hdfi hardware assisted data flow isolation
play

HDFI: Hardware-Assisted Data-flow Isolation Chengyu Song 1 , - PowerPoint PPT Presentation

Nov 18, 2022 •21 likes •311 views

HDFI: Hardware-Assisted Data-flow Isolation Chengyu Song 1 , Hyungon Moon 2 , Monjur Alam 1 , Insu Yun 1 , Byoungyoung Lee 1 , Taesoo Kim 1 , Wenke Lee 1 , Yunheung Paek 2 1 Georgia Institute of Technology 2 Seoul National University Memory

  1. HDFI: Hardware-Assisted 
 Data-flow Isolation Chengyu Song 1 , Hyungon Moon 2 , Monjur Alam 1 , Insu Yun 1 , Byoungyoung Lee 1 , Taesoo Kim 1 , Wenke Lee 1 , Yunheung Paek 2 1 Georgia Institute of Technology 2 Seoul National University

  2. Memory corruption vulnerability causes, by year Uninitialized use Exploitation Trends: From Potential Risk to Actual Risk, RSA 2015 2

  3. A simple stack overflow sp ). 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } ). 1 main: add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  4. A simple stack overflow ). 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  5. A simple stack overflow ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  6. A simple stack overflow ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); argv[1] 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  7. A simple stack overflow Code Injection ). ret addr 1 int main( int argc, const char *argv[]) { ROP char buf[16]; 2 strcpy(buf, argv[1]); argv[1] 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 3

  8. Defense mechanisms ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); canary 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 4

  9. Defense mechanisms ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 4

  10. Defense mechanisms ). ret addr 1 int main( int argc, const char *argv[]) { char buf[16]; 2 strcpy(buf, argv[1]); 3 return 0; 4 5 } buf shadow stack ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 4

  11. Limitations • Software: lacks good isolation mechanisms in 64-bit world • SFI and virtual address space: secure but expensive • Address randomization: efficient but insecure • Hardware: lacks flexibility • Context saving/restoring (setjmp/longjmp), deep recursion, kernel stack, etc. • Other data: code pointers, non-control data • Data shadowing: adds overheads • Breaks data locality, needs additional step to look up or reserved register(s) • Occupies additional memory 5

  12. Hardware-assisted data-flow isolation • Secure and efficient • Low performance overhead and strong security guarantees • Flexible • Capable of supporting different security model/mechanisms • Fine-grained • No more data-shadowing • Practical • Minimized hardware changes 6

  13. Data-flow Integrity [OSDI’06] Runtime data-flow should not deviate from static data-flow graph buf ). 1 main: sp add sp,sp,-32 2 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 li a0,0 7 ld ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 7

  14. Data-flow Integrity [OSDI’06] 0 Runtime data-flow should not deviate 0 from static data-flow graph 0 buf 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  15. Data-flow Integrity [OSDI’06] ret addr 0 3 Runtime data-flow should not deviate 0 from static data-flow graph 0 buf 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  16. Data-flow Integrity [OSDI’06] ret addr 0 6 3 Runtime data-flow should not deviate argv[1] 6 0 from static data-flow graph 0 6 buf 6 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  17. Data-flow Integrity [OSDI’06] ret addr Exception 6 3 0 Runtime data-flow should not deviate argv[1] 6 0 from static data-flow graph 0 6 buf 6 0 ). 1 main: sp add sp,sp,-32 2 0 sd ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 0 mv a0,sp ; char buff[16] 5 - ; strcpy(buff, argv[1]) call strcpy 6 0 li a0,0 7 ld ra,24(sp) 8 0 add sp,sp,32 9 jr ra ; return 10 0 7

  18. ISA extension • Tagged memory • Machine word granularity • Fixed tag size à currently only 1 bit (sensitive or not) • Three new atomic instructions to enable DFI-style checks • sdset1, ldchk0, ldchk1 • New semantic of old instructions (backward compatible) • sd : sdset0 • ld : now tag check 8

  19. Hardware extension • Cache extension • Extra bits in the cache line for storing the tag (reusing existing cache coherence interconnect) • Memory Tagger • Emulating tagged memory without physically extending the main memory 9

  20. Optimizations • Memory Tagger introduces additional performance overhead • Naive implementation: 2x memory accesses, 1 for data, 1 for tag • Three optimization techniques • Tag cache • Tag valid bits (TVB) • Meta tag table (MTT) 10

  21. Return address protection • Policy: return address should always have tag 1 • Benefits: secure and supports context saving/restoring, deep recursion, modified return address, kernel stack ). 1 main: add sp,sp,-32 2 ? sdset1 ra,24(sp) 3 ld a1,8(a1) ; argv[1] 4 mv a0,sp ; char buff[16] 5 - call strcpy ; strcpy(buff, argv[1]) 6 li a0,0 7 ? ldchk1 ra,24(sp) 8 add sp,sp,32 9 jr ra ; return 10 11

  22. Various applications 12

  23. Implementations • Hardware • RISC-V RocketCore generator: 2198 LoC • Instantiated on Xilinx Zynq ZC706 FPGA board • Software (RISC-V toolchain) • Assembler gas: 16 LoC • Kernel modifications: 60 LoC • Security applications: 170 LoC 13

  24. Effectiveness of optimizations • Memory bandwidth and latency • SPEC CINT2000 Benchmark Tag Cache +TVB +MTT +TVB+MTT Benchmark Tag Cache +TVB +MTT +TVB+MTT 164.gzip 16.09% 2.18% 6.85% 1.87% L1 hit 0% 0% 0% 0% 175.vpr 29.51% 3.26% 7.71% 1.43% L1 miss 14.47% 5.26% 14.47% 5.26% 181.mcf 36.89% 3.08% 13.66% -0.11% Copy 13.14% 4.44% 11.84% 4.26% 16.11% 2.27% 7.61% 1.53% 10.62% 4.79% 9.45% 4.67% 197.parser Scale 254.gap 12.19% 1.04% 6.53% 0.71% Add 4.37% 1.26% 4.13% 1.2% 256.bzip2 14.52% 2.65% 3.63% 0.84% Triad 9.66% 1.96% 8.8% 1.83% 300.twolf 26.71% 2.97% 7.37% 0.36% 14

  25. Security experiments • With synthesized attacks Mechanism Attacks Result X Shadow stack RIPE Heap metadata protection Heap exploit X VTable protection VTable hijacking X X Code pointer separation (CPS) RIPE Code pointer separation (CPS) Format string exploit X Kernel protection Privilege escalation X X Private key leak prevention Heartbleed 15

  26. Impacts on security solutions • Security • Hardware-enforced isolation Application Language LoC • Simplicity Shadow Stack C++ (LLVM 3.3) 4 VTable Protection C++ (LLVM 3.3) 40 • No data shadowing CPS C++ (LLVM 3.3) 41 • Usability Kernel Protection C (Linux 3.14.41) 70 • Implementation/port is very easy Library Protection C (glibc 2.22) 10 Heartbleed Prevention C (OpenSSL 1.0.1a) 2 16

  27. Impacts on security solutions (cont.) • Efficiency Benchmark Shadow stack (GCC) SS+CPS (Clang) • GCC (-O2) 164.gzip 1.12% 2.42% 181.mcf 1.76% 3.54% • Clang (-O0) 3.34% 13.23% 254.gap 3.05% 4.61% 256.bzip2 17

  28. Security analysis • Attack surface • Inaccuracy of data-flow analysis • Deputy attacks • Best practice • CFI is necessary (e.g., CPS + shadow stack) • Recursive protection of pointers • Guarantee the trustworthiness of the written value • Use runtime memory safety technique to compensate inaccuracy of static analysis 18

Recommend

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated

HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated

HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated in previous lectures, SDF graphs are particularly well-suited for map- ping directly into hardware For SDFs with single-rate schedules, all actors

109 views • 7 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware is parallel while software is sequential We need concurrent high-level models to allow designers to describe systems that are independent of

574 views • 12 slides
DATA FLOW ORIENTED HARDWARE DESIGN OF RNS-BASED POLYNOMIAL MULTIPLICATION FOR SHE ACCELERATION

DATA FLOW ORIENTED HARDWARE DESIGN OF RNS-BASED POLYNOMIAL MULTIPLICATION FOR SHE ACCELERATION

Jol Cathbras Alexandre Carbon Peter Milder Renaud Sirdey Nicolas Ventroux DATA FLOW ORIENTED HARDWARE DESIGN OF RNS-BASED POLYNOMIAL MULTIPLICATION FOR SHE ACCELERATION Conference on Cryptographic Hardware and Embedded Systems 2018 |

1.01k views • 35 slides
System-on-Chip Design Data Flow hardware Implementa8on Hao Zheng Dept. Comp Sci & Eng U of

System-on-Chip Design Data Flow hardware Implementa8on Hao Zheng Dept. Comp Sci & Eng U of

System-on-Chip Design Data Flow hardware Implementa8on Hao Zheng Dept. Comp Sci & Eng U of South Florida haozheng@usf.edu (813) 9744757 1 Single-Rate SDF to Hardware Single-rate SDF: all producJon/consumpJon rates are a fixed number

395 views • 13 slides
HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance

HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance

HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance Coats Jian Huang Systems Platform Research Group Non-Volatile Memory is a Revolutionary Technology Close-to-DRAM Performance Data

367 views • 21 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in

x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in

x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in safe environment key mechanism: hardware support hardware gives VM monitor control when needed backup mechanism: emulation, binary translation 2

1.34k views • 118 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Two- and Multi-particle Cumulant Measurements of v n and Isolation of Flow and Nonflow in

Two- and Multi-particle Cumulant Measurements of v n and Isolation of Flow and Nonflow in

Two- and Multi-particle Cumulant Measurements of v n and Isolation of Flow and Nonflow in 200 GeV Au+Au Collisions by STAR = s NN Li Yi (for the STAR collaboration) Purdue University Aug. 15th, 2012 Outline Physics motivation

489 views • 35 slides
The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko Julius-Maximilians-Universitt Wrzburg alexandra.dmitrienko@uni-wuerzburg.de SEPTEMBER 9 13, 2019 CROSSING Summer School on Sustainable Security & Privacy

2.37k views • 187 slides
Entity declaration mode: in: flow into the circuit out: flow out of the circuit

Entity declaration mode: in: flow into the circuit out: flow out of the circuit

Outline 1. Basic VHDL program Basic Language Constructs of 2. Lexical elements and program format 3. Objects VHDL 4. Data type and operators RTL Hardware Design Chapter 3 1 RTL Hardware Design Chapter 3 2 by P. Chu by P. Chu Design

375 views • 10 slides
Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory Jungi Jeong , Chang Hyun Park, Jaehyuk Huh, and Seungryoul Maeng International Symposium on Microarchitecture (MICRO) 2018 Storage-Class Memory

1.95k views • 155 slides
Flow Isolation Matt Mathis ICCRG at IETF 77 3/23/2010 Anaheim CA

Flow Isolation Matt Mathis ICCRG at IETF 77 3/23/2010 Anaheim CA

Flow Isolation Matt Mathis ICCRG at IETF 77 3/23/2010 Anaheim CA http://staff.psc.edu/mathis/papers FlowIsolation20100323.{pdf,odp} = The origin of TCP friendly Rate = RTT p MSS 0.7 [1997] Inspired TCP

649 views • 36 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
Returning data-flow to asynchronous programming Matt Gilbert, Senior Staff Engineer, Qualcomm

Returning data-flow to asynchronous programming Matt Gilbert, Senior Staff Engineer, Qualcomm

Returning data-flow to asynchronous programming Matt Gilbert, Senior Staff Engineer, Qualcomm Technologies, Inc. 2018-04-16 Background Hardware design focuses on information flow (data and control): how do you compose the pieces of

601 views • 12 slides
An FPGA-Based Scalable Hardware Scheduler For Data-Flow Models Roberto Giorgi, Marco Procaccini,

An FPGA-Based Scalable Hardware Scheduler For Data-Flow Models Roberto Giorgi, Marco Procaccini,

IWES 2018 Third Italian Workshop on Embedded Systems Siena 13-14 September 2018 An FPGA-Based Scalable Hardware Scheduler For Data-Flow Models Roberto Giorgi, Marco Procaccini, Farnam Khalili University of Siena, Italy The end of Dennard

485 views • 19 slides
Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1

Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1

Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1 Fengwei Zhang 1 Weisong Shi 1 Larry Shi 2 1 Wayne State University 2 University of Houston November 21, 2019 1 Overview of The Talk Motivation

575 views • 24 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
Isolation William Arthur , Sahil Madeka, Reetuparna Das, Todd Austin MICRO, Waikiki, Hawaii, US

Isolation William Arthur , Sahil Madeka, Reetuparna Das, Todd Austin MICRO, Waikiki, Hawaii, US

Locking Down Insecure Indirection with Hardware-Based Control-Data Isolation William Arthur , Sahil Madeka, Reetuparna Das, Todd Austin MICRO, Waikiki, Hawaii, US December 7 th 2015 Goal of this work MAKE SOFTWARE MORE SECURE Reducing the

654 views • 32 slides

More recommend