PAGURUS: Low-Overhead Dynamic Information Flow Tracking...

PAGURUS:Low-OverheadDynamicInformationFlowTrackingonLooselyCoupledAccelerators

LucaPiccolboni,GiuseppeDiGuglielmoandLucaP.CarloniColumbiaUniversity,NY,USA

ACM/IEEECODES+ISSS2018,Turin,Italy

ACM/IEEECODES+ISSS2018,Turin,Italy 2/16

[M.Gautschietal.,IEEEVLSI’17]

DataRAM

Instr.RAM

Boot.RAM

SPIM.APB

PULPino

ProcessorCore(RI5CY)

Systems-on-Chip(SoCs)AreVulnerabletoSoftwareAttacks

ACM/IEEECODES+ISSS2018,Turin,Italy 3 /16

mainmemory

buff[0]=sw(7)

buff[1]=sw(7)

buff[9]=sw(7)

fun=0xAA

num=10

int buff[10], k;int (*fun)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */for (k = 0; k < num; ++k)buff[k] = sw(val);

fun(1); // call foo?

Buffer-OverflowAttackAttackingPULPino

memorylocation:0xAA

mainmemory

buff[0]=sw(7)

buff[1]=sw(7)

buff[9]=sw(7)

fun=sw(7)

num=11

fun(1); // call foo?

memorylocation:0xAA

Buffer-OverflowAttackAttackingPULPino canbeusedtocalla

maliciousfunction

DynamicInformationFlowTracking(DIFT)

mainmemory

buff[0]=sw(0x7)

buff[1]=sw(0x7)

buff[9]=sw(0x7)

func=0xAA

num=0x7

val=0xA 1

mainmemory

buff[0]=sw(7)

buff[1]=sw(7)

buff[9]=sw(7)

val=11

AttackingPULPino

fun(1); // call fun

memorylocation:0xAA

fun=sw(7)

[G.E.Suhetal.,ACMASPLOS’04]tags

PULPino

DataRAM

Instr.RAM

Boot.RAM

[C.Palmieroetal.,IEEEHPEC’18]DIFTExtensions

NowSecuredwithDIFTHomogenousSoCs

DataRAM

Instr.RAM

Boot.RAM

LooselyCoupledAccelerator#1

[C.Palmieroetal.,IEEEHPEC’18]

PULPinoNo-More-SecuredwithDIFTHeterogeneousSoCs

DIFTExtensions

AttackingPULPino(Again)

int buff[10] = {0};int (*f)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */hw(num, val, buff);

Buffer-OverflowAttack

mainmemory

buff[0]=sw(0x7)

buff[1]=sw(0x7)

buff[9]=sw(0x7)

func=0xAA

num=0x7

val=0xA 1

mainmemory

buff[0]=0

buff[1]=0

buff[9]=0

num=11

fun=0xAA 1

AttackingPULPino(Again)

0theacceleratorisnotabletopropagatethetags

Buffer-OverflowAttack

mainmemory

buff[0]=sw(0x7)

buff[1]=sw(0x7)

buff[9]=sw(0x7)

func=0xAA

num=0x7

val=0xA

mainmemory

buff[0]=hw(7)

buff[1]=hw(7)

buff[9]=hw(7)

num=11

fun=hw(7)

canbeusedtocallamaliciousfunction

int buff[10] = {0};int (*f)(int) = foo;int num = atoi(argv[1]);int val = atoi(argv[2]);/* this is a bad idea */hw(num, val, buff);

Contributions

1. WeproposePAGURUS,amethodologytodesignacircuitshell thataddsDIFTsupporttoaccelerators

DIFTShell

SPIM.APB

PULPinoSystem-on-Chip

DataRAM

Instr.RAM

Boot.RAM

DIFTShe

Contributions

2. Weproposea metric toquantitativelymeasurethesecurityguaranteesprovidedbytheshell

a) Theshelldesignisindependent fromthedesignoftheacceleratorsandviceversa

b) Theshellhaslow overheadsonboththeperformanceandcostofaccelerators

1. WeproposePAGURUS,amethodologytodesignacircuitshell thataddsDIFTsupporttoaccelerators

1. Thehardwareissafe:nohardwareTrojans

AssumptionsandAttackModelPreliminaries

2. Thesoftwareisnot safe:itcontainsbugsandvulnerabilitiesusefulfortheattackers

TheattackersexploitthesevulnerabilitiesthroughcommonI/Ointerfaceswiththegoalofaffectingtheintegrityand/ortheconfidentialityofthehardware-acceleratedsoftwareapplications

mainmemory

value#1

1. CoupledScheme

value#2

value#3

PreliminariesTaggingScheme

[J.Porquetetal.,ACM/IEEECODES’13]

mainmemory

value#1

1. CoupledScheme

protectedregioninmemory

value#2

value#3

2. DecoupledScheme

mainmemory

value#1

1. CoupledScheme

value#2

value#3

2. DecoupledScheme2.1.InterleavedScheme

tagoffset =#wordsinmemorybetweentwoconsecutivevalues

(tagoffset=1)

Contributions

1. WeproposePAGURUS,amethodologytodesignacircuitshellthataddsDIFTsupporttoaccelerators

ArchitectureLooselyCoupledAccelerator

mainmemory

register#1

register#2

register#K

Accelerators

configuration reg#1 … reg#K

privatelocalmemory/scratchpad

bank bank bank bank

LooselyCoupledAccelerator

mainmemory

computeburstlength

Accelerators

configuration …

loadinputval val val

bank bank bank bank

Architecture

mainmemory

load computeloadinput

Accelerators

configuration

loadinputval val val val val val

bank bank bank bank

Architecture

output

mainmemory

storeburstlength storeoutput

Accelerators

load loadinputval val val val val val

computeloadinput

val val val

bank bank bank bank

Architecture

DIFTShellArchitecture

DIFTShe

Accelerator

mainmemory

register#1

register#2

register#K

shellconfiguration

reg.#K+1:src_tag

reg.#K+2:dst_tag

dst_tagsrc_tag

Accelerator

DIFTShe

shellconfiguration

mainmemory

src_tagsrc_tag shellloadlogic

if tag!=src_tagDIFT_exception!

val val

val tag val tag

Accelerator

dst_tagsrc_tagburstlength

DIFTShe

shellconfiguration

mainmemory

shellloadlogic

shellstorelogic

val val

val tag val tag

output

dst_tagdst_tag

val tag val tag

dst_tagsrc_tag

Accelerator

burstlength

DIFTShe

Contributions

1. WeproposePAGURUS,amethodologytodesignacircuitshellthataddsDIFTsupporttoaccelerators

2. Weproposea metric toquantitativelymeasurethesecurityguaranteesprovidedbytheshell

ASecurityMetricDefinition

mainmemory

value#1

src_tag

value#2

value#3

ASecurityMetricDefinition

mainmemory

value#1[overwritten]

src_tag[overwritten]

value#1

DIFTShe

val tagval val

output

ASecurityMetric

mainmemory

src_tag[overwritten]

DIFTShe

val tagval val

value#1

DIFT_exception!

InformationLeakage• Quantitativemetricforsecurity

Definition

output

ASecurityMetric

• InformationLeakage:amountofdatathatcanbeproducedasoutputbyanacceleratorbeforeitsshellrealizesthattheinputhasbeencorrupted

I/Oratio:thenumberofloadburstsnecessarytoproduceastoreburst

Analysis

1. Tagoffset: tagoffset leakage

2. Algorithm: I/Oratio leakage

ASecurityMetric

• InformationLeakage:amountofdatathatcanbeproducedasoutputbyanacceleratorbeforeitsshellrealizesthattheinputhasbeencorrupted

1. Tagoffset: tagoffset leakage

2. Algorithm: I/Oratio leakage

3. Implementation: burstlen. leakage

4. Workload: work. size leakage

Analysis

ExperimentalResults

ExperimentalSetup(1/2)

• Wedesignedthreelooselycoupledaccelerators:• GRAY:convertsaRGBimageintoagrayscaleimage• MEAN:calculatesthemeanofa2Dmatrix(columns)• MULTS:mutipliesa2Dmatrixbyitstranspose

ExperimentalResults

loadburst

storeburst

ExperimentalResults

• WeusedCadenceStratusHLS forhigh-levelsynthesisandXilinxVivadoforlogicsynthesisà Virtex-7FPGA

• WedesignedtheacceleratorsandtheshellinSystemC

ExperimentalResults

Weexploreddifferentalternativesbyvarying:• accelerator• tagoffset• burstsize• workload

[P.Mantovanietal.,ACM/IEEEDAC’16]

EmbeddedScalablePlatforms

[L.P.Carloni,ACM/IEEEDAC’16]

ProcessorCore (Leon3)

+Shell

MemoryController

I/Ochannelsandperipher.

Network-on-Chip

- 128x128- small- 512x512- medium- 2048x2048- large

ExperimentalResults

14/16ACM/IEEECODES+ISSS2018,Turin,Italy

QuantitativeSecurityAnalysis- MEAN

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

medium

215216

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

ExperimentalResults

maxinformationleakage=>thehighesttagoffset

mininformationleakage=>thelowesttagoffset

medium

ExperimentalResults

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

medium

ExperimentalResults

QuantitativeSecurityAnalysis- GRAY

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

26 27 28 29 210 211 212 213

burst size (bytes)

medium

ExperimentalResults

QuantitativeSecurityAnalysis- GRAY

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

medium

ExperimentalResults

QuantitativeSecurityAnalysis- MULTS

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

medium

26 27 28 29 210 211 212 213

burst size (bytes)

26 27 28 29 210 211 212 213

rmatio

burst size (bytes)

26 27 28 29 210 211 212 213

burst size (bytes)

ExperimentalResults

QuantitativeSecurityAnalysis- MULTS

medium

ExperimentalResults

PerformanceAnalysis- GRAY

26 27 28 29 210 211 212 213

gray - large

burst size (bytes)

26 27 28 29 210 211 212 213

gray - medium

tion tim

burst size (bytes)

26 27 28 29 210 211 212 213

gray - small

tion tim

burst size (bytes)

no tags

medium

ExperimentalResults

26 27 28 29 210 211 212 213

gray - large

burst size (bytes)

26 27 28 29 210 211 212 213

gray - medium

tion tim

burst size (bytes)

26 27 28 29 210 211 212 213

gray - small

tion tim

burst size (bytes)

no tagsPerformanceAnalysis- GRAYmedium

ExperimentalResults

26 27 28 29 210 211 212 213

gray - large

burst size (bytes)

26 27 28 29 210 211 212 213

gray - medium

tion tim

burst size (bytes)

26 27 28 29 210 211 212 213

gray - small

tion tim

burst size (bytes)

ExperimentalResults

26 27 28 29 210 211 212 213

gray - large

burst size (bytes)

26 27 28 29 210 211 212 213

gray - small

tion tim

burst size (bytes)

26 27 28 29 210 211 212 213

gray - medium

tion tim

burst size (bytes)

• WeproposePAGURUS,aflexiblemethodologytodesignashellthatextendsDIFTtoaccelerators

1. Theshelldesignisindependentfromtheacceleratordesignandviceversa

2. Theshellhasnegligiblecostoverheadandreasonableperformanceoverhead

• Wedefinethemetric ofinformationleakageforacceleratorstoquantitativelymeasuresecurity

Conclusions

Speaker:LucaPiccolboniColumbiaUniversity,NY

Questions?

PAGURUS:Low-OverheadDynamicInformationFlowTrackingonLooselyCoupleAccelerators

PAGURUS: Low-Overhead Dynamic Information Flow Tracking...

Documents

Ram Matriz Ram

PULPino: Datasheet - PULP platformPULPino: Datasheet Imperio: TheﬁrstPULPinoASIC Andreas Traber, Michael Gautschi {atraber,gautschi}@iis.ee.ethz.ch June9,2017

2016emprendimientos.files.wordpress.comI RAM Mar del Plata I RAM Mediterráneo I RAM NOA I RAM China I RAM Ecuador I RAM IRAM Nuevo Cuyo I RAM Patagonia Posadas I RAM Puerto Madryn

PULPino: A small single-core RISC-V SoC€¦ · PULPino: A small single-core RISC-V SoC | 06.01.2016 | ETH Zurich, Integrated Systems Lab (IIS) University of Bologna, Micrel Lab Around

delhi.gov.indelhi.gov.in/DoIT/DOIT/DOIT_UDD/Pdf/LOP-59-1639.pdf · DADU RAM ROCHA RAM DADOO RAM SODA RAM ... RAM DAYAL SADHU RAM PYARE LAL HE-MU RAM ... Sant Ram Bilori Ganu Ram Ramsaroop

Automatically generated PDF from existing · PDF fileKaram Chand Geeta Ram Ganga Ram Puran Dass Matwar Singh Paras Ram Devi Singh Ram Loc Bhokka Ram Surat Ram ijay Kumar Shubham Chand

Ram Concep Ram Concept.pdft

PULPino: A small single-core RISC-V SoC - iis-projectsiis-projects.ee.ethz.ch/images/d/d0/Pulpino_poster_riscv2015.pdf · PULPino: A small single-core RISC-V SoC Andreas Traber, Florian

Memoria Ram RAM OK

COSMOS: Coordination of High-Level Synthesis and …piccolboni/papers/piccolboni_tecs17.pdf · 150 COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware

CV: Ram Mudambi, March 2021 RAM MUDAMBI

PAGURUS: Low-Overhead Dynamic Information Flow ......PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca Piccolboni, Giuseppe Di Guglielmo

Matrix (RAM) - Metrolibraryarchives.metro.net/DB_Attachments/151210_RAM.pdf · A. RAM – Risk Allocation Matrix RAM Goals & Overview RAM Process RAM Statistics Assigning Risk Levels

StarWind RAM Disk: Using as RAM Disk Emulator · Title: StarWind RAM Disk: Using as RAM Disk Emulator Created Date: 20100506121006Z

it.delhigovt.nic.init.delhigovt.nic.in/writereaddata/odr20122699.pdf · Devki Nandan Ram Parsad Ram Murti Ram Swaroop Subeydar Ram Tirkha Ram Dharm Pal ... Jug Nandan Kalam Singh

rajrmsa.nic.inrajrmsa.nic.in/Public/Circular/22-06-2017-203437~Circular.pdfbhawani shankar bhoma ram saini atma ram ram chandra ... shri ram budiya banna ram mogji patidar 14-

Ram Ram Ram Ram Ram Ram Ram Ram Ram - Neem … happy in my to o My f to rally, but it I d I ... Laying a New Foundation For the Taos Neem Karoli Baba ... Each oç these be oved guru

Ram 1500 Brochure - Ram Trucks

Ram Ram Handicraft West Bengal India

energy.rajasthan.gov.inenergy.rajasthan.gov.in/content/dam/raj/energy/corporate...Sh.Prahlad Ram Slo Sh.Tulsi Ram Sh.Vaja Ram Slo Sh.Ada Ram Sh.Lachha Ram S/o Sh.Roo a Ji Sh.Babu Lai