Abstract
Processor implementation errata remain a problem, and worse, a subset of these bugs are security-critical. We classified 7 years of errata from recent commercial processors to understand the magnitude and severity of this problem, and found that of 301 errata analyzed, 28 are security-critical. We propose the SECURITY-CRITICAL PROCESSOR ER- RATA CATCHING SYSTEM (SPECS) as a low-overhead solution to this problem. SPECS employs a dynamic verification strategy that is made lightweight by limiting protection to only security-critical processor state. As a proof-of- concept, we implement a hardware prototype of SPECS in an open source processor. Using this prototype, we evaluate SPECS against a set of 14 bugs inspired by the types of security-critical errata we discovered in the classification phase. The evaluation shows that SPECS is 86% effective as a defense when deployed using only ISA-level state; incurs less than 5% area and power overhead; and has no software run-time overhead.
- T. M. Austin, "DIVA: a reliable substrate for deep submicron microarchitecture design," in International Symposium on Microarchitecture, 1999. Google Scholar
Digital Library
- Beyond Semiconductor, "Beyond BA22 Embedded Processor," http://www.beyondsemi.com/25/beyond-ba22-embedded-processor.Google Scholar
- E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Conference on Cryptology: Advances in Cryptology, 2008. Google Scholar
Digital Library
- bjornstar. (2011) nacl cpuid.c uses vendor string in features check. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=2508Google Scholar
- [email protected]. (2010) Nacl should accept x86 'int3' instruction or offer a plausible alternative. NativeClient Bug Tracker. Google. {Online}. Available:https://code.google.com/p/nativeclient/issues/detail?id=645Google Scholar
- J. Chang, G. A. Reis, and D. I. August, "Automatic Instruction-Level Software-Only Recovery," in International Conference on Dependable Systems and Networks, 2006. Google Scholar
Digital Library
- K. Constantinides, O. Mutlu, and T. Austin, "Online Design Bug Detection: RTL Analysis, Flexible Mechanisms, and Evaluation," in International Symposium on Microarchitecture, 2008. Google Scholar
Digital Library
- K. Constantinides, O. Mutlu, T. Austin, and V. Bertacco, "Software-Based Online Detection of Hardware Defects: Mechanisms, Architectural Support, and Evaluation," in International Symposium on Microarchitecture, 2007. Google Scholar
Digital Library
- M. L. Corliss, E. C. Lewis, and A. Roth, "DISE: a programmable macro engine for customizing applications," in International Symposium on Computer Architecture, 2003. Google Scholar
Digital Library
- M. de Kruijf, S. Nomura, and K. Sankaralingam, "Relax: An Architectural Framework for Software Recovery of Hardware Faults," in International Symposium on Computer Architecture, 2010. Google Scholar
Digital Library
- T. de Raadt. (2007) Intel Core 2. openbsd-misc mailing list. openbsd-misc mailing list. {Online}. Available: http://marc.info/?l-openbsd-isc&m=118296441702631Google Scholar
- L. Duflot, "CPU Bugs, CPU Backdoors and Consequences on Security," in European Symposium on Research in Computer Security, 2008. Google Scholar
Digital Library
- S. Feng, S. Gupta, A. Ansari, S. A. Mahlke, and D. I. August, "Encore: Low-cost, Fine-grained Transient Fault Recovery," in International Symposium on Microarchitecture, 2011. Google Scholar
Digital Library
- H. Foster, K. Larsen, and M. Turpin, "Introduction to the new accellera open verification library," 2006.Google Scholar
- M. R. Guthaus, J. S. Ringenberg, D. Ernst, T. M. Austin, T. Mudge, and R. B. Brown, "MiBench: A free, commercially representative embedded benchmark suite," in Workshop on Workload Characterization, 2001. Google Scholar
Digital Library
- L. C. Heller and M. S. Farrell, "Millicode in an IBM zSeries processor," IBM Journal of Research and Development, vol. 48, pp. 425--434, 2004. Google Scholar
Digital Library
- M. Hicks, "Practical systems for overcoming processor imperfections," Ph.D. dissertation, University of Illinois Urbana-Champaign, 2013.Google Scholar
- M. Hicks, M. Finnicum, S. T. King, M. M. K. Martin, and J. M. Smith, "Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically," in Symposium on Security and Privacy, 2010. Google Scholar
Digital Library
- M. Hicks, C. Sturton, S. T. King, and J. M. Smith. Specs public repository. {Online}. Available: https://github.com/impedimentToProgress/specsGoogle Scholar
- Intel Corporation, "Intel Core 2 Extreme Processor X6800 and Intel Core 2 Duo Desktop Processor E6000 and E4000 Sequence -- Specification Update," 2008.Google Scholar
- Jennic Limited, "JN5148 Wireless Microcontroller Modules."Google Scholar
- Jon Stokes, "Two billion-transistor beasts: POWER7 and Niagara 3," http://arstechnica.com/business/2010/02/two-billion-transistor-beasts-power7-and-niagara-3/.Google Scholar
- S. Lemon. (2008) Researcher to Demonstrate Attack Code for Intel Chips. PCWorld. {Online}. Available: http://www.pcworld.com/article/148353/security.htmlGoogle Scholar
- Advanced Micro Devices, "Revision Guide for AMD Athlon 64 and AMD Opteron Processors," 2005.Google Scholar
- ARM, "ARMv4 Instruction Set, Issue C," 1998.Google Scholar
- MIPS Technologies, "MIPS R4000PC/SC errata, processor rev. 2.2 and 3.0," 1994.Google Scholar
- A. Meixner, M. E. Bauer, and D. Sorin, "Argus: Low-Cost, Comprehensive Error Detection in Simple Cores," in International Symposium on Microarchitecture, 2007. Google Scholar
Digital Library
- A. Meixner and D. J. Sorin, "Detouring: Translating Software to Circumvent Hard Faults in SimpleCores," in International Conference on Dependable Systems and Networks, 2008.Google Scholar
- [email protected]. (2009) Check for trailing HLT in x86 is unnecessary. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=155Google Scholar
- [email protected]. (2010) Dynamic loading syscall insists on a trailing HLT on x86-32. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=585Google Scholar
- [email protected]. (2011) Escape from x86-64 inner sandbox using BSF instruction. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=2010Google Scholar
- [email protected]. (2012) x86-64: DATA16 prefix on direct jumps allows sandbox escape on AMD CPUs. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=2578Google Scholar
- S. Narayanasamy, B. Carneal, and B. Calder, "Patching Processor Design Errors," in International Conference on Computer Design, 2006.Google Scholar
- OpenCores.org, "OpenRISC OR1200 processor," http://opencores.org/or1k/OR1200OpenRISCProcessor.Google Scholar
- G. A. Reis, J. Chang, D. I. August, R. Cohn, and S. S. Mukherjee, "Configurable Transient Fault Detection via Dynamic Binary Translation," in Workshop on Architectural Reliability, 2006.Google Scholar
- R. Rubenstein, "Open Source MCU core steps in to power third generation chip," 2014, http://www.newelectronics.co.uk/electronics-technology/open-source-mcu-core-steps-in-to-power-third-generation-chip/59110/.Google Scholar
- S. R. Sarangi, A. Tiwari, and J. Torrellas, "Phoenix: Detecting and Recovering from Permanent Processor Design Bugs with Programmable Hardware," in International Symposium on Microarchitecture, 2006. Google Scholar
Digital Library
- S. Shebs, "GDB tracepoints, redux," in GCC Developer's Summit, 2009.Google Scholar
- A. L. Shimpi. (2008) AMD's B3 Stepping Phenom Previewed, TLB Hardware Fix Tested. AnandTech. AnandTech. {Online}. Available: http://anadtech.com/show/2477/2Google Scholar
- S. Shyam, K. Constantinides, S. Phadke, V. Bertacco, and T. Austin, "Ultra Low-Cost Defect Protection for Microprocessor Pipelines," in International Conference on Architectural Support for Programming Languages and Operating Systems, 2006. Google Scholar
Digital Library
- D. J. Sorin, M. M. K. Martin, M. D. Hill, and D. A. Wood, "SafetyNet: Improving the Availability of Shared Memory Multiprocessors with Global Checkpoint/Recovery," in International Symposium on Computer Architecture, 2002. Google Scholar
Digital Library
- Sun, "OpenSPARC T2 Source Code," http://www.opensparc.net/opensparc-t2/download.html.Google Scholar
- S. G. Tucker, "Microprogram control for System/360," IBM Syst. J., vol. 6, pp. 222--241, 1967. Google Scholar
Digital Library
- I. Wagner and V. Bertacco, "Engineering Trust with Semantic Guardians," in Conference on Design, Automation and Test in Europe, 2007. Google Scholar
Digital Library
- Xen.org security team. {Xen-announce} Xen Security Advisory 7 (CVE-2012-0217) - PV. {Online}. Available: http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.htmlGoogle Scholar
Index Terms
SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs
Recommendations
SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs
ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating SystemsProcessor implementation errata remain a problem, and worse, a subset of these bugs are security-critical. We classified 7 years of errata from recent commercial processors to understand the magnitude and severity of this problem, and found that of 301 ...
Identifying Security Critical Properties for the Dynamic Verification of a Processor
ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating SystemsWe present a methodology for identifying security critical properties for use in the dynamic verification of a processor. Such verification has been shown to be an effective way to prevent exploits of vulnerabilities in the processor, given a meaningful ...
Identifying Security Critical Properties for the Dynamic Verification of a Processor
Asplos'17We present a methodology for identifying security critical properties for use in the dynamic verification of a processor. Such verification has been shown to be an effective way to prevent exploits of vulnerabilities in the processor, given a meaningful ...







Comments