryption/aes/round2/r2algs, h~m.
	8	H. Eberle and C. Thacker. A 1Gbit/second GaAs DES chip. In Proceedings of the IEEE Custom Integrated Circuits Conference, pages 19.7.1-19.7.4, May 1992.
	9	Wave Corporation Embassy Technology, 2000. h t t p ://m , wave. com.
	10	T. Gilmont, J.-D. Legat, and J.-J. Quisquater. An architecture of security management unit for safe hosting of multiple agents. In Proceedings of the International Workshop on Intelligent Communications and Multimedia Terminals, pages 79-82, November 1998.
	11	T. Gilmont, J.-D. Legat, and J.-J. Quisquater. Hardware security for software privacy support. Electronics Letters, 35(24):2096--2097, November 1999.
	12	R.P. Goldberg. Survey of virtual machine research. /BEE Computer Magazine, 7(6):35-45, June 1974.
	13	B. Kaliski Jr. and M. Robshaw. Message authentication with MD5. CryptoBytes, 1(1):5-8, 1995.
	14	Paul C. Kocher , Joshua Jaffe , Benjamin Jun, Differential Power Analysis, Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, p.388-397, August 15-19, 1999
	15	H. Krawczyk, M. Bellare, and It. Canetti. HMAC: Keyed-hashing for message authentication. http://w~u~, i e t f . o r g /r f c /r f c 2 1 0 4 , t x t , February 1997.
	16	K. Krewell. Quicktake: Willamette revealed. Technical report, Calmers Microprocessor, February 2000. Available at w~m. MPRonline. com.
	17	B. Lampson, M. Abadi, M. Burrows, and E. Wobber. Authenticaton in distributed systems: Theory and practice. In Proccedings of the 13th ACM Symposium on Operating Systems, volume 10, pages 265-310, 1992.
	18	Ann Marie Grizzaffi Maynard , Colette M. Donnelly , Bret R. Olszewski, Contrasting characteristics and cache performance of technical and multi-user commercial workloads, Proceedings of the sixth international conference on Architectural support for programming languages and operating systems, p.145-156, October 05-07, 1994, San Jose, California, United States
	19	A.J. Menzies, P.C. van Oorschot, and S.A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
	20	National Bureau of Standards. NBS FIPS PUB 46, "Data Encryption Standard". National Bureau of Standards, U.S. Department of Commerce, January 1977.
	21	S. Polonsky , M. McManus , D. Knebel , S. Steen , P. Sanda, Non-invasive timing analysis of IBM G6 microprocessor L1 cache using picosecond imaging circuit analysis, Proceedings of the 9th Asian Test Symposium, p.125, December 04-06, 2000
	22	ANSI X9.17 (Revised). American national standard for financial institution key management (wholesale). American Bankers Association, 1985.
	23	J. Saltzer and M. Schroeder. The protection of information in computer systems. IEEE, 63(9):1278-1308, September 1975.
	24	B. Sehneier. Applied Cryptography. John Wiley & Sons, 2nd edition, 1996.
	25	W. Tuchman. Hellman presents no shortcut solutions to DES. IEEE Spectrum, 16(7):40-41, July 1979.
	26	J. Tygar and B. Yee. Dyad: A system for using physically secure coprocessors. Technical l~eport CMU-CS-91-140R, Carnegie Mellon University, May 1991.
	27	B. Weeks, M. Bean, T. Rozylowicz, and C. Ficke. Hardware performance simulations of round 2 advanced encryption standard algorithms. Technical report, National Security Agency, August 2000. Available at h t t p ://c s r c .n i s t .gov/encryption/aes/round2/r2anlsys, htm.