pagurus low overhead dynamic information flow tracking on
play

PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely - PowerPoint PPT Presentation

Dec 01, 2023 •334 likes •851 views

ACM/IEEE CODES+ISSS 2018, Turin, Italy PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca Piccolboni, Giuseppe Di Guglielmo and Luca P. Carloni Columbia University, NY, USA Systems-on-Chip (SoCs) Are

  1. ACM/IEEE CODES+ISSS 2018, Turin, Italy PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca Piccolboni, Giuseppe Di Guglielmo and Luca P. Carloni Columbia University, NY, USA

  2. Systems-on-Chip (SoCs) Are Vulnerable to Software Attacks PULPino Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI UART SPI M. APB [M. Gautschi et al., IEEE VLSI ’17] ACM/IEEE CODES + ISSS 2018, Turin, Italy 2 / 16

  3. Attacking PULPino Buffer-Overflow Attack memory location: 0xAA val = 7 num = 10 int nt buff[10], k; fun = 0xAA int (*fun)(int) = foo; int int num = atoi (argv[1]); buff[9] = sw (7) int val = atoi (argv[2]); int ... /* this is a bad idea */ buff[1] = sw (7) for for (k = 0; k < num; ++k) buff[0] = sw (7) buff[k] = sw(val) ; fun(1); // call foo? main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 3 / 16

  4. Attacking PULPino can be used to call a malicious function Buffer-Overflow Attack memory location: 0xAA val = 7 num = 11 int nt buff[10], k; fun = sw (7) int (*fun)(int) = foo; int num = atoi (argv[1]); int buff[9] = sw (7) int val = atoi (argv[2]); int ... /* this is a bad idea */ buff[1] = sw (7) for for (k = 0; k < num; ++k) buff[0] = sw (7) buff[k] = sw(val) ; fun(1); // call foo? main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 3 / 16

  5. Attacking PULPino Dynamic Information Flow Tracking (DIFT) memory location: 0xAA val = 0xA val = 11 1 num = 0x7 num = 7 0 int nt buff[10], k; func = 0xAA fun = sw (7) 1 int (*fun)(int) = foo; int num = atoi (argv[1]); int buff[9] = sw (0x7) buff[9] = sw (7) 1 int val = atoi (argv[2]); int ... ... /* this is a bad idea */ buff[1] = sw (0x7) buff[1] = sw (7) 1 for for (k = 0; k < num; ++k) buff[0] = sw (0x7) buff[0] = sw (7) buff[k] = sw(val) ; 1 fun(1); // call fun main memory main memory tags [G. E. Suh et al., ACM ASPLOS ’04] ACM/IEEE CODES + ISSS 2018, Turin, Italy 3 / 16

  6. Homogenous SoCs Now Secured with DIFT PULPino Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI UART SPI M. APB [M. Gautschi et al., IEEE VLSI ’17] DIFT Extensions [C. Palmiero et al., IEEE HPEC ’18] ACM/IEEE CODES + ISSS 2018, Turin, Italy 4 / 16

  7. Heterogeneous SoCs No-More-Secured with DIFT PULPino Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI UART Loosely Coupled Loosely Coupled Accelerator #1 Accelerator #2 SPI M. APB [M. Gautschi et al., IEEE VLSI ’17] DIFT Extensions [C. Palmiero et al., IEEE HPEC ’18] ACM/IEEE CODES + ISSS 2018, Turin, Italy 5 / 16

  8. Attacking PULPino (Again) Buffer-Overflow Attack val = 0xA val = 7 1 int nt buff[10] = {0}; num = 0x7 num = 11 0 int (*f)(int) = foo ; func = 0xAA fun = 0xAA 1 int num = atoi (argv[1]); int int val = atoi (argv[2]); int buff[9] = sw (0x7) buff[9] = 0 1 /* this is a bad idea */ ... ... hw(num, val, buff) ; buff[1] = sw (0x7) buff[1] = 0 1 buff[0] = sw (0x7) buff[0] = 0 1 main memory main memory tags ACM/IEEE CODES + ISSS 2018, Turin, Italy 6 / 16

  9. Attacking PULPino (Again) can be used to call a malicious function Buffer-Overflow Attack val = 0xA val = 7 1 int nt buff[10] = {0}; num = 0x7 num = 11 0 int (*f)(int) = foo ; func = 0xAA fun = hw (7) 0 int num = atoi (argv[1]); int int val = atoi (argv[2]); int buff[9] = sw (0x7) buff[9] = hw (7) 0 /* this is a bad idea */ ... ... hw(num, val, buff) ; buff[1] = sw (0x7) buff[1] = hw (7) 0 buff[0] = sw (0x7) buff[0] = hw (7) 0 the accelerator is not able to propagate the tags main memory main memory tags ACM/IEEE CODES + ISSS 2018, Turin, Italy 6 / 16

  10. Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators ACM/IEEE CODES + ISSS 2018, Turin, Italy 7 / 16

  11. Contributions PULPino System-on-Chip Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI DIFT Shell UART DIFT Shell Loosely Coupled Loosely Coupled Accelerator #1 Accelerator #2 SPI M. APB ACM/IEEE CODES + ISSS 2018, Turin, Italy 7 / 16

  12. Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators a) The shell design is independent from the design of the accelerators and vice versa b) The shell has low overheads on both the performance and cost of accelerators 2. We propose a metric to quantitatively measure the security guarantees provided by the shell ACM/IEEE CODES + ISSS 2018, Turin, Italy 7 / 16

  13. Preliminaries Assumptions and Attack Model 1. The hardware is safe: no hardware Trojans 2. The software is not safe: it contains bugs and vulnerabilities useful for the attackers The attackers exploit these vulnerabilities through common I/O interfaces with the goal of affecting the integrity and/or the confidentiality of the hardware-accelerated software applications ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16

  14. Preliminaries Tagging Scheme 1. Coupled Scheme value #1 tag #1 value #2 tag #2 value #3 tag #3 main memory tags [J. Porquet et al., ACM/IEEE CODES’13] ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16

  15. Preliminaries Tagging Scheme 1. Coupled Scheme 2. Decoupled Scheme value #1 value #2 value #3 tag #1 protected region in tag #2 memory tag #3 main memory [J. Porquet et al., ACM/IEEE CODES’13] ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16

  16. Preliminaries Tagging Scheme 1. Coupled Scheme 2. Decoupled Scheme 2.1. Interleaved Scheme value #1 tag #1 value #2 tag offset = # words in memory between two tag #2 consecutive values value #3 (tag offset = 1) tag #3 main memory [J. Porquet et al., ACM/IEEE CODES’13] ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16

  17. Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators a) The shell design is independent from the design of the accelerators and vice versa b) The shell has low overheads on both the performance and cost of accelerators ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16

  18. Accelerators Loosely Coupled Architecture Accelerator … configuration reg #1 reg #K register #1 register #2 ... register #K bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16

  19. Accelerators Loosely Coupled Architecture Accelerator … … configuration configuration reg #1 reg #K load input compute burst length val val val input bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16

  20. Accelerators Loosely Coupled Architecture Accelerator … configuration configuration reg #1 reg #K load input compute load load input val val val val val val bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16

  21. Accelerators Loosely Coupled Architecture Accelerator … configuration reg #1 reg #K load input compute load load load input val val val val val val burst length store store output val val val output bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16

  22. DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator Accelerator ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16

  23. DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator shell configuration register #1 src_tag dst_tag register #2 ... register #K reg. #K+1: src_tag reg. #K+2: dst_tag Accelerator main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16

  24. DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator shell configuration src_tag dst_tag burst length val val src_tag shell load logic src_tag val tag val tag input if tag != src_tag DIFT_exception! Accelerator main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16

  25. DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator shell configuration src_tag dst_tag burst length shell load logic dst_tag val val val tag val tag dst_tag output shell store logic val tag val tag Accelerator main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16

  26. Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators a) The shell design is independent from the design of the accelerators and vice versa b) The shell has low overheads on both the performance and cost of accelerators 2. We propose a metric to quantitatively measure the security guarantees provided by the shell ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16

  27. A Security Metric Definition value #1 value #2 src_tag value #3 input main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16

  28. A Security Metric Definition value #1 [overwritten] DIFT Shell Loosely Coupled value #2 [overwritten] Accelerator val val val tag src_tag [overwritten] value #3 [overwritten] input value #1 output main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16

  29. A Security Metric Definition value #1 [overwritten] DIFT Shell Loosely Coupled value #2 [overwritten] Accelerator val val val tag src_tag [overwritten] DIFT_exception! value #3 [overwritten] input Information Leakage value #1 • Quantitative metric for security output main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help better understand SW behavior

350 views • 24 slides
Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic Information Flow Tracking Tracking G. Edward Suh Suh, , Jae Jae W. Lee, David W. Lee, David G. Edward Zhang, Srinivas Srinivas Devadas Devadas

547 views • 26 slides
Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V Core for IoT Applicatjons Christjan Palmiero , Giuseppe Di Guglielmo , Luciano Lavagno , Luca P. Carloni Politecnico Di Torino

218 views • 18 slides
libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios

libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios

Overview Design &amp; Implementation Results &amp; Discussion libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios Portokalidis Kangkook Jee Angelos D. Keromytis Network Security Lab Department of

649 views • 35 slides
Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web

641 views • 30 slides
A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon Bohrer and Andr e Platzer

A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon Bohrer and Andr e Platzer

A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon Bohrer and Andr e Platzer Logical Systems Lab Computer Science Department Carnegie Mellon University LICS18 1 / 21 Outline: Hybrid { Dynamics, Logic, Power } Hybrid

353 views • 34 slides
Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks Matthew Van Gundy and Hao Chen University of California, Davis 16th Annual Network &amp; Distributed System Security Symposium

1.08k views • 80 slides
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones William Enck Peter Gilbert Byung-Gon Chun Landon P. Cox Jaeyeon Jung Patrick McDaniel Anmol N. Sheth Presentation by Krzysztof Pawlowski

447 views • 30 slides
RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y. Ji, S. Lee, E. Downing, et.al. CCS17 Presented by: Mohammad A. Noureddine CS563 Fall 2018 No Shortage of Recent Breaches! 1 Investigating

804 views • 28 slides
Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel, Frederic T Chong, Timothy Sherwood Presented by Mengjia Yan Based on slides from Mohit Tiwari Goal: Non-Interference High Low Low system Sink

1.43k views • 105 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs with low Hardware overhead on Xilinx FPGAs Michael Hbner 1 , Diana Ghringer 2 , Juanjo Noguera 3 , Jrgen Becker 1 1 Karlsruhe Institute of

370 views • 16 slides
Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS

Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS

Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS 2019 Language c ::= skip | x:=exp | c;c | if exp then c else c | while exp do c 2 Explicit flows high (secret) l:=h insecure low (public)

555 views • 27 slides
FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and

588 views • 32 slides
Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C.

Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C.

Flexible Dynamic Information Flow Control in Haskell Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C. Mitchell 1 David Mazires 1 1 2 Haskell11 www.scs.stanford.edu/ deian/lio Flexible

820 views • 55 slides
Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel, Frederic T Chong, Timothy Sherwood Presented by Mengjia Yan Based on slides from Mohit Tiwari Goal: Non-Interference Non-Interference: a change in a

604 views • 32 slides
Native American Agriculture Fund (NAAF) Agricultural Census Webinar States of Interest States

Native American Agriculture Fund (NAAF) Agricultural Census Webinar States of Interest States

Native American Agriculture Fund (NAAF) Agricultural Census Webinar States of Interest States with AI/AN populations over 1% of overall AI/AN population Alabama New Mexico Arizona North Carolina Arkansas Oklahoma

749 views • 46 slides
Road Improvements Making it easier and safer to drive through downtown Roseburg Washington at

Road Improvements Making it easier and safer to drive through downtown Roseburg Washington at

OR 138E Corridor Solutions Road Improvements Making it easier and safer to drive through downtown Roseburg Washington at Pine and Stephens One of the biggest changes this project will bring about is realigning the two block section of Pine

696 views • 50 slides
Light- -weight Contour Tracking in weight Contour Tracking in Light Wireless Sensor Networks

Light- -weight Contour Tracking in weight Contour Tracking in Light Wireless Sensor Networks

Light- -weight Contour Tracking in weight Contour Tracking in Light Wireless Sensor Networks Wireless Sensor Networks Xianjin Zhu Rik Sarkar Jie Gao Joseph S. B. Mitchell INFOCOM 08 1 Motivation Motivation Sensor network: sense

417 views • 38 slides
Cr Croes eso Welcome #E #Emsireg egiona nal Agenda 12. 12.15 15 9.00 Lunch

Cr Croes eso Welcome #E #Emsireg egiona nal Agenda 12. 12.15 15 9.00 Lunch

Cr Croes eso Welcome #E #Emsireg egiona nal Agenda 12. 12.15 15 9.00 Lunch Breakfast networking 1.00 1. 00 10.00 Th The State of of the Welsh Econ conom omy: y: Grand Welcome Sl Slam or Wooden en Sp Spoon?

171 views • 15 slides
How to write slides (an incomplete guide) Nov. 30, 2000 These are the notes for the title page

How to write slides (an incomplete guide) Nov. 30, 2000 These are the notes for the title page

How to write slides (an incomplete guide) Nov. 30, 2000 These are the notes for the title page Explain how to orient the slides on the projector: the speaker should be able to read them, as he faces the public. It is not recommended for

243 views • 7 slides
The model category of algebraically cofibrant 2-categories Alasdair Caimbeul Centre of

The model category of algebraically cofibrant 2-categories Alasdair Caimbeul Centre of

The model category of algebraically cofibrant 2-categories Alasdair Caimbeul Centre of Australian Category Theory Macquarie University Category Theory 2019 un ` Oilthigh Dh` Eideann 10 Iuchar 2019 un ` Alasdair Caimbeul (CoACT) The model

934 views • 31 slides
Working w ith 2 D arra y s IN TR OD U C TION TO DATA VISU AL IZATION IN P YTH ON Br y an Van de

Working w ith 2 D arra y s IN TR OD U C TION TO DATA VISU AL IZATION IN P YTH ON Br y an Van de

Working w ith 2 D arra y s IN TR OD U C TION TO DATA VISU AL IZATION IN P YTH ON Br y an Van de Ven Core De v eloper of Bokeh Reminder : N u mP y arra y s Homogeneo u s in t y pe Calc u lations all at once Inde x ing w ith brackets : A[index]

671 views • 41 slides
HEALTH RISKS of USING GRAY SOIL COLORS to DETERMINE ONSITE SUITABILITY Jay F. Conta -

HEALTH RISKS of USING GRAY SOIL COLORS to DETERMINE ONSITE SUITABILITY Jay F. Conta -

HEALTH RISKS of USING GRAY SOIL COLORS to DETERMINE ONSITE SUITABILITY Jay F. Conta - Virginia Tech Interpretive Soil Scientist Department of Crop &amp; Soil Environmental Sciences WATER TABLE RESEARCH SITE MATERIALS

447 views • 20 slides

More recommend