128-Bit Addressing in RISC-V and Security
Presentation
• Background / Foundational Notions – From the 1970's to today
• Exascale Issues
• Proposal (Strawman)
• Protection structures for current address spaces
• References
2016_NOV_RISCV_WORKSHOP (slide 2)
Background
• Since the late 70's, mainstream processors have increased the size of the virtual space by simply adding more bits
– DEC PDP/11 & VAX: 16 → 32
– Data General Eclipse/MV: 16 → 32
– SPARC & HP RISC: 32 → 64
– Intel x86: 16 → 32 → 64 (48 used)
– Itanium: 64
– IBM Power: 32 → 64
– ARM: 32 → 64
• Memory management and protection are intermingled
Background
• Others (pioneers) did not simply add more bits
– IBM – FS (Ref: [13]) – 1976
• Tagged 16 byte pointers (Capabilities)
• System/38 is the diminutive of FS
– Data General – FHP (Ref: [3, 4, 17]) – 1980
• Ref: http://people.cs.clemson.edu/~mark/ip.html
– true object orientation with one-level addressing across a network (128 bit pointers!)
– Intel 432 iMAX OS – (Ref: [16]) – 1980
• 24 bit passive address
• 80 bit UID (16 bit checksum)
WhatHappened
• Multics at MIT
– UNIX is the diminutive of Multics
• Project Genie at UC Berkeley
• Influenced Industry
– Graduates
– A new era of computing
– Technology was not ready
ARCHITECTURE OBJECTIVES
• Programming generality is the ability to move a program between computer installations; the ability to maintain a program within changing hardware; the ability to use a program in the construction of another – without altering the program description in any way.
[9] Dennis, J., "PROGRAMMING GENERALITY, PARALLELISM and COMPUTER ARCHITECTURE", MAC-M-409, MEMO NO. 32, MIT.
Going Forward
• Time to define a 128 bit space without the need for 128 bit address arithmetic
– What is "i" in A[i]?
– A Virtual Address greater than 64 bits
• Time to correct and incorporate appropriate security and access mechanisms
– Network Wide Security Model
• Now each node has its own security model (client/server/network/server)
– Access to the web is assumed and required
• Private Cloud
RISC-V ISA SPEC (page 105 – v2.1)
"There is only one mistake that can be made in computer design that is difficult to recover from—not having enough address bits for memory addressing and memory management." Bell and Strecker, ISCA-3, 1976.
(v2.1, page 105)
Security & Facts
• Computer Virtual Addresses (VA) span to local disk only
– Disk Access is now Global (In practice)
– Remember a VA references DISK explicitly, NOT main memory (CS101)
• Network Addressing (IPv4 & IPv6 span the entire network)
– IPv6 created a 128 bit network address space. Unique names
• MAC and URL addresses are unique
• EMAIL addresses are unique
• Phone numbers are global; country code, city code, local code
• Two different (web and local) address structures
– Two different protection and addressing systems
– Two different authentication systems
• Software needed to bridge these two domains (too much software)
• What if one unified name structure could be developed?
Protection Objectives
• The original motivation for putting protection mechanisms into computer systems was to keep one user's (program) malice or error from harming other users (program). Harm can be inflicted in several ways:
– a) By destroying or modifying another user's (program) data.
– b) By reading or copying another user's (program) data without permission.
– c) By degrading the service another user (program) gets, for example, using up all the disk space or getting more than a fair share of the processing time
[1] Lampson, Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971
Some Foundational Basis
• One should recognize that concentration on protection and authentication mechanisms provides a narrow view of information security, and that a narrow view is dangerous. The objective of a secure system is to prevent all unauthorized use of information, a negative kind of requirement.
• Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system
• Validity/Authenticity is a REQUIREMENT (Ref D. Clark, personal communications)
[2] Schroeder & Saltzer, "The protection of information in computer systems", PROCEEDINGS OF THE IEEE, VOL. 63, NO. 9, SEPTEMBER 1975
Previous Efforts
• Another solution is to address each segment with a unique integer which is assigned at the time the segment is created, never changed, and not reused even after the segment has disappeared from the system. Call this the unique integer solution. ([3, 4, 5] & [13] Radin's H – Handle)
[3] US Patent 4,525,780, "DATA PROCESSING SYSTEM HAVING A MEMORY USING OBJECT-BASED INFORMATION AND A PROTECTION SCHEME…", 1985
[4] US Patent 4,821,184, "UNIVERSAL ADDRESSING SYSTEM FOR A DIGITAL DATA PROCESSING SYSTEM", 1989
[5] Fabry, "Capability-Based Addressing", CACM, July 1974
[13] Radin, Schneider, "An Architecture for an Extended Machine With Protected Addressing", TR 00.2757, IBM, May 21, 1976
OPAL
• Single Address Space for all applications
• Persistent Pointers
• "A full 64-bit address space will last for 500 years if allocated at the rate of one gigabyte per second. We believe that 64 bits is enough "for all time" on a single computer, enough for a long time on a small network, and not enough for very long at all on the global network."
[14] J. Chase, H. Levy, et al., "Sharing and protection in a single address space operating system", ACM Transactions on Computer Systems (TOCS) – Special issue on computer architecture, Volume 12 Issue 4, Nov. 1994, Pages 271-307
Strawman – RV128I
• 128 Bits
• Object ID – Unique Identifier
– a software (or hardware) structure that is considered to be worthy of a distinct name.
• Indexing is 64 bits – A[i]
– Program Counter
– Stack Pointer (CI format – Loads and Stores)
• ISA independent
– Like routing IP packets (Vendor Independent)
• Persistent across time and space
• Protection and memory management are independent

OBJECT ID (64 bits) | Byte Offset (64 bits)
Why?
• We need better security
• We need computer virtual addressing to reflect the contemporary uses
– Network Wide
• We do NOT want 128 bit flat addressing
• We need pointer interoperability between computer systems (maybe)
• We need a simplified sharing mechanism
• We need authentication, revocation and protection against malware/viruses
What is an Object?
• An Object is a unique 64 bit number.
• An Object can specify
– Location and protection mechanisms
– Language Specific / Architecture attributes
• E.G., PGAS NODE
• Data Encrypted
• Blockchain
• The creation of an Object is via a central name server.
– Just like: IPv6, MAC addresses, ICANN
• Central NAME server Involvement
– Just like a DNS server
– Just like Apple's iCloud
– Only manages Objects, NOT DATA/APPLICATIONS
• Should an Object be an IPv6 address?
– Use bit 63 of offset to select; IPv6 or Object UID?
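As an added illustration (not code from the deck, and not RV128I's actual encoding), the strawman split of a 128-bit address into a 64-bit Object ID and a 64-bit byte offset, with the selector bit 63 from the "What is an Object?" slide, modelled in C. The slides do not say how an IPv6 address would fit in the 64-bit upper half, so this example assumes a /64 prefix is carried there when the selector is set. The A[i] indexing shows the "no 128-bit address arithmetic" point: only the offset half takes part in the add, and an index that would carry into the selector bit is refused instead of silently landing in another object.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the RV128I strawman address (not RV128I's actual encoding):
 * upper 64 bits name the object, lower 64 bits are the byte offset.  Bit 63
 * of the offset half is the selector the slide proposes; the assumption made
 * here is that a set bit means "upper half is an IPv6 /64 prefix". */
#define KIND_BIT    (1ULL << 63)       /* selector: 0 = Object UID, 1 = IPv6 prefix */
#define OFFSET_MASK (KIND_BIT - 1)     /* the 63 bits left for the byte offset */

enum addr_kind { KIND_OBJECT_UID = 0, KIND_IPV6 = 1 };

typedef struct {
    uint64_t name;    /* Object UID or (assumed) IPv6 /64 prefix */
    uint64_t offset;  /* selector bit + 63-bit byte offset */
} rv128_addr;

/* Build an address; refuses an offset that would clobber the selector bit. */
bool rv128_make(rv128_addr *a, uint64_t name, uint64_t offset, enum addr_kind kind)
{
    if (offset & KIND_BIT)
        return false;
    a->name   = name;
    a->offset = offset | (kind == KIND_IPV6 ? KIND_BIT : 0);
    return true;
}

enum addr_kind rv128_kind(const rv128_addr *a)
{
    return (a->offset & KIND_BIT) ? KIND_IPV6 : KIND_OBJECT_UID;
}

uint64_t rv128_offset(const rv128_addr *a) { return a->offset & OFFSET_MASK; }

/* A[i]: only the 64-bit offset half takes part in the arithmetic; the object
 * name is copied through untouched.  Instead of wrapping into the selector
 * bit (and from there into another object), an out-of-range index fails. */
bool rv128_index(rv128_addr *out, const rv128_addr *base, uint64_t i, uint64_t elem_size)
{
    uint64_t off = rv128_offset(base);
    if (elem_size != 0 && i > UINT64_MAX / elem_size)
        return false;                        /* i * elem_size overflows 64 bits */
    uint64_t scaled = i * elem_size;
    if (scaled > OFFSET_MASK - off)
        return false;                        /* would carry into the selector bit */
    out->name   = base->name;
    out->offset = (base->offset & KIND_BIT) | (off + scaled);
    return true;
}

/* Wire form: 16 big-endian bytes, name first, the way a packet header would carry it. */
void rv128_pack(const rv128_addr *a, uint8_t out[16])
{
    for (int b = 0; b < 8; b++) {
        out[b]     = (uint8_t)(a->name   >> (56 - 8 * b));
        out[8 + b] = (uint8_t)(a->offset >> (56 - 8 * b));
    }
}

void rv128_unpack(rv128_addr *a, const uint8_t in[16])
{
    a->name = 0;
    a->offset = 0;
    for (int b = 0; b < 8; b++) {
        a->name   = (a->name   << 8) | in[b];
        a->offset = (a->offset << 8) | in[8 + b];
    }
}

/* Exercise the model with constructed values; true if every property holds. */
bool rv128_selfcheck(void)
{
    rv128_addr a, e, r;
    uint8_t wire[16];
    if (!rv128_make(&a, 0x0123456789abcdefULL, 0x1000, KIND_OBJECT_UID)) return false;
    if (!rv128_index(&e, &a, 5, 8) || rv128_offset(&e) != 0x1028)        return false; /* A[5], 8-byte elements */
    if (e.name != a.name || rv128_kind(&e) != KIND_OBJECT_UID)             return false;
    rv128_pack(&e, wire);
    rv128_unpack(&r, wire);
    if (r.name != e.name || r.offset != e.offset)                          return false;
    if (rv128_make(&a, 1, KIND_BIT, KIND_OBJECT_UID))                      return false; /* offset collides with selector */
    if (!rv128_make(&a, 0x20010db800000000ULL, OFFSET_MASK, KIND_IPV6))    return false; /* constructed /64 prefix */
    if (rv128_kind(&a) != KIND_IPV6 || rv128_index(&e, &a, 1, 1))          return false; /* A[1] would carry out of the offset */
    return true;
}

int main(void)
{
    printf("rv128 strawman model: %s\n", rv128_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The refusal in rv128_index is the property worth noticing: with a flat 128-bit pointer an overflowing offset would simply increment the Object ID, whereas here the object name is never touched by indexing.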
Access Control / Domains
• Defines a sphere of protection and use
• Non-Hierarchical
• Permission bits define what is permitted
– LOCAL (Rd, Wr, Ex)
– Global Network (Rd, Wr, Ex)
– Extended privileged
– Classical Privileged
– System Calls
• Explicit
• Mediated
– Shadow Stack
• Domain Crossing and Return
– Protected Stack (HW maintained)
– Gate Entry
– Mediated Number of Gates
– Stack Switching
Authentication
• The address space is unique over time and space. Any computer supporting this address space is addressable by the name server.
• Accessing an object for the first time requires
– Permission to access (i.e., download A.OUT or .EXE file, entry within an ACL)
– Access privileges for the object
• Local and Network read/write/execute
• Access only thru a protected sub-object
• Execution Domain
• Domain of execution
– Level of user (e.g., gold, platinum, executive platinum)
– Admin (Level 1, 2, or n)
• In essence we have a global access control list
– We have that today, but don't realize it
– It is distributed (e.g., ADOBE maintains its 2D slice of the matrix)
– Each Vendor has their own access control list
Example using An Application
• Can Execute in My Domain
– Can read and write my file system
• Can execute in different domain
– Determine level of trust
– Can read my data, but not write
– Can't send data back to ADOBE (network permissions)
• Adobe FLASH – NO ACCESS

Steve Wallach – OBJECT    Adobe PDF Reader – OBJECT
Memory Management
• Each object can have its OWN memory management structure
– Page Tables
– Hashed Indices
– PGAS like
• There are NO ACCESS bits associated with the management of storage (e.g., read, write, execute, etc.)
– Management is separate from protection
• Each object can choose to have an object size for constrained access checking (bounds check).
64 BIT LINUX Machine State Model (diagram)
• Process Specific (task_struct) – Unique for each process – Hashed Proc_ID
• Proc_ID (pid_t)
• Kernel Maintained: Page frame Cache, Disk Cache, Directory Cache, Lower level of Network Stack
• System Wide Resources
• File Object
• Process Address Space Object
• Process Communications
64 BIT LINUX – Memory Management (diagram)
• LINUX NAMESPACE: Proc_ID (32 BITS) | VIRTUAL ADDRESS (VA) (64 BITS)
• TLB ASSOCIATES ON A 96 BIT NAMESPACE (implementation dependent)
• Page Table Base → Process Object Address Space → BASE → Page Table per Proc_ID, indexed by Hash F(VA)
• Page Base CAT Page Offset → Physical Byte Address
128-BIT VIRTUAL ADDRESSING – Memory Management (diagram)
• OBJECT ID (64) | BYTE OFFSET (64)
• HASH BASE CAT F(ID) → Address Space Object
• Address Space Object: Control, Local Page Table, PGAS, Local Node, Object Length, Lookup (hash/trees), Communications
• PAGE BASE CAT Page Offset → Physical Byte Address
• TLB ASSOCIATES ON A 128 BIT NAMESPACE (implementation dependent)
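The Memory Management slide and the two diagrams above make one structural point: in the 64-bit Linux case translation is keyed on a 96-bit (Proc_ID, VA) pair, in the 128-bit case on (Object ID, byte offset), and in the proposal each object brings its own mapping structure and an optional length, while no read/write/execute bits live anywhere in the management structures. The C below is an added model of that 128-bit path (not code from the deck or from any RISC-V implementation): a hash F(ID) selects the Address Space Object, the object's own hashed page table maps a page, the object length is checked before the walk, and the translation carries no permissions. Page size, table sizes, the hash functions and the object ID are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the 128-bit memory-management slide (not the deck's or any
 * RISC-V implementation): translation is keyed on (Object ID, byte offset) with
 * a per-object Address Space Object that holds its own mapping structure and an
 * optional object length for bounds checking.  Note what is absent: no R/W/X
 * bits anywhere; protection lives in the ACL, not here.  Sizes and hashes are
 * constructed for the example. */
#define PAGE_SHIFT 12
#define PAGE_MASK  ((1ULL << PAGE_SHIFT) - 1)
#define ASO_SLOTS  8        /* address-space objects reachable from the hash base */
#define PTE_SLOTS  16       /* hashed page-table entries per object */

typedef struct {
    bool     valid;
    uint64_t page;           /* offset >> PAGE_SHIFT within the object */
    uint64_t frame;          /* physical page base */
} pte;

typedef struct {
    bool     valid;
    uint64_t object_id;
    uint64_t object_length;  /* bytes; 0 = this object opted out of bounds checking */
    pte      table[PTE_SLOTS]; /* the object's OWN management structure (hashed indices) */
} address_space_object;

typedef struct { address_space_object slot[ASO_SLOTS]; } hash_base;

enum xlate_status { XLATE_OK, XLATE_NO_OBJECT, XLATE_OUT_OF_BOUNDS, XLATE_PAGE_FAULT };

/* F(ID): selects the Address Space Object ("HASH BASE CAT F(ID)" on the slide). */
static size_t f_id(uint64_t object_id) { return (size_t)((object_id ^ (object_id >> 17)) % ASO_SLOTS); }
static size_t f_page(uint64_t page)    { return (size_t)(page % PTE_SLOTS); }

/* Install an object (if new) and one page mapping; linear probing, no deletion. */
bool map_page(hash_base *hb, uint64_t object_id, uint64_t object_length, uint64_t page, uint64_t frame)
{
    address_space_object *aso = NULL;
    for (size_t n = 0; n < ASO_SLOTS && !aso; n++) {
        address_space_object *c = &hb->slot[(f_id(object_id) + n) % ASO_SLOTS];
        if (!c->valid) { c->valid = true; c->object_id = object_id; c->object_length = object_length; aso = c; }
        else if (c->object_id == object_id) aso = c;
    }
    if (!aso) return false;
    for (size_t n = 0; n < PTE_SLOTS; n++) {
        pte *e = &aso->table[(f_page(page) + n) % PTE_SLOTS];
        if (!e->valid || e->page == page) { e->valid = true; e->page = page; e->frame = frame; return true; }
    }
    return false;
}

/* (Object ID, offset) -> physical byte address.  The object's own length is
 * checked before the walk; the walk itself knows nothing about permissions. */
enum xlate_status translate(const hash_base *hb, uint64_t object_id, uint64_t offset, uint64_t *phys)
{
    const address_space_object *aso = NULL;
    for (size_t n = 0; n < ASO_SLOTS; n++) {
        const address_space_object *c = &hb->slot[(f_id(object_id) + n) % ASO_SLOTS];
        if (!c->valid) break;
        if (c->object_id == object_id) { aso = c; break; }
    }
    if (!aso) return XLATE_NO_OBJECT;
    if (aso->object_length != 0 && offset >= aso->object_length) return XLATE_OUT_OF_BOUNDS;
    uint64_t page = offset >> PAGE_SHIFT;
    for (size_t n = 0; n < PTE_SLOTS; n++) {
        const pte *e = &aso->table[(f_page(page) + n) % PTE_SLOTS];
        if (!e->valid) break;
        if (e->page == page) { *phys = e->frame | (offset & PAGE_MASK); return XLATE_OK; }  /* PAGE BASE CAT offset */
    }
    return XLATE_PAGE_FAULT;
}

/* Constructed scenario: one 8 KiB object with only its first page mapped. */
#define DEMO_OBJECT 0x1122334455667788ULL
static enum xlate_status demo_translate(uint64_t object_id, uint64_t offset, uint64_t *phys)
{
    hash_base hb;
    memset(&hb, 0, sizeof hb);
    map_page(&hb, DEMO_OBJECT, 2 * 4096, 0, 0x40000000ULL);   /* page 0 -> frame 0x40000000 */
    return translate(&hb, object_id, offset, phys);
}
enum xlate_status demo_status(uint64_t object_id, uint64_t offset) { uint64_t p; return demo_translate(object_id, offset, &p); }
uint64_t demo_phys(uint64_t object_id, uint64_t offset) { uint64_t p = 0; return demo_translate(object_id, offset, &p) == XLATE_OK ? p : 0; }

int main(void)
{
    printf("offset 0x123 -> status %d phys 0x%llx\n", demo_status(DEMO_OBJECT, 0x123),
           (unsigned long long)demo_phys(DEMO_OBJECT, 0x123));
    return 0;
}
```

The 64-bit Linux diagram differs only in the key: replace (object_id, offset) with (Proc_ID, VA) and the same walk applies, which is why the slides describe the TLB as associating on a 96-bit namespace there and a 128-bit one here.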
Exascale Issues
• Subject to cost and power, critical apps desire
– One byte per peak flop (DOE ASC)
– As much as you can
• 2^64 bit words desirable (global access)
• Memcached Configurations [7]
– Fronting LARGE Disk Farms
• Big Data and Compute.
• BTW: An ExaByte requires 60 bits of address
Exascale Programming Model
The machine that is simplest to program WINS. User cycles are more Important than cpu cycles
128-BIT VIRTUAL ADDRESSING – Protection / Data Reference (diagram)
• OBJECT ID (64) | BYTE OFFSET (64)
• Current Domain
• Principal
• Protection Attributes – Read/Write/Execute – System Calls – External References – Protected Sub-Objects
• Access Control Lists – FUNCT – Cache Last # of Entries
• Validate Reference before Data Reference
Protection – ACL (matrix) – uses OBJECT names – maintained by Name Server
• Source Name | Object (Principal)  ×  Target Name | Object
• Entry: Permissions, PSO Pointer, Object Length
• Note: Domain and Process Are NOT unique
ACL (Access Control List) – ENTRY
• PERMISSIONS (Local and Global)
• OBJECT LENGTH – BYTES
• PROTECTED SUB-OBJECT (PSO) POINTER (64 bits)
• Principal UID is appended to the PSO pointer, essentially which virtual machine to use
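The Access Control / Domains slide gives the permission bits, the Memory Management slide the optional bounds check, the Protection / Data Reference slide the rule "validate reference before data reference", and the two ACL slides the entry fields (permissions local and global, object length in bytes, PSO pointer). The C below is an added model that ties those together (it is not code from the deck and the field layout, bit assignments and names are this example's assumptions): a reference monitor that looks up the (principal, target) entry, checks the local or global permission bit, checks offset + length against the object length without 64-bit wraparound, and routes system calls to the sandbox when the entry has no SYSCALL bit. The constructed ACL follows the "Example using An Application" slide: the PDF reader may read the user's data locally but not write it or reach it over the network, and Flash has no entry at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model (not the deck's design) of one ACL entry and the "validate
 * reference before data reference" step.  The slides list the fields:
 * permissions (local and global), object length in bytes, and a Protected
 * Sub-Object (PSO) pointer.  Bit assignments and names are constructed here. */
enum perm {
    PERM_LOCAL_RD = 1u << 0, PERM_LOCAL_WR = 1u << 1, PERM_LOCAL_EX = 1u << 2,
    PERM_NET_RD   = 1u << 3, PERM_NET_WR   = 1u << 4, PERM_NET_EX   = 1u << 5,
    PERM_SYSCALL  = 1u << 6    /* trusted app: system calls need no PSO mediation */
};

typedef struct {
    uint64_t principal;        /* source name: the object/domain making the reference */
    uint64_t target;           /* target name: the object being referenced */
    uint32_t permissions;
    uint64_t object_length;    /* bytes; references past this are rejected */
    uint64_t pso_pointer;      /* sandbox (virtual machine) that mediates, 0 = none */
} acl_entry;

enum access_type { ACC_READ, ACC_WRITE, ACC_EXEC, ACC_SYSCALL };

typedef struct {
    uint64_t principal, target, offset, length;
    enum access_type type;
    bool remote;               /* reference arrives over the network -> Global bits apply */
} reference;

enum verdict { ALLOW, DENY_NO_ENTRY, DENY_PERMISSION, DENY_BOUNDS, MEDIATE_VIA_PSO };

reference make_ref(uint64_t principal, uint64_t target, uint64_t offset, uint64_t length,
                   enum access_type type, bool remote)
{
    reference r = { principal, target, offset, length, type, remote };
    return r;
}

static const acl_entry *lookup(const acl_entry *acl, size_t n, uint64_t principal, uint64_t target)
{
    for (size_t i = 0; i < n; i++)
        if (acl[i].principal == principal && acl[i].target == target)
            return &acl[i];
    return NULL;                          /* no entry means no access: fail closed */
}

/* Reference monitor: every reference passes through here before any data moves.
 * *pso receives the sandbox to dispatch to when the verdict is MEDIATE_VIA_PSO. */
enum verdict check_reference(const acl_entry *acl, size_t n, reference r, uint64_t *pso)
{
    const acl_entry *e = lookup(acl, n, r.principal, r.target);
    if (!e) return DENY_NO_ENTRY;

    if (r.type == ACC_SYSCALL) {
        if (e->permissions & PERM_SYSCALL) return ALLOW;
        if (e->pso_pointer == 0) return DENY_PERMISSION;
        if (pso) *pso = e->pso_pointer;   /* the dispatch table in the PSO decides */
        return MEDIATE_VIA_PSO;
    }

    uint32_t need = (r.type == ACC_READ)  ? PERM_LOCAL_RD
                  : (r.type == ACC_WRITE) ? PERM_LOCAL_WR : PERM_LOCAL_EX;
    if (r.remote) need <<= 3;             /* NET_* bits sit three positions above LOCAL_* */
    if ((e->permissions & need) != need) return DENY_PERMISSION;

    /* Bounds: offset + length must stay inside the object, without 64-bit wraparound. */
    if (r.length == 0 || r.length > e->object_length || r.offset > e->object_length - r.length)
        return DENY_BOUNDS;
    return ALLOW;
}

/* Constructed ACL for the slide's example: the PDF reader may read (not write)
 * the user's data object locally, may not reach it from the network, and has no
 * SYSCALL bit, so its system calls go to sandbox object 0xA5.  Flash has no entry. */
#define UID_USER_DATA   0x1001ULL
#define UID_PDF_READER  0x2002ULL
#define UID_FLASH       0x3003ULL
#define UID_SANDBOX     0xA5ULL

const acl_entry demo_acl[] = {
    { UID_PDF_READER, UID_USER_DATA, PERM_LOCAL_RD, 4096, UID_SANDBOX },
};
const size_t demo_acl_len = sizeof demo_acl / sizeof demo_acl[0];

int main(void)
{
    uint64_t pso = 0;
    enum verdict v = check_reference(demo_acl, demo_acl_len,
                                     make_ref(UID_PDF_READER, UID_USER_DATA, 0, 512, ACC_READ, false), &pso);
    printf("local read by PDF reader: %s\n", v == ALLOW ? "allowed" : "denied");
    return 0;
}
```

Two details carry the security weight: lookup failure is a denial, never a default grant, and the bounds test is written so that a huge offset cannot wrap offset + length back inside the object.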
PROTECTION – ACL Entry
• PSO – Protected Sub-Object (Sandbox – [11])
– Virtual Machine
– Requires software interpretation
• Address of Sandbox
– Mediated access
– Part of Object creation
• The metadata of the object
– …the concept of confining a helper application to a restricted environment, within which it has free rein
REFERENCE MONITOR
• It must validate enforcement of the security policy for every reference to information.
• Second, it must be tamper-proof, that is, it cannot be subverted.
• Lastly, it must be verifiable, so we have high assurance it always works correctly.
[18] Roger Schell, "Privacy and Security: Cyber Defense Triad for Where Security Matters", NOVEMBER 2016 | VOL. 59 | NO. 11 | CACM
Summary
• Deal with Virtual Address (and physical address) ranges from 2020 and beyond
• Incorporate Contemporary Protection Mechanisms that function in:
– Web and Cloud based configurations
– The objective of a secure system is to prevent all unauthorized use of information, a negative kind of requirement.
Summary
• Compare to CHERI [12]
– Capability System
• Good summary of single address space Operating Systems: J. Chase, H. Levy, "Sharing and Protection in a Single-Address-Space Operating System" [14]
• Should Internet addressing be by a UID and NOT IP address?
– Facilitate protection and authentication (Ref: [15])
• Named Data Network Proposal
• What next??
– Proposal
• Build a prototype with FPGAs / Simulate
References
• [1] Lampson, Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971
• [2] Schroeder & Saltzer, "The protection of information in computer systems", PROCEEDINGS OF THE IEEE, VOL. 63, NO. 9, SEPTEMBER 1975
• [3] US Patent 4,525,780, "DATA PROCESSING SYSTEM HAVING A MEMORY USING OBJECT-BASED INFORMATION AND A PROTECTION SCHEME FOR DETERMINING ACCESS RIGHTS TO SUCH INFORMATION"
• [4] US Patent 4,821,184, "UNIVERSAL ADDRESSING SYSTEM FOR A DIGITAL DATA PROCESSING SYSTEM"
• [5] Fabry, "Capability-Based Addressing", Communications of the ACM, July 1974, Volume 17, Number 7
• [6] http://en.wikipedia.org/wiki/Domain_Name_System
• [7] http://en.wikipedia.org/wiki/Memcached
• [8] http://en.wikipedia.org/wiki/Heap_feng_shui
• [9] Dennis, J., "PROGRAMMING GENERALITY, PARALLELISM and COMPUTER ARCHITECTURE", MAC-M-409, MEMO NO. 32, MIT. http://csg.csail.mit.edu/CSGArchives/memos/Memo-32.pdf
• [10] http://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign
• [11] Ian Goldberg, David Wagner, Randi Thomas, and Eric Brewer (1996). "A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)". Proceedings of the Sixth USENIX UNIX Security Symposium.
References
• [12] Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.
• [13] Radin, Schneider, "An Architecture for an Extended Machine With Protected Addressing", TR 00.2757, IBM, May 21, 1976.
• [14] J. Chase, H. Levy, et al., "Sharing and protection in a single address space operating system", ACM Transactions on Computer Systems (TOCS) – Special issue on computer architecture, Volume 12 Issue 4, Nov. 1994, Pages 271-307
• [15] Zhang, Estrin, et al., "Named Data Networking (NDN) Project", NDN-0001, October 31, 2010.
• [16] F. Pollack, et al., "The iMAX-432 object filing system", Proceedings SOSP '81, Proceedings of the eighth ACM symposium on Operating systems principles, Pages 137-147
• [17] http://people.cs.clemson.edu/~mark/op.html
• [18] Roger Schell, "Privacy and Security: Cyber Defense Triad for Where Security Matters", NOVEMBER 2016 | VOL. 59 | NO. 11 | CACM
BACKUP SLIDES
• The following slides discuss
– Revocations
– Shadow Stack
– ETC
Revocation
• Every client has a "KILL SWITCH"
• The central name server is accessed and each object has a kill capability (only initiated by the owner)
• What if the unified name server is NEVER accessed again?? – Watch Dog Timer?
• Compare to a capability based system ([5] Fabry & [12] Watson, et al., CHERI)
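An added model (not code from the deck) of the revocation slide and its watchdog question, in C: the name server keeps a kill flag per object that only the recorded owner may set, and a client node caches each "alive" answer for a fixed lease. While the lease is fresh the node proceeds without a round trip; once it expires the node must ask again, and if the name server cannot be reached the watchdog fails closed. The object IDs, lease length and timestamps are constructed for the walkthrough.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model (not part of the deck) of the revocation slide: the central name
 * server holds a per-object kill flag that only the owner may set; each client
 * node caches validations for a bounded lease, so the "never accessed again"
 * case is answered by a watchdog that fails closed when the lease runs out.
 * Object IDs, lease length and timestamps are constructed. */
#define MAX_OBJECTS   4
#define MAX_CACHE     4
#define LEASE_SECONDS 300      /* watchdog: a cached "alive" verdict is good this long */

typedef struct { uint64_t object_id, owner; bool killed; } server_record;
typedef struct { server_record rec[MAX_OBJECTS]; size_t n; bool reachable; } name_server;

typedef struct { uint64_t object_id; uint64_t validated_at; bool used; } cache_entry;
typedef struct { cache_entry e[MAX_CACHE]; } client_node;

enum reason { OK_CACHED, OK_REFRESHED, DENIED_KILLED, DENIED_UNKNOWN, DENIED_WATCHDOG };

bool server_register(name_server *s, uint64_t object_id, uint64_t owner)
{
    if (s->n == MAX_OBJECTS) return false;
    s->rec[s->n].object_id = object_id;
    s->rec[s->n].owner = owner;
    s->rec[s->n].killed = false;
    s->n++;
    return true;
}

static server_record *find(name_server *s, uint64_t object_id)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->rec[i].object_id == object_id) return &s->rec[i];
    return NULL;
}

/* The KILL SWITCH: only the recorded owner can throw it, and it is never
 * cleared (the UID is not reused, so a killed name stays dead). */
bool server_kill(name_server *s, uint64_t requester, uint64_t object_id)
{
    server_record *r = find(s, object_id);
    if (!r || r->owner != requester) return false;
    r->killed = true;
    return true;
}

static cache_entry *cache_slot(client_node *c, uint64_t object_id)
{
    cache_entry *free_slot = NULL;
    for (size_t i = 0; i < MAX_CACHE; i++) {
        if (c->e[i].used && c->e[i].object_id == object_id) return &c->e[i];
        if (!c->e[i].used && !free_slot) free_slot = &c->e[i];
    }
    return free_slot;                       /* NULL when the cache is full */
}

/* Decide whether object_id may be used at time `now` (seconds). */
enum reason client_check(client_node *c, name_server *s, uint64_t object_id, uint64_t now)
{
    cache_entry *ce = cache_slot(c, object_id);
    if (ce && ce->used && now - ce->validated_at < LEASE_SECONDS)
        return OK_CACHED;                   /* lease still fresh: no round trip needed */
    if (!s->reachable) {
        if (ce) ce->used = false;           /* watchdog expired and no answer: deny */
        return DENIED_WATCHDOG;
    }
    server_record *r = find(s, object_id);
    if (!r)        { if (ce) ce->used = false; return DENIED_UNKNOWN; }
    if (r->killed) { if (ce) ce->used = false; return DENIED_KILLED; }
    if (ce) { ce->used = true; ce->object_id = object_id; ce->validated_at = now; }
    return OK_REFRESHED;
}

/* Constructed walkthrough: register, validate, run on the cached lease, owner
 * kills, the node notices at the next refresh; then the server disappears. */
bool revocation_selfcheck(void)
{
    name_server s; client_node c;
    memset(&s, 0, sizeof s); memset(&c, 0, sizeof c);
    s.reachable = true;
    const uint64_t OWNER = 0x0A, STRANGER = 0x0B, OBJ = 0x1234;
    if (!server_register(&s, OBJ, OWNER)) return false;
    if (client_check(&c, &s, OBJ, 1000) != OK_REFRESHED) return false;
    if (client_check(&c, &s, OBJ, 1100) != OK_CACHED) return false;       /* within lease */
    if (server_kill(&s, STRANGER, OBJ)) return false;                     /* not the owner: refused */
    if (client_check(&c, &s, OBJ, 1200) != OK_CACHED) return false;
    if (!server_kill(&s, OWNER, OBJ)) return false;
    if (client_check(&c, &s, OBJ, 1250) != OK_CACHED) return false;       /* revocation latency = lease */
    if (client_check(&c, &s, OBJ, 1300) != DENIED_KILLED) return false;   /* lease over, refresh sees the kill */
    if (!server_register(&s, OBJ + 1, OWNER)) return false;
    if (client_check(&c, &s, OBJ + 1, 1300) != OK_REFRESHED) return false;
    s.reachable = false;                                                  /* name server never answers again */
    if (client_check(&c, &s, OBJ + 1, 1500) != OK_CACHED) return false;
    if (client_check(&c, &s, OBJ + 1, 1700) != DENIED_WATCHDOG) return false;
    if (client_check(&c, &s, 0x9999, 1700) != DENIED_WATCHDOG) return false;
    return true;
}

int main(void) { printf("revocation model: %s\n", revocation_selfcheck() ? "ok" : "FAILED"); return 0; }
```

The lease length is the trade-off the slide's question points at: a longer lease means fewer trips to the name server but a longer window in which a killed object is still honoured locally.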
Sandbox Particulars
• Sys Calls Mediated to Defined Domain Server
– (Framework of [11])
• Dispatch Table Within Domain Server traversed to decide allow or deny the call.
– If denied – Kill
• Trusted Apps can bypass the framework
– Part of ACL entry
• If no syscalls and only reads/writes to permitted data
– Timer resolution or other means
Some Object UID Math
• 60 seconds in a minute
• 60 minutes in an hour
• 24 hours in a day
• 365 days in a year
• Yields 31,536,000 seconds in a year
• 30 years of life → 946,080,000 or 2^30
• 2^34 clients (16 billion)
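The arithmetic above, carried through in C as an added example (not from the deck): the 30-year second count, the bit budget it needs, and one way to lay a 64-bit Object UID out as 34 bits of client number and 30 bits of seconds since an epoch. The layout itself is this example's assumption, chosen to match the slide's numbers. The allocator enforces the "unique integer" rule from the Previous Efforts slide (assigned at creation, never changed, not reused): one UID per client per second, no clock rollback, and a hard stop when the 30-year budget is exhausted rather than a wrap to an old value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added worked version of the slide's UID arithmetic (this layout is the
 * example's assumption, not a proposal from the deck): a 64-bit Object UID as
 * 34 bits of client number and 30 bits of seconds since the allocator's epoch.
 * 30 bits cover 1,073,741,824 s, just over the 946,080,000 s in 30 years of
 * 365-day years, and 2^34 clients is the 16 billion on the slide. */
#define CLIENT_BITS 34
#define TIME_BITS   30
#define CLIENT_MAX  ((1ULL << CLIENT_BITS) - 1)
#define TIME_MAX    ((1ULL << TIME_BITS) - 1)

uint64_t seconds_in_years(unsigned years) { return 60ULL * 60 * 24 * 365 * years; }

/* Smallest number of bits able to count n distinct values (ceil(log2 n)). */
unsigned bits_for(uint64_t n)
{
    unsigned b = 0;
    while (b < 64 && (1ULL << b) < n) b++;
    return b;
}

/* Compose a UID; false when either field leaves its budget. */
bool uid_compose(uint64_t *uid, uint64_t client, uint64_t second)
{
    if (client > CLIENT_MAX || second > TIME_MAX) return false;
    *uid = (client << TIME_BITS) | second;
    return true;
}
uint64_t uid_client(uint64_t uid) { return uid >> TIME_BITS; }
uint64_t uid_second(uint64_t uid) { return uid & TIME_MAX; }

typedef struct { uint64_t client; uint64_t last_second; bool issued_any; } uid_allocator;

/* "Assigned at creation, never changed, not reused": one client may mint at most
 * one UID per second, and its clock may never step backwards.  A second request
 * in the same second is refused rather than handed a duplicate. */
bool uid_alloc(uid_allocator *a, uint64_t now_second, uint64_t *uid)
{
    if (a->issued_any && now_second <= a->last_second) return false;
    if (!uid_compose(uid, a->client, now_second)) return false;   /* past the 30-year budget */
    a->last_second = now_second;
    a->issued_any = true;
    return true;
}

/* Constructed walkthrough for one client; true if every rule held. */
bool uid_selfcheck(void)
{
    uid_allocator a = { 0x123456789ULL, 0, false };   /* constructed client number */
    uint64_t u1, u2, u3;
    if (!uid_alloc(&a, 1000, &u1)) return false;
    if (uid_alloc(&a, 1000, &u2)) return false;          /* same second: would duplicate */
    if (uid_alloc(&a, 999, &u2)) return false;           /* clock went backwards */
    if (!uid_alloc(&a, 1001, &u2) || u1 == u2) return false;
    if (uid_client(u2) != 0x123456789ULL || uid_second(u2) != 1001) return false;
    if (uid_alloc(&a, TIME_MAX + 1, &u3)) return false;  /* 30-year budget exhausted, no wrap */
    return true;
}

int main(void)
{
    printf("30 years = %llu s, needs %u bits; client field %u bits; total %u\n",
           (unsigned long long)seconds_in_years(30), bits_for(seconds_in_years(30)),
           CLIENT_BITS, CLIENT_BITS + TIME_BITS);
    printf("uid allocator: %s\n", uid_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```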
What if processors like this win? (A number of vendors like this model)
Courtesy of Steve Poole
http://www.wired.com/2014/08/datacenter-of-the-future/
http://www.wired.com/2013/05/google-jason-mars/
Protection in Unified Name Space
• ACL – access control matrix
• Protection Domains
• Revocation
Shadow Stack
• Independent, somewhat, of address proposal
• Solves classical virus/malware attacks
– Heap Overflow
• Change return address
– Writing over Stack
– Heap Feng Shui Attacks [8]
• Hardware protected SP, AP, FP
– Akin to domain crossing
– Return via shadow stack
Shadow Stack – Architecture (diagram)
• User Visible Stack – Cannot write/read Shadow Stack
  Return Block | Stack Pointer | FP | AP
• Shadow Stack (Hardware Maintained) – Different Domain, Same virtual address – Return via THIS STACK
  Return Block | Stack Pointer | FP | AP
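A software model of the two-stack arrangement on the Shadow Stack slides, added here as an example (not the deck's hardware design): every call pushes the return address onto a user-visible stack the program can write and onto a shadow stack it cannot reach; a return is honoured only when the two copies agree, and control goes to the shadow copy. The clobber helper stands in for the program bug the slide names (a write that overruns into the return slot) so the check has something to detect; addresses are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added software model (not the deck's hardware design) of the two-stack
 * arrangement on the slide: a user-visible stack the program can write, and a
 * shadow stack it cannot reach that holds its own copy of every return address.
 * A return is honoured only when both copies agree; any disagreement means the
 * visible frame was altered and the return is refused.  Addresses are constructed. */
#define DEPTH 16

typedef struct {
    uint64_t visible[DEPTH];   /* return addresses as the program sees them (writable) */
    uint64_t shadow[DEPTH];    /* hardware-maintained copy, not addressable by the program */
    size_t   sp;               /* both stacks move together */
} two_stacks;

enum ret_status { RET_OK, RET_EMPTY, RET_MISMATCH };

void stacks_init(two_stacks *s) { memset(s, 0, sizeof *s); }

/* CALL: the return address goes onto both stacks. */
bool do_call(two_stacks *s, uint64_t return_address)
{
    if (s->sp == DEPTH) return false;
    s->visible[s->sp] = return_address;
    s->shadow[s->sp]  = return_address;
    s->sp++;
    return true;
}

/* RETURN: compare before transferring control.  The target actually used on a
 * good return is the shadow copy, the one the program could not have modified. */
enum ret_status do_return(two_stacks *s, uint64_t *target)
{
    if (s->sp == 0) return RET_EMPTY;
    size_t top = s->sp - 1;
    if (s->visible[top] != s->shadow[top]) return RET_MISMATCH;   /* visible frame tampered */
    *target = s->shadow[top];
    s->sp = top;
    return RET_OK;
}

/* Stands in for a program bug writing through the visible stack (a buffer
 * overrun into the return slot); the shadow stack is not reachable this way. */
void clobber_visible_top(two_stacks *s, uint64_t value)
{
    if (s->sp) s->visible[s->sp - 1] = value;
}

/* Constructed walkthrough: two nested calls, one clean return, one detected corruption. */
bool shadow_selfcheck(void)
{
    two_stacks s; uint64_t target = 0;
    stacks_init(&s);
    if (!do_call(&s, 0x401000) || !do_call(&s, 0x401040)) return false;
    if (do_return(&s, &target) != RET_OK || target != 0x401040) return false;   /* honest return */
    clobber_visible_top(&s, 0xdeadbeef);                                         /* stray write lands on the return slot */
    if (do_return(&s, &target) != RET_MISMATCH) return false;                   /* refused: control never goes there */
    if (s.sp != 1 || target != 0x401040) return false;                           /* frame kept for the fault handler */
    return true;
}

int main(void) { printf("shadow stack model: %s\n", shadow_selfcheck() ? "ok" : "FAILED"); return 0; }
```

In hardware the comparison would be part of the return instruction and the shadow region would live in a different protection domain at the same virtual address, as the diagram shows; the model keeps only the property that matters for detection, that the two copies are written together and read together.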