SecLabel: Enhancing RISC-V Platform Security with Labelled - - PowerPoint PPT Presentation

seclabel enhancing risc v platform security with labelled
SMART_READER_LITE
LIVE PREVIEW

SecLabel: Enhancing RISC-V Platform Security with Labelled - - PowerPoint PPT Presentation

May 04, 2023 258 likes •799 views

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture Zhenyu Ning 1,2 , Yinqian Zhang 3 , and Fengwei Zhang 2 1 Wayne State University, 2 Southern University of Science and Technology, 3 The Ohio State University Outline

slide-1
SLIDE 1

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Zhenyu Ning1,2, Yinqian Zhang3, and Fengwei Zhang2

1Wayne State University, 2Southern University of Science and Technology, 3The Ohio State University

slide-2
SLIDE 2

Outline

  • Introduction
  • Pointer Integrity
  • Memory Boundary Protection
  • Dynamic Taint Analysis
  • Implementation
  • Conclusion

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 2

slide-3
SLIDE 3

Outline

  • Introduction
  • Pointer Integrity
  • Memory Boundary Protection
  • Dynamic Taint Analysis
  • Implementation
  • Conclusion

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 3

slide-4
SLIDE 4

Introduction

  • The RISC-V architecture is well-known for its open nature.
  • Open Source, No License fee
  • Open to new design and extension
  • Open to challenge.
  • Security problems in x86 and ARM architecture remains on RISC-V platforms.
  • E.g., pointer integrity, memory boundary protection, and dynamic taint

analysis.

4 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-5
SLIDE 5

Introduction

Any effective defense on RISC-V?

5 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-6
SLIDE 6

Outline

  • Introduction
  • Pointer Integrity
  • Memory Boundary Protection
  • Dynamic Taint Analysis
  • Implementation
  • Conclusion

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 6

slide-7
SLIDE 7

Pointer Integrity

  • To ensure that the pointer is not corrupted.
  • Code-pointer Integrity and Data-pointer Integrity.

7 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

if *x0 = 0 then x1 = addr1 else x1 = addr2 jmp to x1 *x0 = 0

slide-8
SLIDE 8

Pointer Integrity

  • To ensure that the pointer is not corrupted.
  • Code-pointer Integrity and Data-pointer Integrity.

8 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

if *x0 = 0 then x1 = addr1 else x1 = addr2 jmp to x1 *x0 = 0 x1 = addr1

slide-9
SLIDE 9

Pointer Integrity

  • To ensure that the pointer is not corrupted.
  • Code-pointer Integrity and Data-pointer Integrity.

9 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

if *x0 = 0 then x1 = addr1 else x1 = addr2 jmp to x1 *x0 = 0 x1 = addr3

Code-pointer Attack

slide-10
SLIDE 10

Pointer Integrity

  • To ensure that the pointer is not corrupted.
  • Code-pointer Integrity and Data-pointer Integrity.

10 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

if *x0 = 0 then x1 = addr1 else x1 = addr2 jmp to x1 *x0 = 0

slide-11
SLIDE 11

Pointer Integrity

  • To ensure that the pointer is not corrupted.
  • Code-pointer Integrity and Data-pointer Integrity.

11 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

if *x0 = 0 then x1 = addr1 else x1 = addr2 jmp to x1 *x0 = 2

slide-12
SLIDE 12

Pointer Integrity

  • To ensure that the pointer is not corrupted.
  • Code-pointer Integrity and Data-pointer Integrity.

12 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

if *x0 = 0 then x1 = addr1 else x1 = addr2 jmp to x1 *x0 = 2 x1 = addr2

Data-pointer Attack

slide-13
SLIDE 13

Pointer Integrity: Buffer Overflow

  • Start of the attack: In most cases, a buffer overflow vulnerability.

13 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Local Var a … Local Var b Local Var c … Stack Pointer

slide-14
SLIDE 14

Pointer Integrity: Buffer Overflow

  • Start of the attack: In most cases, a buffer overflow vulnerability.

14 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Local Var a … Local Var b Local Var c … Stack Pointer

slide-15
SLIDE 15

Pointer Integrity: Buffer Overflow

  • Start of the attack: In most cases, a buffer overflow vulnerability.

15 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Local Var a … Local Var b Local Var c … Stack Pointer Params Return Addr Frame Pointer Local Var a … Local Var b Random data … Stack Pointer

Buffer Overflow Attack

slide-16
SLIDE 16

Pointer Integrity: Buffer Overflow

  • Start of the attack: In most cases, a buffer overflow vulnerability.

16 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Local Var a … Local Var b Local Var c … Stack Pointer Params Return Addr Frame Pointer Local Var a … Random data Random data … Stack Pointer

Buffer Overflow Attack

slide-17
SLIDE 17

Pointer Integrity: Buffer Overflow

  • Start of the attack: In most cases, a buffer overflow vulnerability.

17 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Local Var a … Local Var b Local Var c … Stack Pointer Params Return Addr Frame Pointer Random data … Random data Random data … Stack Pointer

Buffer Overflow Attack

slide-18
SLIDE 18

Pointer Integrity: Buffer Overflow

  • Start of the attack: In most cases, a buffer overflow vulnerability.

18 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Local Var a … Local Var b Local Var c … Stack Pointer Params Return Addr Random data Random data … Random data Random data … Stack Pointer

Buffer Overflow Attack

slide-19
SLIDE 19

Pointer Integrity: Buffer Overflow

  • Start of the attack: In most cases, a buffer overflow vulnerability.

19 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Local Var a … Local Var b Local Var c … Stack Pointer Params Modified Addr Random data Random data … Random data Random data … Stack Pointer

Buffer Overflow Attack

slide-20
SLIDE 20

Pointer Integrity: Canary

  • Stack Canary[1]: The most widely used defense to buffer overflow attack.

20 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Canary … Local Var a Local Var b … Stack Pointer Params Modified Addr Random data Random data … Random data Random data … Stack Pointer

Buffer Overflow Attack

slide-21
SLIDE 21

Pointer Integrity: Canary

  • Stack Canary[1]: The most widely used defense to buffer overflow attack.

21 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Params Return Addr Frame Pointer Canary … Local Var a Local Var b … Stack Pointer Params Modified Addr Random data Random data … Random data Random data … Stack Pointer

Buffer Overflow Attack

Canary is changed by overflow

slide-22
SLIDE 22

Pointer Integrity: Canary

  • Stack Canary[1]: The most widely used defense to buffer overflow attack.
  • Weakness:
  • Easy to bypass[2]
  • Not efficient to defend against data-pointer attack

22 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-23
SLIDE 23

Pointer Integrity: PAC

  • Pointer Authentication Code[3] is introduced in 64-bit ARMv8.3 architecture.

23 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

A pointer in 64-bit system

63

Is it really necessary to use a 64-bit address?

slide-24
SLIDE 24

Pointer Integrity: PAC

Is it really necessary to use a 64-bit address?

  • 264 bit = 16384 PB = 16.8 millions TB = 17.2 billions GB
  • Summit: 10 PB memory
  • Sunway TaihuLight: 1.32 PB memory
  • Linux: Up to 128 TB virtual memory
  • Windows: Up to 16 TB virtual memory

24 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-25
SLIDE 25

Pointer Integrity: PAC

  • Pointer Authentication Code[3] is introduced in 64-bit ARMv8.3 architecture.

25 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

A pointer in 64-bit system

63

slide-26
SLIDE 26

Pointer Integrity: PAC

  • Pointer Authentication Code[3] is introduced in 64-bit ARMv8.3 architecture.

26 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

63

Virtual Address

47

PAC

48 54

  • Pointer Value + 64-bit Context Value + 128-bit Secret Key => PAC
  • Up to 48 bits for virtual address, and at least 7 bits for PAC
slide-27
SLIDE 27

Pointer Integrity: PAC

  • PAC is good, but the deployment is painful.
  • The mechanism is released with ARMv8.3 architecture since 2016.
  • ARM does not release any processor with ARMv8.3 till now.
  • The only processors with PAC support are Apple A12 and A13.
  • Closed ecosystem.
  • No available to system developers.

27 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-28
SLIDE 28

Pointer Integrity: RISC-V

  • RISC-V based PAC
  • A group of new hardware instructions
  • Forge PAC, examine PAC, strip PAC
  • New registers for storing the 128-bit secret key
  • Secret keys for data pointers and code pointers
  • Hardware-based crypto engine
  • Generate PAC from pointer and 64-bit context value

28 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-29
SLIDE 29

Outline

  • Introduction
  • Pointer Integrity
  • Memory Boundary Protection
  • Dynamic Taint Analysis
  • Implementation
  • Conclusion

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 29

slide-30
SLIDE 30

Memory Boundary Protection

  • To ensure the memory access won’t go out of its expected boundary.

30 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

a[0] a[1] … a[8] a[9] int a[10]; … …

a

a[0] a[1] … a[8] a[9] a[8] = 1 … …

a a[8]

slide-31
SLIDE 31

Memory Boundary Protection

  • To ensure the memory access won’t go out of its expected boundary.

31 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

a[0] a[1] … a[8] a[9] int a[10]; … …

a

a[0] a[1] … a[8] a[9] a[10] = 1 … …

a

Memory Out of Boundary

a[10]

slide-32
SLIDE 32

Memory Boundary Protection: Address Sanitizer

  • Address Sanitizer[4]: Use redzones to detect out-of-bound access.

32 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

a[0] a[1] … a[8] a[9] int a[10]; … …

a

Redzone a[0] … a[9] Redzone int a[10]; Redzone Redzone

a

slide-33
SLIDE 33

Memory Boundary Protection: Address Sanitizer

  • Address Sanitizer[4]: Use redzones to detect out-of-bound access.

33 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Redzone a[0] … a[9] Redzone int a[10]; Redzone Redzone

a

Redzone a[0] … a[9] Redzone a[10] = 1 Redzone Redzone

a a[10]

Out-of-bound access

slide-34
SLIDE 34

Memory Boundary Protection: Address Sanitizer

  • Address Sanitizer[4]: Use redzones to detect out-of-bound access.
  • Weakness:
  • Large memory overhead
  • Large performance overhead
  • False negative is possible

34 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-35
SLIDE 35

Memory Boundary Protection: Intel MPX

  • Intel MPX[5]: An architecture extension dedicated for memory bound

protection.

35 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Pointer Address Base Address of Bounds Directory Table 0 Table 1 Table 2 Table 3 Table 4 Bound Directory Entry 0 Entry 1 Entry 2 Entry 3 Entry 4 Bound Table 3 Pointer Address Upper Bound Lower Bound

slide-36
SLIDE 36

Memory Boundary Protection: Intel MPX

  • Intel MPX[5]: An architecture extension dedicated for memory bound

protection.

  • Weakness:
  • Performance overhead for two-layer translation
  • Multithread not support
  • Not production ready, support will be removed from GCC 9

36 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-37
SLIDE 37

Memory Boundary Protection : RISC-V

  • RISC-V based Memory Boundary Protection

37 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

63

Virtual Address

47

PAC

48 54

???

  • Use the head bits for memory bounds
  • 9 bits if PAC is implemented
  • 16 bits if PAC is not implemented
  • More bits in 128-bit RISC-V architecture[6]
slide-38
SLIDE 38

Outline

  • Introduction
  • Pointer Integrity
  • Memory Boundary Protection
  • Dynamic Taint Analysis
  • Implementation
  • Conclusion

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 38

slide-39
SLIDE 39

Dynamic Taint Analysis

  • Analysis the information flow of specific objects.
  • Example scenario: Privacy leakage detection

39 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

…… char* password = getInput(); char* copied = copy(password); printf(“copied: %s\n”, copied); …… getInput Taint Source printf Taint Sink

slide-40
SLIDE 40

Dynamic Taint Analysis

  • Analysis the information flow of specific objects.
  • Example scenario: Privacy leakage detection

40 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

…… char* password = getInput(); char* copied = copy(password); printf(“copied: %s\n”, copied); …… getInput Taint Source printf Taint Sink password Tainted Variable

slide-41
SLIDE 41

Dynamic Taint Analysis

  • Analysis the information flow of specific objects.
  • Example scenario: Privacy leakage detection

41 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

…… char* password = getInput(); char* copied = copy(password); printf(“copied: %s\n”, copied); …… getInput Taint Source printf Taint Sink password Tainted Variable copied

slide-42
SLIDE 42

Dynamic Taint Analysis

  • Analysis the information flow of specific objects.
  • Example scenario: Privacy leakage detection

42 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

…… char* password = getInput(); char* copied = copy(password); printf(“copied: %s\n”, copied); …… getInput Taint Source printf Taint Sink password Tainted Variable copied

Taint Path Founded!

slide-43
SLIDE 43

Dynamic Taint Analysis

43 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

…… char* password = getInput(); char* copied = copy(password); printf(“copied: %s\n”, copied); …… getInput Taint Source printf Taint Sink password Tainted Variable copied

  • How to learn the taint propagation from “password” to“copied” ?
  • Heavy instrumentation
  • Add tons of instructions to monitor the data flow
slide-44
SLIDE 44

Dynamic Taint Analysis

  • Labelled RISC-V Architecture[7]: Every hardware request is attached

with a label.

44 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Core 0 Core 1 Core N … Shared Last Level Cache I/O Chipset Memory Controller Disk Disk Disk NIC

DS-id DS-id DS-id DS-id DS-id DS-id DS-id CL CL CL

slide-45
SLIDE 45

Dynamic Taint Analysis

  • Labelled RISC-V Architecture[7]: Every hardware request is attached

with a label.

  • Use the label to represent taint flag
  • Automatically propagation via hardware support
  • No instrumentation required
  • Use the Control Logic (CL) to achieve detection

45 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

What about the propagation outside of hardware request?

slide-46
SLIDE 46

Dynamic Taint Analysis

What about the propagation outside of hardware request?

  • Allocate a few bits from the unused bits in 64-bit pointer
  • In coarse-gained analysis, 1 bit is sufficient
  • This bit automatically transfers during the execution of data operation

instructions.

  • Feed to the DS-id register during hardware request

46 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-47
SLIDE 47

Outline

  • Introduction
  • Pointer Integrity
  • Memory Boundary Protection
  • Dynamic Taint Analysis
  • Implementation
  • Conclusion

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 47

slide-48
SLIDE 48

Implementation

  • SecLabel: Enchancing RISC-V Platform Security

48 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Source Code Compiler IR Modified IR Binary SecLabel-Enabled RISC-V Platform

Compiler

Compiler Frontend Compiler Backend

SecLabel

Instruction-level Instrumentation

slide-49
SLIDE 49

Outline

  • Introduction
  • Pointer Integrity
  • Memory Boundary Protection
  • Dynamic Taint Analysis
  • Implementation
  • Conclusion

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 49

slide-50
SLIDE 50

Conclusion

  • In light of the PAC in ARMv8.3, we can leverage the open feature of

RISC-V and implement similar mechanism for pointer integrity.

  • With addition bits in the head of a pointer address in 64-bit or 128-bit

RISC-V architecture, an enhanced memory boundary protection can be deployed.

  • Combining the labelled RISC-V architecture and unused bits in an

address, we are able to facilitate the existing dynamic taint analysis.

50 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-51
SLIDE 51

Reference

[1] Cowan, Crispan, et al. "Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks." USENIX Security Symposium. Vol.

  • 98. 1998.

[2] Richarte, Gerardo. "Four different tricks to bypass stackshield and stackguard protection." World Wide Web 1. 2002. [3] Liljestrand, Hans, et al. "PAC it up: Towards pointer integrity using ARM pointer authentication." 28th USENIX Security. 2019. [4] Serebryany, Konstantin, et al. "AddressSanitizer: A fast address sanity checker." Presented as part of the 2012 USENIX Annual Technical

  • Conference. 2012.

[5] Oleksenko, Oleksii, et al. "Intel MPX explained: An empirical study of intel MPX and software-based bounds checking approaches." arXiv preprint arXiv:1702.00719. 2017. [6] Wallach, Steve. “128-bit addressing in RISC-V and security.“ 5th RISC-V Workshop. 2016. [7] Yu, Zihao, et al. "Labeled RISC-V: A new perspective on software-defined architecture." CARVV. 2017. 51 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

slide-52
SLIDE 52

52 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture

Thanks!

ningzy2019@mail.sustech.edu.cn