Documente Academic
Documente Profesional
Documente Cultură
Security Processor
Processor/DSP Core Cache/ SRAM
Crypto Engine
Shared Memory
Example
Application Code
Add-on services, complete app Encrypted with Key chosen by Financial Modeling Library
System Libs (Dynamically Linked Code) OS Kernel (mapped to user space)
vendor
Threats
Secure Processor
Processor Core
Library OS App
Library
App
Library
App
RAM
Caches
Application Code
Security Attributes
Secure memory capsules Individually protected memory sub space A memory capsule may contain shared code or shared data Each memory capsule may have its own encryption key, root integrity
signature A processs memory space may contain multiple secure memory capsules 7
Code
Private Heap Private Stack Principle B function call
function call
Private Heap
Private Stack Principle A Memory Space
Principle C
function call
Access Requirement
Memory Capsule A (Principle A) Memory Capsule C (Shared data) Memory Capsule B (Principle B)
Application
Shared Middle-ware
A A A B B B
Access Control
Load/store address
ID of Active Principle (Memory Capsule ID)
ID ID ID
Cache
A memory capsule always allows its own code to access its own data.
11
Process Execution
Memory Capsule A (Principle A) Memory Capsule C (Shared data) Memory Capsule B (Principle B)
Application
A B
call
A
return
B A
return
Stack Security
Callers Stack Callees Stack
200000
800000
13
Callee
EBP ESP
200000 push_stack_ptr push_stack_ptr ebp = esp 199984 r1 = [ebp +4] esp = [ebp] swap_stack r1 return r1 0x10 Return addr 800000
800000
push ebp swap_stack foo push 0x10 call foo pop ebp
200000
Note: Caller allowed to push values to callees stack. Caller cannot read Callees stack after stack switch.
14
Pointer Passing
(Principle A)
P = malloc(20); Foo(p,20)
(Principle B)
Security Pointer
unsigned char *p; security void* sp;
Address
Range and ID Check ID==Fetch Insts Principle ID && addr>=low addr && addr<=high addr
Instrument register file with pointer ID Cache security pointer declarations in security pointer buffer
17
Testbed
A x86 system emulation (Bochs) + cycle-based architecture simulator (TAXI)
Protection Assumption
Separate protection of OS, system libraries, and applications
Dummy Library
Dummy Library
System Library
System Library
System Library
To keep track switch between protected software module, use API hijack, redirect system libraries function calls to dummy system libraries
Dummy libraries conduct switch between protected modules Dummy libraries created based on Wine Linux header files, +1000 19 functions
Experiment Setup
Parameters L1 I/D Cache L2 Cache Memory Bus CPU Clock AES Latency Authentication tree cache size SHA256 Latency Value DM, 8KB, 1cycle 4way, unified, 512KB, 8 cycles 200MHz, 8B wide 1GHz 80ns 32KB 80ns
1cycle
8KB, 32bit counter, 8 way
Counter mode encryption with counter cache MAC (message authentication code) tree for integrity verification with
tree cache.
20
Performance
1.2 1 0.8 0.6 0.4 0.2 0 acrobat reader media player msdev winzip MSword IExplorer pov-ray Average
XOM-like(AES) MC-XOM-like(AES)
Counter+MAC tree
MC-Counter+MAC tree
5% performance loss AES block cipher 13% performance loss Memory centric, additional 1.8% performance loss
21
Performance
1.2 1 0.8 0.6 0.4 0.2 0 acrobat reader media player msdev winzip MSword IExplorer pov-ray Average
XOM-like(AES) XOM-like-app
Counter+MAC tree
MC-Counter+MAC tree+app
Only application itself is encrypted. 1.5% - 5% increase of performance due to reduced decryption
overhead and workload
22
Conclusions
Memory centric protection facilitates secure sharing of software
and data.
23
Questions
24