PUMP: a programmable unit for metadata processing

We introduce the Programmable Unit for Metadata Processing (PUMP), a novel software-hardware element that allows flexible computation with uninterpreted metadata alongside the main computation with modest impact on runtime performance (typically 10--40% for single policies, compared to metadata-free computation on 28 SPEC CPU2006 C, C++, and Fortran programs). While a host of prior work has illustrated the value of ad hoc metadata processing for specific policies, we introduce an architectural model for extensible, programmable metadata processing that can handle arbitrary metadata and arbitrary sets of software-defined rules in the spirit of the time-honored 0-1-∞ rule. Our results show that we can match or exceed the performance of dedicated hardware solutions that use metadata to enforce a single policy, while adding the ability to enforce multiple policies simultaneously and achieving flexibility comparable to software solutions for metadata processing. We demonstrate the PUMP by using it to support four diverse safety and security policies---spatial and temporal memory safety, code and data taint tracking, control-flow integrity including return-oriented-programming protection, and instruction/data separation---and quantify the performance they achieve, both singly and in combination.

[1]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[2]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[3]  Babak Falsafi,et al.  Flexible Hardware Acceleration for Instruction-Grain Program Monitoring , 2008, 2008 International Symposium on Computer Architecture.

[4]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[5]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[6]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multi-threaded programs , 1997, TOCS.

[7]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[8]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[9]  Christoforos E. Kozyrakis,et al.  Raksha: a flexible information flow architecture for software security , 2007, ISCA '07.

[10]  Nael B. Abu-Ghazaleh,et al.  SIFT: a low-overhead dynamic information flow tracking architecture for SMT processors , 2011, CF '11.

[11]  Srivaths Ravi,et al.  Architectural Support for Run-Time Validation of Program Data Properties , 2007, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[12]  Herbert Bos,et al.  Minemu: The World's Fastest Taint Tracker , 2011, RAID.

[13]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[14]  Frederic T. Chong,et al.  Minos: Architectural support for protecting control data , 2006, TACO.

[15]  Xi Wang,et al.  Improving application security with data flow assertions , 2009, SOSP '09.

[16]  Thomas F. Knight,et al.  A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow , 2001 .

[17]  Udit Dhawan,et al.  Area-efficient near-associative memories on FPGAs , 2013, FPGA '13.

[18]  G. Edward Suh,et al.  High-performance parallel accelerator for flexible and efficient run-time monitoring , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[19]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[20]  Trent Jaeger,et al.  Implicit Flows: Can't Live with 'Em, Can't Live without 'Em , 2008, ICISS.

[21]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[22]  G. Edward Suh,et al.  Flexible and Efficient Instruction-Grained Run-Time Monitoring Using On-Chip Reconfigurable Fabric , 2010, 2010 43rd Annual IEEE/ACM International Symposium on Microarchitecture.

[23]  Ravishankar K. Iyer,et al.  Defeating memory corruption attacks via pointer taintedness detection , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[24]  A. Retrospective,et al.  The UNIX Time-sharing System , 1977 .

[25]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multithreaded programs , 1997, TOCS.

[26]  Milo M. K. Martin,et al.  Hardware-Enforced Comprehensive Memory Safety , 2013, IEEE Micro.

[27]  Somayeh Sardashti,et al.  The gem5 simulator , 2011, CARN.

[28]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[29]  Carlo H. Séquin,et al.  RISC I: a reduced instruction set VLSI computer , 1981, ISCA '98.

[30]  Keshav Pingali,et al.  I-structures: data structures for parallel computing , 1986, Graph Reduction.

[31]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[32]  Daniel M. Roy,et al.  Enhancing Server Availability and Security Through Failure-Oblivious Computing , 2004, OSDI.

[33]  Binyu Zang,et al.  From Speculation to Security: Practical and Efficient Information Flow Tracking Using Speculative Hardware , 2008, 2008 International Symposium on Computer Architecture.

[34]  Christoforos E. Kozyrakis,et al.  Decoupling Dynamic Information Flow Tracking with a dedicated coprocessor , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[35]  Mark A. Holliday Techniques for Cache and Memory Simulation Using Address Reference Traces , 1991, Int. J. Comput. Simul..

[36]  Amir Roth,et al.  Using DISE to protect return addresses from attack , 2005, CARN.

[37]  Norman P. Jouppi,et al.  CACTI 6.0: A Tool to Model Large Caches , 2009 .

[38]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.