SAGE: Software-based Attestation for GPU Execution

—With the application of machine learning to security-critical and sensitive domains, there is a growing need for integrity and privacy in computation using accelerators, such as GPUs. Unfortunately, the support for trusted execution on GPUs is currently very limited – trusted execution on accelerators is particularly challenging since the attestation mechanism should not reduce performance. Although hardware support for trusted execution on GPUs is emerging, we study purely software-based approaches for trusted GPU execution. A software-only approach offers dis-tinct advantages: (1) complement hardware-based approaches, enhancing security especially when vulnerabilities in the hardware implementation degrade security, (2) operate on GPUs without hardware support for trusted execution, and (3) achieve security without reliance on secrets embedded in the hardware, which can be extracted as history has shown. In this work, we present SAGE, a software-based attestation mechanism for GPU execution. SAGE enables secure code execution on NVIDIA GPUs of the Ampere architecture (A100), providing properties of code integrity and secrecy, computation integrity, as well as data integrity and secrecy – all in the presence of malicious code running on the GPU and CPU. Our evaluation demonstrates that SAGE is already practical today for executing code in a trustworthy way on GPUs without specific hardware support.

[1]  Gene Tsudik,et al.  On the TOCTOU Problem in Remote Attestation , 2020, CCS.

[2]  Luigi Carro,et al.  G-PUF: An Intrinsic PUF Based on GPU Error Signatures , 2020, 2020 IEEE European Test Symposium (ETS).

[3]  Stefan Katzenbeisser,et al.  Decay-Based DRAM PUFs in Commodity Devices , 2019, IEEE Transactions on Dependable and Secure Computing.

[4]  Xiaofeng Wang,et al.  Enabling Privacy-Preserving, Compute- and Data-Intensive Computing using Heterogeneous Trusted Execution Environment , 2019, ArXiv.

[5]  Simha Sethumadhavan,et al.  Heterogeneous Isolated Execution for Commodity GPUs , 2019, ASPLOS.

[6]  Marco Maggioni,et al.  Dissecting the NVidia Turing T4 GPU via Microbenchmarking , 2019, ArXiv.

[7]  Rodrigo Bruno,et al.  Graviton: Trusted Execution Environments on GPUs , 2018, OSDI.

[8]  Andrew W. Moore,et al.  Understanding PCIe performance for end host networking , 2018, SIGCOMM.

[9]  Dan Boneh,et al.  Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware , 2018, ICLR.

[10]  Marco Maggioni,et al.  Dissecting the NVIDIA Volta GPU Architecture via Microbenchmarking , 2018, ArXiv.

[11]  David A. Wood,et al.  Border control: Sandboxing accelerators , 2015, 2015 48th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[12]  Daniel J. Bernstein,et al.  Investigating SRAM PUFs in large CPUs and GPUs , 2015, SPACE.

[13]  Amir Akhavan,et al.  GPUs and chaos: a new true random number generator , 2015, Nonlinear Dynamics.

[14]  Xeno Kovah,et al.  BIOS chronomancy: fixing the core root of trust for measurement , 2013, CCS.

[15]  James Newsome,et al.  ReDABLS: Revisiting Device Attestation with Bounded Leakage of Secrets , 2013, Security Protocols Workshop.

[16]  Xeno Kovah,et al.  New Results for Timing-Based Attestation , 2012, 2012 IEEE Symposium on Security and Privacy.

[17]  Adrian Perrig,et al.  VIPER: verifying the integrity of PERipherals' firmware , 2011, CCS '11.

[18]  William J. Dally,et al.  GPUs and the Future of Parallel Computing , 2011, IEEE Micro.

[19]  Adrian Perrig,et al.  SAKE: Software attestation for key establishment in sensor networks , 2008, Ad Hoc Networks.

[20]  Carlos C. Solari Designing for security , 2007, Bell Labs Technical Journal.

[21]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[22]  Yongdae Kim,et al.  Remote Software-Based Attestation for Wireless Sensors , 2005, ESAS.

[23]  Pradeep K. Khosla,et al.  SWATT: softWare-based attestation for embedded devices , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[24]  Elaine B. Barker,et al.  A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications , 2000 .

[25]  Charalampos Manifavas,et al.  A new family of authentication protocols , 1998, OPSR.

[26]  Zhipeng Jia,et al.  Telekine: Secure Computing with Cloud GPUs , 2020, NSDI.

[27]  Virgil D. Gligor,et al.  Establishing Software Root of Trust Unconditionally , 2019, NDSS.

[28]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..