Pioneer (and a few digressions) CMU CyLab Your Humble Presenter: Anthony Cozzie
Why Pioneer Secure Boot, Terra – Both bootstrap trust – Need small trusted piece Goal of Pioneer: get that single small piece of trusted code and build from there – In software
Some Old History - Genuinity Establishing the Genuinity of Remote Computer Systems, Usenix Security 2003 – Rick Kennell & Leah H. Jamieson [Purdue] Same goal as Pioneer: establish the identity of a remote system Computes a checksum over its code Presumably it is “difficult” to do this fast
Pseudorandom memory traversal Compute over various blocks Select next block based on current checksum Check TLB miss rate; add to checksum
Simulation Attack Turing: all computers are equal – Universal Turing Machine Claim to be a 8088, then simulate on a 3GHz Xeon Like Pioneer, relies on speed – Theory is that side effects are difficult to simulate – Binary rewriting difficult because of the extra work – Genuinity paper claims a 5X window of safety due to simulation overhead
Digression on a word
Round II Side effects are not sufficient to authenticate software, Usenix Security 2004 Umesh Shankar, Monica Chew, J. D. Tygar, UC Berkeley Introduced the dreaded memory copy attack – Have correct program somewhere else in memory – Fix-up memory accesses – Claims that the whole problem is basically impossible
Genuinity: KO’d ? Genuinity and Genuinity-like software is vulnerable to specific attacks (which we have implemented, simulated, and made public) Genuinity cannot easily be repaired and any software- only solution to software authentication faces numerous challenges, making success unlikely Proposed applications of Genuinity for Sun Network File System authentication and AOL Instant Messenger client authentication will not work Even in best-case special purpose applications (such as networked “game boxes” like the Playstation 2 or the Xbox) the Genuinity approach fails.
Memory Copy Attack
Memory Copy Attack Details Simply insert a check in the code and return 0 – Slowdown is 35% [can do better] Intel Performance counters aren’t even 100% accurate Small aside: the original example use of Genuinity was for NFS – But it only checks the kernel & CPU version Pray you stay on Doug Tygar’s good side
Round III: Ghost of Christmas Past Pioneer! Rather than rely on processor side effects, make the code use the CPU completely and use wall clock time – Fill pipeline 100% – Very fast implementation – A single hand-optimized assembly program Key: Error margin is much smaller
Time Optimality of Pioneer Not proven to be optimal No free ALUs Strongly ordered checksum Small, simple instructions No place for MMX/SSE uops vs. instructions In other words, Pioneer is all that is slow
Pioneer vs the Memory Copy Attack MCA is extremely powerful on x86 due to segment registers, offset modes – Can simply specify that an instruction uses a different segment, or add an immediate, etc Pioneer places the jump target on or directly after a 3 byte [4 byte in MCA] instruction – They claim cleaning this up requires 1-2 cycles – Which is multiplied by the number of times the loop is executed
Some Big Assumptions Remote platform’s CPU is known Remote platform cannot communicate with anything other than the dispatcher Remote platform is not SMT/SMP/multicore Strong assumptions – you can’t just run Pioneer over the Internet – but also a pretty difficult problem
Experimental Results Several false positives Difference between threshold and detection is 0.4 milliseconds!
Discussion: Does Pioneer Work Is Pioneer really time-optimal? Can you fix Pioneer to work with SMT? Is there a situation where Pioneer would work? Is Pioneer better than Genuinity? Is this problem simply impossible in the useful case? If you crossed the international date line on your birthday, would you still get presents?