A Tamper-Detecting Implementation of Lisp

An important and recurring security scenario involves the need to carry out trusted computations in the context of untrusted environments. It is shown how a tamper-detecting interpreter for a programming language – specifically Lisp 1.5 – combined with the use of a secure co-processor can address this problem. The term “tamper-detecting” means that any attempt to corrupt a computation carried out by a program in the language will be detected on-line and the computation aborted. This approach executes the interpreter on the secure coprocessor while the code and data of the program reside in the larger memory of an associated untrusted host. This allows the co-processor to utilize the host’s memory without fear of tampering even by a hostile host. This approach has several advantages including ease of use and the ability to provide tamper-detection for any program that can be constructed using the language. 1. Computing in a Hostile Environment An important and recurring security scenario involves the need to carry out trusted computations in the context of untrusted environments. One approach is to combine a secure co-processor [6][15] with an untrusted host computer. The secure co-processor provides the environment in which to perform trusted computations, and the insecure host provides additional resources that may be used by the trusted processor. Unfortunately, there is no guarantee that the host will not tamper with the resources used by the secure co-processor in an attempt to corrupt the operation of the secure co-processor. This paper demonstrates a solution where a programming language system – specifically Lisp 1.5 – is used to provide a convenient and general mechanism for tamper-detecting utilization of a specific resource, namely the memory of an untrusted host. An interpreter for the language system resides on the secure co-processor, but the programs and data executed by the interpreter reside in the memory of the untrusted host. In this context, the term “tamper-detecting” means that any attempt to corrupt a computation carried out by a program in the language will be detected on-line (before the computation is complete), and the computation will be aborted. In order to limit the scope of the problem, only the issue of integrity is addressed in this paper; the issue of confidentiality is deferred. It seems reasonable, however, to assume that adding confidentiality is a straightforward application of encryption to the values stored in the host memory.