seclabel enhancing risc v platform security with labelled
play

SecLabel: Enhancing RISC-V Platform Security with Labelled - PowerPoint PPT Presentation

May 04, 2023 •258 likes •795 views

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture Zhenyu Ning 1,2 , Yinqian Zhang 3 , and Fengwei Zhang 2 1 Wayne State University, 2 Southern University of Science and Technology, 3 The Ohio State University Outline

  1. SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture Zhenyu Ning 1,2 , Yinqian Zhang 3 , and Fengwei Zhang 2 1 Wayne State University, 2 Southern University of Science and Technology, 3 The Ohio State University

  2. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 2

  3. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 3

  4. Introduction • The RISC-V architecture is well-known for its open nature. Open Source, No License fee • Open to new design and extension • • Open to challenge. Security problems in x86 and ARM architecture remains on RISC-V platforms. • E.g., pointer integrity, memory boundary protection, and dynamic taint • analysis. SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 4

  5. Introduction Any effective defense on RISC-V? SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 5

  6. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 6

  7. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 7

  8. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 8

  9. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 x1 = addr3 Code-pointer else Attack x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 9

  10. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 10

  11. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 2 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 11

  12. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 2 x1 = addr1 x1 = addr2 Data-pointer else Attack x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 12

  13. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … Params Return Addr Frame Pointer Local Var a Local Var b Local Var c Stack Pointer … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 13

  14. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … Params Return Addr Frame Pointer Local Var a Local Var b Local Var c Stack Pointer … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 14

  15. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Frame Pointer Attack Local Var a Local Var a Local Var b Local Var b Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 15

  16. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Frame Pointer Attack Local Var a Local Var a Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 16

  17. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Frame Pointer Attack Local Var a Random data Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 17

  18. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Random data Attack Local Var a Random data Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 18

  19. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Modified Addr Buffer Overflow Frame Pointer Random data Attack Local Var a Random data Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 19

  20. Pointer Integrity: Canary Stack Canary [1] : The most widely used defense to buffer overflow attack. • … … Params Params Return Addr Modified Addr Buffer Overflow Frame Pointer Random data Attack Canary Random data Local Var a Random data Local Var b Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 20

  21. Pointer Integrity: Canary Stack Canary [1] : The most widely used defense to buffer overflow attack. • … … Params Params Return Addr Modified Addr Buffer Overflow Frame Pointer Random data Attack Canary is changed Canary Random data by overflow Local Var a Random data Local Var b Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 21

  22. Pointer Integrity: Canary Stack Canary [1] : The most widely used defense to buffer overflow attack. • Weakness: • Easy to bypass [2] • Not efficient to defend against data-pointer attack • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 22

  23. Pointer Integrity: PAC Pointer Authentication Code [3] is introduced in 64-bit ARMv8.3 architecture. • 0 63 A pointer in 64-bit system Is it really necessary to use a 64-bit address? SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 23

  24. Pointer Integrity: PAC Is it really necessary to use a 64-bit address? 2 64 bit = 16384 PB = 16.8 millions TB = 17.2 billions GB • Summit : 10 PB memory • Sunway TaihuLight : 1.32 PB memory • Linux : Up to 128 TB virtual memory • Windows : Up to 16 TB virtual memory • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 24

  25. Pointer Integrity: PAC Pointer Authentication Code [3] is introduced in 64-bit ARMv8.3 architecture. • 0 63 A pointer in 64-bit system SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 25

  26. Pointer Integrity: PAC Pointer Authentication Code [3] is introduced in 64-bit ARMv8.3 architecture. • 63 54 48 47 0 PAC Virtual Address Pointer Value + 64-bit Context Value + 128-bit Secret Key => PAC • Up to 48 bits for virtual address, and at least 7 bits for PAC • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 26

  27. Pointer Integrity: PAC PAC is good, but the deployment is painful. • The mechanism is released with ARMv8.3 architecture since 2016. • ARM does not release any processor with ARMv8.3 till now. • The only processors with PAC support are Apple A12 and A13. • Closed ecosystem. • No available to system developers. • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 27

  28. Pointer Integrity: RISC-V RISC-V based PAC • A group of new hardware instructions • Forge PAC, examine PAC, strip PAC • New registers for storing the 128-bit secret key • Secret keys for data pointers and code pointers • Hardware-based crypto engine • Generate PAC from pointer and 64-bit context value • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 28

  29. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 29

  30. Memory Boundary Protection • To ensure the memory access won’t go out of its expected boundary. … … a[0] a[0] a a a[1] a[1] int a[10]; … a[8] = 1 … a[8] a[8] a[8] a[9] a[9] … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore Architectures on FPGA First Workshop on Computer Architecture Research with RISC-V (CARRV) @ MICRO 50 2017-10-14 Andreas Kurth Pirmin Vogel Alessandro

216 views • 21 slides
ENHANCING SCIENTIFIC COMPUTATION USING A VARIABLE PRECISION FPU WITH A RISC-V PROCESSOR Y.Durand,

ENHANCING SCIENTIFIC COMPUTATION USING A VARIABLE PRECISION FPU WITH A RISC-V PROCESSOR Y.Durand,

ENHANCING SCIENTIFIC COMPUTATION USING A VARIABLE PRECISION FPU WITH A RISC-V PROCESSOR Y.Durand, C.Fabre, A. Bocco, T. Trevisan | IMPRENUM Project | Oct 2019 | 1 USE CASES FOR (LARGE) VARIABLE PRECISION Applications Techniques & Kernels

317 views • 8 slides
Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement

Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement

Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement Red Hat When RISC-V Grows Up... The ISA is only a small part of a product What we need is to be dead boring To get there, we need:

300 views • 13 slides
Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Presented by: Joris Jonkers Both & Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1 Introduction RISC-V64 - Like ARM but open source - One

524 views • 37 slides
RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC Chair CHES 2018 Rump Session, Amsterdam, September 10 th 2018 A security standing committee for the RISC-V Foundation RISC-V Foundation; a

211 views • 4 slides
RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow

RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow

RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow RISCV Security Standing Committee Chair CHES 2019 @ Atlanta 08/26/2019 Outline RISCV Foundation Security Standing Committee Creation and

350 views • 33 slides
Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related RISC-V Task Groups 2 About the TEE Task Group One of the most popular groups (112 registered members) Regular conference calls / mailing list

675 views • 13 slides
HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data

HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data

HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data Security February 2016 Data Security Impacts Design and Delivery of Big Data Projects Data Security frequently is a leading Role Security Impacts

545 views • 23 slides
On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs Robert Rothenberg 1 2 1 School of Computer Science University of St Andrews 2 Interactive Information, Ltd Edinburgh Workshop in Honour of Roy

393 views • 26 slides
The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th

The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th

The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th March 2019 Structure of this talk Introduction to RISC-V RISC-V status Selected RISC-V topics RISC-V and open hardware: the future

733 views • 28 slides
Ho How w to o Bui Build & Secur cure a RISC-V Em Embe bedde ded System HARDWEAR.IO,

Ho How w to o Bui Build & Secur cure a RISC-V Em Embe bedde ded System HARDWEAR.IO,

Ho How w to o Bui Build & Secur cure a RISC-V Em Embe bedde ded System HARDWEAR.IO, September 2019 Cesare Garlati, Sandro Pinto RISC-V ISA Security Building Blocks Privi vilege lege Levels vels & Contro rol l and Status

120 views • 11 slides
Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail in the instruction set wars? Describe a simple RISC ISA called DLX 2. Designing a simple DLX processor: Single Cycle Implementation Multiple

1.01k views • 21 slides
Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail in the instruction set wars? Describe a simple RISC ISA called DLX 2. Designing a simple DLX processor: Single Cycle Implementation Multiple

753 views • 11 slides
Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017 Introduction: SECURITY REQUIRES A LAYERED APPROACH NXPs 4 + 1 Layer approach for vehicle cyber security: Multiple security techniques, at different

485 views • 19 slides
Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters Rockville, MD Sept 4, 2008; 9:30 a.m. 12 noon 1 AGENDA Welcome Patricia Trish Holahan, Director Division of Security Operations (DSO)

479 views • 14 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Protocol for Carrying Authentication for Network Access (PANA) (draft-ietf-pana-pana-00.txt)

Protocol for Carrying Authentication for Network Access (PANA) (draft-ietf-pana-pana-00.txt)

Protocol for Carrying Authentication for Network Access (PANA) (draft-ietf-pana-pana-00.txt) Authors: Dan Forsberg Yoshihiro Ohba Basavaraj Patil Hannes Tschofenig Alper Yegin IETF56 Contents Introduction PAA Discovery

612 views • 34 slides
Albany Medical Center Hospital PPS PAC Meeting July 18, 2016 Meeting Attendance Please email

Albany Medical Center Hospital PPS PAC Meeting July 18, 2016 Meeting Attendance Please email

Albany Medical Center Hospital PPS PAC Meeting July 18, 2016 Meeting Attendance Please email confirmation of your participation in todays meeting to DSRIP@mail.amc.edu Name and Organization is required within 24 hours 2 Agenda

583 views • 19 slides
and How De te r mining Whe the r the GDPR Will Apply to You Visit www.a dvise nltd.c o

and How De te r mining Whe the r the GDPR Will Apply to You Visit www.a dvise nltd.c o

mining Whe the r and How the De te r GDPR Will Apply to You Spo nso re d By: and How De te r mining Whe the r the GDPR Will Apply to You Visit www.a dvise nltd.c o m a t the e nd o f this we b ina r to do wnlo a d: Co

463 views • 13 slides
CHARACTERS AND STRINGS CSSE 120Rose Hulman Institute of Technology Characters and Strings g

CHARACTERS AND STRINGS CSSE 120Rose Hulman Institute of Technology Characters and Strings g

CHARACTERS AND STRINGS CSSE 120Rose Hulman Institute of Technology Characters and Strings g Characters in Python y Just a one-character string Just a one character string >>> myChar = 'C' >>> print myChar p y C

370 views • 15 slides
L ECTURE 15: Regrade requests: L EARNING T HEORY Send us email, and come and see me next

L ECTURE 15: Regrade requests: L EARNING T HEORY Send us email, and come and see me next

CS446 Introduction to Machine Learning (Fall 2013) Announcements University of Illinois at Urbana-Champaign http://courses.engr.illinois.edu/cs446 Midterm grades are available on Compass. L ECTURE 15: Regrade requests: L EARNING T HEORY Send

612 views • 5 slides
PAC Statistical Model Checking for Markov Decision Processes and Stochastic Games 1 Pranav Ashok,

PAC Statistical Model Checking for Markov Decision Processes and Stochastic Games 1 Pranav Ashok,

PAC Statistical Model Checking for Markov Decision Processes and Stochastic Games 1 Pranav Ashok, Jan K ret nsk y, Maximilian Weininger Technical University of Munich Highlights of Logic, Automata and Games Warsaw, Poland September

503 views • 14 slides
Meeting January 10, 2018 2 Agenda Networking 1. CCB Update: Where Weve Been and Where

Meeting January 10, 2018 2 Agenda Networking 1. CCB Update: Where Weve Been and Where

Project Advisory Committee Meeting January 10, 2018 2 Agenda Networking 1. CCB Update: Where Weve Been and Where Were Headed 2. (Dr. David Cohen, CCB Executive Committee Chair) Keynote Address: Jason Helgerson, New York State

483 views • 15 slides
Computational Learning Theory Based on Machine Learning, T. Mitchell, McGRAW Hill, 1997, ch.

Computational Learning Theory Based on Machine Learning, T. Mitchell, McGRAW Hill, 1997, ch.

0. Computational Learning Theory Based on Machine Learning, T. Mitchell, McGRAW Hill, 1997, ch. 7 Acknowledgement: The present slides are an adaptation of slides drawn by T. Mitchell 1. Main Questions in Computational Learning Theory

682 views • 42 slides

More recommend