Design and Implementatjon of a Dynamic Informatjon Flow Tracking - - PowerPoint PPT Presentation

design and implementatjon of a dynamic informatjon flow
SMART_READER_LITE
LIVE PREVIEW

Design and Implementatjon of a Dynamic Informatjon Flow Tracking - - PowerPoint PPT Presentation

Oct 23, 2023 38 likes •221 views

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V Core for IoT Applicatjons Christjan Palmiero , Giuseppe Di Guglielmo , Luciano Lavagno , Luca P. Carloni Politecnico Di Torino

slide-1
SLIDE 1

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V Core for IoT Applicatjons

Christjan Palmiero†, Giuseppe Di Guglielmo•, Luciano Lavagno†, Luca P. Carloni•

† Politecnico Di Torino

  • Columbia University

2018 IEEE High Performance Extreme Computjng Conference

slide-2
SLIDE 2

Trend #1: Open Source Hardware

  • RISC-V is an open Instructjon Set Architecture
  • It is not a company or a processor implementatjon
  • RISC-V Foundatjon (2015)
  • Non profjt – To guide future development of the architecture
  • 100 members: Google, NVIDIA, Qualcomm, and Samsung …
  • RISC-V Workshop, RISC-V Meetup, RISC-V Day, RISC-V Summit
  • RISC-V creators formed a startup (SiFive) to design custom RISC-V chips for customers
  • Processors (embedded, OS-capable), IP, SoC, tools,…
  • Raised $64.1 Million
  • Western Digital had signed a multj-year license and had pledged to produce a billion RISC-V cores
  • Partner with NVIDIA for Deep Learning SoC
  • PULP project of ETH Zurich and University of Bologna
  • Focus on parallel, ultra-low-power, and embedded
  • 27 prototype chips from 180nm to 22nm

Giuseppe Di Guglielmo HPEC 2018 2

slide-3
SLIDE 3

Trend #2: Importance of Sofuware Security

  • From the US Natjonal Vulnerability Database

Giuseppe Di Guglielmo HPEC 2018 3

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2000 4000 6000 8000 10000 12000 14000 16000

# of Vulnerabilitjes Memory Corruptjon

slide-4
SLIDE 4

Research Questjon

  • How can we protect sofuware running on a RISC-V core against the most

common sofuware vulnerabilitjes?

  • The protectjon scheme has to be
  • Able to detect and stop memory-corruptjon atuacks
  • Flexible and extendable
  • Sofuware-programmable security policies to target future kinds of atuacks
  • Transparent and fjne-grain
  • No latency and reduced area overhead

Giuseppe Di Guglielmo HPEC 2018 4

slide-5
SLIDE 5

A Vulnerable Applicatjon

Giuseppe Di Guglielmo HPEC 2018 5

args

Higher addresses Lower addresses

Functjon Arguments Functjon Local Variables *input Return Address buffer Base Pointer

Main Memory Vulnerable functjon

void vfunc(char *input) { char buffer[64]; ... strcpy(buffer, input); ... }

Privileged Applicatjon “…non- malicious- string…”

Non-secure Channel

  • Sofuware-based atuacks

exploit security vulnerabilitjes in the sofuware applicatjon

  • Preventjng vulnerabilitjes
  • r bugs is unfeasible

vfunc Stack Frame

slide-6
SLIDE 6

Bufger Overfmow

Giuseppe Di Guglielmo HPEC 2018 6

Vulnerable functjon

void vfunc(char *input) { char buffer[64]; ... strcpy(buffer, input); ... }

Privileged Applicatjon

Non-secure Channel

args Functjon Arguments Functjon Local Variables *input Return Address buffer Base Pointer

Main Memory

“…malicious- string…”

Malevolent transfer of control

  • Hijacking a privileged

program is a security risk for the entjre system

  • Preventjng vulnerabilitjes
  • r bugs is unfeasible

Higher addresses Lower addresses

vfunc Stack Frame

slide-7
SLIDE 7

Dynamic Informatjon Flow Tracking

Giuseppe Di Guglielmo HPEC 2018 7

Vulnerable functjon

void vfunc(char *input) { char buffer[64]; ... strcpy(buffer, input); ... }

Privileged Applicatjon

Non-secure Channel

args Functjon Arguments Functjon Local Variables *input Return Address buffer Base Pointer

Main Memory

“…malicious- string…”

Malevolent transfer of control

  • DIFT is a combinatjon of

mechanisms and policies to protect vulnerable programs against sofuware atuacks

Tag Initjalizatjon

1

Tag Propagatjon

2

Tag Check

3

Higher addresses Lower addresses

Tag Memory

  • G. Edward Suh et al., Secure Program Executjon via Dynamic Flow Tracking, 2004

vfunc Stack Frame

slide-8
SLIDE 8

Securing RISC-V with DIFT

Giuseppe Di Guglielmo HPEC 2018 8

IF ID ID EX EX WB Data Memory Decoder ALU Load Store Unit MULT DIV FPU PC Register File Instructjon Memory Instructjon Cache

CSR

Tag Propagatjon Logic Tag Check Logic Tag Update Logic Tag Check Logic T T T TPR TCR

  • fg-chip
  • fg-chip
slide-9
SLIDE 9

Tag-extended Memories (Mechanism)

  • Each data element is stored in memory with its tag
  • To access both data and tag, we use the same index (memory address or register id)
  • Coupled approach
  • The data and tag are always transmitued atomically
  • Extension of the data-memory bus from 32 bits to 36 bits

Giuseppe Di Guglielmo HPEC 2018 9

Word 32 1 Tag Register File

x0 x1 x2 x29 x31 x30

Data Memory Word

Higher addresses Lower addresses

32 4 Tag

0x000000A5 0x000000A6 0x000000A7 0x000000A4 0x000000A3

slide-10
SLIDE 10

Tag-Propagatjon and Check (Mechanism)

  • We organize the instructjon in classes to increase the fmexibility of the protectjon scheme
  • We added tag-propagatjon and check registers (TPR, TCR) to the control status register

(CSR)

  • TPR and TCR store the propagatjon and detectjon rules

Giuseppe Di Guglielmo HPEC 2018 10

Tag Propagatjon Register

16 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

Load/Store Enable Load/Store Mode Logical Mode Comparison Mode Shifu Mode Jump Mode Branch Mode Arith Mode Load/Store Mode Comparison Mode

Tag Check Register

21 20 17 16 14 13 11 10 8 7 5 4 3 2 0

Execute Mode Logical Mode Shifu Mode Jump Mode Branch Mode Arith Mode

slide-11
SLIDE 11

Programming the DIFT-protected RISC-V (Mechanism)

  • Programmable hardware scheme
  • To tag non-secure channels as spurious

we introduce new instructjons

  • mark as spurious a register or a byte/half-

word/word in memory

  • To confjgure TPR and TCR we use a startup

routjne before the main() functjon

  • Because we run without OS protectjon,

we assume that all of the I/O channels are untrusted

  • For example memory-mapped peripherals

Giuseppe Di Guglielmo HPEC 2018 11

#define SIZE 32 void tag_words(u32 *data_ptr, u32 size) { for (u32 i = 0; i < size; i++) { /* p.spsw set a tag for each byte in a * memory word */ asm volatile (“p.spsw x0, 0(%[offset]);” : :[offset] “r” (data_ptr); data_ptr++; } } void vfunc(u32 input_1[SIZE], /* non-secure */ u32 input_2[SIZE], /* non-secure */ u32 input_3[SIZE]) { /* secure */ /* Tag initialization phase*/ tag_words(SIZE, input_1); tag_words(SIZE, input_2); /* Function body */ /* ... */ }

slide-12
SLIDE 12

Tag-Propagatjon Policies

  • Defjne how tag values must be

propagated from input operands to

  • utput operand of an instructjon
  • TPR modes
  • 00: keep the old tag value
  • 01: the output tag is 1 if both the input tags

are set

  • 10: the output tag is 1 if at least one input

tags is set

  • 11: discard the tag (set tag to zero)
  • An example:

“For an arithmetjc instructjon, if at least one input operand is tagged then the output is tagged”

Giuseppe Di Guglielmo HPEC 2018 12

Tag Propagatjon Register

1 0

Load/Store Enable Load/Store Mode Logical Mode Comparison Mode Shifu Mode Jump Mode Branch Mode Arith Mode

0 0 1 1 0 1 0 0 0 1 0 1 0 0 0

rs1 rs2

ALU

From ID Stage To MEM/WB Stage

tag-rs1 tag-rs2

  • p

tag-rd

rd

EX Stage

arith-policy

slide-13
SLIDE 13

Tag-Check Policies

  • Tag-check rules restrict the
  • peratjons that may be

performed on tagged data

  • Some examples
  • “If the program counter is

tagged, rise a security exceptjon”

  • “If a register is tagged it

cannot be used to address the data memory”

Giuseppe Di Guglielmo HPEC 2018 13 Load/Store Mode Comparison Mode

Tag Check Register

1 1

Execute Mode Logical Mode Shifu Mode Jump Mode Branch Mode Arith Mode

Source address Source data Destjnatjon data Destjnatjon address

0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0

PC +1

from MEM/WB Stage

IF Stage

tag-jump-addr

jump-addr

security-exception

instr-mem-addr

slide-14
SLIDE 14

Experimental Setup

  • We extended the RI5CY/PULPino

implementatjon

  • Target FPGA
  • ZedBoard (Xilinx XC7Z020)
  • The overall data memory was extended

from 32KB to 36KB (12.5%)

  • DIFT propagatjon on the interconnect

uses the USER channels of the AXI4 standard

  • The overall increase in logic
  • 6% of the LUT w.r.t. RI5CY
  • < 1% of the LUT w.r.t. SoC

Giuseppe Di Guglielmo HPEC 2018 14

UART SPI Master ...

APB AXI

RI5CY

SPI Slave Debug Unit

instr RAM data RAM DIFT DIFT

D-

slide-15
SLIDE 15

Methodology Validatjon

  • J. Wilander and M. Kamkar’s suite of bufger-overfmow atuacks (2003)
  • C language
  • Atuacks were ported from x86 to RISC-V architecture
  • TESO Hacker group – Paper on format-string atuacks (2001)

Giuseppe Di Guglielmo HPEC 2018 15

ATTACK # LOCATION TARGET TECHNIQUE RESULT 1 Stack Return Address Direct Detected 2 Stack Base Pointer Direct No False Positjve 3 Stack Functjon Pointer (local variable) Direct Detected 4 Stack Functjon Pointer (functjon parameter) Direct Detected 5 Heap/BSS/Data Functjon pointer Direct Detected 6 Stack Return Address Indirect Detected 7 Stack Base Pointer Indirect No False Positjve 8 Stack Functjon Pointer (variable) Indirect Detected 9 Stack Functjon Pointer (functjon parameter) Indirect Detected 10 Heap/BSS/Data Return Address Indirect Detected 11 Heap/BSS/Data Base Pointer Indirect No False Positjve 12 Heap/BSS/Data Functjon Pointer (variable) Indirect Detected 13 Heap/BSS/Data Functjon Pointer (functjon parameter) Indirect Detected ATTACK # SOFTWARE RESULT 1 QPOP 2.53/bfupd Detected 2 wu-fupd 2.6.0 Detected

slide-16
SLIDE 16

False-Positjves Analysis

  • We chose the PULPino regression suite
  • 2d Convolutjon, AES, Discrete Cosine Transform, Fast Fourier Transform, Finite Impulse

Response, Infmectjon Point Method, Matrix Multjplicatjon, Keccak/SHA-3

  • For example, we marked as spurious the two input matrices of Matrix

Multjplicatjon

  • The result will be spurious as well
  • But it does not rise security exceptjon because those values are never used in an unsafe

manner

  • E.g. as program counter value or load/store source/destjnatjon addresses

Giuseppe Di Guglielmo HPEC 2018 16

slide-17
SLIDE 17

Conclusions

  • D-RI5CY: DIFT-secure RISC-V core
  • Sofuware programmable policy
  • Fast and transparent
  • No run-tjme overhead
  • 1% area overhead, 12.5% data-memory overhead
  • Easily extended to target new set of atuacks
  • Validated on security suites that we adopted and extended from the literature
  • This work is part of a broader research actjvity on securing Heterogeneous SoC
  • PAGURUS: Low-Overhead Dynamic Informatjon Flow Tracking on Loosely Coupled Accelerators
  • IEEE Transactjons on Computer-Aided Design of Integrated Circuits and Systems
  • Will be presented at CODES+ISSS 2018

Giuseppe Di Guglielmo HPEC 2018 17

slide-18
SLIDE 18

From the Press Room

Giuseppe Di Guglielmo HPEC 2018 18

September 17, 2018 (one week ago…)