Embedded Device Isolation for Trusted High-Assurance (EDITH)

Current techniques for supporting Multi-Level Security (MLS) on embedded devices rely on maintaining secure connections back to centralized servers or dedicated computers for managing authentication and access controls. To provide the embedded devices with the capability to handle content of differing security levels directly on device, the operating system (OS) must properly and securely isolate users and applications by leveraging the device’s trusted computing base (TCB). The solution must also limit overhead and address available Size Weight and Power (SWaP) constraints. To address these challenges, RAM Laboratories and Mississippi State University are proposing a solution, known as Embedded Device Isolation for Trusted High-Assurance (EDITH), that will research, develop, and integrate state of the art techniques for providing lightweight and secure Trusted Execution Environments (TEEs) for application level security on commercial off the shelf embedded devices. EDITH will provide (1) a privileged execution space for security critical applications, such as keying and monitoring functionality, that is isolated from the kernel and running in a Rich Execution Environment (REE) and (2) isolation between user “worlds� that are protected against potential zero-day kernel privilege escalation attacks that may be triggered by any subverted application. EDITH will focus on ARM based embedded processing architectures.