Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.

Slides:

Advertisements

Similar presentations

Pipelining (Week 8).

Advertisements

Morgan Kaufmann Publishers The Processor

IMPACT Second Generation EPIC Architecture Wen-mei Hwu IMPACT Second Generation EPIC Architecture Wen-mei Hwu Department of Electrical and Computer Engineering.

RISC and Pipelining Prof. Sin-Min Lee Department of Computer Science.

1 Pipelining Part 2 CS Data Hazards Data hazards occur when the pipeline changes the order of read/write accesses to operands that differs from.

Control path Recall that the control path is the physical entity in a processor which: fetches instructions, fetches operands, decodes instructions, schedules.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

1 ITCS 3181 Logic and Computer Systems B. Wilkinson Slides9.ppt Modification date: March 30, 2015 Processor Design.

Pipeline Computer Organization II 1 Hazards Situations that prevent starting the next instruction in the next cycle Structural hazards – A required resource.

Zhiguo Ge, Weng-Fai Wong, and Hock-Beng Lim Proceedings of the Design, Automation, and Test in Europe Conference, 2007 (DATE’07) April /4/17.

1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,

9/20/6Lecture 3 - Instruction Set - Al1 Exception Handling (2)

Tamper Evident Microprocessors Adam Waksman Simha Sethumadhavan Computer Architecture & Security Technologies Lab (CASTL) Department of Computer Science.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.

Lecture 2-Berkeley RISC Penghui Zhang Guanming Wang Hang Zhang.

Instruction-Level Parallelism (ILP)

Chapter 8. Pipelining. Instruction Hazards Overview Whenever the stream of instructions supplied by the instruction fetch unit is interrupted, the pipeline.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

Mary Jane Irwin ( ) [Adapted from Computer Organization and Design,

Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.

1 Lecture 5: Pipeline Wrap-up, Static ILP Basics Topics: loop unrolling, VLIW (Sections 2.1 – 2.2) Assignment 1 due at the start of class on Thursday.

PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.

11/11/05ELEC CISC (Complex Instruction Set Computer) Veeraraghavan Ramamurthy ELEC 6200 Computer Architecture and Design Fall 2005.

7/2/ _23 1 Pipelining ECE-445 Computer Organization Dr. Ron Hayne Electrical and Computer Engineering.

From Essentials of Computer Architecture by Douglas E. Comer. ISBN © 2005 Pearson Education, Inc. All rights reserved. 7.2 A Central Processor.

The Processor Andreas Klappenecker CPSC321 Computer Architecture.

The Processor Data Path & Control Chapter 5 Part 1 - Introduction and Single Clock Cycle Design N. Guydosh 2/29/04.

Pipelining. Overview Pipelining is widely used in modern processors. Pipelining improves system performance in terms of throughput. Pipelined organization.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

System Calls 1.

An Introduction Chapter Chapter 1 Introduction2 Computer Systems  Programmable machines  Hardware + Software (program) HardwareProgram.

Lecture 15: Pipelining and Hazards CS 2011 Fall 2014, Dr. Rozier.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

CHAPTER 3 TOP LEVEL VIEW OF COMPUTER FUNCTION AND INTERCONNECTION

CS533 Concepts of Operating Systems Jonathan Walpole.

Kyushu University Koji Inoue ICECS'061 Supporting A Dynamic Program Signature: An Intrusion Detection Framework for Microprocessors Koji Inoue Department.

1 Appendix A Pipeline implementation Pipeline hazards, detection and forwarding Multiple-cycle operations MIPS R4000 CDA5155 Spring, 2007, Peir / University.

CSE 340 Computer Architecture Summer 2014 Basic MIPS Pipelining Review.

CS.305 Computer Architecture Enhancing Performance with Pipelining Adapted from Computer Organization and Design, Patterson & Hennessy, © 2005, and from.

Computer Architecture CPSC 350

Processor Types and Instruction Sets CS 147 Presentation by Koichiro Hongo.

1 Control Unit Operation and Microprogramming Chap 16 & 17 of CO&A Dr. Farag.

Safe RTL Annotations for Low Power Microprocessor Design Vinod Viswanath Department of Electrical and Computer Engineering University of Texas at Austin.

Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.

Processor Architecture

CSIE30300 Computer Architecture Unit 04: Basic MIPS Pipelining Hsin-Chou Chi [Adapted from material by and

Using Dynamic Compilers for Software Testing Ben Breech Lori Pollock John Cavazos.

Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.

Interrupt driven I/O Computer Organization and Assembly Language: Module 12.

A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.

Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir. A.C. Verschueren Eindhoven University of Technology Section of Digital.

Basic Computer Organization and Design

Basic Processor Structure/design

CSE 3322 Computer Architecture

Henk Corporaal TUEindhoven 2009

Computer Architecture CSCE 350

Defending against malicious hardware

Figure 8.1 Architecture of a Simple Computer System.

Computer Architecture

Seoul National University

Intro to Architecture & Organization

Bastion secure processor architecture

Control Unit Introduction Types Comparison Control Memory

Henk Corporaal TUEindhoven 2011

The Processor Lecture 3.1: Introduction & Logic Design Conventions

October 29 Review for 2nd Exam Ask Questions! 4/26/2019

Presentation transcript:

Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University of Illinois Urbana-Champaign Milo M. K. Martin Jonathan M. Smith University of Pennsylvania

Hardware is too important to trust blindly

Hardware is as complex as software

Hardware complexity equals hardware vulnerability

Hardware must be defended against malicious designers

BlueChip looks for malicious insertions at design time and prevents them from affecting the system during runtime

BlueChip is both hardware and software, design time and run time Run time Design time Identify malicious circuits - UCI Disable malicious circuits – BlueChip hardware Original design Handle missing hardware – BlueChip software Software system

Design Implementation Experiments Conclusion Questions

BlueChip helps managers increase trust, without requiring them to know more

UCI highlights potentially malicious circuits automatically

Attackers must avoid impacting functionality during testing

UCI detects all circuits where the output value is identical to the input value, for all test cases

Data-flow triples generation start at output signals recurse_tuples for each item in the parents list generate a tuple for each driver add self to temp parents list if driver behind a flip-flop increase delay in temp parents list recurse on child

Triples: (good, m, 0)

Triples: (good, m, 0) (good, out, 0)

Triples: (good, m, 0) (good, out, 0) (bad, m, 0)

Triples: (good, m, 0) (good, out, 0) (bad, m, 0) (bad, out, 0) (m, out, 0) (good, n, 0) (bad, n, 0) (n, out, 0)

UCI Analysis for each test case for each clock cycle for each dataflow triple remaining if target != driver(delay) remove triple

Triples: (good, m, 0) (good, out, 0) (bad, m, 0) (bad, out, 0) (m, out, 0) (good, n, 0) (bad, n, 0) (n, out, 0) Test cases: C1C

Test cases: C1C Triples: (good, m, 0) (good, out, 0) (bad, m, 0) (bad, out, 0) (m, out, 0) (good, n, 0) (bad, n, 0) (n, out, 0)

Test cases: C1C Triples: (good, m, 0) (good, out, 0) (bad, m, 0) (bad, out, 0) (m, out, 0) (good, n, 0) (bad, n, 0) (n, out, 0)

Test cases: C1C Triples: (good, m, 0) (good, out, 0) (bad, m, 0) (bad, out, 0) (m, out, 0) (good, n, 0) (bad, n, 0) (n, out, 0)

BlueChip is both hardware and software, design time and run time HW Test cases BlueChip Circuit designed Attack inserted Suspicious circuits identified and removed Hardware triggers emulation software OS Design TimeRun Time

BlueChip hardware alerts software when it attempts to use removed circuits

BlueChip software emulates the behavior of removed hardware 1.Receive BlueChip exception 2.Load state of processor 3.Fetch trapping instruction 4.Decode trapping instruction 5.Execute trapping instruction in emulator 6.Store updated state to hardware 7.Return from trap

BlueChip does NOT emulate the removed hardware

BlueChip DOES emulate the behavior of the hardware spec at a higher level of abstraction

Undefined state –Low visibility test cases –Architecturally undefined state Malicious test cases –ISA emulator also vettes test cases Control information –Implementation dependent BlueChip isn’t effective in certain situations

Design Implementation Experiments Conclusion Questions

Design Implementation Experiments Conclusion Questions

BlueChip successfully prevents malicious hardware

BlueChip handles UCI false positives

BlueChip has a low overhead

Design Implementation Experiments Conclusion Questions

BlueChip allows flexible handling of untrusted hardware

Design Implementation Experiments Conclusion Questions

UCI isn’t as complex as it seems

Code coverage is deficient in both time and space

It Can Happen IF ( r.d.inst ( conv_integer ( r.d.set ) ) = X" " ) THEN hackStateM1 <= '1'; ELSE hackStateM1 <= '0'; END IF; IF ( r.d.inst ( conv_integer ( r.d.set ) ) = X" " ) THEN r.w.s.s <= hackStateM1 OR rin.w.s.s; ELSE r.w.s.s <= rin.w.s.s; END IF; Hardware attacks can be trivial to implement, but hard to detect

Sometimes BlueChip software must emulate around instructions … ORr3, r4, r3 … // Load regs[r3] and regs[r4] in l3 and l4 SUBg0, 1, l5 XORl3, l5, l3 XORl4, l5, l4 NANDl3, l4, l3 // Store l3 into regs[r3] …

Sometimes BlueChip software must emulate around instructions … STHr3, [r4] … // Load regs[r3] and regs[r4] in l3 and l4 LD[l4-2], l5 ANDl3, 0xffff, l3 SRLl5, 16, l5 SLLl5, 16, l5 ORl5, l3, l3 STl3, [l4-2] … Assumes r4 is not word aligned

Sometimes BlueChip software fails to make forward progress … STHr3, [r4] … // Load regs[r3] and regs[r4] in l3 and l4 LD[l4-2], l5 ANDl3, 0xffff, l3 SRLl5, 16, l5 SLLl5, 16, l5 ORl5, l3, l3 STl3, [l4-2] … What happens when the attack triggers on 0x = 0x4000AAAA When r4 = 0x40005CCE