
Page 1: Authentication Control Point and Its Implications For Secure Processor Design

Weidong Shi, Motorola Labs
Hsien-Hsin S. Lee, Georgia Tech

Page 2: Problem Statement (excerpt from SOD public document)

"Studies indicate that approximately 80% of all CPI (Critical Program Information) is contained in software/firmware. A broader range of robust techniques or technologies that protect software, data, and firmware is essential and will have a broad impact on protecting CPI. Secure programmable logic devices and secure processors are needed."

Page 3: Layered Security Architecture

Layer                              | Exploits                                                          | Solution
Application                        | software patching/amputation, de-compilation, worm, virus         | application signing, access control, ...
OS                                 | rootkit, system call tampering, kernel space eavesdrop            | OS signing, virtualization
Firmware/Boot image                | BIOS spoof/hijack, boot image virus                               | TCG/TPM (trusted platform module)
Platform level                     | chip interconnect/bus snoop, eavesdrop, device spoof              | secure processor, memory encryption
Sub-platform level (side-channels) | power analysis, timing analysis, etc.                             | self-timed circuit, obfuscated power footprint
Package & circuit level            | de-packaging, micro-probing, optical reverse engineering          | secure packaging, private circuit

Page 4: Architecture Overview

[Block diagram: inside the trusted secure processor boundary sit the processor core, the L1/L2 caches, and the memory encryption/decryption and integrity verification engine; memory outside the boundary holds encrypted lines.]

References: MICRO 2003, PACT 2004/2006, ASPLOS 2002/2004, ISCA 2005/2006, HPCA 2003.

Page 5: Integrity Check vs. Superscalar Processor

• Issue of implementing integrity verification in a superscalar processor
• Decryption is faster than authentication
• Great temptation to issue decrypted instructions/data before authentication

[Figure: an encrypted memory line feeds both decryption and integrity verification; the decrypted line is available to the processor pipeline while the pipeline has to wait for integrity verification to finish.]

• Disassociation of decryption and authentication
• Memory fetch side-channel
• Disclose information through fetch address
• Confidentiality violations

Page 6: Decryption and Integrity Verification

[Figure: a memory fetch returns four cipher blocks plus a MAC. Decryption pad computation produces one decryption pad per block, and each cipher block combined with its pad yields a plaintext block. In parallel, a MAC is computed over the four cipher blocks and compared (=?) with the fetched MAC.]

Page 7: Integrity Verification and Stall

[Figure: superscalar pipeline with instruction fetch, rename file, reorder buffer, issue queues, reservation stations, functional units (FU), load queue/store queue (LQ/SQ), iL1$, dL1$, L2$, memory enc/dec, verification request FIFO, write-back buffer and front side bus control. Integrity verification can gate the pipeline at four points:]

• Authentication-then-commit
• Authentication-then-issue
• Authentication-then-write
• Authentication-then-fetch

Page 8: Write/Fetch Stall Due to Integrity Verification

[Figure: control-flow graph with loads from and stores to external memory in brackets (BEQ Addr2 shown not taken, "NO"):]

    R1 <- [R3]
    TEST R1, R5
    BEQ Addr2
    R2 <- [R1]
    R3 <- R1 + 4
    R4 <- R4 + R2
    [Addr1] <- R4
    R4 <- [Addr1]
    R1 <- [R3]

• Authentication-then-fetch: stall external memory fetch
• Authentication-then-write: stall external memory write

Page 9: Pitfall of Speculative Fetches

[Figure: a linked list of (Data, Next) nodes ending in a NULL pointer, and a Secret stored elsewhere in memory. The NULL pointer is stored as ciphertext; XOR-ing the target address into that ciphertext yields a ciphertext that decrypts to the target address:]

    Cipher text of NULL pointer:  1 1 1 0 0 1 0 1
    Target address (addr =):      0 0 0 0 1 1 0 0
    XOR                           ---------------
    Result:                       1 1 1 0 1 0 0 1

Bit Flipping Attack

Why?
• Fetches not considered as state changes.
• Fetch is launched speculatively to improve performance.
• Fetch as a result of malicious tampering.

Page 10: Pitfall of Speculative Fetches

    int *p;
    int sum = 0;
    while (p) {
        sum += *p;
        p++;
    }

[Figure: the loop as machine code: Addr1: R1 <- [R3]; TEST R1, R5; BEQ Addr2 (NO); R2 <- [R1]; R3 <- R1 + 4; R4 <- R4 + R2; JMP Addr1. With the list's terminating pointer tampered as on the previous slide, the sequence becomes: load tampered pointer (R1 <- [R3]) → load secret (R2 <- [R1]) → disclose secret, through the fetch address.]
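The mechanism behind slides 5, 6, 9 and 10, as an added example that is not part of the original deck: a pad-based line encryption whose pad depends only on address and counter (so decryption is one XOR and can be ready before the line arrives), a line MAC that needs the ciphertext itself (the slower path), and the dependent load R2 <- [R1] run under two control points. The line format, key, addresses and the HMAC-based pad/MAC are assumptions for the demonstration; the point it shows is what a probe on the external bus observes when a bit-flipped NULL pointer is dereferenced before the MAC verdict, versus when the pipeline waits for it.

```python
import hmac
import hashlib

LINE = 8                        # constructed: one 8-byte memory line holding a 64-bit pointer
KEY = b"constructed-demo-key"   # constructed; a real design keeps this inside the chip


def _nonce(addr: int, counter: int) -> bytes:
    return addr.to_bytes(8, "little") + counter.to_bytes(8, "little")


def pad(addr: int, counter: int) -> bytes:
    """Decryption pad (counter-mode style, an assumed construction): a PRF of address and
    counter only, so it can be computed while the line is still in flight and decryption
    is a single XOR once the line arrives."""
    return hmac.new(KEY, b"pad" + _nonce(addr, counter), hashlib.sha256).digest()[:LINE]


def mac(addr: int, counter: int, cipher: bytes) -> bytes:
    """Line MAC: needs the ciphertext itself, so it can only start once the line is in.
    This is the slower path the slides call authentication."""
    return hmac.new(KEY, b"mac" + _nonce(addr, counter) + cipher, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_line(addr: int, counter: int, plain: bytes):
    cipher = xor(plain, pad(addr, counter))
    return counter, cipher, mac(addr, counter, cipher)


def flip_null_pointer(cipher: bytes, target: int) -> bytes:
    """Slide 9's bit flip. Pad encryption is malleable: XOR-ing a value into the ciphertext
    of an all-zero pointer makes it decrypt to that value. The MAC still rejects the line;
    the only question is whether the pipeline waits for that verdict."""
    return xor(cipher, target.to_bytes(LINE, "little"))


def dependent_load(memory: dict, ptr_addr: int, authenticate_then_issue: bool):
    """Slide 10's `R1 <- [R3]; R2 <- [R1]` on one encrypted pointer line.
    memory maps addr -> (counter, cipher, mac).
    Returns (bus, fault): every address that went out on the external bus, which is what a
    probe on the interconnect observes, and the integrity fault raised, if any."""
    bus = [ptr_addr]
    counter, cipher, tag = memory[ptr_addr]
    pointer = int.from_bytes(xor(cipher, pad(ptr_addr, counter)), "little")   # fast: one XOR
    authentic = hmac.compare_digest(tag, mac(ptr_addr, counter, cipher))      # slow: full MAC
    if authenticate_then_issue and not authentic:
        return bus, "integrity fault: pointer line rejected before issue"
    if pointer != 0:
        bus.append(pointer)            # dependent fetch R2 <- [R1] leaves the chip
    if not authentic:
        return bus, "integrity fault: raised only after the dependent fetch was issued"
    return bus, None


def demo(tamper: bool, authenticate_then_issue: bool):
    """Constructed scenario: the list's terminating NULL pointer sits at 0x1000 and a secret
    at 0x2000. With tamper=True the pointer line's ciphertext is flipped toward 0x2000."""
    ptr_addr, secret_addr = 0x1000, 0x2000
    memory = {ptr_addr: encrypt_line(ptr_addr, 1, bytes(LINE))}   # encrypted NULL pointer
    if tamper:
        counter, cipher, tag = memory[ptr_addr]
        memory[ptr_addr] = (counter, flip_null_pointer(cipher, secret_addr), tag)
    return dependent_load(memory, ptr_addr, authenticate_then_issue)


if __name__ == "__main__":
    for tamper in (False, True):
        for ati in (False, True):
            print(f"tamper={tamper} authenticate_then_issue={ati}: {demo(tamper, ati)}")
```

With the tampered line, the issue-before-authentication path reports the fault but only after 0x2000 has already been driven on the bus; the authenticate-then-issue path raises the same fault with nothing but the original pointer address visible outside the chip. Address obfuscation, the other mitigation named on slide 11, would change what that second bus entry looks like rather than whether it appears.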

Page 11: Comparison of Different Schemes

Scheme                                | Precise Interrupt | Uncorrupted Memory State | Uncorrupted Proc State | Risk of Tampered Speculative Fetch
Authen-then-Issue                     | Yes               | Yes                      | Yes                    | No
Authen-then-Commit                    | Yes               | Yes                      | Yes                    | Yes
Authen-then-Write                     | No                | Yes                      | No                     | Yes
Authen-then-Fetch                     | No                | No                       | No                     | No
Authen-then-Commit + Fetch            | Yes               | Yes                      | Yes                    | No
Authen-then-Commit + Addr Obfuscation | Yes               | Yes                      | Yes                    | No

Page 12: Simplified Implementation

[Figure: memory line authentication request FIFO. Each entry carries (ID, encrypted line, MAC), e.g. 0xff06, 0xdeadbeef, 0x1208; lines X, Y, Z, U, V are queued with tags 4, 5, 6, 7, 8. The integrity verification logic drains the FIFO and reports "verified integrity of line (Tag = 6)", "... (Tag = 8)" back to the cache, whose read and write lines are tracked by address tag.]
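The tagged request FIFO of slide 12 combined with the authen-then-commit and authen-then-commit+fetch rows of slide 11, as an added example that is not part of the original deck. Lines entering the chip are tagged and verified in order with a fixed latency; instructions issue and execute on unverified data in both schemes, but the reorder buffer head commits only once the tags its operands came from are verified, and with "+fetch" an external access whose address derives from an unverified tag is held back. The instruction encoding, the cycle model, the MAC construction and the line contents are assumptions; queuing both lines up front is a simplification of the real flow, where the second line would only be requested by the dependent load.

```python
import hmac
import hashlib
from collections import deque

KEY = b"constructed-demo-key"   # constructed; a real design keeps the MAC key on-chip
LATENCY = 3                     # constructed: cycles per MAC check, so the stall is visible


def line_mac(line: bytes) -> bytes:
    return hmac.new(KEY, line, hashlib.sha256).digest()


class VerifyFIFO:
    """Memory line authentication request FIFO of slide 12: every line entering the chip
    gets a tag, and the verification logic works through the requests in order."""

    def __init__(self):
        self.queue = deque()
        self.status = {}          # tag -> "pending" | "verified" | "failed"
        self.next_tag = 0

    def enqueue(self, enc_line: bytes, mac: bytes) -> int:
        tag = self.next_tag
        self.next_tag += 1
        self.queue.append((tag, enc_line, mac))
        self.status[tag] = "pending"
        return tag

    def step(self, cycle: int) -> None:
        """One request completes every LATENCY cycles and its tag is reported back."""
        if self.queue and cycle % LATENCY == 0:
            tag, enc_line, mac = self.queue.popleft()
            ok = hmac.compare_digest(line_mac(enc_line), mac)
            self.status[tag] = "verified" if ok else "failed"

    def all_verified(self, tags) -> bool:
        return all(self.status[t] == "verified" for t in tags)

    def any_failed(self, tags) -> bool:
        return any(self.status[t] == "failed" for t in tags)


def simulate(program, fifo: VerifyFIFO, control_point: str, max_cycles: int = 30):
    """program: instructions in order, each {name, deps: tags its operands come from,
    ext: tags its external-access address depends on, or None for no external access}.
    control_point: "commit" (authen-then-commit) or "commit+fetch" (also gates fetches).
    Issue never waits for verification in either scheme; that is the performance win.
    Returns (bus, committed, fault): external accesses launched as (cycle, name), the
    committed instruction names, and (cycle, name) of the first integrity fault or None."""
    accessed, bus, committed = set(), [], []
    for cycle in range(1, max_cycles + 1):
        fifo.step(cycle)
        for inst in program:
            if inst["ext"] is not None and inst["name"] not in accessed:
                # authen-then-commit lets the access go out at once; +fetch holds it until
                # every tag the address depends on has verified, so a tampered pointer
                # never shows up as an address on the external bus
                if control_point == "commit" or fifo.all_verified(inst["ext"]):
                    accessed.add(inst["name"])
                    bus.append((cycle, inst["name"]))
        # commit in order from the reorder buffer head, only on verified data
        while len(committed) < len(program):
            head = program[len(committed)]
            if fifo.any_failed(head["deps"]):
                return bus, committed, (cycle, head["name"])   # precise: nothing past head committed
            if not fifo.all_verified(head["deps"]):
                break
            if head["ext"] is not None and head["name"] not in accessed:
                break
            committed.append(head["name"])
        if len(committed) == len(program):
            break
    return bus, committed, None


def demo(tamper: bool, control_point: str):
    """Slide 10's sequence: LD1 loads a pointer, LD2 dereferences it, ADD consumes the
    result. Line contents are constructed; tamper flips a bit in the pointer line's
    ciphertext so its MAC no longer matches."""
    fifo = VerifyFIFO()
    pointer_line = bytes(8)                        # encrypted NULL pointer (constructed)
    data_line = bytes.fromhex("deadbeef00001208")  # constructed
    pointer_mac = line_mac(pointer_line)
    if tamper:
        pointer_line = bytes([pointer_line[0] ^ 0x0C]) + pointer_line[1:]
    t_ptr = fifo.enqueue(pointer_line, pointer_mac)
    t_data = fifo.enqueue(data_line, line_mac(data_line))
    program = [
        {"name": "LD1", "deps": [t_ptr], "ext": []},        # R1 <- [R3]: address already trusted
        {"name": "LD2", "deps": [t_data], "ext": [t_ptr]},  # R2 <- [R1]: address from pointer line
        {"name": "ADD", "deps": [t_data], "ext": None},     # R4 <- R4 + R2
    ]
    return simulate(program, fifo, control_point)


if __name__ == "__main__":
    for tamper in (False, True):
        for cp in ("commit", "commit+fetch"):
            print(f"tamper={tamper} {cp}: {demo(tamper, cp)}")
```

Both schemes give a precise fault at the head of the reorder buffer with nothing committed, which is the "Yes" in the first three columns of slide 11; the difference is the bus trace. Under plain authen-then-commit LD2's access goes out in cycle 1, two cycles before the pointer line fails its check, whereas "+fetch" delays that access to cycle 3 in the clean run and suppresses it entirely when the tag fails.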

Page 13: Experimental Setup

Parameter          | Value
L1 I/D Cache       | DM, 16KB
L2 Cache           | 4-way, unified, 256KB/1MB
Memory Bus         | 200MHz, 8B wide
CPU Clock          | 1GHz
L1 Latency         | 1 cycle
L2 Latency         | 4 cycles (256KB), 8 cycles (1MB)
Decryption Latency | 80ns
RUU                | 64, 128 entries

• SimpleScalar 3.0
• SPEC2000 INT/FP

Page 14: Results: Normalized IPC (256K)

[Bar chart: normalized IPC (y-axis 0 to 1.2) for authen_then_issue, authen_then_commit, authen_then_write, authen_then_fetch, authen_then_commit+fetch and authen_then_commit+addr_obfuscation.]

Performance ranking: write > commit > fetch > commit+fetch > issue > commit + addr obfuscation

Page 15: Results: IPC Improvement (256K)

[Bar chart: IPC improvement (y-axis 0 to 0.6) for commit_over_issue, commit+fetch_over_issue and write_over_issue.]

• Significant advantage of write, commit over issue
• Commit + fetch 5-10% faster than issue

Page 16: Results (Hash Tree)

• Write > Fetch > Commit > Commit+Fetch > Issue

[Bar chart: normalized IPC with a hash tree (y-axis 0 to 1.2) for authen_then_issue, authen_then_commit, authen_then_write, authen_then_fetch and authen_then_commit_fetch.]

Page 17: Results: IPC Improvement (Hash Tree)

• Significant advantage of commit, commit+fetch over issue

[Bar chart: IPC improvement with a hash tree (y-axis 0 to 0.4) for commit_over_issue and commit+fetch_over_issue.]

Page 18: Conclusions

• The bottleneck is not decryption speed but authentication and integrity verification performance.
• To prevent memory fetch address side-channel exploits, authen-then-issue and authen-then-fetch+commit are recommended.
• Authen-then-issue is favored for design simplicity and security: only a 5-10% performance advantage for the design that is equally secure.
• Authen-then-commit and authen-then-write may be appealing when physical attack is less of a concern.

Page 19: Thank you

http://arch.ece.gatech.edu

Page 20: Georgia Tech MARS Labs

http://arch.ece.gatech.edu

Page 21: Much Simplified Exploits

1. Look for invariant: prologue or epilogue or predictable code sequence (e.g., NOPs)
2. Replace the victim code sequence with disclosing kernel
3. Run the tampered code
4. Recover secret from logic analyzer

[Figure: invariant prologue "SP, -16(SP); STQ Zero, 8(SP)" is replaced (after step 2) by "R1 <- [addr]" (load secret) and "R2 <- [R1]" (disclose secret). A runtime table tracks Issued / Executed / Verified for the two instructions.]

Page 22: Timing Analysis

[Figure: two timelines, one for authentication-then-issue and one for authentication-then-fetch, each made up of external memory fetch, decryption and authentication segments, with the points at which the decrypted instruction/operand is issued, a stall, and the issue of the new fetch marked. Both are annotated with "latency of new fetch address from the previous fetch" and a "Frequent Values" label.]