seclabel enhancing risc v platform security with labelled
play

SecLabel: Enhancing RISC-V Platform Security with Labelled - PowerPoint PPT Presentation

May 04, 2023 •258 likes •795 views

SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture Zhenyu Ning 1,2 , Yinqian Zhang 3 , and Fengwei Zhang 2 1 Wayne State University, 2 Southern University of Science and Technology, 3 The Ohio State University Outline

  1. SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture Zhenyu Ning 1,2 , Yinqian Zhang 3 , and Fengwei Zhang 2 1 Wayne State University, 2 Southern University of Science and Technology, 3 The Ohio State University

  2. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 2

  3. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 3

  4. Introduction • The RISC-V architecture is well-known for its open nature. Open Source, No License fee • Open to new design and extension • • Open to challenge. Security problems in x86 and ARM architecture remains on RISC-V platforms. • E.g., pointer integrity, memory boundary protection, and dynamic taint • analysis. SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 4

  5. Introduction Any effective defense on RISC-V? SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 5

  6. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 6

  7. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 7

  8. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 8

  9. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 x1 = addr3 Code-pointer else Attack x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 9

  10. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 0 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 10

  11. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 2 x1 = addr1 else x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 11

  12. Pointer Integrity • To ensure that the pointer is not corrupted. Code-pointer Integrity and Data-pointer Integrity. • if *x0 = 0 then *x0 = 2 x1 = addr1 x1 = addr2 Data-pointer else Attack x1 = addr2 jmp to x1 SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 12

  13. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … Params Return Addr Frame Pointer Local Var a Local Var b Local Var c Stack Pointer … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 13

  14. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … Params Return Addr Frame Pointer Local Var a Local Var b Local Var c Stack Pointer … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 14

  15. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Frame Pointer Attack Local Var a Local Var a Local Var b Local Var b Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 15

  16. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Frame Pointer Attack Local Var a Local Var a Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 16

  17. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Frame Pointer Attack Local Var a Random data Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 17

  18. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Return Addr Buffer Overflow Frame Pointer Random data Attack Local Var a Random data Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 18

  19. Pointer Integrity: Buffer Overflow Start of the attack: In most cases, a buffer overflow vulnerability. • … … Params Params Return Addr Modified Addr Buffer Overflow Frame Pointer Random data Attack Local Var a Random data Local Var b Random data Local Var c Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 19

  20. Pointer Integrity: Canary Stack Canary [1] : The most widely used defense to buffer overflow attack. • … … Params Params Return Addr Modified Addr Buffer Overflow Frame Pointer Random data Attack Canary Random data Local Var a Random data Local Var b Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 20

  21. Pointer Integrity: Canary Stack Canary [1] : The most widely used defense to buffer overflow attack. • … … Params Params Return Addr Modified Addr Buffer Overflow Frame Pointer Random data Attack Canary is changed Canary Random data by overflow Local Var a Random data Local Var b Stack Pointer Random data Stack Pointer … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 21

  22. Pointer Integrity: Canary Stack Canary [1] : The most widely used defense to buffer overflow attack. • Weakness: • Easy to bypass [2] • Not efficient to defend against data-pointer attack • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 22

  23. Pointer Integrity: PAC Pointer Authentication Code [3] is introduced in 64-bit ARMv8.3 architecture. • 0 63 A pointer in 64-bit system Is it really necessary to use a 64-bit address? SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 23

  24. Pointer Integrity: PAC Is it really necessary to use a 64-bit address? 2 64 bit = 16384 PB = 16.8 millions TB = 17.2 billions GB • Summit : 10 PB memory • Sunway TaihuLight : 1.32 PB memory • Linux : Up to 128 TB virtual memory • Windows : Up to 16 TB virtual memory • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 24

  25. Pointer Integrity: PAC Pointer Authentication Code [3] is introduced in 64-bit ARMv8.3 architecture. • 0 63 A pointer in 64-bit system SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 25

  26. Pointer Integrity: PAC Pointer Authentication Code [3] is introduced in 64-bit ARMv8.3 architecture. • 63 54 48 47 0 PAC Virtual Address Pointer Value + 64-bit Context Value + 128-bit Secret Key => PAC • Up to 48 bits for virtual address, and at least 7 bits for PAC • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 26

  27. Pointer Integrity: PAC PAC is good, but the deployment is painful. • The mechanism is released with ARMv8.3 architecture since 2016. • ARM does not release any processor with ARMv8.3 till now. • The only processors with PAC support are Apple A12 and A13. • Closed ecosystem. • No available to system developers. • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 27

  28. Pointer Integrity: RISC-V RISC-V based PAC • A group of new hardware instructions • Forge PAC, examine PAC, strip PAC • New registers for storing the 128-bit secret key • Secret keys for data pointers and code pointers • Hardware-based crypto engine • Generate PAC from pointer and 64-bit context value • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 28

  29. Outline Introduction • Pointer Integrity • Memory Boundary Protection • Dynamic Taint Analysis • Implementation • Conclusion • SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 29

  30. Memory Boundary Protection • To ensure the memory access won’t go out of its expected boundary. … … a[0] a[0] a a a[1] a[1] int a[10]; … a[8] = 1 … a[8] a[8] a[8] a[9] a[9] … … SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture 30

Recommend

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore Architectures on FPGA First Workshop on Computer Architecture Research with RISC-V (CARRV) @ MICRO 50 2017-10-14 Andreas Kurth Pirmin Vogel Alessandro

216 views • 21 slides
ENHANCING SCIENTIFIC COMPUTATION USING A VARIABLE PRECISION FPU WITH A RISC-V PROCESSOR Y.Durand,

ENHANCING SCIENTIFIC COMPUTATION USING A VARIABLE PRECISION FPU WITH A RISC-V PROCESSOR Y.Durand,

ENHANCING SCIENTIFIC COMPUTATION USING A VARIABLE PRECISION FPU WITH A RISC-V PROCESSOR Y.Durand, C.Fabre, A. Bocco, T. Trevisan | IMPRENUM Project | Oct 2019 | 1 USE CASES FOR (LARGE) VARIABLE PRECISION Applications Techniques & Kernels

317 views • 8 slides
Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement

Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement

Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement Red Hat When RISC-V Grows Up... The ISA is only a small part of a product What we need is to be dead boring To get there, we need:

300 views • 13 slides
Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Presented by: Joris Jonkers Both & Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1 Introduction RISC-V64 - Like ARM but open source - One

524 views • 37 slides
RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC Chair CHES 2018 Rump Session, Amsterdam, September 10 th 2018 A security standing committee for the RISC-V Foundation RISC-V Foundation; a

211 views • 4 slides
RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow

RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow

RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow RISCV Security Standing Committee Chair CHES 2019 @ Atlanta 08/26/2019 Outline RISCV Foundation Security Standing Committee Creation and

350 views • 33 slides
Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related RISC-V Task Groups 2 About the TEE Task Group One of the most popular groups (112 registered members) Regular conference calls / mailing list

675 views • 13 slides
HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data

HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data

HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data Security February 2016 Data Security Impacts Design and Delivery of Big Data Projects Data Security frequently is a leading Role Security Impacts

545 views • 23 slides
On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs Robert Rothenberg 1 2 1 School of Computer Science University of St Andrews 2 Interactive Information, Ltd Edinburgh Workshop in Honour of Roy

393 views • 26 slides
The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th

The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th

The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th March 2019 Structure of this talk Introduction to RISC-V RISC-V status Selected RISC-V topics RISC-V and open hardware: the future

733 views • 28 slides
Ho How w to o Bui Build & Secur cure a RISC-V Em Embe bedde ded System HARDWEAR.IO,

Ho How w to o Bui Build & Secur cure a RISC-V Em Embe bedde ded System HARDWEAR.IO,

Ho How w to o Bui Build & Secur cure a RISC-V Em Embe bedde ded System HARDWEAR.IO, September 2019 Cesare Garlati, Sandro Pinto RISC-V ISA Security Building Blocks Privi vilege lege Levels vels & Contro rol l and Status

120 views • 11 slides
Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail in the instruction set wars? Describe a simple RISC ISA called DLX 2. Designing a simple DLX processor: Single Cycle Implementation Multiple

1.01k views • 21 slides
Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail

Roadmap 1. Instruction Set Architectures (ISA) What is CISC? What is RISC? Why did RISC prevail in the instruction set wars? Describe a simple RISC ISA called DLX 2. Designing a simple DLX processor: Single Cycle Implementation Multiple

753 views • 11 slides
Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017 Introduction: SECURITY REQUIRES A LAYERED APPROACH NXPs 4 + 1 Layer approach for vehicle cyber security: Multiple security techniques, at different

485 views • 19 slides
Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters Rockville, MD Sept 4, 2008; 9:30 a.m. 12 noon 1 AGENDA Welcome Patricia Trish Holahan, Director Division of Security Operations (DSO)

479 views • 14 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Protein NMR What do you need for the assignment? To prepare isotopically labelled protein ( 13

Protein NMR What do you need for the assignment? To prepare isotopically labelled protein ( 13

Protein NMR What do you need for the assignment? To prepare isotopically labelled protein ( 13 C, 15 N labelled media) To know the amino acid sequence To record several multiple-dimensional experiments To install appropriate

321 views • 19 slides
WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation

WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation

WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation PRESENTED BY Rea Adm BORIN KHUN Deputy Secretary General, National Committee for Maritime Security. Phnom Penh, May 25 2012. INTRODUCTION THE

720 views • 7 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE Maritime Security - Commercial Shipping Security - Cruise Liner Security - Super-Yacht Security Maritime Security Services UCP GROUP is a market

247 views • 22 slides
LOGIC TECHNOLOGY FOR CS EDUCATION RISCAL The RISC Algorithm Language Wolfgang Schreiner

LOGIC TECHNOLOGY FOR CS EDUCATION RISCAL The RISC Algorithm Language Wolfgang Schreiner

LOGIC TECHNOLOGY FOR CS EDUCATION RISCAL The RISC Algorithm Language Wolfgang Schreiner Research Institute for Symbolic Computation (RISC) Wolfgang.Schreiner@risc.jku.at http://www.risc.jku.at Systematic Problem Solving A key competence

1.25k views • 73 slides
LOGIC TECHNOLOGY FOR CS EDUCATION RISCAL The RISC Algorithm Language Wolfgang Schreiner

LOGIC TECHNOLOGY FOR CS EDUCATION RISCAL The RISC Algorithm Language Wolfgang Schreiner

LOGIC TECHNOLOGY FOR CS EDUCATION RISCAL The RISC Algorithm Language Wolfgang Schreiner Research Institute for Symbolic Computation (RISC) Wolfgang.Schreiner@risc.jku.at http://www.risc.jku.at Systematic Problem Solving A key competence

592 views • 24 slides
PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the

PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the

ENHANCED TOOLS FOR RISC-V PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the leading provider of RISC-V processor IP Codasip Bk : A portfolio of RISC-V processors Uniquely providing design automation tools

318 views • 9 slides
Enhancing global security through space Enhancing global security through space the role of

Enhancing global security through space Enhancing global security through space the role of

Enhancing global security through space Enhancing global security through space the role of COPUOS and UNOOSA the role of COPUOS and UNOOSA ACUNS Annual Meeting ACUNS Annual Meeting New Security Challenges New Security Challenges

669 views • 18 slides

More recommend