Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Back End Front End

advertisement 
Tamper Evident Microprocessors
Adam Waksman
Simha Sethumadhavan
Computer Architecture & Security Technologies Lab (CASTL)
Department of Computer Science
Columbia University
1
Modern Hardware is Complex
• Modern systems built on layers of hardware
Applications
OS
Hypervisor
Motherboard/
Slave Chips
CPU
• Complexity increases risk of backdoors
• More hands
• Easier to hide
• A significant vulnerability
• Hardware is the root of trust
• All hardware and software controlled by microprocessors
Prior Work and Scope
• Microprocessor design stages
Front End
Specification
Back End
High Level
Design
Design
Validation
Physical
Design
Tapeout/
Fabrication
• Prior work focuses on back end
• More immediate threat
• Example: IC fingerprinting [Agrawal et al., 2007]
• Front end is the extreme root
• Common assumption: golden model from front end
• Focus of this work
Deployment
Key Idea: Use Inherent Division of Work
• Bob
Thank you, Bob, for your $90
• Nice Guy
• Donates $100
• Eric
• Evil Accountant
• Steals $10
• Alice
• Charity President
• Receives $90
Microprocessor Pipeline Stages Analogue
Fetch
(Bob)
Decode
(Eric)
Execute
(Alice)
Outline
• Taxonomy
• Ticking Timebombs, Cheat Codes, Emitters, Corrupters
• Solutions
• TrustNet and DataWatch
• Results
• Correctness, Coverage and Costs
• Future Work
Taxonomy of Attacks
• Backdoor = Trigger + Payload
• Trigger: Turns on an attack
• Payload: Malicious, illegal action
Triggers
Data
Time
Payloads
Emitter
Corrupter
Taxonomy of Attacks: Triggers
Triggers
Data
Time
Taxonomy of Attacks: Payloads
Payloads
Emitter
• Emitter Attacks
• Extra malicious events
• Separate from normal events
Corrupter
• Corrupter Attacks
• No extra malicious events
• Normal instructions altered
Taxonomy of Attacks: Summary
Emitter
Timebomb
Corrupter
Timebomb
Emitter
Cheatcode
Corrupter
Cheatcode
Assumptions
• Large design team
• Each designer works on one unit or part of one
• Security add-ons cannot be done by one member
• Full knowledge
• Attacker has complete access to all design specifications
• Attacker also knows about additional security mechanism
• Equal distrust
• Any one designer/unit may be evil
• Security add-ons may contain backdoors
Outline
• Taxonomy
• Ticking Timebombs, Cheat Codes, Emitters, Corrupters
• Solutions
• TrustNet and DataWatch
• Results
• Correctness, Coverage and Costs
• Future Work
Sample Emitter Backdoor
• Consider a malicious instruction decoder
• Decoder emits instructions not in the original program
• Execution unit faithfully executes them
Spurious Output
Fetch
Decode
Execute
TrustNet
Predictor
Fetch
Execute
Reactor
add $r1, $r2, $r3
Decode
Target
• Predictor and Reactor monitor the Target
• Division of work prevents one bad guy from breaking two units
• Scaling to larger number increases design complexity
Corrupter Backdoors
• Bob
• Still nice
• Donates $100
• Eric
• Evil (and smarter)
• Converts to Canadian $
• Alice
• Still president
• Fooled by Eric’s C$100
Thank you, Bob, for your C$100
DataWatch
STOP
Predictor
Fetch
Execute
Reactor
add $r1, $r2, $r3
Decode
Target
SUB $r1, $r2, $r3
• Scaled up version of TrustNet
• Multiple bit messages
• Confirms types of messages (instead of just yes/no)
Outline
• Taxonomy
• Ticking Timebombs, Cheat Codes, Emitters, Corrupters
• Solutions
• TrustNet and DataWatch
• Results
• Correctness, Coverage and Costs
• Future Work
Experimental Context, Correctness, Costs
• Context
• Simplified OpenSPARC T2
• Correctness
• Designed attacks
• No false positives or negatives
• Costs
• Low area overhead (2 KB per core)
• No performance impact
• How to measure coverage?
Coverage: Vulnerability Space
Units with a core
Units with a core
Paper has plots for other units at a chip level
18
Coverage Visualization
WARNING:
This is an approximate
vizualization
1919
Summary and Future Work
• Strengthen root of trust: microprocessors
• Hardware-only solution. No perf impact, low area overhead
• Security add-on highly resilient to corruption
• Provided attack taxonomy, method to characterize attack space
• Applicability of TrustNet & DataWatch
• Covered: pipelines, caches and content associative memory
• Not covered: ALU, microcode, power mgmt., side-channels
• Moving Forward
• Expand coverage
• Out-of-order processors
• Motherboard components
✔
• Design automation tools
• Reaction to errors
• Applying techniques for reliable execution
• First steps toward a secure trusted hardware w/ untrusted units
Thank You! and Questions?
Related documents
Taxonomies in the Public Sector
Taxonomies in the Public Sector
LeAD 2014 Presentation
LeAD 2014 Presentation
SLO 1 What are LO? Why LO?
SLO 1 What are LO? Why LO?
Bloom - Learning in the News
Bloom - Learning in the News
Tamper Evident Microprocessors - About CASTL
Tamper Evident Microprocessors - About CASTL
Password Breaches - OWASP Appsec USA 2013
Password Breaches - OWASP Appsec USA 2013
Chapter 10 Bipolar Junction Transistor Fundamentals
Chapter 10 Bipolar Junction Transistor Fundamentals
Datawatch Announces Analytics for EMC's Documentum Content
Datawatch Announces Analytics for EMC's Documentum Content
CASRAI Introduction - David Baker
CASRAI Introduction - David Baker
Managing Threats in a Changing World
Managing Threats in a Changing World
Evaluating Taxonomies
Evaluating Taxonomies
grp-5-1
grp-5-1
Download
advertisement