Post on 25-Aug-2020
PHMon: A Programmable Hardware Monitorand Its Security Use Cases
Leila Delshadtehrani, Sadullah Canakci, Boyou Zhou,Schuyler Eldridge, Ajay Joshi, and Manuel Egele
delshad@bu.edu
Boston University
August 12, 2020
IntroductionPHMon
Conclusion
MotivationOverview
Motivation
Current Trend
Growing demand to enforcesecurity policies in hardware
Intel SGX
Intel TXT
Intel MPXARM
TrustZone
AMD SVM
Intel CET
ARM PA
...
1994
SafeC
2008
Hardbound2009
Softbound
2013
MPXAnnounced
2015
MPXAvailable
2018-2019
MPXDisabled
[AUSTIN, PLDI’94] [DEVIETTI, ASPLOS’08] [NAGARAKATTE, PLDI’09]
What ifwe could have a flexible hardwareimplementation that could enhanceand enforce a variety of securitypolicies as security threats evolve?!
Boston University August 12, 2020 2/10
IntroductionPHMon
Conclusion
MotivationOverview
Motivation
Current Trend
Growing demand to enforcesecurity policies in hardware
Intel SGX
Intel TXT
Intel MPXARM
TrustZone
AMD SVM
Intel CET
ARM PA
...
1994
SafeC
2008
Hardbound2009
Softbound
2013
MPXAnnounced
2015
MPXAvailable
2018-2019
MPXDisabled
[AUSTIN, PLDI’94] [DEVIETTI, ASPLOS’08] [NAGARAKATTE, PLDI’09]
What ifwe could have a flexible hardwareimplementation that could enhanceand enforce a variety of securitypolicies as security threats evolve?!
Boston University August 12, 2020 2/10
IntroductionPHMon
Conclusion
MotivationOverview
Motivation
Current Trend
Growing demand to enforcesecurity policies in hardware
Intel SGX
Intel TXT
Intel MPXARM
TrustZone
AMD SVM
Intel CET
ARM PA
...
1994
SafeC
2008
Hardbound2009
Softbound
2013
MPXAnnounced
2015
MPXAvailable
2018-2019
MPXDisabled
[AUSTIN, PLDI’94] [DEVIETTI, ASPLOS’08] [NAGARAKATTE, PLDI’09]
What ifwe could have a flexible hardwareimplementation that could enhanceand enforce a variety of securitypolicies as security threats evolve?!
Boston University August 12, 2020 2/10
IntroductionPHMon
Conclusion
MotivationOverview
Our Proposal - PHMon
PHMon
A hardware monitor and the full
software stack around it
A programmable hardware monitorinterfaced with a RISC-V Rocketprocessor on an FPGAOS supportSoftware APISecurity use cases
How Does It Work?
A user/admin configures the hardwaremonitor
The hardware monitor collects the
runtime execution informationChecks for the specified events, e.g., detectsbranch instructionsPerforms follow-up actions, e.g., an ALUoperation
Hardware
APIApplication
Full SW Stack
OS
N
User/AdminEvent/Action SpecificationUsing PHMon API
ProgramPHMon
PHMonMonitor theexecution
Is processTerminated?
Is PHMonDisabled?
PHMonStop
Monitoring
Take Actions
Monitor Events
Y YN
Boston University August 12, 2020 3/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Hardware Overview
HW Functionality
Collect the instructiontrace
Find matches withprogrammed events
Take follow-up actions
RISC-V RocketMicroprocessor
PipelinedProcessor Core
L1Data Cache
PC_GEN
/Fetch
Dec
Exe
Mem
WB
TU
PHMon
PHMon
ALULocal
RegisterFile
Control Unit (CU)
Matc
h Qu
eue
MU_d
ata
MU_a
ddr
MU_i
d...
Match Packet
conf_ptr
Config Unit-0 (CFU-0)
...Type2b
In13b
In23b
Fn4b
Out3b
Data64b
Action Config Table
conf_ctr
Action Unit (AU)
Commit Log- inst- pc_src- pc_dst- addr- data
Cmd/Resp
InterruptMemory
Match Unit-0 (MU-0)
Predicate:- inst = *8067- pc_src = *- pc_dst = *- addr = *- data = *
Counter Threshold
=?
Comparator
Commit Log
Memory Request
Command
Response
Interrupt
Memory Response
RoCC Interface
Boston University August 12, 2020 4/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Software Overview
Software Interface
A list of functions that use RISC-V’s
standard ISA extension
Configure PHMonCommunicate with PHMon
Reset MU-0 and configure the match pattern
phmon_reset_val(0);phmon_pattern(0, &mask_inst0)
Compare pc_dst and pc_src, and trigger an interrupt
action_mu0.op_type = e_OP_ALU; //ALU operationaction_mu0.in1 = e_IN_DATA_RESP; //MU_respaction_mu0.in2 = e_IN_LOC3; //Local3action_mu0.fn = e_ALU_SEQ; //Set Equalaction_mu0.out = e_OUT_INTR; //Interrupt regphmon_action_config(0, &action_mu0);
OS Support
Per process OS support
Maintain PHMoninformation duringcontext switches
Interrupt handling OS
support
Delegate interrupt toOSTerminate theviolating process
Boston University August 12, 2020 5/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Implementation and Evaluation Framework
Implementation
PHMon as a RoCC, written in Chisel HDL
Interfaced with the in-order RISC-V Rocket core
Linux kernel v4.15
RISC-V gnu toolchain for cross-compilation
Evaluation
Prototyped on Xilinx Zynq Zedboard
Rocket core + PHMon
Open-sourced at https://github.com/bu-icsg/PHMon
Boston University August 12, 2020 6/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Use Cases
Shadow Stack
Preventing InformationLeakage
Shadow Stack
Hardware AcceleratedFuzzing
Watchpoints andAccelerated Debugger
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,https://hackernoon.com/professional-debugging-in-rails-1yr2bnz
Shadow StackHardware Accelerated
Fuzzing
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,
Boston University August 12, 2020 7/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Use Cases
Shadow Stack
Preventing InformationLeakage
Shadow Stack
Hardware AcceleratedFuzzing
Watchpoints andAccelerated Debugger
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,https://hackernoon.com/professional-debugging-in-rails-1yr2bnz
Shadow StackHardware Accelerated
Fuzzing
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html,https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,
Boston University August 12, 2020 7/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Use Cases: Shadow Stack
PHMon-based Shadow Stack
Simple and flexible
Two MUs
Shared memory space
Allocated by OS as auser-space memory
Secure
Efficient
For SPECint2000,SPECint2006, and MiBenchbenchmarks, on average,0.9% performance overhead
Return Address
ArgumentRegistersSaved
RegistersLocal
Variables
...
Main Stack
Return Address
...
Shadow Stack
Return Address
Return Address
bzip2
libquantumgobmk
hmmerastar
h264ref
xalancbmk gccGeoMean
0.00.51.01.52.02.53.03.5
Perfo
rman
ce O
verh
ead
(%)
0.30.5
1.1 1.1 1.2
2.6 2.7
3.4
1.2
SPECint2006
Boston University August 12, 2020 8/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Use Cases: Hardware Accelerated Fuzzing
American Fuzzy Lop (AFL)[Zalewski, 2013]
A state-of-the-art fuzzer
Two main units
The fuzzing logic
The instrumentation suiteCompiler-basedQEMU-based
https://rabbitbreeders.us/american-fuzzy-lop-rabbits/
Parent Process (AFL)
Program ExecutionOn RISC-V Processor
Fork+Execv(1)
Processterminates
(4)
Monitoring (2)/Updating the
branch coverage (3)
Reading thebranch coverage (5)
Shared Memory Region
Memory
QEMU Child Process
(The Fuzzed Program)
QEMU-based AFL
Shared Memory Region
Memory
PHMon-based AFL
Boston University August 12, 2020 9/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Use Cases: Hardware Accelerated Fuzzing
American Fuzzy Lop (AFL)[Zalewski, 2013]
A state-of-the-art fuzzer
Two main units
The fuzzing logic
The instrumentation suiteCompiler-basedQEMU-based
https://rabbitbreeders.us/american-fuzzy-lop-rabbits/
Parent Process (AFL)
Program ExecutionOn RISC-V Processor
Fork+Execv(1)
Processterminates
(4)
Monitoring (2)/Updating the
branch coverage (3)
Reading thebranch coverage (5)
Shared Memory Region
Memory
QEMU Child Process
(The Fuzzed Program)
QEMU-based AFL
Shared Memory Region
Memory
PHMon-based AFL
Boston University August 12, 2020 9/10
IntroductionPHMon
Conclusion
HardwareSoftwareImplementationUse Cases
Use Cases: Hardware Accelerated Fuzzing
American Fuzzy Lop (AFL)[Zalewski, 2013]
A state-of-the-art fuzzer
Two main units
The fuzzing logic
The instrumentation suiteCompiler-basedQEMU-based
https://rabbitbreeders.us/american-fuzzy-lop-rabbits/
sleu
thki
t
zstd
unac
e
inde
nt
nasm
pcre
Geo
Mea
n
Benchmarks
0
5
10
15
20
25
Perf
orm
ance
impr
ovem
ent (
X)
11.313.7
16.417.8 18.9
20.6
16.1
3.7
7.6
4.26.1 5.2 6.3 5.4
1.0 1.0 1.0 1.0 1.0 1.0 1.0
Baseline AFLPHMon
Fork Server
PHMon improves AFL’s performanceby 16× over the baseline
Power overhead: 5%
Area overhead: 13.5%
Parent Process (AFL)
Program ExecutionOn RISC-V Processor
Fork+Execv(1)
Processterminates
(4)
Monitoring (2)/Updating the
branch coverage (3)
Reading thebranch coverage (5)
Shared Memory Region
Memory
QEMU Child Process
(The Fuzzed Program)
QEMU-based AFL
Shared Memory Region
Memory
PHMon-based AFL
Boston University August 12, 2020 9/10
IntroductionPHMon
Conclusion
Conclusion
Ref: https://www.linux-apps.com/p/1082429/
A hardware monitor with full software stack
Shadow Stack
Preventing InformationLeakage
Shadow Stack
Hardware AcceleratedFuzzing
Watchpoints andAccelerated Debugger
Versatile and easily adopted
FPGA prototype
ARTIFACTEVALUATED
PASSED
https://www.usenix.org/system/files/sec20spring_delshadtehrani_prepub.pdf
https://github.com/bu-icsg/PHMon
? Thanks! You can reach me atdelshad@bu.edu for follow-up questions.
More information
Boston University August 12, 2020 10/10