the ascend secure processor
play

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work - PowerPoint PPT Presentation

Mar 03, 2023 •543 likes •923 views

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas, Marten van Dijk Ling Ren, Albert Kwon, Xiangyao Yu Elaine Shi & Emil Stefanov David Wentzlaff & Princeton Team (Mike, Tri, Jonathan,

  1. The Ascend Secure Processor Christopher Fletcher MIT 1

  2. Joint work with • Srini Devadas, Marten van Dijk • Ling Ren, Albert Kwon, Xiangyao Yu • Elaine Shi & Emil Stefanov • David Wentzlaff & Princeton Team (Mike, Tri, Jonathan, Alexey, Yaosheng) • Omer Khan 2

  3. Last talk: Intel SGX Data Integrity MEE Address Timing 3

  4. Ascend Processor This talk Data Integrity Memory controller Address Timing 4

  5. Outline • Motivation + Oblivious RAM (ORAM) primer • ORAM in Hardware • Demo  5

  6. If ( secret variable ) { Op Address Time R 0 1 … scan memory … W 1 10 } R 5 15 R 6 16 R 7 17 Binary search • SGX broken through page faults [Xu et al.’15] • Shared library usage [Zhuang et al.’04] • Search queries [Islam et al.’12] 6

  7. Oblivious RAM (ORAM) [Goldreich- Ostrovsky’96] Chip pins On-chip Cache miss ORAM Shuffled Controller Provably removes all access pattern leakage 7

  8. ORAM security definition • Access is 3 tuple: ( op = Read/write, address , data ) • Consider access sequences A and A’ A = [ (op 1 , address 1 , data 1 ), (op 2 , address 2 , data 2 ), … ] A’ = [ (op 1 ’, address 1 ’, data 1 ’), (op 2 ’, address 2 ’, data 2 ’), … ] • If |A| == |A’| then ORAM(A) ≈ ORAM(A’) 8

  9. Path ORAM [CCS’13] “The ORAM” Chip pins ORAM Controller (on-chip) Read/writes 9

  10. Block assigned to random path. Block lives on that path . A, 2 Off-chip B, 3 PosMap A, 2 B, 3 Path 1 2 3 4 10

  11. Chip pins Empty space = dummy encryptions Not Encrypted Encrypted Off-chip B, 3 PosMap A, 2 A, 2 dummy B, 3 dummy dummy dummy dummy Path 1 2 3 4 11

  12. Path ORAM Access: Read+write the path the block is assigned to. 12

  13. Path ORAM Access: Read+write the path the block is assigned to. Off-chip B, 3 PosMap dummy A, 2 4 A, 2 dummy dummy B, 3 A, 4 B, 3 dummy dummy dummy dummy Stash Path 1 2 3 4 13

  14. Typically, 4 slots per bucket “Z=4” Off-chip B, 3 Z=1 …for simplicity dummy dummy dummy dummy dummy Path 1 2 3 4 14

  15. Too big! Off-chip B, 3 A, 4 A, 4 B, 3 15

  16. Map recursion [Shi et al., 11] PosMap ORAM PosMap ORAM 2 Block On-chip On-chip Map’ Map’ Map A, 4 B, 3 Small enough Smaller 16

  17. Map recursion [Shi et al., 11] On-chip PosMap PosMap PosMap Data ORAM ORAM 1 ORAM 2 17

  18. Path ORAM summary Blocks assigned to paths. B Access block: Read+write path. Adversary sees: random paths. 4 2 3 1 18

  19. ORAM in Hardware 19

  20. First ORAM Ascend in silicon in silicon • Collaboration with David Wentzlaff’s group @ Princeton MIT Team 20

  21. First silicon fully functional @ 500 MHz & .9 V Design (Verilog) Open Source 21

  22. Blocks must live on assigned path or in stash . Can overflow Off-chip PosMap A, 4 B, 2 A, 4 B, 2 Stash Path 1 2 3 4 22

  23. Blocks must live on assigned path or in stash . Off-chip Bottleneck in prior work [Maas et al. ‘13] PosMap Causes 3 X avg. slowdown on SPEC. A, 4 B, 2 A, 4 B, 2 Stash Path 1 2 3 4 23

  24. Bit blasted stash eviction [FCCM’15] Bit vectors Path block , Path evict , occ Can be pipelined def evict( Path block , Path evict , occ ): t 1 = Path block ⊕ Path evict evict() t 2 = bit_reverse( ( (t 1 Ʌ – t 1 ) – 1) Ʌ occ ) ~ circuit ret bit_reverse( t 2 Ʌ – t 2 ) occ ’ ≈ greatest common prefix 24

  25. Simple design, no performance bottleneck. 25

  26. Integrity protection for ORAM ORAM Cache miss Shuffled Overlay Hash tree 26

  27. ORAM logic Test harness SHA-3 One SHA-3 unit FPGA Prototype 27

  28. Cheap Integrity Scheme [ASPLOS’15] • Per-block MAC { Block data , Hash(Block data , Block addr, counter ) } • Good: Hash 1 block, NOT path • Bad: Need to store counters on-chip • Replace entries in map with counters! 28

  29. Block A’’ MAC K ( Counter || A’’ || data) Want: Path P = PosMap[A] Counter for A’’’ + 1 A’’’+1 Counter for A’’’ A ’’’ Algorithm: Given A: derive A’, A’’, A’’’ Data PosMap P’ = PRF (A’ || PosMap [A’] = Counter ) ORAM PosMap ORAM 1 P’’ = PRF (A’’ || ORAMAccess (A’’, P’)) ORAM 2 P = PRF (A’’’ || ORAMAccess (A’’’, P’’)) Data = ORAMAccess (A, P) Block A’’’ P Block P’ P’’ Counter A’ Block A’’ (A, D) On-chip PosMap (root of trust) Problem: |C| > |P| More schemes … to get |C| < |P| Integrity checks

  30. Cheap Integrity Scheme [ASPLOS’15] Result: Hashing decreased by 68 X , simple design 30

  31. ORAM randomizes data layout. Computer architecture assumes data locality. Subtree size = row size ISCA’13 31

  32. # Row misses: tree height ~ tree height ~ subtree height 32

  33. Row misses: 60% overhead 13% overhead 33

  34. 460M transistors AES rounds Stash evict() PLL ORAM .5 mm Tile 0 Tile 1 Tile 2 Tile 3 Tile 4 Encryption Stash Recursion, PLB, Tile 5 Tile 6 Tile 7 Tile 8 Tile 9 Integrity 6 mm Tile Tile Tile Tile Tile 2 mm 10 11 12 13 14 Tile Tile Tile Tile Tile Hash unit 15 16 17 18 19 Tile Tile Tile Tile Tile 20 21 22 23 24 6 mm 34

  35. 2 DRAM channels, In-order core, Slowdown vs. 2-level cache hierarchy, 1 MByte last-level cache insecure ORAM = 1208 cycles / tree lookup 11 Slowdown (X) 1 tpcc ycsb astar bzip2 gcc gob h264 libq mcf omnet perl sjeng avg 35

  36. Demo 36

  37. Backup 37

Recommend

Ascend Biopharmaceuticals Limited Corporate Overview October 2016 ASCEND BIOPHARMACEUTICALS

Ascend Biopharmaceuticals Limited Corporate Overview October 2016 ASCEND BIOPHARMACEUTICALS

Ascend Biopharmaceuticals Limited Corporate Overview October 2016 ASCEND BIOPHARMACEUTICALS LIMITED Disclaimer This presentation is being provided for the sole purpose of providing the recipients with background information about Ascend

429 views • 19 slides
MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

Damian Barabonkov MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big Ideas Paper Feedback Motivation of MI6 Threat Model Implementation Performance Analysis

383 views • 24 slides
ASCEND Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with

ASCEND Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with

ASCEND Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with diabetes and no baseline cardiovascular disease Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by British

468 views • 14 slides
Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM: Advanced RISC Machine First developed in 1983 by Acorn Computers ARM Ltd was formed in 1988 to continue development Advantages of the ARM

391 views • 14 slides
Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky

Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky

February 2, 2010 Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky Flylogic, Inc. chris@flylogic.net http://www.flylogic.net Decapsulate Perform initial examination Identify device if

1.38k views • 6 slides
Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. ODonnell, Ishan Sachdev, and Srinivas Devadas Massachusetts Institute of Technology 1 New Security Challenges

356 views • 31 slides
The M e Morgan S State e Un University ty AS ASCEND Co Community-Based ed P Parti tici

The M e Morgan S State e Un University ty AS ASCEND Co Community-Based ed P Parti tici

The M e Morgan S State e Un University ty AS ASCEND Co Community-Based ed P Parti tici cipatory R Res esea earch ch ( (CBPR) Gr Grants ts P Prog ogram Gillian B B. Silver, M MPH, C CPH for t the A ASCEND C CBPR PR

263 views • 14 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary cardiovascular prevention in 15,480 patients with diabetes Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by

168 views • 14 slides
ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary cardiovascular prevention in 15,480 patients with diabetes Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by

180 views • 13 slides
FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will

FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will

FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will take care of data compression and trigger primitive generation Co-processor will also perform data buffering for supernova trigger Sits on FELIX

522 views • 13 slides
1 Welcome to Ascend! If youre looking for a new ed leadership role in the coming year,

1 Welcome to Ascend! If youre looking for a new ed leadership role in the coming year,

1 Welcome to Ascend! If youre looking for a new ed leadership role in the coming year, youve come to the right place. 2 Im Justin Baeder, Director of The Principal Center. Today I want to talk about your path to the next level. 3

1.4k views • 112 slides
Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik)

Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik)

Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik) David Wang (@planetbeing) About Us Tarjei Mandt Senior Security Researcher, Azimuth Security tm@azimuthsecurity.com Mathew Solnik

1.51k views • 95 slides
Ascend &amp; AXA M anagment Liability We Aim Higher Who We Are rradar is a specialist

Ascend &amp; AXA M anagment Liability We Aim Higher Who We Are rradar is a specialist

Ascend &amp; AXA M anagment Liability We Aim Higher Who We Are rradar is a specialist litigation and commercial law firm that uses legal expertise and digital tools to proactively manage, advise and deliver business solutions to reduce legal

318 views • 27 slides
Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor The cycle time is determined by the longest instruction Could be very long, thinking about fetch data from DRAM Hardware is mostly idle 3

866 views • 47 slides
Welcome to PhotoPRINT 6 PhotoPRINT 6 is designed to help your productivity ascend to new heights,

Welcome to PhotoPRINT 6 PhotoPRINT 6 is designed to help your productivity ascend to new heights,

Welcome to PhotoPRINT 6 PhotoPRINT 6 is designed to help your productivity ascend to new heights, while maintaining SAis signature ease-of-use interface. The following is a brief list of new features and improvements. . New Features

425 views • 20 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
versus placebo for primary cardiovascular prevention in 15,480 patients with diabetes Jane

versus placebo for primary cardiovascular prevention in 15,480 patients with diabetes Jane

ASCEND A randomized trial of omega-3 fatty acids (fish oil) versus placebo for primary cardiovascular prevention in 15,480 patients with diabetes Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by

158 views • 12 slides
Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with diabetes and

Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with diabetes and

ASCEND Randomized placebo-controlled trial of aspirin 100 mg daily in 15,480 patients with diabetes and no baseline cardiovascular disease Jane Armitage and Louise Bowman on behalf of the ASCEND Study Collaborative Group Funded by British Heart

166 views • 16 slides
Processor Architecture: Current Trends A B Transfer a truckload at a time from A to B Processor

Processor Architecture: Current Trends A B Transfer a truckload at a time from A to B Processor

Processor Architecture: Current Trends A B Transfer a truckload at a time from A to B Processor Architecture: Current Trends A B Make it more powerful Faster: Engine, Lighter, Wheels, .. Bigger: More work per trip Processor

446 views • 10 slides
Embedded systems &amp; the Nios II soft core processor A Nios II processor system I equivalent to

Embedded systems &amp; the Nios II soft core processor A Nios II processor system I equivalent to

Embedded systems &amp; the Nios II soft core processor A Nios II processor system I equivalent to a microcontroller or System on a chip (SoC) The Nios II processor family consits of two configurable 32-bit Harvard architecture cores Fast (/f

121 views • 10 slides
F F Fast Transforms using the Cell/B.E. Processor Fast Transforms using the Cell/B.E. Processor

F F Fast Transforms using the Cell/B.E. Processor Fast Transforms using the Cell/B.E. Processor

F F Fast Transforms using the Cell/B.E. Processor Fast Transforms using the Cell/B.E. Processor t T t T f f i g th C ll/B E P i g th C ll/B E P David A. Bader joint work with Seunghwa Kang and Virat Agarwal Sony-Toshiba-IBM Center of

612 views • 47 slides
Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior

Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior

Exploring the Design of the Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior Product Manager 1 Cortex-A15: Next Generation Leadership Cortex-A class multi-processor 1 TB physical addressing

717 views • 33 slides
IC220: Set #13: Building a real processor! ( Chapter 5) 1 The Processor: Datapath &amp; Control

IC220: Set #13: Building a real processor! ( Chapter 5) 1 The Processor: Datapath &amp; Control

IC220: Set #13: Building a real processor! ( Chapter 5) 1 The Processor: Datapath &amp; Control READING: 5.1 5.4 We're ready to look at an implementation of the MIPS Simplified to contain only: memory-reference

244 views • 8 slides

More recommend