-
8/6/2019 Conf Micro 2006
1/26
Authentication Control Point and Its
Implications For Secure Processor Design
Weidong Shi Motorola Labs
Hsien-Hsin S. Lee Georgia Tech
-
8/6/2019 Conf Micro 2006
2/26
2
Problem Statement
Excerpt From SOD Public Document
Studies indicate that approximately 80% of all CPI (Critical
Program Information ) is contained in software/firmware. A
broader range of robust techniques or technologies that
protect
software, data, and firmware is essential and will have a
broadimpact on protecting CPI. Secure programmable logic
devices
and secure processors are needed.
In secure systems, particularly weapon systems,
criticaltechnology may be available to an enemy if access is
acquired to
the system software. In case of capture of a system intact,
this
information may be available to an adversary by reading the
system memory.
-
8/6/2019 Conf Micro 2006
3/26
3
Layered Security Architecture
Layer Exploits Solution
Application software patching/amputation,
de-compilation, worm, virus
application signing,
access control,
OS rootkit, system call tampering
kernel space eavesdrop
OS signing,
virtualization,
Firmware/
Boot image
BIOS spoof/hijack,boot imagevirus
TCG/TPM (trustedplatform module)
Platform
Level
chip interconnect/bus
snoop, eavesdrop, device spoof
secure processor,
memory encryption
Sub PlatformLevel (side-
channels)
power analysis,timing analysis,etc
self-timed circuit,obfuscated power
footprint
Package &
Circuit Level
de-packaging, micro-probing,
optical reverse engineer
secure packaging,
private circuit
chip interconnect/bus
snoop, eavesdrop, device spoof
secure processor,
memory encryption
-
8/6/2019 Conf Micro 2006
4/26
-
8/6/2019 Conf Micro 2006
5/26
5
Integrity Check vs. Superscalar Processor
Issue of implementing integrity
verification in superscalarprocessor
Decryption is faster thanauthentication
Great temptation to issuedecrypted instructions/databefore
authentication
Wait for integrity
verification
Encrypted Memory Line
Integrity
Verification
Decryption
Processor Pipeline
Disassociation of decryption andauthentication
Memory fetch side-channel
Disclose information throughfetch address
Confidentiality violations
-
8/6/2019 Conf Micro 2006
6/26
6
Decryption and Integrity Verification
Memory FetchDecryption Pad
Computation
Clear
Block
Clear
Block
Clear
Block
Clear
Block
Pad Pad Pad PadCipher
Block
Cipher
Block
Cipher
Block
Cipher
BlockMAC
Cipher
Block Cipher
Block Cipher
Block Cipher
Block
MAC= =?
-
8/6/2019 Conf Micro 2006
7/267
Integrity Verification and Stall
Integrity Veri
WriteBackBuffer
Instruction Fetch
Rename File
Reorder
Buffer
Issue Queue Reservation Station
FU
Issue Queue Reservation Station
LQ SQ
dL1$
L 2 $
MemoryEnc/Dec
iL1$
Veri Request FIFO
Front Side Bus Control
Authentication-then-commit
Authentication-then-issue
Authentication-then-write
Authentication-then-fetch
-
8/6/2019 Conf Micro 2006
8/268
Write/Fetch Stall Due to Integrity Veri
R1
-
8/6/2019 Conf Micro 2006
9/269
Dangerous of Speculative Fetches
Data
Next
Data
Next
Data
NULL
Secret
1 1 1 0 0 1 0 1
0 0 0 0 1 1 0 0addr =
0 0 0 0 1 1 0 0
Cipher text of NULL Pointer
Target Address XOR
1 1 1 0 1 0 0 1
1 0 1 1 0 1 0 1 0 1 0 1 0 0 1 1
ciphertext plaintext
Bit Flipping Attack
Fetches not considered as
state changes.
Fetch is launched
speculatively to improve
performance.
Why?
Fetch as a result of malicious
tampering.
1 0
-
8/6/2019 Conf Micro 2006
10/2610
Dangerous of Speculative FetchesInt* p;
Sum = 0;while (p)
{
Sum += *p;
p++;
}
R1
-
8/6/2019 Conf Micro 2006
11/2611
Compare of Different Schemes
Authenticate-then-Issue
Precise
Interrupt
Uncorrupted
Memory State
Uncorrupted
Arch State
Disclose Secret Through
Memory Fetch Address
Yes Yes Yes No
Authenticate-then-Commit Yes Yes Yes Yes
Authenticate-then-Write No Yes No Yes
Authenticate-then-Fetch No No No No
Authenticate-then-Commit
+ FetchYes Yes Yes No
Authenticate-then-Commit
+ Addr ObfuscationYes Yes Yes No
-
8/6/2019 Conf Micro 2006
12/26
-
8/6/2019 Conf Micro 2006
13/2613
Experiment Setup
Parameters Value
L1 I/D Cache DM, 16KB
L2 Cache 4way, unified, 256KB/1M
Memory Bus 200MHz, 8B wide
CPU Clock 1GHz
L1 Latency 1 cycle
L2 Latency 4 cycles (256KB), 8 cycles (1MB)
Decryption Latency 80ns
RUU 64, 128 entries
Simplescalar 3.0
SPEC2000 INT/FP
-
8/6/2019 Conf Micro 2006
14/2614
ResultsNormalized IPC (256K)
0
0.2
0.4
0.6
0.8
1
1.2
ammp
applu
apsi ar
t
bzip2
gap
gcc
gzip m
cf
mesa
mgrid
parse
rpe
rl
swim
twolf
vo
rtex vp
r
wupw
ise
ave
rage
authen_then_issue authen_then_commit
authen_then_write authen_then_fetch
authen_then_commit+fetch authen_then_commit+addr_obfuscation
Performance Ranking
write > commit > fetch > commit+fetch > issue >
commit + addr obfuscation
-
8/6/2019 Conf Micro 2006
15/2615
Results
Normalized IPC (1M)
0
0.2
0.4
0.6
0.8
1
1.2
a
mmp
applu
apsi
art
bzip2
gap
gcc
gzip m
cf
mes
a
m
grid
parse
rpe
rl
swim
twolf
vo
rtex vp
r
wupw
ise
average
authen_then_issue authen_then_commit
authen_then_write authen_then_fetch
authen_then_commit+fetch authen_then_commit+addr_obfuscation
Performance Ranking
write > commit > fetch > commit+fetch > issue >
commit + addr obfuscation
-
8/6/2019 Conf Micro 2006
16/2616
Results
IPC Improvement (256K)
0
0.1
0.2
0.3
0.4
0.5
0.6
ammp
applu
apsi
art
bzip2
gap
gcc
gzip m
cf
mesa
mgrid
parser pe
rl
swim
twolf
vortex vp
r
wupwise
averag
e
commit_over_issue commit+fetch_over_issue
write_over_issue
Significant Advantage of Write, Commit Over Issue
Commit + Fetch 5-10% Faster Than Issue
-
8/6/2019 Conf Micro 2006
17/2617
Results
IPC Improvement (1M)
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
ammp
applu
apsi
art
bzip2
gap
gcc
gzip m
cf
mes
a
mgrid
parser pe
rl
swim
twolf
vortex vp
r
wupwise
averag
e
commit_over_issue commit+fetch_over_issue
write_over_issue
Significant Advantage of Write, Commit Over Issue
Commit + Fetch Marginal Averaged Improvement, mgrid, vpr,
5-10%
-
8/6/2019 Conf Micro 2006
18/2618
Results
Hash Tree
0
0.2
0.4
0.6
0.8
1
1.2
ammp
applu
apsi
art
bzip2
gap
gcc
gzip m
cf
mes
a
mgrid
p
arser
perl
swim
twolf
vorte
xvp
r
wupw
ise
averag
e
authen_then_issue authen_then_commit
authen_then_write authen_then_fetch
authen_then_commit_fetch
Write > Fetch > Commit > Commit+Fetch > Issue
-
8/6/2019 Conf Micro 2006
19/2619
Results
IPC Improvement (Hash Tree)
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
am
mp
ap
plu
apsi
art
bzip2
gap
gcc
gzip
mcf
mesa
mg
rid
parse
r
p
erl
sw
im
tw
olf
vortex vp
r
wupw
ise
avera
ge
commit_over_issue commit+fetch_over_issue
Significant Advantage of Commit, Commit+Fetch Over Issue
-
8/6/2019 Conf Micro 2006
20/2620
Results
Normalized IPC (64 RUU)
0
0.2
0.4
0.6
0.8
1
1.2
ammp
applu
apsi
art
bzip2
gap
gcc
gzip m
cf
mes
a
mgrid
parse
rpe
rl
swim
twolf
vo
rtex vp
r
wupw
ise
ave
rage
authen_then_issue authen_then_commit
authen_then_write authen_then_commit_fetch
Performance Ranking
write > commit > fetch > commit+fetch > issue >
commit + addr obfuscation
-
8/6/2019 Conf Micro 2006
21/26
21
Results
IPC Improvement (64 RUU)
0
0.1
0.2
0.3
0.4
0.5
0.6
ammp
applu
aps
i
art
bzip2
gap
gcc
gzip
mc
f
mesa
mgrid
parse
rpe
rl
swim twolf
vortex vp
r
wupwis
e
average
commit_over_issue commit+fetch_over_issue
-
8/6/2019 Conf Micro 2006
22/26
-
8/6/2019 Conf Micro 2006
23/26
23
Questions
-
8/6/2019 Conf Micro 2006
24/26
Georgia Tech MARS Labs
http://arch.ece.gatech.edu
-
8/6/2019 Conf Micro 2006
25/26
25
Much Simplified Exploits
Look for Invariant
Prologue or Epilogue orPredicable Code Sequence
(e.g., NOPs)
Replace the Victim CodeSequence with Disclosing
Kernel
Run the TamperedCode
Recover Secret from
Logical Analyzer
SP, -16(SP)STQ Zero, 8(SP)
Invariant Prologue
R1
-
8/6/2019 Conf Micro 2006
26/26
Timing Analysis
Frequent Values
Time Line
Frequent Values
Issue decryptedinst/operand
Issue decrypted
inst/operand
Issue new fetch
externalmemory fetch
externalmemory fetch
Frequent Values Frequent Values Frequent Values Frequent Values
Frequent Values
Frequent Values Frequent Values Frequent Values Frequent Values
Frequent Values
Latency of new fetch address from the previous fetch
decryption
decryption
authentication
authentication
authentication
authentication
externalmemory fetch
externalmemory fetch
decryption
decryption
Issue new fetch
Latency of new fetch address from the previous fetch
Stall Issue decryptedinst/operand
Issue decrypted
inst/operand
Authentication-then-issue
Authentication-then-fetch
