design and implementatjon of a dynamic informatjon flow
play

Design and Implementatjon of a Dynamic Informatjon Flow Tracking - PowerPoint PPT Presentation

Oct 23, 2023 •38 likes •218 views

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V Core for IoT Applicatjons Christjan Palmiero , Giuseppe Di Guglielmo , Luciano Lavagno , Luca P. Carloni Politecnico Di Torino

  1. Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V Core for IoT Applicatjons Christjan Palmiero † , Giuseppe Di Guglielmo • , Luciano Lavagno † , Luca P. Carloni • † Politecnico Di Torino • Columbia University 2018 IEEE High Performance Extreme Computjng Conference

  2. Trend #1: Open Source Hardware • RISC-V is an open Instructjon Set Architecture • It is not a company or a processor implementatjon • RISC-V Foundatjon (2015) • Non profjt – To guide future development of the architecture • 100 members: Google, NVIDIA, Qualcomm, and Samsung … • RISC-V Workshop, RISC-V Meetup, RISC-V Day, RISC-V Summit • RISC-V creators formed a startup (SiFive) to design custom RISC-V chips for customers • Processors (embedded, OS-capable), IP, SoC, tools,… • Raised $64.1 Million • Western Digital had signed a multj-year license and had pledged to produce a billion RISC-V cores • Partner with NVIDIA for Deep Learning SoC • PULP project of ETH Zurich and University of Bologna • Focus on parallel, ultra-low-power, and embedded • 27 prototype chips from 180nm to 22nm Giuseppe Di Guglielmo HPEC 2018 2

  3. Trend #2: Importance of Sofuware Security • From the US Natjonal Vulnerability Database 16000 14000 12000 10000 8000 6000 4000 2000 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 # of Vulnerabilitjes Memory Corruptjon Giuseppe Di Guglielmo HPEC 2018 3

  4. Research Questjon • How can we protect sofuware running on a RISC-V core against the most common sofuware vulnerabilitjes? • The protectjon scheme has to be • Able to detect and stop memory-corruptjon atuacks • Flexible and extendable • Sofuware-programmable security policies to target future kinds of atuacks • Transparent and fjne-grain • No latency and reduced area overhead Giuseppe Di Guglielmo HPEC 2018 4

  5. A Vulnerable Applicatjon Higher Main Memory addresses Vulnerable functjon Privileged void vfunc(char *input) Applicatjon { char buffer[64]; Non-secure ... Channel “…non- strcpy(buffer, input); malicious- ... string…” } • Sofuware-based atuacks exploit security *input args Functjon Arguments vulnerabilitjes in the Return Address sofuware applicatjon vfunc Base Pointer Stack Frame • Preventjng vulnerabilitjes Functjon Local Variables buffer or bugs is unfeasible Lower Giuseppe Di Guglielmo HPEC 2018 5 addresses

  6. Bufger Overfmow Higher Main Memory addresses Vulnerable functjon Privileged void vfunc(char *input) Applicatjon { char buffer[64]; Non-secure “…malicious- ... Channel string…” strcpy(buffer, input); ... } • Hijacking a privileged program is a security risk *input args Functjon Arguments for the entjre system Return Address • Preventjng vulnerabilitjes vfunc Base Pointer Malevolent Stack Frame transfer of or bugs is unfeasible control Functjon Local Variables buffer Lower Giuseppe Di Guglielmo HPEC 2018 6 addresses

  7. Dynamic Informatjon Flow Tracking G. Edward Suh et al., Secure Program Executjon via Dynamic Flow Tracking , 2004 Higher Main Memory Tag Memory addresses Vulnerable functjon Privileged void vfunc(char *input) Applicatjon { 2 Tag char buffer[64]; Propagatjon Non-secure “…malicious- ... Channel string…” strcpy(buffer, input); 1 Tag ... } Initjalizatjon • DIFT is a combinatjon of mechanisms and policies to 3 Tag protect vulnerable programs *input args Functjon Arguments Check against sofuware atuacks Return Address vfunc Base Pointer Malevolent Stack Frame transfer of control Functjon Local Variables buffer Lower Giuseppe Di Guglielmo HPEC 2018 7 addresses

  8. Securing RISC-V with DIFT PC T ALU Load Decoder Tag Store Check TPR CSR Unit Logic TCR IF ID EX ofg-chip Tag Register File T MULT Instructjon ID EX WB Check DIV Memory Logic FPU Tag Tag Instructjon Data Update Propagatjon T Cache Memory Logic Logic ofg-chip Giuseppe Di Guglielmo HPEC 2018 8

  9. Tag-extended Memories (Mechanism) • Each data element is stored in memory with its tag • To access both data and tag, we use the same index (memory address or register id) • Coupled approach • The data and tag are always transmitued atomically • Extension of the data-memory bus from 32 bits to 36 bits Register File Data Memory Tag Word Word Tag Higher addresses x0 x1 0x000000A7 x2 0x000000A6 0x000000A5 x29 0x000000A4 x30 0x000000A3 x31 Lower addresses 32 1 32 4 Giuseppe Di Guglielmo HPEC 2018 9

  10. Tag-Propagatjon and Check (Mechanism) • We organize the instructjon in classes to increase the fmexibility of the protectjon scheme • We added tag-propagatjon and check registers (TPR, TCR) to the control status register (CSR) • TPR and TCR store the propagatjon and detectjon rules Comparison Load/Store Load/Store Branch Logical Shifu Jump Arith Mode Mode Mode Mode Mode Mode Mode Enable Tag Propagatjon Register 16 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 Load/Store Comparison Execute Branch Logical Shifu Jump Arith Mode Mode Mode Mode Mode Mode Mode Mode Tag Check Register 21 20 17 16 14 13 11 10 8 7 5 4 3 2 0 Giuseppe Di Guglielmo HPEC 2018 10

  11. Programming the DIFT-protected RISC-V (Mechanism) • Programmable hardware scheme #define SIZE 32 void tag_words(u32 *data_ptr, u32 size) { • To tag non-secure channels as spurious for (u32 i = 0; i < size; i++) { /* p.spsw set a tag for each byte in a we introduce new instructjons * memory word */ asm volatile (“p.spsw x0, 0(%[offset]);” • mark as spurious a register or a byte/half- : word/word in memory :[offset] “r” (data_ptr); data_ptr++; • To confjgure TPR and TCR we use a startup } } routjne before the main() functjon void vfunc(u32 input_1[SIZE], /* non-secure */ u32 input_2[SIZE], /* non-secure */ • Because we run without OS protectjon, u32 input_3[SIZE]) { /* secure */ we assume that all of the I/O channels /* Tag initialization phase*/ tag_words(SIZE, input_1); are untrusted tag_words(SIZE, input_2); • For example memory-mapped peripherals /* Function body */ /* ... */ } Giuseppe Di Guglielmo HPEC 2018 11

  12. Tag-Propagatjon Policies Comparison Load/Store Load/Store Branch Logical • Defjne how tag values must be Shifu Jump Arith Mode Mode Mode Mode Mode Mode Mode Enable propagated from input operands to Tag Propagatjon 0 0 1 1 0 1 0 0 0 1 0 1 0 0 0 1 0 output operand of an instructjon Register • TPR modes arith-policy • 00: keep the old tag value EX Stage From ID Stage To MEM/WB Stage • 01: the output tag is 1 if both the input tags are set rs1 • 10: the output tag is 1 if at least one input tags is set tag-rs1 rd ALU • 11: discard the tag (set tag to zero) • An example: rs2 tag-rd “For an arithmetjc instructjon, if at least one input operand is tagged then the output is tag-rs2 tagged” op Giuseppe Di Guglielmo HPEC 2018 12

  13. Tag-Check Policies Destjnatjon data • Tag-check rules restrict the Source data Destjnatjon address Source address Load/Store operatjons that may be Comparison Execute Branch Logical Mode Shifu Jump Arith Mode Mode performed on tagged data Mode Mode Mode Mode Mode • Some examples Tag Check 1 1 0 1 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 Register • “If the program counter is tagged, rise a security IF Stage exceptjon” +1 • “If a register is tagged it instr-mem-addr cannot be used to address PC the data memory” security-exception from MEM/WB Stage jump-addr tag-jump-addr Giuseppe Di Guglielmo HPEC 2018 13

  14. Experimental Setup • We extended the RI5CY/PULPino implementatjon • Target FPGA instr data D- RI5CY • ZedBoard (Xilinx XC7Z020) RAM RAM • The overall data memory was extended DIFT from 32KB to 36KB (12.5%) AXI DIFT • DIFT propagatjon on the interconnect uses the USER channels of the AXI4 APB SPI Debug Slave Unit standard SPI UART ... • The overall increase in logic Master • 6% of the LUT w.r.t. RI5CY • < 1% of the LUT w.r.t. SoC Giuseppe Di Guglielmo HPEC 2018 14

  15. Methodology Validatjon • J. Wilander and M. Kamkar’s suite of bufger-overfmow atuacks (2003) • C language • Atuacks were ported from x86 to RISC-V architecture ATTACK # LOCATION TARGET TECHNIQUE RESULT 1 Stack Return Address Direct Detected 2 Stack Base Pointer Direct No False Positjve 3 Stack Functjon Pointer (local variable) Direct Detected 4 Stack Functjon Pointer (functjon parameter) Direct Detected 5 Heap/BSS/Data Functjon pointer Direct Detected 6 Stack Return Address Indirect Detected 7 Stack Base Pointer Indirect No False Positjve 8 Stack Functjon Pointer (variable) Indirect Detected 9 Stack Functjon Pointer (functjon parameter) Indirect Detected 10 Heap/BSS/Data Return Address Indirect Detected 11 Heap/BSS/Data Base Pointer Indirect No False Positjve 12 Heap/BSS/Data Functjon Pointer (variable) Indirect Detected 13 Heap/BSS/Data Functjon Pointer (functjon parameter) Indirect Detected ATTACK # SOFTWARE RESULT • TESO Hacker group – Paper on format-string atuacks (2001) 1 QPOP 2.53/bfupd Detected 2 wu-fupd 2.6.0 Detected Giuseppe Di Guglielmo HPEC 2018 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ADD ADDIE O IE Over ervi view The Analysis, Design, Development, Implementatjon, and Evaluatjon

ADD ADDIE O IE Over ervi view The Analysis, Design, Development, Implementatjon, and Evaluatjon

ADD ADDIE O IE Over ervi view The Analysis, Design, Development, Implementatjon, and Evaluatjon (ADDIE) Model was created at Florida State University as an instructjonal resource and can be utjlized to build adaptjve volunteer trainings. The

570 views • 25 slides
TDDE18 &amp; 726G77 Course Introductjon Christofger Holm Department of Computer and informatjon

TDDE18 &amp; 726G77 Course Introductjon Christofger Holm Department of Computer and informatjon

TDDE18 &amp; 726G77 Course Introductjon Christofger Holm Department of Computer and informatjon science 1 Course Informatjon 2 C++ basics 3 IO 4 Variables 5 More IO 6 Streams 7 Basic constructs 8 Files 2 / 76 Course Informatjon

1.78k views • 153 slides
ASIC Computer-Aided Design Flow ELEC 5250/6250 ASIC Design Flow ASIC Design Flow Behavioral

ASIC Computer-Aided Design Flow ELEC 5250/6250 ASIC Design Flow ASIC Design Flow Behavioral

ASIC Computer-Aided Design Flow ELEC 5250/6250 ASIC Design Flow ASIC Design Flow Behavioral Verify Model Function VHDL/Verilog Front-End Synthesis Design DFT/BIST Gate-Level Verify &amp; ATPG Netlist Function Full-custom IC Test

874 views • 18 slides
LMAP Informatjon Model Issues Tim Carey (Nokia) June 12, 2016 LMAP Informatjon Model Issues

LMAP Informatjon Model Issues Tim Carey (Nokia) June 12, 2016 LMAP Informatjon Model Issues

LMAP Informatjon Model Issues Tim Carey (Nokia) June 12, 2016 LMAP Informatjon Model Issues Summary In review of drafu-ietg-lmap-informatjon-model-09, we realized that this drafu: Modifjed the ma-schedule-obj to include new

330 views • 12 slides
On the value of a GNS in Informatjon-Centric Network Architectures V. Arun University of

On the value of a GNS in Informatjon-Centric Network Architectures V. Arun University of

On the value of a GNS in Informatjon-Centric Network Architectures V. Arun University of Massachusetus Amherst 1 What is ICN? ICN Named informatjon is a central architectural principle [ICNRG] Ofuen contrasted against TCP/IPs

1.27k views • 34 slides
Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate

Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate

Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate problem ? ? ? Design algorithm less work more work more work Prove correctness more work less work less work Analyze running time less work

520 views • 18 slides
VHDL Design flow General design flow steps Design entry Register Transfer Level (RTL)

VHDL Design flow General design flow steps Design entry Register Transfer Level (RTL)

VHDL Design flow General design flow steps Design entry Register Transfer Level (RTL) description of design (schematic or HDL) Design Entry Synthesis Checks code syntax, converts abstract form of desired circuit behavior

240 views • 4 slides
libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios

libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios

Overview Design &amp; Implementation Results &amp; Discussion libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios Portokalidis Kangkook Jee Angelos D. Keromytis Network Security Lab Department of

649 views • 35 slides
Control Flow CS105 : Saelee dynamic flow of execution single path sequential decisions

Control Flow CS105 : Saelee dynamic flow of execution single path sequential decisions

Control Flow CS105 : Saelee dynamic flow of execution single path sequential decisions questions conditional operators Math Notation Ruby Operator &lt; &lt; &gt; &gt; &gt;= &lt;= = == != Boolean values true

465 views • 17 slides
Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides
A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon Bohrer and Andr e Platzer

A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon Bohrer and Andr e Platzer

A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon Bohrer and Andr e Platzer Logical Systems Lab Computer Science Department Carnegie Mellon University LICS18 1 / 21 Outline: Hybrid { Dynamics, Logic, Power } Hybrid

353 views • 34 slides
IntroducIng: Flow crasters new Modular dIsplay systeM Flow is a dynamic system of display

IntroducIng: Flow crasters new Modular dIsplay systeM Flow is a dynamic system of display

IntroducIng: Flow crasters new Modular dIsplay systeM Flow is a dynamic system of display units, organised around a modular gastronorm footprint. the system gives you the fmexibility to showcase your creativity in a multitude of contexts.

770 views • 15 slides
FLOW CONDITIONING FLOW CONDITIONING DESIGN IN TURBULENT DESIGN IN TURBULENT LIQUID SHEETS

FLOW CONDITIONING FLOW CONDITIONING DESIGN IN TURBULENT DESIGN IN TURBULENT LIQUID SHEETS

FLOW CONDITIONING FLOW CONDITIONING DESIGN IN TURBULENT DESIGN IN TURBULENT LIQUID SHEETS LIQUID SHEETS S.G. DURBIN, M. YODA, and S.I. ABDEL-KHALIK G. W. Woodruff School of Mechanical Engineering Atlanta, GA 30332-0405 USA Thick Liquid

376 views • 24 slides
Optimizing Dynamic Power Flow Anders Rantzer Automatic Control LTH Lund Universty Anders

Optimizing Dynamic Power Flow Anders Rantzer Automatic Control LTH Lund Universty Anders

Optimizing Dynamic Power Flow Anders Rantzer Automatic Control LTH Lund Universty Anders Rantzer Optimizing Dynamic Power Flow Combine with water power reservoirs in northern Sweden Use wind farms to stabilize network AEOLUS project:

873 views • 27 slides
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help better understand SW behavior

350 views • 24 slides
Hedera - An Analysis of Dynamic Flow Scheduling for Data Center Networks Based on the paper

Hedera - An Analysis of Dynamic Flow Scheduling for Data Center Networks Based on the paper

Hedera - An Analysis of Dynamic Flow Scheduling for Data Center Networks Based on the paper Hedera: Dynamic Flow Scheduling for Data Centers Presented by Richard Kramer Oregon State University 1 What is Hedera? What is Hedera?

380 views • 25 slides
Lisa Randall, Harvard University Entering LHC Era Entering LHC Era Many challenges as LHC

Lisa Randall, Harvard University Entering LHC Era Entering LHC Era Many challenges as LHC

Lisa Randall, Harvard University Entering LHC Era Entering LHC Era Many challenges as LHC approaches Many challenges as LHC approaches Critical questions: Critical questions: Are we optimizing existing searches? Are we

560 views • 44 slides
Scalability Visibility Windows Update Certification [&amp; Client] Intent: when

Scalability Visibility Windows Update Certification [&amp; Client] Intent: when

Reliability WaaS Scalability Visibility Windows Update Certification [&amp; Client] Intent: when Targeting should the driver Classification Signing and Ranking be offered? Who validations should receive it?

687 views • 31 slides
Decision Properties of Regular Languages General Discussion of Properties The Pumping

Decision Properties of Regular Languages General Discussion of Properties The Pumping

Decision Properties of Regular Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc. 1 Properties of Language Classes A language class is a set of languages. We have one example: the regular

883 views • 56 slides
Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder 1 st paper review due midnight on 09/27 (before the next lecture) You will receive an invitation from HotCRP

1.46k views • 78 slides
Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17,

Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17,

Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17, 2013 Introduction Low-level systems programming with dependent types Simpson, 1989. Four slot fully asynchronous communication mechanism .

703 views • 24 slides
Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Toward an Energy Frontier Muon Collider Fermilab Estia Eichten Fermilab The Long View Return to the Energy Frontier Staging Physics Milestones Summary 2013 Community Summer Study Snowmass on the Mississippi University of

282 views • 24 slides
Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf) @360Vulcan Team About US Member of 360 vulcan team. Windows kernel security researcher Pwn2Own winners 2015 .pwned IE pwn2own

1.29k views • 54 slides
Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work

Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work

Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work with Madhu Gopinathan, Indian Institute of Science) Object invariants interface Key{ //this &lt; k? boolean Less(Key k); } class Node { Key

637 views • 31 slides

More recommend