DocumentCode :
653826
Title :
A secure architecture design based on application isolation, code minimization and randomization
Author :
Gupta, Arpan ; Kirkpatrick, Michael S. ; Bertino, Elisa
Author_Institution :
Purdue Univ., West Lafayette, IN, USA
fYear :
2013
fDate :
14-16 Oct. 2013
Firstpage :
423
Lastpage :
429
Abstract :
With fast evolving attacks, using software patches for fixing software bugs is not enough as there are often considerable delays in their application to vulnerable systems and the attackers may find other vulnerabilities to exploit. A secure architecture design that provides robust protection against malware must be guided by strong security design principles. In this work, we propose a system design based on the security principles that aim at achieving isolation, diversification and reducing attack surface. Our design leverages multi-core architecture to enforce physical isolation between application processes so that a malicious or infected application is unable to affect other parts of the system. We use randomization techniques to increase the entropy of the system and thwart various attacks such as code-reuse attacks. Further, we significantly reduce the software attack surface by executing each application on its own customized operating system image that is minimized to only contain the code required by a given application.
Keywords :
entropy; invasive software; minimisation; multiprocessing systems; telecommunication security; application isolation; code minimization; code reuse attacks; diversification; malware; multicore architecture; randomization; secure architecture design; software bugs; software patches; Computer architecture; Kernel; Libraries; Minimization; Security; Virtual machine monitors;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
Type :
conf
DOI :
10.1109/CNS.2013.6682756
Filename :
6682756