PAGURUS: Low-Overhead Dynamic Information Flow ......PAGURUS: Low-Overhead Dynamic Information Flow...
Transcript of PAGURUS: Low-Overhead Dynamic Information Flow ......PAGURUS: Low-Overhead Dynamic Information Flow...
PAGURUS:Low-OverheadDynamicInformationFlowTrackingonLooselyCoupledAccelerators
LucaPiccolboni,GiuseppeDiGuglielmoandLucaP.CarloniColumbiaUniversity,NY,USA
ACM/IEEECODES+ISSS2018,Turin,Italy
ACM/IEEECODES+ISSS2018,Turin,Italy 2/16
[M.Gautschietal.,IEEEVLSI’17]
DataRAM
Instr.RAM
Boot.RAM
AXI
UART
SPIM.APB
PULPino
ProcessorCore(RI5CY)
Systems-on-Chip(SoCs)AreVulnerabletoSoftwareAttacks
ACM/IEEECODES+ISSS2018,Turin,Italy 3 /16
mainmemory
...
buff[0]=sw(7)
buff[1]=sw(7)
buff[9]=sw(7)
fun=0xAA
num=10
val=7
int buff[10], k;int (*fun)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */for (k = 0; k < num; ++k)buff[k] = sw(val);
fun(1); // call foo?
Buffer-OverflowAttackAttackingPULPino
memorylocation:0xAA
ACM/IEEECODES+ISSS2018,Turin,Italy 3 /16
mainmemory
...
buff[0]=sw(7)
buff[1]=sw(7)
buff[9]=sw(7)
fun=sw(7)
num=11
val=7
int buff[10], k;int (*fun)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */for (k = 0; k < num; ++k)buff[k] = sw(val);
fun(1); // call foo?
memorylocation:0xAA
Buffer-OverflowAttackAttackingPULPino canbeusedtocalla
maliciousfunction
ACM/IEEECODES+ISSS2018,Turin,Italy 3 /16
DynamicInformationFlowTracking(DIFT)
mainmemory
...
buff[0]=sw(0x7)
buff[1]=sw(0x7)
buff[9]=sw(0x7)
func=0xAA
num=0x7
val=0xA 1
0
1
1
1
1
mainmemory
...
buff[0]=sw(7)
buff[1]=sw(7)
buff[9]=sw(7)
num=7
val=11
AttackingPULPino
int buff[10], k;int (*fun)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */for (k = 0; k < num; ++k)buff[k] = sw(val);
fun(1); // call fun
memorylocation:0xAA
fun=sw(7)
[G.E.Suhetal.,ACMASPLOS’04]tags
ACM/IEEECODES+ISSS2018,Turin,Italy 4 /16
[M.Gautschietal.,IEEEVLSI’17]
UART
SPIM.
PULPino
DataRAM
Instr.RAM
Boot.RAM
ProcessorCore(RI5CY)
[C.Palmieroetal.,IEEEHPEC’18]DIFTExtensions
NowSecuredwithDIFTHomogenousSoCs
AXI
APB
ACM/IEEECODES+ISSS2018,Turin,Italy 5 /16
[M.Gautschietal.,IEEEVLSI’17]
UART
SPIM.
DataRAM
Instr.RAM
Boot.RAM
ProcessorCore(RI5CY)
LooselyCoupledAccelerator#1
[C.Palmieroetal.,IEEEHPEC’18]
PULPinoNo-More-SecuredwithDIFTHeterogeneousSoCs
DIFTExtensions
LooselyCoupledAccelerator#2
AXI
APB
ACM/IEEECODES+ISSS2018,Turin,Italy 6 /16
AttackingPULPino(Again)
int buff[10] = {0};int (*f)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */hw(num, val, buff);
Buffer-OverflowAttack
mainmemory
...
buff[0]=sw(0x7)
buff[1]=sw(0x7)
buff[9]=sw(0x7)
func=0xAA
num=0x7
val=0xA 1
0
1
1
1
mainmemory
...
buff[0]=0
buff[1]=0
buff[9]=0
num=11
val=7
tags
fun=0xAA 1
ACM/IEEECODES+ISSS2018,Turin,Italy 6 /16
AttackingPULPino(Again)
0
0
0
0
0theacceleratorisnotabletopropagatethetags
Buffer-OverflowAttack
1
mainmemory
...
buff[0]=sw(0x7)
buff[1]=sw(0x7)
buff[9]=sw(0x7)
func=0xAA
num=0x7
val=0xA
mainmemory
...
buff[0]=hw(7)
buff[1]=hw(7)
buff[9]=hw(7)
num=11
val=7
fun=hw(7)
canbeusedtocallamaliciousfunction
tags
int buff[10] = {0};int (*f)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */hw(num, val, buff);
ACM/IEEECODES+ISSS2018,Turin,Italy 7 /16
Contributions
1. WeproposePAGURUS,amethodologytodesignacircuitshell thataddsDIFTsupporttoaccelerators
DIFTShell
ACM/IEEECODES+ISSS2018,Turin,Italy 7 /16
AXI
UART
SPIM.APB
PULPinoSystem-on-Chip
DataRAM
Instr.RAM
Boot.RAM
ProcessorCore(RI5CY)
DIFTShe
ll
Contributions
LooselyCoupledAccelerator#1
LooselyCoupledAccelerator#2
ACM/IEEECODES+ISSS2018,Turin,Italy 7 /16
Contributions
2. Weproposea metric toquantitativelymeasurethesecurityguaranteesprovidedbytheshell
a) Theshelldesignisindependent fromthedesignoftheacceleratorsandviceversa
b) Theshellhaslow overheadsonboththeperformanceandcostofaccelerators
1. WeproposePAGURUS,amethodologytodesignacircuitshell thataddsDIFTsupporttoaccelerators
ACM/IEEECODES+ISSS2018,Turin,Italy 8/16
1. Thehardwareissafe:nohardwareTrojans
AssumptionsandAttackModelPreliminaries
2. Thesoftwareisnot safe:itcontainsbugsandvulnerabilitiesusefulfortheattackers
TheattackersexploitthesevulnerabilitiesthroughcommonI/Ointerfaceswiththegoalofaffectingtheintegrityand/ortheconfidentialityofthehardware-acceleratedsoftwareapplications
ACM/IEEECODES+ISSS2018,Turin,Italy 8 /16
mainmemory
value#1
1. CoupledScheme
value#2
value#3
PreliminariesTaggingScheme
tag#1
tag#2
tag#3
tags
[J.Porquetetal.,ACM/IEEECODES’13]
ACM/IEEECODES+ISSS2018,Turin,Italy 8 /16
mainmemory
value#1
1. CoupledScheme
tag#1
tag#3
protectedregioninmemory
value#2
value#3
tag#2
2. DecoupledScheme
PreliminariesTaggingScheme
[J.Porquetetal.,ACM/IEEECODES’13]
ACM/IEEECODES+ISSS2018,Turin,Italy 8 /16
mainmemory
value#1
1. CoupledScheme
tag#1
tag#3
value#2
value#3
tag#2
2. DecoupledScheme2.1.InterleavedScheme
tagoffset =#wordsinmemorybetweentwoconsecutivevalues
(tagoffset=1)
PreliminariesTaggingScheme
[J.Porquetetal.,ACM/IEEECODES’13]
ACM/IEEECODES+ISSS2018,Turin,Italy 9 /16
Contributions
a) Theshelldesignisindependent fromthedesignoftheacceleratorsandviceversa
b) Theshellhaslow overheadsonboththeperformanceandcostofaccelerators
1. WeproposePAGURUS,amethodologytodesignacircuitshellthataddsDIFTsupporttoaccelerators
ACM/IEEECODES+ISSS2018,Turin,Italy 9 /16
ArchitectureLooselyCoupledAccelerator
mainmemory
register#1
register#2
register#K
...
Accelerators
configuration reg#1 … reg#K
privatelocalmemory/scratchpad
bank bank bank bank
ACM/IEEECODES+ISSS2018,Turin,Italy 9 /16
LooselyCoupledAccelerator
mainmemory
input
computeburstlength
Accelerators
configuration …
loadinputval val val
configuration reg#1 … reg#K
privatelocalmemory/scratchpad
bank bank bank bank
Architecture
ACM/IEEECODES+ISSS2018,Turin,Italy 9 /16
LooselyCoupledAccelerator
mainmemory
load computeloadinput
Accelerators
configuration
loadinputval val val val val val
configuration reg#1 … reg#K
privatelocalmemory/scratchpad
bank bank bank bank
Architecture
output
ACM/IEEECODES+ISSS2018,Turin,Italy 9 /16
LooselyCoupledAccelerator
mainmemory
load
storeburstlength storeoutput
Accelerators
load loadinputval val val val val val
computeloadinput
val val val
configuration reg#1 … reg#K
privatelocalmemory/scratchpad
bank bank bank bank
Architecture
ACM/IEEECODES+ISSS2018,Turin,Italy 10/16
DIFTShellArchitecture
DIFTShe
ll
Accelerator
LooselyCoupledAccelerator
ACM/IEEECODES+ISSS2018,Turin,Italy 10/16
DIFTShellArchitecture
mainmemory
register#1
register#2
register#K
...
shellconfiguration
reg.#K+1:src_tag
reg.#K+2:dst_tag
dst_tagsrc_tag
Accelerator
LooselyCoupledAccelerator
DIFTShe
ll
ACM/IEEECODES+ISSS2018,Turin,Italy 10/16
DIFTShellArchitecture
shellconfiguration
mainmemory
input
src_tagsrc_tag shellloadlogic
if tag!=src_tagDIFT_exception!
val val
val tag val tag
Accelerator
dst_tagsrc_tagburstlength
LooselyCoupledAccelerator
DIFTShe
ll
ACM/IEEECODES+ISSS2018,Turin,Italy 10/16
DIFTShellArchitecture
shellconfiguration
mainmemory
shellloadlogic
shellstorelogic
val val
val tag val tag
output
dst_tagdst_tag
val tag val tag
dst_tagsrc_tag
Accelerator
burstlength
LooselyCoupledAccelerator
DIFTShe
ll
ACM/IEEECODES+ISSS2018,Turin,Italy 11/16
Contributions
a) Theshelldesignisindependent fromthedesignoftheacceleratorsandviceversa
b) Theshellhaslow overheadsonboththeperformanceandcostofaccelerators
1. WeproposePAGURUS,amethodologytodesignacircuitshellthataddsDIFTsupporttoaccelerators
2. Weproposea metric toquantitativelymeasurethesecurityguaranteesprovidedbytheshell
ACM/IEEECODES+ISSS2018,Turin,Italy 11/16
ASecurityMetricDefinition
mainmemory
input
value#1
src_tag
value#2
value#3
ACM/IEEECODES+ISSS2018,Turin,Italy 11/16
ASecurityMetricDefinition
mainmemory
input
value#1[overwritten]
src_tag[overwritten]
value#2[overwritten]
value#3[overwritten]
value#1
LooselyCoupledAccelerator
DIFTShe
ll
val tagval val
output
ACM/IEEECODES+ISSS2018,Turin,Italy 11/16
ASecurityMetric
mainmemory
input
value#1[overwritten]
src_tag[overwritten]
value#2[overwritten]
value#3[overwritten]
LooselyCoupledAccelerator
DIFTShe
ll
val tagval val
value#1
DIFT_exception!
InformationLeakage• Quantitativemetricforsecurity
Definition
output
ACM/IEEECODES+ISSS2018,Turin,Italy 12/16
ASecurityMetric
• InformationLeakage:amountofdatathatcanbeproducedasoutputbyanacceleratorbeforeitsshellrealizesthattheinputhasbeencorrupted
I/Oratio:thenumberofloadburstsnecessarytoproduceastoreburst
Analysis
1. Tagoffset: tagoffset leakage
2. Algorithm: I/Oratio leakage
ACM/IEEECODES+ISSS2018,Turin,Italy 12/16
ASecurityMetric
• InformationLeakage:amountofdatathatcanbeproducedasoutputbyanacceleratorbeforeitsshellrealizesthattheinputhasbeencorrupted
1. Tagoffset: tagoffset leakage
2. Algorithm: I/Oratio leakage
3. Implementation: burstlen. leakage
4. Workload: work. size leakage
Analysis
ExperimentalResults
13/16
ExperimentalSetup(1/2)
ACM/IEEECODES+ISSS2018,Turin,Italy
• Wedesignedthreelooselycoupledaccelerators:• GRAY:convertsaRGBimageintoagrayscaleimage• MEAN:calculatesthemeanofa2Dmatrix(columns)• MULTS:mutipliesa2Dmatrixbyitstranspose
ExperimentalResults
13/16
ExperimentalSetup(1/2)
ACM/IEEECODES+ISSS2018,Turin,Italy
• Wedesignedthreelooselycoupledaccelerators:• GRAY:convertsaRGBimageintoagrayscaleimage• MEAN:calculatesthemeanofa2Dmatrix(columns)• MULTS:mutipliesa2Dmatrixbyitstranspose
GRAY
loadburst
storeburst
ExperimentalResults
13/16
ExperimentalSetup(1/2)
ACM/IEEECODES+ISSS2018,Turin,Italy
• Wedesignedthreelooselycoupledaccelerators:• GRAY:convertsaRGBimageintoagrayscaleimage• MEAN:calculatesthemeanofa2Dmatrix(columns)• MULTS:mutipliesa2Dmatrixbyitstranspose
GRAY
…
MEAN
ExperimentalResults
13/16
ExperimentalSetup(1/2)
ACM/IEEECODES+ISSS2018,Turin,Italy
• Wedesignedthreelooselycoupledaccelerators:• GRAY:convertsaRGBimageintoagrayscaleimage• MEAN:calculatesthemeanofa2Dmatrix(columns)• MULTS:mutipliesa2Dmatrixbyitstranspose
GRAY
…
MEAN
…
MULTS
ExperimentalResults
13/16
ExperimentalSetup(1/2)
ACM/IEEECODES+ISSS2018,Turin,Italy
• Wedesignedthreelooselycoupledaccelerators:• GRAY:convertsaRGBimageintoagrayscaleimage• MEAN:calculatesthemeanofa2Dmatrix(columns)• MULTS:mutipliesa2Dmatrixbyitstranspose
• WeusedCadenceStratusHLS forhigh-levelsynthesisandXilinxVivadoforlogicsynthesisà Virtex-7FPGA
• WedesignedtheacceleratorsandtheshellinSystemC
ExperimentalResults
14/16
ExperimentalSetup(2/2)
ACM/IEEECODES+ISSS2018,Turin,Italy
Weexploreddifferentalternativesbyvarying:• accelerator• tagoffset• burstsize• workload
[P.Mantovanietal.,ACM/IEEEDAC’16]
EmbeddedScalablePlatforms
[L.P.Carloni,ACM/IEEEDAC’16]
LooselyCoupledAccelerator
ProcessorCore (Leon3)
+Shell
MemoryController
I/Ochannelsandperipher.
Network-on-Chip
- 128x128- small- 512x512- medium- 2048x2048- large
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
QuantitativeSecurityAnalysis- MEAN
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rma
tion
lea
kag
e (
%)
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
medium
small
large
220
213
224
215216
211
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rma
tion
lea
kag
e (
%)
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
QuantitativeSecurityAnalysis- MEAN
maxinformationleakage=>thehighesttagoffset
mininformationleakage=>thelowesttagoffset
220
213
medium
224
215
small
large
216
211
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
QuantitativeSecurityAnalysis- MEAN
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rma
tion
lea
kag
e (
%)
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
220
213
medium
224
215
small
large
216
211
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
QuantitativeSecurityAnalysis- GRAY
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rma
tion
lea
kag
e (
%)
burst size (bytes)
220
213
medium
224
215
small
large
216
211
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
QuantitativeSecurityAnalysis- GRAY
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rma
tion
lea
kag
e (
%)
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
219
25
medium
223
25
small
large
215
25
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
QuantitativeSecurityAnalysis- MULTS
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
burst size (bytes)
0.00%
0.02%
0.04%
0.06%
0.08%
0.10%
0.12%
0.14%
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
burst size (bytes)
0.0%
0.1%
0.2%
0.3%
0.4%
0.5%
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
0.0%
0.2%
0.4%
0.6%
0.8%
1.0%
1.2%
1.4%
1.6%
220
214
medium
224
216
small
large
216
212
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
burst size (bytes)
0.00%
0.02%
0.04%
0.06%
0.08%
0.10%
0.12%
0.14%
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
info
rmatio
n le
aka
ge (
%)
burst size (bytes)
0.0%
0.2%
0.4%
0.6%
0.8%
1.0%
1.2%
1.4%
1.6%
0%
20%
40%
60%
80%
100%
26 27 28 29 210 211 212 213
burst size (bytes)
0.0%
0.1%
0.2%
0.3%
0.4%
0.5%
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
QuantitativeSecurityAnalysis- MULTS
220
214
medium
224
216
small
large
216
212
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
PerformanceAnalysis- GRAY
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
2.6
26 27 28 29 210 211 212 213
gray - large
no
rma
lize
d e
xecu
tion
tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - medium
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - small
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
20
26
212
no tags
medium
small
large
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
2.6
26 27 28 29 210 211 212 213
gray - large
no
rma
lize
d e
xecu
tion
tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - medium
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - small
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
20
26
212
no tagsPerformanceAnalysis- GRAYmedium
small
large
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
2.6
26 27 28 29 210 211 212 213
gray - large
no
rma
lize
d e
xecu
tion
tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - medium
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - small
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
20
26
212
no tagsPerformanceAnalysis- GRAYmedium
small
large
ExperimentalResults
14/16ACM/IEEECODES+ISSS2018,Turin,Italy
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
2.6
26 27 28 29 210 211 212 213
gray - large
no
rma
lize
d e
xecu
tion
tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - small
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
1.0
1.2
1.4
1.6
1.8
2.0
2.2
2.4
26 27 28 29 210 211 212 213
gray - medium
norm
aliz
ed e
xecu
tion tim
e
burst size (bytes)
20
26
212
no tagsPerformanceAnalysis- GRAYmedium
small
large
15/16
• WeproposePAGURUS,aflexiblemethodologytodesignashellthatextendsDIFTtoaccelerators
1. Theshelldesignisindependentfromtheacceleratordesignandviceversa
2. Theshellhasnegligiblecostoverheadandreasonableperformanceoverhead
• Wedefinethemetric ofinformationleakageforacceleratorstoquantitativelymeasuresecurity
ACM/IEEECODES+ISSS2018,Turin,Italy
Conclusions
Speaker:LucaPiccolboniColumbiaUniversity,NY
Questions?
ACM/IEEECODES+ISSS2018,Turin,Italy
PAGURUS:Low-OverheadDynamicInformationFlowTrackingonLooselyCoupleAccelerators