Architectural Support for Software-Defined Metadata Processing

Optimized hardware for propagating and checking software-programmable metadata tags can achieve low runtime overhead. We generalize prior work on hardware tagging by considering a generic architecture that supports software-defined policies over metadata of arbitrary size and complexity; we introduce several novel microarchitectural optimizations that keep the overhead of this rich processing low. Our model thus achieves the efficiency of previous hardware-based approaches with the flexibility of the software-based ones. We demonstrate this by using it to enforce four diverse safety and security policies---spatial and temporal memory safety, taint tracking, control-flow integrity, and code and data separation---plus a composite policy that enforces all of them simultaneously. Experiments on SPEC CPU2006 benchmarks with a PUMP-enhanced RISC processor show modest impact on runtime (typically under 10%) and power ceiling (less than 10%), in return for some increase in energy usage (typically under 60%) and area for on-chip memory structures (110%).

[1]  K. Mai,et al.  Architecture and circuit techniques for a 1.1-GHz 16-kb reconfigurable memory in 0.18-/spl mu/m CMOS , 2005, IEEE Journal of Solid-State Circuits.

[2]  Babak Falsafi,et al.  FADE: A programmable filtering accelerator for instruction-grain monitoring , 2014, 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA).

[3]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[4]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[5]  Alessandro Orso,et al.  Effective memory protection using dynamic tainting , 2007, ASE '07.

[6]  Srivaths Ravi,et al.  Architectural Support for Run-Time Validation of Program Data Properties , 2007, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[7]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[8]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[9]  Amir Roth,et al.  DISE: a programmable macro engine for customizing applications , 2003, ISCA '03.

[10]  David A. Moon,et al.  Architecture of the Symbolics 3600 , 1985, ISCA '85.

[11]  Cheng Wang,et al.  LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[12]  Frederic T. Chong,et al.  Minos: Architectural support for protecting control data , 2006, TACO.

[13]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[14]  Karthikeyan Sankaralingam,et al.  Power struggles: Revisiting the RISC vs. CISC debate on contemporary ARM and x86 architectures , 2013, 2013 IEEE 19th International Symposium on High Performance Computer Architecture (HPCA).

[15]  Keshav Pingali,et al.  I-structures: data structures for parallel computing , 1986, Graph Reduction.

[16]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[17]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[18]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[19]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multithreaded programs , 1997, TOCS.

[20]  Milo M. K. Martin,et al.  Hardware-Enforced Comprehensive Memory Safety , 2013, IEEE Micro.

[21]  Mark S. Miller,et al.  Capability Myths Demolished , 2003 .

[22]  Timothy Sherwood,et al.  A small cache of large ranges: Hardware methods for efficiently searching, storing, and updating big dataflow tags , 2008, 2008 41st IEEE/ACM International Symposium on Microarchitecture.

[23]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[24]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[25]  Ruby B. Lee,et al.  A software-hardware architecture for self-protecting data , 2012, CCS.

[26]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[27]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[28]  Udit Dhawan,et al.  Area-efficient near-associative memories on FPGAs , 2013, FPGA '13.

[29]  G. Edward Suh,et al.  High-performance parallel accelerator for flexible and efficient run-time monitoring , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[30]  Beat Kleiner,et al.  Graphical Methods for Data Analysis , 1983 .

[31]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[32]  Trent Jaeger,et al.  Implicit Flows: Can't Live with 'Em, Can't Live without 'Em , 2008, ICISS.

[33]  Ravishankar K. Iyer,et al.  Defeating memory corruption attacks via pointer taintedness detection , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[34]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[35]  R. L. Hoffman,et al.  IBM System/38 support for capability-based addressing , 1981, ISCA '81.

[36]  John M. Chambers,et al.  Graphical Methods for Data Analysis , 1983 .

[37]  Elliott I. Organick,et al.  Computer System Organization: The B5700/B6700 Series , 1973 .

[38]  C MowryTodd,et al.  Flexible Hardware Acceleration for Instruction-Grain Program Monitoring , 2008 .

[39]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[40]  James R. Larus,et al.  Evaluation of the SPUR Lisp Architecture , 1986, ISCA.

[41]  Babak Falsafi,et al.  Log-based architectures for general-purpose monitoring of deployed code , 2006, ASID '06.

[42]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multi-threaded programs , 1997, TOCS.

[43]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[44]  Pin Zhou,et al.  HARD: Hardware-Assisted Lockset-based Race Detection , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.

[45]  Shuichi Sakai,et al.  Low-Overhead Architecture for Security Tag , 2009, 2009 15th IEEE Pacific Rim International Symposium on Dependable Computing.

[46]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[47]  Elliott Irving Organick,et al.  Computer system organization: The B5700/B6700 series (ACM monograph series) , 1973 .

[48]  David Black-Schaffer,et al.  Efficient Embedded Computing , 2008, Computer.

[49]  Stephen McCamant,et al.  DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation , 2011, NDSS.

[50]  Thomas F. Knight,et al.  A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow , 2001 .

[51]  David Donald Miller Chapter 8 – Security , 2003 .

[52]  M SmithJonathan,et al.  Architectural Support for Software-Defined Metadata Processing , 2015 .

[53]  Martín Abadi,et al.  Access Control Based on Execution History , 2003, NDSS.

[54]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[55]  Christoforos E. Kozyrakis,et al.  Raksha: a flexible information flow architecture for software security , 2007, ISCA '07.

[56]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[57]  B J Smith,et al.  A pipelined, shared resource MIMD computer , 1986 .

[58]  Edward A. Feustel,et al.  On The Advantages of Tagged Architecture , 1973, IEEE Transactions on Computers.

[59]  Christoforos E. Kozyrakis,et al.  Hardware Enforcement of Application Security Policies Using Tagged Memory , 2008, OSDI.

[60]  A. Retrospective,et al.  The UNIX Time-sharing System , 1977 .

[61]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[62]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[63]  Xi Wang,et al.  Improving application security with data flow assertions , 2009, SOSP '09.

[64]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[65]  Milo M. K. Martin,et al.  WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking , 2014, CGO '14.

[66]  Norman P. Jouppi,et al.  CACTI 6.0: A Tool to Model Large Caches , 2009 .

[67]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.

[68]  Daniel M. Roy,et al.  Enhancing Server Availability and Security Through Failure-Oblivious Computing , 2004, OSDI.

[69]  Somayeh Sardashti,et al.  The gem5 simulator , 2011, CARN.

[70]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[71]  Hari Kannan Ordering decoupled metadata accesses in multiprocessors , 2009, 2009 42nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[72]  Carlo H. Séquin,et al.  RISC I: a reduced instruction set VLSI computer , 1981, ISCA '98.

[73]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[74]  Babak Falsafi,et al.  Flexible Hardware Acceleration for Instruction-Grain Program Monitoring , 2008, 2008 International Symposium on Computer Architecture.

[75]  Deepak Garg,et al.  Information Flow Control in WebKit's JavaScript Bytecode , 2014, POST.

[76]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.