hdfi hardware assisted data flow isolation
play

HDFI: Hardware-Assisted Data-flow Isolation Chengyu Song 1 , - PowerPoint PPT Presentation

Nov 18, 2022 •21 likes •311 views

HDFI: Hardware-Assisted Data-flow Isolation Chengyu Song 1 , Hyungon Moon 2 , Monjur Alam 1 , Insu Yun 1 , Byoungyoung Lee 1 , Taesoo Kim 1 , Wenke Lee 1 , Yunheung Paek 2 1 Georgia Institute of Technology 2 Seoul National University Memory

  1. HDFI: Hardware-Assisted 
 Data-flow Isolation Chengyu Song 1 , Hyungon Moon 2 , Monjur Alam 1 , Insu Yun 1 , Byoungyoung Lee 1 , Taesoo Kim 1 , Wenke Lee 1 , Yunheung Paek 2 1 Georgia Institute of Technology 2 Seoul National University

  2. Memory corruption vulnerability causes, by year Uninitialized use Exploitation Trends: From Potential Risk to Actual Risk, RSA 2015 2

  3. A simple stack overflow sp ). 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } ). 1 main: add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  4. A simple stack overflow ). 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  5. A simple stack overflow ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  6. A simple stack overflow ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); argv[1] 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  7. A simple stack overflow Code Injection ). ret addr 1 int main( int argc, const char *argv[]) { ROP char buf[16]; 2 strcpy(buf, argv[1]); argv[1] 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  8. Defense mechanisms ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); canary 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 4

  9. Defense mechanisms ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 4

  10. Defense mechanisms ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf shadow stack ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 4

  11. Limitations • Software: lacks good isolation mechanisms in 64-bit world • SFI and virtual address space: secure but expensive • Address randomization: efficient but insecure • Hardware: lacks flexibility • Context saving/restoring (setjmp/longjmp), deep recursion, kernel stack, etc. • Other data: code pointers, non-control data • Data shadowing: adds overheads • Breaks data locality, needs additional step to look up or reserved register(s) • Occupies additional memory 5

  12. Hardware-assisted data-flow isolation • Secure and efficient • Low performance overhead and strong security guarantees • Flexible • Capable of supporting different security model/mechanisms • Fine-grained • No more data-shadowing • Practical • Minimized hardware changes 6

  13. Data-flow Integrity [OSDI’06] Runtime data-flow should not deviate from static data-flow graph buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 7

  14. Data-flow Integrity [OSDI’06] 0 Runtime data-flow should not deviate 0 from static data-flow graph 0 buf 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  15. Data-flow Integrity [OSDI’06] ret addr 0 3 Runtime data-flow should not deviate 0 from static data-flow graph 0 buf 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  16. Data-flow Integrity [OSDI’06] ret addr 0 6 3 Runtime data-flow should not deviate argv[1] 6 0 from static data-flow graph 0 6 buf 6 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  17. Data-flow Integrity [OSDI’06] ret addr Exception 6 3 0 Runtime data-flow should not deviate argv[1] 6 0 from static data-flow graph 0 6 buf 6 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  18. ISA extension • Tagged memory • Machine word granularity • Fixed tag size à currently only 1 bit (sensitive or not) • Three new atomic instructions to enable DFI-style checks • sdset1, ldchk0, ldchk1 • New semantic of old instructions (backward compatible) • sd : sdset0 • ld : now tag check 8

  19. Hardware extension • Cache extension • Extra bits in the cache line for storing the tag (reusing existing cache coherence interconnect) • Memory Tagger • Emulating tagged memory without physically extending the main memory 9

  20. Optimizations • Memory Tagger introduces additional performance overhead • Naive implementation: 2x memory accesses, 1 for data, 1 for tag • Three optimization techniques • Tag cache • Tag valid bits (TVB) • Meta tag table (MTT) 10

  21. Return address protection • Policy: return address should always have tag 1 • Benefits: secure and supports context saving/restoring, deep recursion, modified return address, kernel stack ). 1 main: add sp,sp,-32 2 ? sdset1 ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - call strcpy ; strcpy(buff, argv[1]) 6 li a0,0 7 ? ldchk1 ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 11

  22. Various applications 12

  23. Implementations • Hardware • RISC-V RocketCore generator: 2198 LoC • Instantiated on Xilinx Zynq ZC706 FPGA board • Software (RISC-V toolchain) • Assembler gas: 16 LoC • Kernel modifications: 60 LoC • Security applications: 170 LoC 13

  24. Effectiveness of optimizations • Memory bandwidth and latency • SPEC CINT2000 Benchmark Tag Cache +TVB +MTT +TVB+MTT Benchmark Tag Cache +TVB +MTT +TVB+MTT 164.gzip 16.09% 2.18% 6.85% 1.87% L1 hit 0% 0% 0% 0% 175.vpr 29.51% 3.26% 7.71% 1.43% L1 miss 14.47% 5.26% 14.47% 5.26% 181.mcf 36.89% 3.08% 13.66% -0.11% Copy 13.14% 4.44% 11.84% 4.26% 16.11% 2.27% 7.61% 1.53% 10.62% 4.79% 9.45% 4.67% 197.parser Scale 254.gap 12.19% 1.04% 6.53% 0.71% Add 4.37% 1.26% 4.13% 1.2% 256.bzip2 14.52% 2.65% 3.63% 0.84% Triad 9.66% 1.96% 8.8% 1.83% 300.twolf 26.71% 2.97% 7.37% 0.36% 14

  25. Security experiments • With synthesized attacks Mechanism Attacks Result X Shadow stack RIPE Heap metadata protection Heap exploit X VTable protection VTable hijacking X X Code pointer separation (CPS) RIPE Code pointer separation (CPS) Format string exploit X Kernel protection Privilege escalation X X Private key leak prevention Heartbleed 15

  26. Impacts on security solutions • Security • Hardware-enforced isolation Application Language LoC • Simplicity Shadow Stack C++ (LLVM 3.3) 4 VTable Protection C++ (LLVM 3.3) 40 • No data shadowing CPS C++ (LLVM 3.3) 41 • Usability Kernel Protection C (Linux 3.14.41) 70 • Implementation/port is very easy Library Protection C (glibc 2.22) 10 Heartbleed Prevention C (OpenSSL 1.0.1a) 2 16

  27. Impacts on security solutions (cont.) • Efficiency Benchmark Shadow stack (GCC) SS+CPS (Clang) • GCC (-O2) 164.gzip 1.12% 2.42% 181.mcf 1.76% 3.54% • Clang (-O0) 3.34% 13.23% 254.gap 3.05% 4.61% 256.bzip2 17

  28. Security analysis • Attack surface • Inaccuracy of data-flow analysis • Deputy attacks • Best practice • CFI is necessary (e.g., CPS + shadow stack) • Recursive protection of pointers • Guarantee the trustworthiness of the written value • Use runtime memory safety technique to compensate inaccuracy of static analysis 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated

HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated

HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated in previous lectures, SDF graphs are particularly well-suited for map- ping directly into hardware For SDFs with single-rate schedules, all actors

109 views • 7 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware is parallel while software is sequential We need concurrent high-level models to allow designers to describe systems that are independent of

574 views • 12 slides
DATA FLOW ORIENTED HARDWARE DESIGN OF RNS-BASED POLYNOMIAL MULTIPLICATION FOR SHE ACCELERATION

DATA FLOW ORIENTED HARDWARE DESIGN OF RNS-BASED POLYNOMIAL MULTIPLICATION FOR SHE ACCELERATION

Jol Cathbras Alexandre Carbon Peter Milder Renaud Sirdey Nicolas Ventroux DATA FLOW ORIENTED HARDWARE DESIGN OF RNS-BASED POLYNOMIAL MULTIPLICATION FOR SHE ACCELERATION Conference on Cryptographic Hardware and Embedded Systems 2018 |

1.01k views • 35 slides
System-on-Chip Design Data Flow hardware Implementa8on Hao Zheng Dept. Comp Sci & Eng U of

System-on-Chip Design Data Flow hardware Implementa8on Hao Zheng Dept. Comp Sci & Eng U of

System-on-Chip Design Data Flow hardware Implementa8on Hao Zheng Dept. Comp Sci & Eng U of South Florida haozheng@usf.edu (813) 9744757 1 Single-Rate SDF to Hardware Single-rate SDF: all producJon/consumpJon rates are a fixed number

395 views • 13 slides
HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance

HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance

HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance Coats Jian Huang Systems Platform Research Group Non-Volatile Memory is a Revolutionary Technology Close-to-DRAM Performance Data

367 views • 21 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in

x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in

x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in safe environment key mechanism: hardware support hardware gives VM monitor control when needed backup mechanism: emulation, binary translation 2

1.34k views • 118 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Two- and Multi-particle Cumulant Measurements of v n and Isolation of Flow and Nonflow in

Two- and Multi-particle Cumulant Measurements of v n and Isolation of Flow and Nonflow in

Two- and Multi-particle Cumulant Measurements of v n and Isolation of Flow and Nonflow in 200 GeV Au+Au Collisions by STAR = s NN Li Yi (for the STAR collaboration) Purdue University Aug. 15th, 2012 Outline Physics motivation

489 views • 35 slides
The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko Julius-Maximilians-Universitt Wrzburg alexandra.dmitrienko@uni-wuerzburg.de SEPTEMBER 9 13, 2019 CROSSING Summer School on Sustainable Security & Privacy

2.37k views • 187 slides
Entity declaration mode: in: flow into the circuit out: flow out of the circuit

Entity declaration mode: in: flow into the circuit out: flow out of the circuit

Outline 1. Basic VHDL program Basic Language Constructs of 2. Lexical elements and program format 3. Objects VHDL 4. Data type and operators RTL Hardware Design Chapter 3 1 RTL Hardware Design Chapter 3 2 by P. Chu by P. Chu Design

375 views • 10 slides
Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory Jungi Jeong , Chang Hyun Park, Jaehyuk Huh, and Seungryoul Maeng International Symposium on Microarchitecture (MICRO) 2018 Storage-Class Memory

1.95k views • 155 slides
Flow Isolation Matt Mathis ICCRG at IETF 77 3/23/2010 Anaheim CA

Flow Isolation Matt Mathis ICCRG at IETF 77 3/23/2010 Anaheim CA

Flow Isolation Matt Mathis ICCRG at IETF 77 3/23/2010 Anaheim CA http://staff.psc.edu/mathis/papers FlowIsolation20100323.{pdf,odp} = The origin of TCP friendly Rate = RTT p MSS 0.7 [1997] Inspired TCP

649 views • 36 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
Admin Halfway point on our journey!

Admin Halfway point on our journey!

Admin Halfway point on our journey! https://thefreethinkingmindblog.files.wordpress.com/2016/10/sisyphusgif.gif Share/celebrate/commiserate Be sure to get your keyboard for lab 5! Today: Steps toward C mastery C Language, advanced

1.06k views • 20 slides
Hypothesis Testing Part III: Pretest Bias James J. Heckman University of Chicago Based on T.A.

Hypothesis Testing Part III: Pretest Bias James J. Heckman University of Chicago Based on T.A.

Hypothesis Testing Part III: Pretest Bias James J. Heckman University of Chicago Based on T.A. Bancroft, The Annals of Mathematical Statistics , Vol. 15, No. 2. (June, 1944), pp. 190-204. Econ 312 Spring 2019 1 A

690 views • 20 slides
Crystallography Open Database for teaching Saulius Graulis Andrius Merkys Antanas Vaitkus

Crystallography Open Database for teaching Saulius Graulis Andrius Merkys Antanas Vaitkus

This project has received funding from the European Unions Horizon 2020 research and innovation program under grant agreement No 689868. Crystallography Open Database for teaching Saulius Graulis Andrius Merkys Antanas Vaitkus Hyderabad,

533 views • 17 slides
The Performance Analysis of Cache Architecture based on Alluxio over Virtualized Infrastructure

The Performance Analysis of Cache Architecture based on Alluxio over Virtualized Infrastructure

The Performance Analysis of Cache Architecture based on Alluxio over Virtualized Infrastructure Xu Chang, Li Zha 1 Contents Background Related Works Motivation Experiments Results Conclusion Future Work

359 views • 15 slides
Closing Kathy Leggett Future Ready Iowa Iowas Kathy.Leggett@iwd.iowa.gov SKILLS GAP

Closing Kathy Leggett Future Ready Iowa Iowas Kathy.Leggett@iwd.iowa.gov SKILLS GAP

Closing Kathy Leggett Future Ready Iowa Iowas Kathy.Leggett@iwd.iowa.gov SKILLS GAP Coronavirus Relief Registered Apprenticeship Incentive Fund Goals for today Brief summary of recent unemployment data and Future Ready Iowa.

914 views • 40 slides
Rayleigh-B enard convection: a priori estimate on the Boussinesq system that carry physical

Rayleigh-B enard convection: a priori estimate on the Boussinesq system that carry physical

Rayleigh-B enard convection: a priori estimate on the Boussinesq system that carry physical meaning C. Doering & M. Westdickenberg, & C. Seis, & C. Nobili, & A. Choffrut Max Planck Institute for Mathematics in the Sciences,

788 views • 32 slides
Whats RADB and how does it work? A simple Relational Algebra (RA) interpreter written in

Whats RADB and how does it work? A simple Relational Algebra (RA) interpreter written in

Whats RADB and how does it work? A simple Relational Algebra (RA) interpreter written in Python 3 It implements RA queries by translating them into SQL and executing them on the underlying database system through SQLAlchemy.

178 views • 13 slides
Tutorial: Building a backend in 24 hours Anton Korobeynikov anton@korobeynikov.info Outline 1.

Tutorial: Building a backend in 24 hours Anton Korobeynikov anton@korobeynikov.info Outline 1.

Tutorial: Building a backend in 24 hours Anton Korobeynikov anton@korobeynikov.info Outline 1. From IR to assembler: codegen pipeline 2. MC 3. Parts of a backend 4. Example step-by-step The Pipeline IR Passes LLVM IR DAG DAG Lower

788 views • 68 slides

More recommend