ACM/IEEE CODES+ISSS 2018, Turin, Italy PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca Piccolboni, Giuseppe Di Guglielmo and Luca P. Carloni Columbia University, NY, USA
Systems-on-Chip (SoCs) Are Vulnerable to Software Attacks PULPino Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI UART SPI M. APB [M. Gautschi et al., IEEE VLSI ’17] ACM/IEEE CODES + ISSS 2018, Turin, Italy 2 / 16
Attacking PULPino Buffer-Overflow Attack memory location: 0xAA val = 7 num = 10 int nt buff[10], k; fun = 0xAA int (*fun)(int) = foo; int int num = atoi (argv[1]); buff[9] = sw (7) int val = atoi (argv[2]); int ... /* this is a bad idea */ buff[1] = sw (7) for for (k = 0; k < num; ++k) buff[0] = sw (7) buff[k] = sw(val) ; fun(1); // call foo? main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 3 / 16
Attacking PULPino can be used to call a malicious function Buffer-Overflow Attack memory location: 0xAA val = 7 num = 11 int nt buff[10], k; fun = sw (7) int (*fun)(int) = foo; int num = atoi (argv[1]); int buff[9] = sw (7) int val = atoi (argv[2]); int ... /* this is a bad idea */ buff[1] = sw (7) for for (k = 0; k < num; ++k) buff[0] = sw (7) buff[k] = sw(val) ; fun(1); // call foo? main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 3 / 16
Attacking PULPino Dynamic Information Flow Tracking (DIFT) memory location: 0xAA val = 0xA val = 11 1 num = 0x7 num = 7 0 int nt buff[10], k; func = 0xAA fun = sw (7) 1 int (*fun)(int) = foo; int num = atoi (argv[1]); int buff[9] = sw (0x7) buff[9] = sw (7) 1 int val = atoi (argv[2]); int ... ... /* this is a bad idea */ buff[1] = sw (0x7) buff[1] = sw (7) 1 for for (k = 0; k < num; ++k) buff[0] = sw (0x7) buff[0] = sw (7) buff[k] = sw(val) ; 1 fun(1); // call fun main memory main memory tags [G. E. Suh et al., ACM ASPLOS ’04] ACM/IEEE CODES + ISSS 2018, Turin, Italy 3 / 16
Homogenous SoCs Now Secured with DIFT PULPino Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI UART SPI M. APB [M. Gautschi et al., IEEE VLSI ’17] DIFT Extensions [C. Palmiero et al., IEEE HPEC ’18] ACM/IEEE CODES + ISSS 2018, Turin, Italy 4 / 16
Heterogeneous SoCs No-More-Secured with DIFT PULPino Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI UART Loosely Coupled Loosely Coupled Accelerator #1 Accelerator #2 SPI M. APB [M. Gautschi et al., IEEE VLSI ’17] DIFT Extensions [C. Palmiero et al., IEEE HPEC ’18] ACM/IEEE CODES + ISSS 2018, Turin, Italy 5 / 16
Attacking PULPino (Again) Buffer-Overflow Attack val = 0xA val = 7 1 int nt buff[10] = {0}; num = 0x7 num = 11 0 int (*f)(int) = foo ; func = 0xAA fun = 0xAA 1 int num = atoi (argv[1]); int int val = atoi (argv[2]); int buff[9] = sw (0x7) buff[9] = 0 1 /* this is a bad idea */ ... ... hw(num, val, buff) ; buff[1] = sw (0x7) buff[1] = 0 1 buff[0] = sw (0x7) buff[0] = 0 1 main memory main memory tags ACM/IEEE CODES + ISSS 2018, Turin, Italy 6 / 16
Attacking PULPino (Again) can be used to call a malicious function Buffer-Overflow Attack val = 0xA val = 7 1 int nt buff[10] = {0}; num = 0x7 num = 11 0 int (*f)(int) = foo ; func = 0xAA fun = hw (7) 0 int num = atoi (argv[1]); int int val = atoi (argv[2]); int buff[9] = sw (0x7) buff[9] = hw (7) 0 /* this is a bad idea */ ... ... hw(num, val, buff) ; buff[1] = sw (0x7) buff[1] = hw (7) 0 buff[0] = sw (0x7) buff[0] = hw (7) 0 the accelerator is not able to propagate the tags main memory main memory tags ACM/IEEE CODES + ISSS 2018, Turin, Italy 6 / 16
Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators ACM/IEEE CODES + ISSS 2018, Turin, Italy 7 / 16
Contributions PULPino System-on-Chip Processor Data Instr. Boot. Core ( RI5CY) RAM RAM RAM AXI DIFT Shell UART DIFT Shell Loosely Coupled Loosely Coupled Accelerator #1 Accelerator #2 SPI M. APB ACM/IEEE CODES + ISSS 2018, Turin, Italy 7 / 16
Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators a) The shell design is independent from the design of the accelerators and vice versa b) The shell has low overheads on both the performance and cost of accelerators 2. We propose a metric to quantitatively measure the security guarantees provided by the shell ACM/IEEE CODES + ISSS 2018, Turin, Italy 7 / 16
Preliminaries Assumptions and Attack Model 1. The hardware is safe: no hardware Trojans 2. The software is not safe: it contains bugs and vulnerabilities useful for the attackers The attackers exploit these vulnerabilities through common I/O interfaces with the goal of affecting the integrity and/or the confidentiality of the hardware-accelerated software applications ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16
Preliminaries Tagging Scheme 1. Coupled Scheme value #1 tag #1 value #2 tag #2 value #3 tag #3 main memory tags [J. Porquet et al., ACM/IEEE CODES’13] ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16
Preliminaries Tagging Scheme 1. Coupled Scheme 2. Decoupled Scheme value #1 value #2 value #3 tag #1 protected region in tag #2 memory tag #3 main memory [J. Porquet et al., ACM/IEEE CODES’13] ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16
Preliminaries Tagging Scheme 1. Coupled Scheme 2. Decoupled Scheme 2.1. Interleaved Scheme value #1 tag #1 value #2 tag offset = # words in memory between two tag #2 consecutive values value #3 (tag offset = 1) tag #3 main memory [J. Porquet et al., ACM/IEEE CODES’13] ACM/IEEE CODES + ISSS 2018, Turin, Italy 8 / 16
Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators a) The shell design is independent from the design of the accelerators and vice versa b) The shell has low overheads on both the performance and cost of accelerators ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16
Accelerators Loosely Coupled Architecture Accelerator … configuration reg #1 reg #K register #1 register #2 ... register #K bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16
Accelerators Loosely Coupled Architecture Accelerator … … configuration configuration reg #1 reg #K load input compute burst length val val val input bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16
Accelerators Loosely Coupled Architecture Accelerator … configuration configuration reg #1 reg #K load input compute load load input val val val val val val bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16
Accelerators Loosely Coupled Architecture Accelerator … configuration reg #1 reg #K load input compute load load load input val val val val val val burst length store store output val val val output bank bank bank bank private local memory / scratchpad main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 9 / 16
DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator Accelerator ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16
DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator shell configuration register #1 src_tag dst_tag register #2 ... register #K reg. #K+1: src_tag reg. #K+2: dst_tag Accelerator main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16
DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator shell configuration src_tag dst_tag burst length val val src_tag shell load logic src_tag val tag val tag input if tag != src_tag DIFT_exception! Accelerator main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16
DIFT Shell DIFT Shell Loosely Coupled Architecture Accelerator shell configuration src_tag dst_tag burst length shell load logic dst_tag val val val tag val tag dst_tag output shell store logic val tag val tag Accelerator main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 10 / 16
Contributions 1. We propose PAGURUS, a methodology to design a circuit shell that adds DIFT support to accelerators a) The shell design is independent from the design of the accelerators and vice versa b) The shell has low overheads on both the performance and cost of accelerators 2. We propose a metric to quantitatively measure the security guarantees provided by the shell ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16
A Security Metric Definition value #1 value #2 src_tag value #3 input main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16
A Security Metric Definition value #1 [overwritten] DIFT Shell Loosely Coupled value #2 [overwritten] Accelerator val val val tag src_tag [overwritten] value #3 [overwritten] input value #1 output main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16
A Security Metric Definition value #1 [overwritten] DIFT Shell Loosely Coupled value #2 [overwritten] Accelerator val val val tag src_tag [overwritten] DIFT_exception! value #3 [overwritten] input Information Leakage value #1 • Quantitative metric for security output main memory ACM/IEEE CODES + ISSS 2018, Turin, Italy 11 / 16
Recommend
More recommend