S oftware- H ardware I nformation F low T racking + M ulticore Colleen Lewis & Cynthia Sturton...

Software-Hardware Information

Flow Tracking + Multicore

Colleen Lewis & Cynthia Sturton

SHIFT+M

Goals

• Design information flow control on multicore message passing

• Determine the cost of safe communication to CPU performance

• Low impact to receiving node from malicious sender

Asbestos

• Prevents unauthorized communication

• Message passing

• Applications set their policy

• Single Core

Asbestos on Multicore

• Distributed labels and checks

• Hardware component + trusted library

• Message passing

OS

Hardware

OS

Hardware

OS

Hardware

OS

Hardware

OS

Hardware

OS

Hardware

Round #Allowed?Valid?PIDremotePIDlocal Round #Allowed?Valid?PIDremotePIDlocal

MessageValid? MessageValid?

Buffered MessageBuffered Message

OS – Taint Unit

Network

Hardware – Taint Unit

MetareceiveMetasendRound #PIDlocal MetareceiveMetasendRound #PIDlocal

Design

Message

Request Taint

Sp1 Rp2

Taint

Protocol - Simple

=?

Problem

Sending Process Changes Taint Label Before

Responding With Taint

Message

Request Taint

Sp1 Rp2

Taint

Sending Process Modifies Taint

Modify Taint

OS

Hardware

OS

Hardware

OS

Hardware




OS – Taint Unit

Network



Design

Message, round = 2

Request Taint, round = 2

Sp1 Rp2

Taint, round = 2

Protocol – With Round Numbers

Modify Taint

Problem

Every Message Requires Three Messages

OS

Hardware

OS

Hardware

OS

Hardware




OS – Taint Unit

Network



Design

Message, round = 2

Sp1 Rp2

Cache The Taint Check Result



2p1 p2 1 1

Problem

Buffering Messages Requires Receiving Node

CPU Time

Message, round = 2

Sp1 Rp2

Software Costs

OS

Hardware

OS

Hardware

OS

Hardware




OS – Taint Unit

Network



Design

Message, round = 2


Sp1 Rp2

Taint, round = 2

Hardware Buffer


Hardware

1

Problem

Both Sending And Receiving CPU Time Wasted on Deny

Message, round = 2


Sp1 Rp2

Taint, round = 2

Software Costs

=?

Quick Deny – Taint Meta Data

• Send Taint meta data with message

• Reject if sender has higher number of the most classified labels


OS

Hardware

OS

Hardware

OS

Hardware




OS – Taint Unit

Network



Design

Message, round = 2, meta = 3

Sp1 Rp2

Quick Deny – Taint Meta Data

1

Hardware – Taint UnitMetareceiveMetasendRound #PIDlocal MetareceiveMetasendRound #PIDlocal

p1 2 6

3Send > 1Receive

Hardware – Taint UnitMetareceiveMetasendRound #PIDlocal MetareceiveMetasendRound #PIDlocal

p1 2 3 2

REJECT

Problem

Quality of Service

B = Buffering messages

RT = Reading taint to send

RT = Reading taint for comparison

C = Comparison

Message, round = 2


S R

Taint, round = 2

Software Costs

=?




C = Comparison

Quality of Service

B + RT + CRT

Receiver Work

Sender Work

RTB + RT + C Hardware

Buffer

RT >> C

~ 1




C = Comparison

Quality of Service

RTB + RT + C

Cache Hit or Quick Deny

B + RT + CRT

Receiver Work

Sender Work

Communication Rate

% P

rod

uctiv

e W

ork

Communication Rate (per node)

Message Arrival Rate

% P

rod

uctiv

e W

ork

Message Arrival Rate

Allowed Communication

% P

rod

uctiv

e W

ork

% of Allowed Communication

All cache

hits

Some cache

hits

No cache

hits

All HW

buffering

Some HW

buffering

No HW

buffering

Simulation

• Simics – full system multicore simulator

• Implemented message passing

• Added latency at nodes to represent – Buffering messages– Reading taint to send– Reading taint for comparison– Comparison

Conclusions

• Message passing is well suited for information flow tracking

• We can bound the cost of secure communication in a distributed protocol

S oftware- H ardware I nformation F low T racking + M ulticore Colleen Lewis & Cynthia Sturton...

Documents

Transcript of S oftware- H ardware I nformation F low T racking + M ulticore Colleen Lewis & Cynthia Sturton...