Towards an Open-Source, Formally-Verified Secure Processor Srini - - PowerPoint PPT Presentation

towards an open source formally verified secure processor
SMART_READER_LITE
LIVE PREVIEW

Towards an Open-Source, Formally-Verified Secure Processor Srini - - PowerPoint PPT Presentation

Sep 07, 2023 514 likes •960 views

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

slide-1
SLIDE 1

Srini Devadas Massachusetts Institute of Technology

Towards an Open-Source, Formally-Verified Secure Processor

slide-2
SLIDE 2

Architectural Isolation

  • f Processes

2

Fundamental to maintaining correctness and privacy!

slide-3
SLIDE 3

Performance Dictates Microarchitectural Optimization

3

Isolation Breaks Because of Shared Microarchitectural State!

slide-4
SLIDE 4

Domain of Victim Transmitter Secret Receiver Channel Access Secret Attacker

Pre-existing (RSA conditional execution example) Written by attacker (Meltdown) Synthesized out of existing victim code by attacker (Spectre)

Building a Transmitter

4

slide-5
SLIDE 5

5

  • Real systems: large, complex, cyberphysical

(not secure)

  • Introducing a spy:

Hypervisor, Bios CPU

Side Channels Gone Wild!

DRAM Chipset

Network Thread L1 $ L2 $

L3 $

DRAM Ctrl.

Disk

Main board

OS

sharing! sharing! sharing! App admins! users! vendors! users! admins!

slide-6
SLIDE 6

Philosophy

Build enclaves on an enclave platform, not just processes

6

slide-7
SLIDE 7

Enclaves strengthen the process abstraction

  • Processes guarantee isolation of memory
  • Enclaves provide a stronger guarantee

– No other program can infer anything private from the enclave program through its use of shared resources or shared microarchitectural state

  • Largely decouple performance considerations

from security

  • Minimally invasive hardware changes
  • Provable security under chosen threat model

7

slide-8
SLIDE 8

A Typical Computer Trusted Computing Base

TRUSTED! TRUSTED! CPU! ! DRAM! Chipset! Network! Thread! L1 $! L2 $! L3 $! DRAM Ctrl.! Disk! Main! board! Privelege! BIOS (SMM)! Hypervisor (Ring 0, VMX root) ! OS Kernel (Ring 0) ! App! App! (Ring 3) ! Software…! … Running on hardware! Secure App!

slide-9
SLIDE 9

Single-Chip Secure Processor:

Shrink the TCB

Protected Environment

Memory

I/O Trusted Software

Protect Identify

  • Enclave assumes trusted hardware +

trusted software “monitor”

  • Operating system is untrusted

9

  • From Edward Suh’s ICS 2003 Talk
slide-10
SLIDE 10

Enclave Enclave

Enclave Lifecycle (simplified)

10

Enclave binary image

Untrusted software (OS)

Create enclave, Grant resources Load enclave Seal enclave

Enclave

Enclave binary image Enclave binary image

  • Enclave can no

longer be modified from outside Enclave has a measurement for attestation

slide-11
SLIDE 11

Enclave Lifecycle (simplified)

11

Untrusted software (OS)

Create enclave, Grant resources Load enclave Seal enclave Enter enclave Exit enclave

Enclave binary image

  • (enclave executes in a

strongly isolated environment)

Platform erases (flushes) sensitive state

slide-12
SLIDE 12

Strong Isolation Goal

  • Any attack by a privileged attacker on the

same machine as the victim that can extract a secret inside the victim enclave, could also have been run successfully by an attacker on a different machine than the victim.

– No protection against an enclave leaking its own secrets through its public API.

  • Three strategies for isolation: Spatial isolation,

temporal isolation and cryptography

12

slide-13
SLIDE 13

Sanctum Design

Victor Costan, Ilia Lebedev Sanctum: Minimal Hardware Extensions for Strong Software Isolation

slide-14
SLIDE 14

Software Stack

User Supervisor Hypervisor Machine Hypervisor Host Application Enclave Security Monitor Measurement Root Enclave multiplexing Operating System Enclave management Enclave syscall shims Sanctum-aware runtime Non-sensitive code and data Sensitive code and data Enclave setup

slide-15
SLIDE 15

User Supervisor Hypervisor Machine Hypervisor Host Application Enclave Security Monitor Measurement Root Enclave multiplexing Operating System Enclave management Enclave syscall shims Sanctum-aware runtime Non-sensitive code and data Sensitive code and data Enclave setup

Software Stack

slide-16
SLIDE 16

Target: multi-core processor

(no hyperthreading, no speculation)

L3 Cache CBox Core L2 Cache L3 Cache Slice L3 Cache Slice CBox Core L2 Cache Home Agent CBox Core L2 Cache L3 Cache Slice L3 Cache Slice CBox Core L2 Cache QPI Packetizer Memory Controller DDR3 Channel Ring to QPI Ring to PCIe I/O Controller UBox QPI Link PCIe Lanes

slide-17
SLIDE 17

Microarchitectural State Isolation in Sanctum Enclaves

  • Resources exclusively granted to an enclave,

and scheduled at the granularity of process context switches are isolated temporally

– Register files, branch predictors, private caches, and private TLBs

  • Resources shared between processes on-

demand, with arbitrarily small granularity are isolated spatially by partitioning

– Shared caches and shared TLBs

17

slide-18
SLIDE 18

Operating System Manages Page Tables

Virtual Address Physical Address Mapping Page Tables Virtual Address Space Physical Address Space Address Translation Software DRAM System bus

slide-19
SLIDE 19

Practical Software Attack

  • n SGX “Simulators”
  • Microsoft Research, IEEE S&P 2015: Exploit

no-noise side channel due to page faults

19

slide-20
SLIDE 20

Page Table Isolation

Host application space Host application space EVRANGE A Enclave A Virtual Address Space Physical Memory Enclave A region Enclave A page tables Enclave A region Enclave B region Enclave B page tables OS region OS region OS page tables Host application space Host application space EVRANGE B Enclave B Virtual Address Space

slide-21
SLIDE 21

Partitioning to Prevent Timing Attacks

21

Line Offset l-1…0 Address Tag n-1…s+l Set Index s+l-1…l Memory Address … Set S-1, Way 1 Set S-1, Way W-1 Set S-1, Way 0

⋮ ⋱ ⋮ ⋮

Set i, Way 1 Set i, Way W-1 … Set i, Way 0

⋮ ⋮ ⋮ ⋱

Set 1, Way W-1 Set 1, Way 0 … Set 1, Way 1 Set 0, Way W-1 … Set 0, Way 1 Set 0, Way 0

Enclave OS

slide-22
SLIDE 22

Page Coloring

DRAM Region Index Cache Line Offset 5 6 11 Page Offset 12 14 Cache Set Index DRAM Stripe Index 15 17 20 18 Cache Tag Address bits used by 256 KB of DRAM Address bits covering the maximum addressable physical space of 2 MB Physical page number (PPN)

slide-23
SLIDE 23

Page Colors = DRAM Regions

MEMTOP Normal DRAM page colors Sanctum DRAM page colors / regions MEMTOP Region 0 Region 1 Region 2 Region 3 Region 4 Region 5 Region 6 Region 7 LLC set colors

slide-24
SLIDE 24

Page Colors = DRAM Regions

MEMTOP Normal DRAM page colors Sanctum DRAM page colors / regions MEMTOP Region 0 Region 1 Region 2 Region 3 Region 4 Region 5 Region 6 Region 7 LLC set colors

A little bit-shifting gets us a large contiguous DRAM region

slide-25
SLIDE 25

Sanctum Secure Processor

No Speculation, No Hyperthreading

RISCV Rocket Core, Changes required by Sanctum (+ ~2% of core)

Also requires 9 new config registers

slide-26
SLIDE 26

Formally Verifying Enclaves

Pramod Subramanyan, Rohit Sinha, Ilia Lebedev, Sanjit Seshia A Formal Foundation for Secure Remote Execution of Enclaves

slide-27
SLIDE 27

Rigorously modeling the adversary

Adversary := set of ops an attacker can use to tamper with or observe enclave state. Any combination of these can be used at any time. Threat model := ∪(observation function, tamper function, model initial state)

27

slide-28
SLIDE 28

Abstract Enclaves

An entity that can perform a well-defined set of TAP actions, and has these properties: Measurement := Different enclaves have different measurements (also inverse) Integrity := Modelled attacker cannot affect enclave state Confidentiality := Modelled attacker cannot

  • bserve enclave state

28

slide-29
SLIDE 29

Proving Statements with the TAP

29

There is no “processor”. There aren’t cores.

Check invariants Do an attacker action Init

  • perations

Do a victim action

The proof describes a CFG with “forks”. Proof searches this graph for a path that violates an invariant. Threat model = TAP API + space of attacker actions

slide-30
SLIDE 30

Refinement Proofs

30

  • SGX refines TAP, i.e., every operation is SGX is

an operation in TAP

  • Caveat: For a limited observation function
  • Sanctum refines TAP for a more powerful
  • bservation function
slide-31
SLIDE 31

Sanctum Status and Current Limitations

  • We have built an open-source Sanctum based
  • n the RISC-V ISA

– Low performance and area overhead to support enclaves – Ongoing formal verification effort

  • Sanctum is an academic, lightweight processor
  • Apply its design philosophy to speculative
  • ut-of-order (OOO) processors, which need

to protect against Spectre-style attacks

31

slide-32
SLIDE 32

MI6 Design

Thomas Bourgeat, Ilia Lebedev, Andrew Wright, Sizhuo Zhang, Arvind MI6: Secure Enclaves in a Speculative Out-of-Order Processor

slide-33
SLIDE 33

RiscyOO Processor

33

Rename

ROB

ALU IQ

Issue

Reg Read

Exec

Reg Write MEM IQ

Issue

Reg Read Addr Calc Update LSQ

Physical Reg File

L1 D TLB

LSQ (LQ + SQ)

Commit Issue Ld

Deq

Store Buffer

L1 D$

Resp Ld Issue St Resp St Rename Table Speculation Manager Epoch Manager Scoreboard

ALU pipeline MEM pipeline Load-Store Unit Front-end

Fetch Bypass

Last Level Cache

slide-34
SLIDE 34

RiscyOO Processor

34

Rename

ROB

ALU IQ

Issue

Reg Read

Exec

Reg Write MEM IQ

Issue

Reg Read Addr Calc Update LSQ

Physical Reg File

L1 D TLB

LSQ (LQ + SQ)

Commit Issue Ld

Deq

Store Buffer

L1 D$

Resp Ld Issue St Resp St Rename Table Speculation Manager Epoch Manager Scoreboard

ALU pipeline MEM pipeline Load-Store Unit Front-end

Fetch Bypass

Last Level Cache

Not speculating during entire program results in average 3X slowdown!

slide-35
SLIDE 35

Memory System:

Non-blocking Caches

L1 I$

L1 D$

L2 TLB

Cache Cross Bar Shared L2 $

Page Walk Cross Bar

Core 1 Coherent uncached loads

D TLB I TLB

DRAM

L1 I$

L1 D$

L2 TLB

Core N

D TLB I TLB

Coherent

slide-36
SLIDE 36

Memory System:

Non-blocking Caches

L1 I$

L1 D$

L2 TLB

Cache Cross Bar Shared L2 $

Page Walk Cross Bar

Core 1 Coherent uncached loads

D TLB I TLB

DRAM

L1 I$

L1 D$

L2 TLB

Core N

D TLB I TLB

Coherent

Unfair Cache Cross Bar is a microarchitectural side channel exploitable by attacker!

slide-37
SLIDE 37

MI6 Processor

37

Rename

ROB

ALU IQ

Issue

Reg Read

Exec

Reg Write MEM IQ

Issue

Reg Read Addr Calc Update LSQ

Physical Reg File

L1 D TLB

LSQ (LQ + SQ)

Commit Issue Ld

Deq

Store Buffer

L1 D$

Resp Ld Issue St Resp St Rename Table Speculation Manager Epoch Manager Scoreboard

ALU pipeline MEM pipeline Load-Store Unit Front-end

Fetch Bypass

Last Level Cache

All modules with private state are flushed on enclave entry and exit. Performance overhead ~ 5%.

slide-38
SLIDE 38

MI6 Processor

38

Rename

ROB

ALU IQ

Issue

Reg Read

Exec

Reg Write MEM IQ

Issue

Reg Read Addr Calc Update LSQ

Physical Reg File

L1 D TLB

LSQ (LQ + SQ)

Commit Issue Ld

Deq

Store Buffer

L1 D$

Resp Ld Issue St Resp St Rename Table Speculation Manager Epoch Manager Scoreboard

ALU pipeline MEM pipeline Load-Store Unit Front-end

Fetch Bypass

Last Level Cache

Last Level Cache is spatially partitioned. Performance overhead ~7%.

slide-39
SLIDE 39

MI6 Processor

39

Rename

ROB

ALU IQ

Issue

Reg Read

Exec

Reg Write MEM IQ

Issue

Reg Read Addr Calc Update LSQ

Physical Reg File

L1 D TLB

LSQ (LQ + SQ)

Commit Issue Ld

Deq

Store Buffer

L1 D$

Resp Ld Issue St Resp St Rename Table Speculation Manager Epoch Manager Scoreboard

ALU pipeline MEM pipeline Load-Store Unit Front-end

Fetch Bypass

Last Level Cache

Every memory instruction will be stalled at the rename stage until the ROB is empty.

slide-40
SLIDE 40

MI6 Processor

40

Rename

ROB

ALU IQ

Issue

Reg Read

Exec

Reg Write MEM IQ

Issue

Reg Read Addr Calc Update LSQ

Physical Reg File

L1 D TLB

LSQ (LQ + SQ)

Commit Issue Ld

Deq

Store Buffer

L1 D$

Resp Ld Issue St Resp St Rename Table Speculation Manager Epoch Manager Scoreboard

ALU pipeline MEM pipeline Load-Store Unit Front-end

Fetch Bypass

Last Level Cache

Speculation is stopped ONLY during enclave copy operations à

  • verhead is negligible.
slide-41
SLIDE 41

MI6 Processor

41

Rename

ROB

ALU IQ

Issue

Reg Read

Exec

Reg Write MEM IQ

Issue

Reg Read Addr Calc Update LSQ

Physical Reg File

L1 D TLB

LSQ (LQ + SQ)

Commit Issue Ld

Deq

Store Buffer

L1 D$

Resp Ld Issue St Resp St Rename Table Speculation Manager Epoch Manager Scoreboard

ALU pipeline MEM pipeline Load-Store Unit Front-end

Fetch Bypass

Last Level Cache

Area overhead for hardware modifications is ~2% not counting L1 cache, FPU, LLC slice.

slide-42
SLIDE 42

Challenge

  • ~10% performance overhead for enclaves
  • Enclaves trade expressivity for security

– Cannot make system calls directly – Dynamic memory allocation is a security risk – Interaction with the outside leaks information

  • Adaptivity with provable security? Crypto to

the rescue?

– Secure demand paging using page-level memory encryption, integrity verification and ORAM

42

slide-43
SLIDE 43

Thank you for your attention!

43

Acknowledgements

  • Edward Suh
  • Victor Costan
  • Ilia Lebedev
  • Chris Fletcher
  • Ling Ren
  • Albert Kwon
  • Sanjit Seshia
  • Pramod Subramanyan
  • Arvind
  • Thomas Bourgeat
  • Andrew Wright
  • Sizhuo Zhang
  • Kyle Hogan
  • Jules Drean
  • Rohit Sinha
  • NSF, DARPA, ADI, Delta