the ascend secure processor
play

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work - PowerPoint PPT Presentation

Mar 03, 2023 •543 likes •923 views

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas, Marten van Dijk Ling Ren, Albert Kwon, Xiangyao Yu Elaine Shi & Emil Stefanov David Wentzlaff & Princeton Team (Mike, Tri, Jonathan,

  1. The Ascend Secure Processor Christopher Fletcher MIT 1

  2. Joint work with • Srini Devadas, Marten van Dijk • Ling Ren, Albert Kwon, Xiangyao Yu • Elaine Shi & Emil Stefanov • David Wentzlaff & Princeton Team (Mike, Tri, Jonathan, Alexey, Yaosheng) • Omer Khan 2

  3. Last talk: Intel SGX Data Integrity MEE Address Timing 3

  4. Ascend Processor This talk Data Integrity Memory controller Address Timing 4

  5. Outline • Motivation + Oblivious RAM (ORAM) primer • ORAM in Hardware • Demo  5

  6. If ( secret variable ) { Op Address Time R 0 1 … scan memory … W 1 10 } R 5 15 R 6 16 R 7 17 Binary search • SGX broken through page faults [Xu et al.’15] • Shared library usage [Zhuang et al.’04] • Search queries [Islam et al.’12] 6

  7. Oblivious RAM (ORAM) [Goldreich- Ostrovsky’96] Chip pins On-chip Cache miss ORAM Shuffled Controller Provably removes all access pattern leakage 7

  8. ORAM security definition • Access is 3 tuple: ( op = Read/write, address , data ) • Consider access sequences A and A’ A = [ (op 1 , address 1 , data 1 ), (op 2 , address 2 , data 2 ), … ] A’ = [ (op 1 ’, address 1 ’, data 1 ’), (op 2 ’, address 2 ’, data 2 ’), … ] • If |A| == |A’| then ORAM(A) ≈ ORAM(A’) 8

  9. Path ORAM [CCS’13] “The ORAM” Chip pins ORAM Controller (on-chip) Read/writes 9

  10. Block assigned to random path. Block lives on that path . A, 2 Off-chip B, 3 PosMap A, 2 B, 3 Path 1 2 3 4 10

  11. Chip pins Empty space = dummy encryptions Not Encrypted Encrypted Off-chip B, 3 PosMap A, 2 A, 2 dummy B, 3 dummy dummy dummy dummy Path 1 2 3 4 11

  12. Path ORAM Access: Read+write the path the block is assigned to. 12

  13. Path ORAM Access: Read+write the path the block is assigned to. Off-chip B, 3 PosMap dummy A, 2 4 A, 2 dummy dummy B, 3 A, 4 B, 3 dummy dummy dummy dummy Stash Path 1 2 3 4 13

  14. Typically, 4 slots per bucket “Z=4” Off-chip B, 3 Z=1 …for simplicity dummy dummy dummy dummy dummy Path 1 2 3 4 14

  15. Too big! Off-chip B, 3 A, 4 A, 4 B, 3 15

  16. Map recursion [Shi et al., 11] PosMap ORAM PosMap ORAM 2 Block On-chip On-chip Map’ Map’ Map A, 4 B, 3 Small enough Smaller 16

  17. Map recursion [Shi et al., 11] On-chip PosMap PosMap PosMap Data ORAM ORAM 1 ORAM 2 17

  18. Path ORAM summary Blocks assigned to paths. B Access block: Read+write path. Adversary sees: random paths. 4 2 3 1 18

  19. ORAM in Hardware 19

  20. First ORAM Ascend in silicon in silicon • Collaboration with David Wentzlaff’s group @ Princeton MIT Team 20

  21. First silicon fully functional @ 500 MHz & .9 V Design (Verilog) Open Source 21

  22. Blocks must live on assigned path or in stash . Can overflow Off-chip PosMap A, 4 B, 2 A, 4 B, 2 Stash Path 1 2 3 4 22

  23. Blocks must live on assigned path or in stash . Off-chip Bottleneck in prior work [Maas et al. ‘13] PosMap Causes 3 X avg. slowdown on SPEC. A, 4 B, 2 A, 4 B, 2 Stash Path 1 2 3 4 23

  24. Bit blasted stash eviction [FCCM’15] Bit vectors Path block , Path evict , occ Can be pipelined def evict( Path block , Path evict , occ ): t 1 = Path block ⊕ Path evict evict() t 2 = bit_reverse( ( (t 1 Ʌ – t 1 ) – 1) Ʌ occ ) ~ circuit ret bit_reverse( t 2 Ʌ – t 2 ) occ ’ ≈ greatest common prefix 24

  25. Simple design, no performance bottleneck. 25

  26. Integrity protection for ORAM ORAM Cache miss Shuffled Overlay Hash tree 26

  27. ORAM logic Test harness SHA-3 One SHA-3 unit FPGA Prototype 27

  28. Cheap Integrity Scheme [ASPLOS’15] • Per-block MAC { Block data , Hash(Block data , Block addr, counter ) } • Good: Hash 1 block, NOT path • Bad: Need to store counters on-chip • Replace entries in map with counters! 28

  29. Block A’’ MAC K ( Counter || A’’ || data) Want: Path P = PosMap[A] Counter for A’’’ + 1 A’’’+1 Counter for A’’’ A ’’’ Algorithm: Given A: derive A’, A’’, A’’’ Data PosMap P’ = PRF (A’ || PosMap [A’] = Counter ) ORAM PosMap ORAM 1 P’’ = PRF (A’’ || ORAMAccess (A’’, P’)) ORAM 2 P = PRF (A’’’ || ORAMAccess (A’’’, P’’)) Data = ORAMAccess (A, P) Block A’’’ P Block P’ P’’ Counter A’ Block A’’ (A, D) On-chip PosMap (root of trust) Problem: |C| > |P| More schemes … to get |C| < |P| Integrity checks

  30. Cheap Integrity Scheme [ASPLOS’15] Result: Hashing decreased by 68 X , simple design 30

  31. ORAM randomizes data layout. Computer architecture assumes data locality. Subtree size = row size ISCA’13 31

  32. # Row misses: tree height ~ tree height ~ subtree height 32

  33. Row misses: 60% overhead 13% overhead 33

  34. 460M transistors AES rounds Stash evict() PLL ORAM .5 mm Tile 0 Tile 1 Tile 2 Tile 3 Tile 4 Encryption Stash Recursion, PLB, Tile 5 Tile 6 Tile 7 Tile 8 Tile 9 Integrity 6 mm Tile Tile Tile Tile Tile 2 mm 10 11 12 13 14 Tile Tile Tile Tile Tile Hash unit 15 16 17 18 19 Tile Tile Tile Tile Tile 20 21 22 23 24 6 mm 34

  35. 2 DRAM channels, In-order core, Slowdown vs. 2-level cache hierarchy, 1 MByte last-level cache insecure ORAM = 1208 cycles / tree lookup 11 Slowdown (X) 1 tpcc ycsb astar bzip2 gcc gob h264 libq mcf omnet perl sjeng avg 35

  36. Demo 36

  37. Backup 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ascend Biopharmaceuticals Limited Corporate Overview October 2016 ASCEND BIOPHARMACEUTICALS

Ascend Biopharmaceuticals Limited Corporate Overview October 2016 ASCEND BIOPHARMACEUTICALS

Ascend Biopharmaceuticals Limited Corporate Overview October 2016 ASCEND BIOPHARMACEUTICALS LIMITED Disclaimer This presentation is being provided for the sole purpose of providing the recipients with background information about Ascend

429 views • 19 slides
MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

Damian Barabonkov MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big Ideas Paper Feedback Motivation of MI6 Threat Model Implementation Performance Analysis

383 views • 24 slides
ASCEND Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with

ASCEND Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with

ASCEND Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with diabetes and no baseline cardiovascular disease Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by British

468 views • 14 slides
Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM: Advanced RISC Machine First developed in 1983 by Acorn Computers ARM Ltd was formed in 1988 to continue development Advantages of the ARM

391 views • 14 slides
Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky

Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky

February 2, 2010 Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky Flylogic, Inc. chris@flylogic.net http://www.flylogic.net Decapsulate Perform initial examination Identify device if

1.38k views • 6 slides
Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. ODonnell, Ishan Sachdev, and Srinivas Devadas Massachusetts Institute of Technology 1 New Security Challenges

356 views • 31 slides
The M e Morgan S State e Un University ty AS ASCEND Co Community-Based ed P Parti tici

The M e Morgan S State e Un University ty AS ASCEND Co Community-Based ed P Parti tici

The M e Morgan S State e Un University ty AS ASCEND Co Community-Based ed P Parti tici cipatory R Res esea earch ch ( (CBPR) Gr Grants ts P Prog ogram Gillian B B. Silver, M MPH, C CPH for t the A ASCEND C CBPR PR

263 views • 14 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary cardiovascular prevention in 15,480 patients with diabetes Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by

168 views • 14 slides
ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary cardiovascular prevention in 15,480 patients with diabetes Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by

180 views • 13 slides
FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will

FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will

FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will take care of data compression and trigger primitive generation Co-processor will also perform data buffering for supernova trigger Sits on FELIX

522 views • 13 slides
1 Welcome to Ascend! If youre looking for a new ed leadership role in the coming year,

1 Welcome to Ascend! If youre looking for a new ed leadership role in the coming year,

1 Welcome to Ascend! If youre looking for a new ed leadership role in the coming year, youve come to the right place. 2 Im Justin Baeder, Director of The Principal Center. Today I want to talk about your path to the next level. 3

1.4k views • 112 slides
Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik)

Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik)

Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik) David Wang (@planetbeing) About Us Tarjei Mandt Senior Security Researcher, Azimuth Security tm@azimuthsecurity.com Mathew Solnik

1.51k views • 95 slides
Ascend &amp; AXA M anagment Liability We Aim Higher Who We Are rradar is a specialist

Ascend &amp; AXA M anagment Liability We Aim Higher Who We Are rradar is a specialist

Ascend &amp; AXA M anagment Liability We Aim Higher Who We Are rradar is a specialist litigation and commercial law firm that uses legal expertise and digital tools to proactively manage, advise and deliver business solutions to reduce legal

318 views • 27 slides
Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor The cycle time is determined by the longest instruction Could be very long, thinking about fetch data from DRAM Hardware is mostly idle 3

866 views • 47 slides
Welcome to PhotoPRINT 6 PhotoPRINT 6 is designed to help your productivity ascend to new heights,

Welcome to PhotoPRINT 6 PhotoPRINT 6 is designed to help your productivity ascend to new heights,

Welcome to PhotoPRINT 6 PhotoPRINT 6 is designed to help your productivity ascend to new heights, while maintaining SAis signature ease-of-use interface. The following is a brief list of new features and improvements. . New Features

425 views • 20 slides
Test-Case Reduc-on for C Compiler Bugs John Regehr,

Test-Case Reduc-on for C Compiler Bugs John Regehr,

Test-Case Reduc-on for C Compiler Bugs John Regehr, Yang Chen, Pascal Cuoq, Eric Eide, Chucky Ellison, Xuejun Yang Background: Csmith [PLDI

797 views • 48 slides
Status Report: Adjoint Code with the History Updates NAGWare Fortran Compiler v5.1 Merge

Status Report: Adjoint Code with the History Updates NAGWare Fortran Compiler v5.1 Merge

CompAD-II Report Michael Maier Status Report: Adjoint Code with the History Updates NAGWare Fortran Compiler v5.1 Merge Outlook Michael Maier Department of Computer Science RWTH Aachen University Germany maier@stce.rwth-aachen.de 5 th

174 views • 13 slides
Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020 2/20 About me

Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020 2/20 About me

Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020 2/20 About me PhD thesis on elliptic curves Orange, and Universit de Rennes 1 Risk assessment and audit Interest: challenges (root-me, CryptoHack), korean

1.15k views • 54 slides
Sta$c Single Assignment (SSA) Form SSA form Sta$c single

Sta$c Single Assignment (SSA) Form SSA form Sta$c single

Sta$c Single Assignment (SSA) Form SSA form Sta$c single assignment form Intermediate representa$on of program in which every use of a variable

539 views • 34 slides
Xylem: Enhancing Vertical Thermal Conduction in 3D Processor-Memory Stacks Aditya Agrawal, Josep

Xylem: Enhancing Vertical Thermal Conduction in 3D Processor-Memory Stacks Aditya Agrawal, Josep

Xylem: Enhancing Vertical Thermal Conduction in 3D Processor-Memory Stacks Aditya Agrawal, Josep Torrellas and Sachin Idgunji University of Illinois at Urbana Champaign and Nvidia Corporation http://iacoma.cs.uiuc.edu MICRO, October 2017 Xylem

388 views • 18 slides
Dummy Dummy fetchDiscounts is a side effect, a dummy can replace it for testing Dummy - Unit

Dummy Dummy fetchDiscounts is a side effect, a dummy can replace it for testing Dummy - Unit

Dummy Dummy fetchDiscounts is a side effect, a dummy can replace it for testing Dummy - Unit Test Dummy - Unit Test The object has nothing to do with the assertion of this test Stub Stub The service is not a core piece of our function, just

711 views • 24 slides
Indicator Variables for Seasonal Time Series A simple way to estimate seasonal effects in a

Indicator Variables for Seasonal Time Series A simple way to estimate seasonal effects in a

Indicator Variables for Seasonal Time Series A simple way to estimate seasonal effects in a time series; e.g., for quarterly data: Set up four indicator (dummy) variables, one for each quarter; Use them as inputs in a regression

231 views • 10 slides
Evolving a CUDA Kernel from an nVidia Template W. B. Langdon CREST lab, Department of Computer

Evolving a CUDA Kernel from an nVidia Template W. B. Langdon CREST lab, Department of Computer

Evolving a CUDA Kernel from an nVidia Template W. B. Langdon CREST lab, Department of Computer Science 16a.7.2010 Introduction Using genetic programming to create C source code How? Why? Proof of concept: gzip on graphics card

390 views • 25 slides

More recommend