Abstract

Optimized hardware for propagating and checking software-programmable metadata tags can achieve low runtime overhead. We generalize prior work on hardware tagging by considering a generic architecture that supports software-defined policies over metadata of arbitrary size and complexity; we introduce several novel microarchitectural optimizations that keep the overhead of this rich processing low. Our model thus achieves the efficiency of previous hardware-based approaches with the flexibility of the software-based ones. We demonstrate this by using it to enforce four diverse safety and security policies---spatial and temporal memory safety, taint tracking, control-flow integrity, and code and data separation---plus a composite policy that enforces all of them simultaneously. Experiments on SPEC CPU2006 benchmarks with a PUMP-enhanced RISC processor show modest impact on runtime (typically under 10%) and power ceiling (less than 10%), in return for some increase in energy usage (typically under 60%) and area for on-chip memory structures (110%).
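As an added illustration, not code from the paper or the PUMP project, here is a small Python model of the scheme the abstract describes: each instruction's tag vector is looked up in a rule cache, a software policy handles the misses, and a composite policy runs taint tracking and code/data separation side by side over tuple tags. The class and function names, the operand conventions and the trace are assumptions of this example.

```python
# Tag vector per instruction: (opcode, pc_tag, ci_tag, op1_tag, op2_tag, mem_tag)
# -> (pc'_tag, result_tag): the rule-cache inputs and outputs (hypothetical model).

class PolicyViolation(Exception):
    """Raised by a policy when the instruction must not commit."""

class PUMP:
    """Rule cache in front of a software miss handler (the policy)."""
    def __init__(self, policy):
        self.policy, self.cache, self.misses = policy, {}, 0

    def step(self, *key):
        if key not in self.cache:                 # miss: run the policy in software
            self.misses += 1
            self.cache[key] = self.policy(*key)   # violations raise and are never cached
        return self.cache[key]

def taint_policy(op, pc, ci, op1, op2, mem):
    """Taint tracking: tags are frozensets of labels, results take the union of
    their inputs, and an indirect jump through tainted data is rejected."""
    if op == "jump" and op1:
        raise PolicyViolation("tainted jump target")
    return pc, op1 | op2 | (mem if op == "load" else frozenset())

def cds_policy(op, pc, ci, op1, op2, mem):
    """Code/data separation (NXD + NWC): only 'code' words may execute and
    'code' words are never overwritten; every produced word is 'data'."""
    if ci != "code":
        raise PolicyViolation("executing a non-code word")
    if op == "store" and mem == "code":
        raise PolicyViolation("overwriting code")
    return pc, "data"

def composite(*policies):
    """Product policy: a tag is a tuple with one component per sub-policy; every
    sub-policy must accept, and their outputs are recombined component-wise."""
    def policy(op, pc, ci, op1, op2, mem):
        outs = [p(op, pc[i], ci[i], op1[i], op2[i], mem[i]) for i, p in enumerate(policies)]
        return tuple(o[0] for o in outs), tuple(o[1] for o in outs)
    return policy

CLEAN, NET = frozenset(), frozenset({"net"})   # constructed taint labels

def run_trace():
    """Constructed four-instruction trace against the composite policy."""
    pump = PUMP(composite(taint_policy, cds_policy))
    pc, code, clean_word = (CLEAN, "data"), (CLEAN, "code"), (CLEAN, "data")
    out = {}
    def attempt(name, *key):
        try:
            out[name] = pump.step(*key)[1]
        except PolicyViolation as e:
            out[name] = "violation: " + str(e)
    attempt("add", "add", pc, code, (NET, "data"), clean_word, clean_word)        # tainted result
    attempt("add_again", "add", pc, code, (NET, "data"), clean_word, clean_word)  # rule-cache hit
    attempt("jump", "jump", pc, code, (NET, "data"), clean_word, clean_word)      # taint rejects
    attempt("store", "store", pc, code, clean_word, clean_word, (CLEAN, "code"))  # NWC rejects
    out["misses"] = pump.misses
    return out
```

Running `run_trace()` shows the second `add` served from the rule cache (only three misses for four instructions) while each violation is raised by exactly one component of the composite policy.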
Published as: Architectural Support for Software-Defined Metadata Processing. ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems.