HARDWARE SUPPORT FOR ENFORCING INFORMATION FLOW CONTROL ON MANYCORE SYSTEMS

Sarah Bird
David McGrogan

PARALLEL COMPUTING & THE FUTURE

- Parallel designs are emerging
  - Scaling increases transistor counts
  - Cannot extract any more ILP from programs
- Security is important
  - Mobile devices
  - Everything connected to the internet
  - Open source code
  - More personal data on the net

SECURITY

- Current systems have only a couple of rings of protection
- Adding features to an application compromises the entire application
  - Plug-ins in browsers
  - Device drivers in operating systems

PROJECT GOALS

- Provide many levels of protection
- Reduce trusted code
  - More easily verified
- Low overhead in area
  - Can't afford to just tag everything
- Low overhead in performance
  - Clients measure success in performance (security is still hard to quantify)
- Flexible system

RELATED WORK

- Fine-Grained Protection
  - Mondrian Memory Protection (MIT)
  - Legba (New South Wales)
- Information Flow Control
  - HiStar (Stanford)
  - Asbestos (UCLA, MIT, Stanford)
  - Raksha (Stanford)
  - Loki (Stanford)
  - Dstar (Stanford)

INFORMATION FLOW CONTROL

- Provide labels on processes, data, devices, etc.
- Restrict the flow of information from more secure labels to less secure labels
- Can be done in hardware, software or both

HISTAR

- Operating system
- Uses Asbestos labels
- Enforces information flow control in software

MONDRIAN MEMORY PROTECTION

- Compressed protection tables in memory
- Protection check in parallel with the standard pipeline
- Protection Lookaside Buffer caches protection results
- Sidecars store protection for addresses

PROJECT GOALS

- Provide many levels of protection
  - HiStar labels
- Reduce trusted code
  - Enforce protection in hardware
- Low overhead in area
  - Compressed protection tables in memory
- Low overhead in performance
  - Cache protection checks
- Flexible system
  - Put policies in software

OUR DESIGN

[Block diagram. Labels: Protection Table, Memory, Network Interface, Cache System, Tags Per Cache Line, Pipeline, Protection Check, Protection Check Cache]

RELABELING

- Two possible solutions
  - Local relabeling
    - Takes advantage of locality
  - Global relabeling
    - Doesn't need to be translated for different CPUs
    - Reduces network traffic
- Final solution: global relabeling with 16-bit tags
  - 16 extra bits for read requests and responses across the network
  - 16 extra bits per cache line in the cache system

PIPELINE

[Pipeline diagram. Labels: Thread ID, Data Tag, Protection Check, Commit, Thread 1 PC, Thread 1 Tag, Thread 2 PC, Thread 2 Tag]

MEMORY PROTECTION TABLE

- Flat table
  - More compressed
  - Insert must slide down everything
  - Completely flexible representation
  - Binary search to look up
- Multilevel table
  - Simple lookup algorithm
  - Less flexible
  - Easy insert

METHODOLOGY

- Simulate the design using Simics with a simple memory hierarchy
- Insert delays in the memory hierarchy to represent the delays for protection lookup
- Run simple benchmarks to measure the worst-case overhead

OVERHEADS

- 16 bits/read request = 33.3% overhead
- 16 bits/read response = 1.56% overhead
- Memory Protection Table lookup (3 extra memory accesses)/memory read = 300% overhead
- Protection cache miss (1 memory access)
- Protection check miss = runs the software handler (2000 cycles)
- Memory overhead = ~6%

FUTURE/IN PROGRESS WORK

- Compare overheads with the original HiStar system on a single core
- Develop a more realistic model of the protection system in Simics
- Analyze more realistic workloads for category usage

USES OF A TAGGED SYSTEM

- Debugging
  - Detecting wild writes
  - Array bounds overflows
- Profiling
- Security
  - Isolate processes
  - Protect data
  - Restrict the flow of information

CONCLUSIONS

- Security is becoming increasingly important
  - Essential to reduce trusted code and isolate processes from each other
- Parallel is happening
  - Low-overhead security systems are necessary
- Information flow control is a viable option
  - Hardware support is necessary for performance
  - Complex power may have negative power effects

REFERENCES

- Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making Information Flow Explicit in HiStar. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation, Seattle, WA, November 2006.
- Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières. Securing Distributed Systems with Information Flow Control. In Proceedings of the 5th Symposium on Networked Systems Design and Implementation, San Francisco, CA, April 2008.
- Hari Kannan, Nickolai Zeldovich, Michael Dalton, and Christos Kozyrakis. Architectural Support for Minimizing Trusted Code.
- Emmett Witchel, Junghwan Rhee, and Krste Asanović. Mondrix: Memory Isolation for Linux using Mondriaan Memory Protection. 20th ACM Symposium on Operating Systems Principles (SOSP-20), Brighton, UK, October 2005.
- Emmett Witchel, Josh Cates, and Krste Asanović. Mondrian Memory Protection. Tenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-X), San Jose, CA, October 2002.
- Maxwell Krohn, Petros Efstathopoulos, Cliff Frey, Frans Kaashoek, Eddie Kohler, David Mazières, Robert Morris, Michelle Osborne, Steve VanDeBogart, and David Ziegler. Make Least Privilege a Right (Not a Privilege). Proceedings of the 10th Workshop on Hot Topics in Operating Systems, Santa Fe, NM, June 2005.
- Petros Efstathopoulos, Maxwell Krohn, Steve VanDeBogart, Cliff Frey, David Ziegler, Eddie Kohler, David Mazières, Frans Kaashoek, and Robert Morris. Labels and Event Processes in the Asbestos Operating System. Proceedings of the 20th Symposium on Operating Systems Principles, Brighton, United Kingdom, October 2005.
- Michael Dalton, Hari Kannan, and Christos Kozyrakis. Raksha: A Flexible Information Flow Architecture for Software Security. Proceedings of the 34th Intl. Symposium on Computer Architecture (ISCA), San Diego, CA, June 2007.
- Adam Wiggins, Simon Winwood, Harvey Tuch, and Gernot Heiser. Legba: Fast Hardware Support for Fine-Grained
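
The flat-table trade-off listed on the MEMORY PROTECTION TABLE slide (binary search to look up, insert slides everything down), as an added example that is not code from the presentation. The entry layout, the capacity, the use of tag 0 for unlabeled memory and the names `pt_lookup` and `pt_insert` are assumptions made for illustration; only the 16-bit tag width comes from the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64   /* capacity chosen for this example */

/* Entry: addresses from base up to the next entry's base carry this tag. */
struct seg { uint64_t base; uint16_t tag; };
struct flat_table { struct seg e[MAX_SEGS]; size_t n; };

/* Binary search for the last entry with base <= addr. Returns 0 (assumed
 * to mean "unlabeled") when addr lies below the first entry. */
uint16_t pt_lookup(const struct flat_table *t, uint64_t addr)
{
    size_t lo = 0, hi = t->n;              /* search window is [lo, hi) */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (t->e[mid].base <= addr) lo = mid + 1;
        else hi = mid;
    }
    return lo ? t->e[lo - 1].tag : 0;
}

/* Insert a segment start, keeping the array sorted by base. Returns how
 * many entries had to slide down, or -1 if the table is full. */
int pt_insert(struct flat_table *t, uint64_t base, uint16_t tag)
{
    size_t pos = 0;
    while (pos < t->n && t->e[pos].base < base) pos++;
    if (pos < t->n && t->e[pos].base == base) {
        t->e[pos].tag = tag;               /* relabel in place, no slide */
        return 0;
    }
    if (t->n == MAX_SEGS) return -1;
    memmove(&t->e[pos + 1], &t->e[pos], (t->n - pos) * sizeof t->e[0]);
    t->e[pos] = (struct seg){ base, tag };
    t->n++;
    return (int)(t->n - 1 - pos);
}

int main(void)
{
    struct flat_table t = { .n = 0 };      /* constructed sample layout */
    pt_insert(&t, 0x1000, 7);
    pt_insert(&t, 0x3000, 9);
    printf("slid=%d\n", pt_insert(&t, 0x0800, 3));
    printf("tag@0x1fff=%u\n", (unsigned)pt_lookup(&t, 0x1fff));
    return 0;
}
```

An insert near the front of the table moves every later entry, which is the cost the slide contrasts with the multilevel table's easy insert.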