skip to main content
research-article
Open Access

SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs

Published:14 March 2015Publication History
Skip Abstract Section

Abstract

Processor implementation errata remain a problem, and worse, a subset of these bugs are security-critical. We classified 7 years of errata from recent commercial processors to understand the magnitude and severity of this problem, and found that of 301 errata analyzed, 28 are security-critical. We propose the SECURITY-CRITICAL PROCESSOR ER- RATA CATCHING SYSTEM (SPECS) as a low-overhead solution to this problem. SPECS employs a dynamic verification strategy that is made lightweight by limiting protection to only security-critical processor state. As a proof-of- concept, we implement a hardware prototype of SPECS in an open source processor. Using this prototype, we evaluate SPECS against a set of 14 bugs inspired by the types of security-critical errata we discovered in the classification phase. The evaluation shows that SPECS is 86% effective as a defense when deployed using only ISA-level state; incurs less than 5% area and power overhead; and has no software run-time overhead.

References

  1. T. M. Austin, "DIVA: a reliable substrate for deep submicron microarchitecture design," in International Symposium on Microarchitecture, 1999. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Beyond Semiconductor, "Beyond BA22 Embedded Processor," http://www.beyondsemi.com/25/beyond-ba22-embedded-processor.Google ScholarGoogle Scholar
  3. E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Conference on Cryptology: Advances in Cryptology, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. bjornstar. (2011) nacl cpuid.c uses vendor string in features check. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=2508Google ScholarGoogle Scholar
  5. [email protected]. (2010) Nacl should accept x86 'int3' instruction or offer a plausible alternative. NativeClient Bug Tracker. Google. {Online}. Available:https://code.google.com/p/nativeclient/issues/detail?id=645Google ScholarGoogle Scholar
  6. J. Chang, G. A. Reis, and D. I. August, "Automatic Instruction-Level Software-Only Recovery," in International Conference on Dependable Systems and Networks, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. K. Constantinides, O. Mutlu, and T. Austin, "Online Design Bug Detection: RTL Analysis, Flexible Mechanisms, and Evaluation," in International Symposium on Microarchitecture, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. K. Constantinides, O. Mutlu, T. Austin, and V. Bertacco, "Software-Based Online Detection of Hardware Defects: Mechanisms, Architectural Support, and Evaluation," in International Symposium on Microarchitecture, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. M. L. Corliss, E. C. Lewis, and A. Roth, "DISE: a programmable macro engine for customizing applications," in International Symposium on Computer Architecture, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. M. de Kruijf, S. Nomura, and K. Sankaralingam, "Relax: An Architectural Framework for Software Recovery of Hardware Faults," in International Symposium on Computer Architecture, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. T. de Raadt. (2007) Intel Core 2. openbsd-misc mailing list. openbsd-misc mailing list. {Online}. Available: http://marc.info/?l-openbsd-isc&m=118296441702631Google ScholarGoogle Scholar
  12. L. Duflot, "CPU Bugs, CPU Backdoors and Consequences on Security," in European Symposium on Research in Computer Security, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. S. Feng, S. Gupta, A. Ansari, S. A. Mahlke, and D. I. August, "Encore: Low-cost, Fine-grained Transient Fault Recovery," in International Symposium on Microarchitecture, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. H. Foster, K. Larsen, and M. Turpin, "Introduction to the new accellera open verification library," 2006.Google ScholarGoogle Scholar
  15. M. R. Guthaus, J. S. Ringenberg, D. Ernst, T. M. Austin, T. Mudge, and R. B. Brown, "MiBench: A free, commercially representative embedded benchmark suite," in Workshop on Workload Characterization, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. L. C. Heller and M. S. Farrell, "Millicode in an IBM zSeries processor," IBM Journal of Research and Development, vol. 48, pp. 425--434, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. M. Hicks, "Practical systems for overcoming processor imperfections," Ph.D. dissertation, University of Illinois Urbana-Champaign, 2013.Google ScholarGoogle Scholar
  18. M. Hicks, M. Finnicum, S. T. King, M. M. K. Martin, and J. M. Smith, "Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically," in Symposium on Security and Privacy, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. M. Hicks, C. Sturton, S. T. King, and J. M. Smith. Specs public repository. {Online}. Available: https://github.com/impedimentToProgress/specsGoogle ScholarGoogle Scholar
  20. Intel Corporation, "Intel Core 2 Extreme Processor X6800 and Intel Core 2 Duo Desktop Processor E6000 and E4000 Sequence -- Specification Update," 2008.Google ScholarGoogle Scholar
  21. Jennic Limited, "JN5148 Wireless Microcontroller Modules."Google ScholarGoogle Scholar
  22. Jon Stokes, "Two billion-transistor beasts: POWER7 and Niagara 3," http://arstechnica.com/business/2010/02/two-billion-transistor-beasts-power7-and-niagara-3/.Google ScholarGoogle Scholar
  23. S. Lemon. (2008) Researcher to Demonstrate Attack Code for Intel Chips. PCWorld. {Online}. Available: http://www.pcworld.com/article/148353/security.htmlGoogle ScholarGoogle Scholar
  24. Advanced Micro Devices, "Revision Guide for AMD Athlon 64 and AMD Opteron Processors," 2005.Google ScholarGoogle Scholar
  25. ARM, "ARMv4 Instruction Set, Issue C," 1998.Google ScholarGoogle Scholar
  26. MIPS Technologies, "MIPS R4000PC/SC errata, processor rev. 2.2 and 3.0," 1994.Google ScholarGoogle Scholar
  27. A. Meixner, M. E. Bauer, and D. Sorin, "Argus: Low-Cost, Comprehensive Error Detection in Simple Cores," in International Symposium on Microarchitecture, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. A. Meixner and D. J. Sorin, "Detouring: Translating Software to Circumvent Hard Faults in SimpleCores," in International Conference on Dependable Systems and Networks, 2008.Google ScholarGoogle Scholar
  29. [email protected]. (2009) Check for trailing HLT in x86 is unnecessary. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=155Google ScholarGoogle Scholar
  30. [email protected]. (2010) Dynamic loading syscall insists on a trailing HLT on x86-32. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=585Google ScholarGoogle Scholar
  31. [email protected]. (2011) Escape from x86-64 inner sandbox using BSF instruction. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=2010Google ScholarGoogle Scholar
  32. [email protected]. (2012) x86-64: DATA16 prefix on direct jumps allows sandbox escape on AMD CPUs. NativeClient Bug Tracker. Google. {Online}. Available: https://code.google.com/p/nativeclient/issues/detail?id=2578Google ScholarGoogle Scholar
  33. S. Narayanasamy, B. Carneal, and B. Calder, "Patching Processor Design Errors," in International Conference on Computer Design, 2006.Google ScholarGoogle Scholar
  34. OpenCores.org, "OpenRISC OR1200 processor," http://opencores.org/or1k/OR1200OpenRISCProcessor.Google ScholarGoogle Scholar
  35. G. A. Reis, J. Chang, D. I. August, R. Cohn, and S. S. Mukherjee, "Configurable Transient Fault Detection via Dynamic Binary Translation," in Workshop on Architectural Reliability, 2006.Google ScholarGoogle Scholar
  36. R. Rubenstein, "Open Source MCU core steps in to power third generation chip," 2014, http://www.newelectronics.co.uk/electronics-technology/open-source-mcu-core-steps-in-to-power-third-generation-chip/59110/.Google ScholarGoogle Scholar
  37. S. R. Sarangi, A. Tiwari, and J. Torrellas, "Phoenix: Detecting and Recovering from Permanent Processor Design Bugs with Programmable Hardware," in International Symposium on Microarchitecture, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. S. Shebs, "GDB tracepoints, redux," in GCC Developer's Summit, 2009.Google ScholarGoogle Scholar
  39. A. L. Shimpi. (2008) AMD's B3 Stepping Phenom Previewed, TLB Hardware Fix Tested. AnandTech. AnandTech. {Online}. Available: http://anadtech.com/show/2477/2Google ScholarGoogle Scholar
  40. S. Shyam, K. Constantinides, S. Phadke, V. Bertacco, and T. Austin, "Ultra Low-Cost Defect Protection for Microprocessor Pipelines," in International Conference on Architectural Support for Programming Languages and Operating Systems, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. D. J. Sorin, M. M. K. Martin, M. D. Hill, and D. A. Wood, "SafetyNet: Improving the Availability of Shared Memory Multiprocessors with Global Checkpoint/Recovery," in International Symposium on Computer Architecture, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Sun, "OpenSPARC T2 Source Code," http://www.opensparc.net/opensparc-t2/download.html.Google ScholarGoogle Scholar
  43. S. G. Tucker, "Microprogram control for System/360," IBM Syst. J., vol. 6, pp. 222--241, 1967. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. I. Wagner and V. Bertacco, "Engineering Trust with Semantic Guardians," in Conference on Design, Automation and Test in Europe, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Xen.org security team. {Xen-announce} Xen Security Advisory 7 (CVE-2012-0217) - PV. {Online}. Available: http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.htmlGoogle ScholarGoogle Scholar

Index Terms

  1. SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          • Published in

            cover image ACM SIGPLAN Notices
            ACM SIGPLAN Notices  Volume 50, Issue 4
            ASPLOS '15
            April 2015
            676 pages
            ISSN:0362-1340
            EISSN:1558-1160
            DOI:10.1145/2775054
            • Editor:
            • Andy Gill
            Issue’s Table of Contents
            • cover image ACM Conferences
              ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems
              March 2015
              720 pages
              ISBN:9781450328357
              DOI:10.1145/2694344

            Copyright © 2015 Owner/Author

            Publisher

            Association for Computing Machinery

            New York, NY, United States

            Publication History

            • Published: 14 March 2015

            Check for updates

            Qualifiers

            • research-article

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!