PHMon: A Programmable Hardware Monitor and Its …...PHMon: A Programmable Hardware Monitor and Its Security Use Cases Leila Delshadtehrani, Sadullah Canakci, Boyou Zhou, Schuyler

PHMon: A Programmable Hardware Monitorand Its Security Use Cases

Leila Delshadtehrani, Sadullah Canakci, Boyou Zhou,Schuyler Eldridge, Ajay Joshi, and Manuel Egele

[email protected]

Boston University

August 12, 2020

IntroductionPHMon

Conclusion

MotivationOverview

Motivation

Current Trend

Growing demand to enforcesecurity policies in hardware

Intel SGX

Intel TXT

Intel MPXARM

TrustZone

AMD SVM

Intel CET

ARM PA

...

1994

SafeC

2008

Hardbound2009

Softbound

2013

MPXAnnounced

2015

MPXAvailable

2018-2019

MPXDisabled

[AUSTIN, PLDI’94] [DEVIETTI, ASPLOS’08] [NAGARAKATTE, PLDI’09]

What ifwe could have a flexible hardwareimplementation that could enhanceand enforce a variety of securitypolicies as security threats evolve?!

Boston University August 12, 2020 2/10

IntroductionPHMon

Conclusion

MotivationOverview

Motivation

Current Trend


Intel SGX

Intel TXT

Intel MPXARM

TrustZone

AMD SVM

Intel CET

ARM PA

...

1994

SafeC

2008

Hardbound2009

Softbound

2013

MPXAnnounced

2015

MPXAvailable

2018-2019

MPXDisabled




IntroductionPHMon

Conclusion

MotivationOverview

Motivation

Current Trend


Intel SGX

Intel TXT

Intel MPXARM

TrustZone

AMD SVM

Intel CET

ARM PA

...

1994

SafeC

2008

Hardbound2009

Softbound

2013

MPXAnnounced

2015

MPXAvailable

2018-2019

MPXDisabled




IntroductionPHMon

Conclusion

MotivationOverview

Our Proposal - PHMon

PHMon

A hardware monitor and the full

software stack around it

A programmable hardware monitorinterfaced with a RISC-V Rocketprocessor on an FPGAOS supportSoftware APISecurity use cases

How Does It Work?

A user/admin configures the hardwaremonitor

The hardware monitor collects the

runtime execution informationChecks for the specified events, e.g., detectsbranch instructionsPerforms follow-up actions, e.g., an ALUoperation

Hardware

APIApplication

Full SW Stack

OS

N

User/AdminEvent/Action SpecificationUsing PHMon API

ProgramPHMon

PHMonMonitor theexecution

Is processTerminated?

Is PHMonDisabled?

PHMonStop

Monitoring

Take Actions

Monitor Events

Y YN


IntroductionPHMon

Conclusion

HardwareSoftwareImplementationUse Cases

Hardware Overview

HW Functionality

Collect the instructiontrace

Find matches withprogrammed events

Take follow-up actions

RISC-V RocketMicroprocessor

PipelinedProcessor Core

L1Data Cache

PC_GEN

/Fetch

Dec

Exe

Mem

WB

TU

PHMon

PHMon

ALULocal

RegisterFile

Control Unit (CU)

Matc

h Qu

eue

MU_d

ata

MU_a

ddr

MU_i

d...

Match Packet

conf_ptr

Config Unit-0 (CFU-0)

...Type2b

In13b

In23b

Fn4b

Out3b

Data64b

Action Config Table

conf_ctr

Action Unit (AU)

Commit Log- inst- pc_src- pc_dst- addr- data

Cmd/Resp

InterruptMemory

Match Unit-0 (MU-0)

Predicate:- inst = *8067- pc_src = *- pc_dst = *- addr = *- data = *

Counter Threshold

=?

Comparator

Commit Log

Memory Request

Command

Response

Interrupt

Memory Response

RoCC Interface


IntroductionPHMon

Conclusion


Software Overview

Software Interface

A list of functions that use RISC-V’s

standard ISA extension

Configure PHMonCommunicate with PHMon

Reset MU-0 and configure the match pattern

phmon_reset_val(0);phmon_pattern(0, &mask_inst0)

Compare pc_dst and pc_src, and trigger an interrupt

action_mu0.op_type = e_OP_ALU; //ALU operationaction_mu0.in1 = e_IN_DATA_RESP; //MU_respaction_mu0.in2 = e_IN_LOC3; //Local3action_mu0.fn = e_ALU_SEQ; //Set Equalaction_mu0.out = e_OUT_INTR; //Interrupt regphmon_action_config(0, &action_mu0);

OS Support

Per process OS support

Maintain PHMoninformation duringcontext switches

Interrupt handling OS

support

Delegate interrupt toOSTerminate theviolating process


IntroductionPHMon

Conclusion


Implementation and Evaluation Framework

Implementation

PHMon as a RoCC, written in Chisel HDL

Interfaced with the in-order RISC-V Rocket core

Linux kernel v4.15

RISC-V gnu toolchain for cross-compilation

Evaluation

Prototyped on Xilinx Zynq Zedboard

Rocket core + PHMon

Open-sourced at https://github.com/bu-icsg/PHMon


IntroductionPHMon

Conclusion


Use Cases

Shadow Stack

Preventing InformationLeakage

Shadow Stack

Hardware AcceleratedFuzzing

Watchpoints andAccelerated Debugger

https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,https://hackernoon.com/professional-debugging-in-rails-1yr2bnz

Shadow StackHardware Accelerated

Fuzzing

https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,


IntroductionPHMon

Conclusion


Use Cases

Shadow Stack


Shadow Stack



https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,https://hackernoon.com/professional-debugging-in-rails-1yr2bnz

Shadow StackHardware Accelerated

Fuzzing

https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,


IntroductionPHMon

Conclusion


Use Cases: Shadow Stack

PHMon-based Shadow Stack

Simple and flexible

Two MUs

Shared memory space

Allocated by OS as auser-space memory

Secure

Efficient

For SPECint2000,SPECint2006, and MiBenchbenchmarks, on average,0.9% performance overhead

Return Address

ArgumentRegistersSaved

RegistersLocal

Variables

...

Main Stack

Return Address

...

Shadow Stack

Return Address

Return Address

bzip2

libquantumgobmk

hmmerastar

h264ref

xalancbmk gccGeoMean

0.00.51.01.52.02.53.03.5

Perfo

rman

ce O

verh

ead

(%)

0.30.5

1.1 1.1 1.2

2.6 2.7

3.4

1.2

SPECint2006


IntroductionPHMon

Conclusion


Use Cases: Hardware Accelerated Fuzzing

American Fuzzy Lop (AFL)[Zalewski, 2013]

A state-of-the-art fuzzer

Two main units

The fuzzing logic

The instrumentation suiteCompiler-basedQEMU-based

https://rabbitbreeders.us/american-fuzzy-lop-rabbits/

Parent Process (AFL)

Program ExecutionOn RISC-V Processor

Fork+Execv(1)

Processterminates

(4)

Monitoring (2)/Updating the

branch coverage (3)

Reading thebranch coverage (5)

Shared Memory Region

Memory

QEMU Child Process

(The Fuzzed Program)

QEMU-based AFL


Memory

PHMon-based AFL


IntroductionPHMon

Conclusion





Two main units

The fuzzing logic





Fork+Execv(1)

Processterminates

(4)


branch coverage (3)



Memory

QEMU Child Process


QEMU-based AFL


Memory

PHMon-based AFL


IntroductionPHMon

Conclusion





Two main units

The fuzzing logic



sleu

thki

t

zstd

unac

e

inde

nt

nasm

pcre

Geo

Mea

n

Benchmarks

0

5

10

15

20

25

Perf

orm

ance

impr

ovem

ent (

X)

11.313.7

16.417.8 18.9

20.6

16.1

3.7

7.6

4.26.1 5.2 6.3 5.4

1.0 1.0 1.0 1.0 1.0 1.0 1.0

Baseline AFLPHMon

Fork Server

PHMon improves AFL’s performanceby 16× over the baseline

Power overhead: 5%

Area overhead: 13.5%



Fork+Execv(1)

Processterminates

(4)


branch coverage (3)



Memory

QEMU Child Process


QEMU-based AFL


Memory

PHMon-based AFL


IntroductionPHMon

Conclusion

Conclusion

Ref: https://www.linux-apps.com/p/1082429/

A hardware monitor with full software stack

Shadow Stack


Shadow Stack



Versatile and easily adopted

FPGA prototype

ARTIFACTEVALUATED

PASSED

https://www.usenix.org/system/files/sec20spring_delshadtehrani_prepub.pdf

https://github.com/bu-icsg/PHMon

? Thanks! You can reach me [email protected] for follow-up questions.

More information


Documents

PHMon: A Programmable Hardware Monitor and Its …...PHMon: A Programmable Hardware Monitor and Its Security Use Cases Leila Delshadtehrani, Sadullah Canakci, Boyou Zhou, Schuyler