HAP Program Release 2 (HAPR2) - NSA/CSS

The HAP Program Release 2 (HAPR2) builds on and targets the same operational environment as HAPR1, with enhanced manageability and usability of the platform capabilities. From the user perspective, HAPR2 will be more flexible, easier to use, and easier to manage. HAPR2 includes all HAPR1 capabilities and adds remote monitoring and provisioning of the platform, management of virtual machines, configuration options for setting up security domains, and autonomous response to failures detected by the remote attestation process. HAPR2 maximizes the use of hardware-assisted security mechanisms provided by the processor and chipset by incorporating device driver isolation, supporting multi-core processor architectures, and providing the ability to measure user applications.

HAPR2 Assurable Computing Platform Capabilities

This section describes the hardware-based computing platform technologies that are demonstrated in HAPR2. Since HAPR2 builds on HAPR1, this section describes the additional capabilities that are not included in HAPR1. For the capabilities that are similar, this section will reference HAPR1.

Hardware-Assisted Virtualization Technology

Same as HAPR1

Hardware-Assisted Attestation

In addition to measuring the critical software that is required for the platform to boot securely (as in HAPR1)[1], HAPR2 has the ability to measure VMs and applications running in VMs. Additionally, HAPR2 adds the ability for the platform to verify its integrity (via attestation) periodically, at the request of an administrator or while performing a software update.

Late Launch

The HAPR2 implementation will take advantage of the Intel TXT Dynamic Root of Trust for Measurement (DRTM), which allows the platform to do a "late launch" of a measured environment at any time. With this "late launch" capability, one or more secure collaboration environments can execute concurrently with non-measured environments on the same platform without a system reboot.
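
An added example, not code from the HAP program or from this page: a minimal verifier-side sketch of the measurement and attestation flow described under Hardware-Assisted Attestation, replaying an event log that covers a VMM, a VM image and a user application. The SHA-1 extend operation follows the TPM 1.2 convention; the component names and contents are constructed, and checking the signature on the quoted register is assumed to happen elsewhere.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length (TPM 1.2-style register; assumption)

def measure(blob: bytes) -> bytes:
    """Measurement of a component = hash of its contents."""
    return hashlib.sha1(blob).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new value = SHA1(old value || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

def replay(event_log):
    """Recompute the register value implied by an ordered event log."""
    pcr = bytes(PCR_SIZE)  # register starts at all zeroes
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def verify(event_log, quoted_pcr, known_good):
    """Verifier side: the log must reproduce the quoted register, and
    every logged measurement must match its reference value."""
    failures = []
    if replay(event_log) != quoted_pcr:
        failures.append("log does not match quoted register")
    for name, digest in event_log:
        if known_good.get(name) != digest:
            failures.append(f"unexpected measurement: {name}")
    return (not failures, failures)

# Constructed sample data: names and contents are illustrative only.
COMPONENTS = [("vmm", b"vmm-build-1"),
              ("guest-vm", b"vm-image-A"),
              ("user-app", b"app-1.0")]
KNOWN_GOOD = {name: measure(blob) for name, blob in COMPONENTS}

def platform_report(components):
    """What an attesting platform would send: event log and final register.
    (A real quote is signed by the TPM; signature checking is omitted here.)"""
    log = [(name, measure(blob)) for name, blob in components]
    return log, replay(log)

if __name__ == "__main__":
    tampered = COMPONENTS[:2] + [("user-app", b"app-1.0-modified")]
    print(verify(*platform_report(COMPONENTS), KNOWN_GOOD))
    print(verify(*platform_report(tampered), KNOWN_GOOD))
```

A failed result from `verify` is the kind of signal that periodic or update-time attestation would hand to the platform's response logic.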

Direct Memory Access (DMA) Protection

Memory paging mechanisms can provide sufficient protections from any software process attempting to access a physical page, but do not control the ability of DMA-capable devices to directly access a physical memory page. DMA remapping hardware logic in the chipset sits between the DMA-capable peripheral devices and the physical memory. This enables system software (the VMM, or in the case of non-virtualized environments, the operating system) to create one or more DMA protection domains, which are isolated subsets of allocated physical memory. In HAPR2, DMA protection is used to protect the system software that manages the hardware from DMA-capable devices.

HAPR2 Operational Description

At a high level, HAPR2 will support a threat environment similar to the one described for HAPR1 plus the additional threats that exist when adding the functionality and flexibility to perform remote monitoring and provisioning on the platform. HAPR2 considerably increases the manageability and usability of the platform and adds capabilities that increase the functionality of the platform. In addition to the HAPR1 capabilities, HAPR2 provides the following security and functional capabilities:

HAPR2 Operational Description

Same as HAPR1

Operational Environment

Same as HAPR1

[1] Please refer to HAPR1 Hardware-Assisted Attestation for an overview of attestation and what is implemented in HAPR1.

Date Posted: Nov 14, 2008 | Last Modified: Nov 14, 2008 | Last Reviewed: Nov 14, 2008