Instruction Caches in Static WCET Analysis of Artificially Diversified Software
Joachim Fellmuth, Thomas Göthel, Sabine Glesner
Technische Universität Berlin, Software and Embedded Systems Engineering (SESE)
ECRTS 2018, Barcelona
Sections: Introduction | Background | Cache Analysis for Diverse Programs | Evaluation | Conclusion

Slide 2/18: Motivation
Cyber-physical systems (CPS)
  - omnipresent
  - safety-critical, hard real-time requirements
  - highly interconnected → large attack surface
Security: important development aspect
  - unsafe languages enable code-reuse attacks → use knowledge of the system's memory
Artificial software diversity
  - hides memory layout (e.g. randomize instruction addresses)
  - copes with unknown attack types
  - WCET-aware security increase possible [FHPG17]
SESE Static Cache Analysis for Diverse Software 2/18 Joachim Fellmuth
Slide 3/18: Problem
Problem: uncertainty induces pessimism in WCET analysis
  - timing impact of some randomized diversification techniques unpredictable [DDNS12, LHBF14, Coh93, FSA97, WMHL12]
  - WCET hardware analyses rely on full knowledge of the program addresses
  - state-of-the-art cache analyses not able to produce an upper-bound estimate for all program variants [HJR11, ZK15, BC08, Cul13, LGR+16]
  - "all miss" has to be assumed as worst-case cache behavior
Slide 4/18: Proposed Solution
Our goal: efficient WCET cache analysis for diverse programs
  - powerful diversity approach
  - reuse established analyses, compatible with IPET
  - tight worst-case estimate over all variants
Approach:
  - relocation and reordering of code fragments
  - introduce uncertainty into WCET cache analysis
  - aggregate results for all variants per basic block
Slide 5/18: Outline
1 Background: Artificial software diversity; WCET Analysis
2 Cache Analysis for Diverse Programs: Must Analysis; Further Analyses
3 Evaluation
4 Conclusion
Slide 7/18: Artificial software diversity
Semantically equivalent program variants
  → different program layout in memory
  → exploit compiler decisions to obtain variants
We use relocation and reordering of rearrangeable code parts (fragments)
  → no changes to instructions (code size) and CFG
  → predictable behavior over all variants
  → covers the entire instruction memory
Different fragment granularities possible → segment, function, or block level
Slide 8/18: Cache analysis: Must (LRU)
[Figure: worked example on a CFG with basic blocks bb1..bb7 and an LRU cache with A=2 (set 1 / set 2, ways i1 / i2). Build-up steps shown on the slide:]
  - CFG creation
  - assign cache blocks and sets
  - Abstract Cache State (ACS), one entry per age (age 1, age 2), filled using a fix-point algorithm
  - ACS update function
  - ACS join function
  - Diversity: alternative node location (bb5') → different number of memory blocks
  - Diversity: different fragments (fragment a, fragment b) → conflicts unknown
Slide 10/18: Cache Analysis for Diverse Programs
Uncertainty of relocation and reordering in the Abstract Cache State
  - every basic block (BB) belongs to a fragment
  - distances to a BB are only known within this fragment
    → one "virtual" cache per fragment
    → regular cache replacement within the fragment
    → cache contents of other fragments subject to worst-case behavior
  - depends on offset within set → cache behavior is equal over all sets
    → fragment starts at 0 plus offset
    → one cache representation for each possible offset
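The Must (LRU) machinery sketched on slide 8 (abstract cache state, update and join functions, fix-point over the CFG) combined with the per-fragment, per-offset idea of this slide, as one worked example. This is code added here for illustration, not the authors' implementation: the cache geometry (16-byte lines, 2 sets, A=2, 4-byte instructions), the CFG, the fragment names and the treatment of fetches from other fragments (each one ages every set by one, a crude worst case; the slides only say those contents are "subject to worst-case behavior") are all assumptions.

```python
"""Location-tolerant LRU must-cache analysis (added worked example, not the
authors' code). It follows the slides' idea of one "virtual" cache per
fragment and one abstract cache state (ACS) per possible start offset, with
regular LRU replacement inside the fragment. The rule for fetches from other
fragments is an assumption made here: each is treated as a conflict of unknown
location that ages every set by one. Geometry and CFG are constructed."""

LINE, SETS, ASSOC, INSN = 16, 2, 2, 4   # assumed: line bytes, sets, ways (A=2), insn bytes

def empty_acs():
    # acs[set][age] = blocks guaranteed in the cache with at most that age
    return [[frozenset() for _ in range(ASSOC)] for _ in range(SETS)]

def acs_update(acs, s, block):
    """Must-ACS update for an LRU access to `block` in set `s`."""
    ways = acs[s]
    hit = next((h for h, w in enumerate(ways) if block in w), ASSOC)
    # blocks younger than the accessed one (all of them on a miss) age by one
    new = [frozenset({block})] + [w - {block} for w in ways[:hit]] + [frozenset()] * ASSOC
    for h in range(hit, ASSOC):          # ages at/after the hit keep their blocks
        new[h] |= ways[h] - {block}
    out = list(acs)
    out[s] = new[:ASSOC]                 # on a miss the oldest age falls out
    return out

def acs_age_all(acs):
    """Worst case for a fetch whose cache set is unknown: age every set."""
    return [[frozenset()] + ways[:-1] for ways in acs]

def acs_join(a, b):
    """Must join: keep only blocks present in both states, at the older age."""
    age = lambda ways: {blk: h for h, w in enumerate(ways) for blk in w}
    out = []
    for wa, wb in zip(a, b):
        aa, ab = age(wa), age(wb)
        out.append([frozenset(blk for blk in aa.keys() & ab.keys()
                              if max(aa[blk], ab[blk]) == h) for h in range(ASSOC)])
    return out

def transfer(acs, offset, frag, fetches):
    """Run one basic block; return (out state, per-fetch classification)."""
    classes = []
    for f, addr in fetches:
        if f != frag:
            classes.append("EXT")            # other fragment: not tracked here
            acs = acs_age_all(acs)
            continue
        block = (offset + addr) // LINE      # block number relative to fragment
        s = block % SETS
        classes.append("AH" if any(block in w for w in acs[s]) else "NC")
        acs = acs_update(acs, s, block)
    return acs, classes

def analyze(cfg, entry, frag):
    """Classify every fetch of `frag`: AH only if it is a guaranteed hit for
    every start offset inside a line, else NC. Shifting a fragment by whole
    sets does not change which of its blocks conflict, so offsets 0..LINE-1
    suffice. cfg: {node: (successors, [(fragment, rel_addr), ...])}."""
    preds = {n: [p for p, (succ, _) in cfg.items() if n in succ] for n in cfg}
    offsets, out = range(0, LINE, INSN), {}

    def state_in(n, off):
        if n == entry:
            return empty_acs()               # nothing is known at program entry
        avail = [out[(p, off)] for p in preds[n] if (p, off) in out]
        acs = avail[0] if avail else None
        for a in avail[1:]:
            acs = acs_join(acs, a)
        return acs

    changed = True
    while changed:                           # fix-point iteration over the CFG
        changed = False
        for n, (_, fetches) in cfg.items():
            for off in offsets:
                acs = state_in(n, off)
                new = transfer(acs, off, frag, fetches)[0] if acs is not None else None
                if new is not None and out.get((n, off)) != new:
                    out[(n, off)], changed = new, True

    result = {}
    for n, (_, fetches) in cfg.items():
        per_off = [transfer(state_in(n, o), o, frag, fetches)[1] for o in offsets]
        result[n] = ["EXT" if "EXT" in c else "AH" if all(x == "AH" for x in c)
                     else "NC" for c in zip(*per_off)]
    return result

# Constructed CFG: bb1 -> bb2 -> bb3 -> {bb2, bb4}. Fragment "a" is analysed;
# the fetch from fragment "b" in bb3 is a conflict of unknown location.
CFG = {
    "bb1": (["bb2"], [("a", 0), ("a", 4), ("a", 8), ("a", 12)]),
    "bb2": (["bb3"], [("a", 16), ("a", 20)]),
    "bb3": (["bb2", "bb4"], [("b", 0), ("a", 4)]),
    "bb4": ([], [("a", 8)]),
}

def run_example():
    return analyze(CFG, "bb1", "a")
```

run_example() returns the classification per basic block. In the constructed CFG the second fetch of bb2 is a hit for three of the four offsets but becomes a miss when the fragment starts 12 bytes into a line, because the block boundary moves (the slide's "different number of memory blocks"), so it stays NC; the fetch of fragment a after the foreign fetch in bb3 is AH because with A=2 one unknown conflict cannot evict a block that was just used. Raising the number of foreign fetches in bb3 to two would make that fetch NC as well.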
Slide 11/18: Location-tolerant Must analysis
[Figure: regular CFG with basic blocks bb1..bb7.]