PHMon: A Programmable Hardware Monitor and Its Security Use Cases
Leila Delshadtehrani, Sadullah Canakci, Boyou Zhou, Schuyler Eldridge, Ajay Joshi, and Manuel Egele
Boston University
August 12, 2020 MPX SafeCWhat if Softbound Available we could2008 have a flexible2013 hardware2018-2019 implementation that could enhance and enforce a variety of security policies1994 as security2009 threats evolve?!2015 Hardbound MPX MPX Announced Disabled
[AUSTIN, PLDI’94] [DEVIETTI, ASPLOS’08] [NAGARAKATTE, PLDI’09]
Introduction Motivation PHMon Overview Conclusion Motivation
Current Trend Growing demand to enforce security policies in hardware
Intel MPX ARM TrustZone AMD SVM Intel SGX Intel TXT ARM PA Intel CET ...
Boston University August 12, 2020 2/10
What if we could have a flexible hardware implementation that could enhance and enforce a variety of security policies as security threats evolve?!
Introduction Motivation PHMon Overview Conclusion Motivation
Current Trend Growing demand to enforce security policies in hardware MPX SafeC Softbound Available Intel MPX ARM 2008 2013 2018-2019 TrustZone AMD SVM Intel SGX 1994 2009 2015 Hardbound MPX MPX Intel TXT ARM PA Announced Disabled Intel CET ...
[AUSTIN, PLDI’94] [DEVIETTI, ASPLOS’08] [NAGARAKATTE, PLDI’09]
Boston University August 12, 2020 2/10 MPX SafeC Softbound Available 2008 2013 2018-2019
1994 2009 2015 Hardbound MPX MPX Announced Disabled
[AUSTIN, PLDI’94] [DEVIETTI, ASPLOS’08] [NAGARAKATTE, PLDI’09]
Introduction Motivation PHMon Overview Conclusion Motivation
Current Trend Growing demand to enforce security policies in hardware
What if Intel MPX ARM we could have a flexible hardware TrustZone implementation that could enhance AMD SVM and enforce a variety of security Intel SGX policies as security threats evolve?! Intel TXT ARM PA Intel CET ...
Boston University August 12, 2020 2/10 Introduction Motivation PHMon Overview Conclusion Our Proposal - PHMon
Application PHMon API A hardware monitor and the full OS Hardware software stack around it A programmable hardware monitor Full SW Stack interfaced with a RISC-V Rocket processor on an FPGA OS support Software API User/Admin Event/Action Security use cases Specification Using PHMon API Monitor Events
How Does It Work? Program PHMon PHMon Monitor the
execution A user/admin configures the hardware
monitor Take Actions The hardware monitor collects the Is process Is PHMon runtime execution information Terminated? Disabled? N N Checks for the specified events, e.g., detects Y Y branch instructions PHMon Performs follow-up actions, e.g., an ALU Stop operation Monitoring
Boston University August 12, 2020 3/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Hardware Overview
RISC-V Rocket RoCC Interface Microprocessor Pipelined Commit Log Processor Core TU Command Response PHMon
WB Exe Dec Mem Interrupt
PC_GEN /Fetch HW Functionality L1 Memory Request Data Cache Memory Response Collect the instruction Commit Log trace - inst PHMon - pc_src Action Unit (AU) Find matches with - pc_dst Match Unit-0 (MU-0) - addr Predicate: Config Unit-0 (CFU-0) programmed events - data - inst = *8067 MU_id Action Config Table - pc_src = * - pc_dst = * Type In1 In2 Fn Out Data - addr = * 2b 3b 3b 4b 3b 64b Take follow-up actions Comparator - data = * ... MU_addr ... Match Queue Cmd/Resp Counter Threshold conf_ptr conf_ctr =? MU_data Control Unit Local ALU Register Match Packet (CU) File
Interrupt Memory
Boston University August 12, 2020 4/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Software Overview
Software Interface OS Support A list of functions that use RISC-V’s Per process OS support standard ISA extension Maintain PHMon Configure PHMon information during Communicate with PHMon context switches Interrupt handling OS Reset MU-0 and configure the match pattern support phmon_reset_val(0); Delegate interrupt to phmon_pattern(0, &mask_inst0) OS Compare pc_dst and pc_src, and trigger an interrupt Terminate the action_mu0.op_type = e_OP_ALU; //ALU operation violating process action_mu0.in1 = e_IN_DATA_RESP; //MU_resp action_mu0.in2 = e_IN_LOC3; //Local3 action_mu0.fn = e_ALU_SEQ; //Set Equal action_mu0.out = e_OUT_INTR; //Interrupt reg phmon_action_config(0, &action_mu0);
Boston University August 12, 2020 5/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Implementation and Evaluation Framework
Implementation PHMon as a RoCC, written in Chisel HDL Interfaced with the in-order RISC-V Rocket core Linux kernel v4.15 RISC-V gnu toolchain for cross-compilation
Evaluation Prototyped on Xilinx Zynq Zedboard Rocket core + PHMon Open-sourced at https://github.com/bu-icsg/PHMon
Boston University August 12, 2020 6/10 Hardware Accelerated Shadow Stack Fuzzing
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,
Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases
Preventing Information Shadow Stack Shadow Stack Leakage
Hardware Accelerated Watchpoints and Fuzzing Accelerated Debugger
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303, https://hackernoon.com/professional-debugging-in-rails-1yr2bnz
Boston University August 12, 2020 7/10 Preventing Information Shadow Stack Shadow Stack Leakage
Hardware Accelerated Watchpoints and Fuzzing Accelerated Debugger
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303, https://hackernoon.com/professional-debugging-in-rails-1yr2bnz
Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases
Hardware Accelerated Shadow Stack Fuzzing
https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303,
Boston University August 12, 2020 7/10
Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Shadow Stack
Main Stack Shadow Stack
PHMon-based Shadow Stack Return Address Return Address Argument Return Address Registers Simple and flexible Saved Two MUs Registers Local ... Shared memory space Variables Return Address
Allocated by OS as a ... user-space memory
3.5 Secure 3.4 3.0 2.7 2.6 Efficient 2.5 For SPECint2000, 2.0 1.5 SPECint2006, and MiBench 1.2 1.1 1.1 1.2 benchmarks, on average, 1.0 0.5 0.9% performance overhead 0.5 0.3 Performance Overhead (%) 0.0 gcc bzip2 astar gobmk hmmer h264ref GeoMean libquantum xalancbmk SPECint2006
Boston University August 12, 2020 8/10 Program Execution On RISC-V Processor Monitoring (2)/ Updating the Child Process branch coverage (3) (The Fuzzed Program) QEMU Process Fork+Execv terminates (1) (4) Parent Process (AFL)
Reading the branch coverage (5) Memory Shared Memory Region
QEMU-based AFL
Memory Shared Memory Region
PHMon-based AFL
Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Hardware Accelerated Fuzzing
American Fuzzy Lop (AFL) [Zalewski, 2013] A state-of-the-art fuzzer Two main units The fuzzing logic The instrumentation suite Compiler-based QEMU-based
https://rabbitbreeders.us/american-fuzzy-lop-rabbits/
Boston University August 12, 2020 9/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Hardware Accelerated Fuzzing
Program Execution American Fuzzy Lop (AFL) On RISC-V Processor Monitoring (2)/ Updating the [Zalewski, 2013] Child Process branch coverage (3) (The Fuzzed Program) QEMU Process Fork+Execv terminates A state-of-the-art fuzzer (1) (4) Two main units Parent Process (AFL) Reading the branch coverage (5) The fuzzing logic Memory The instrumentation suite Shared Memory Region Compiler-based QEMU-based QEMU-based AFL
Memory Shared Memory Region
PHMon-based AFL https://rabbitbreeders.us/american-fuzzy-lop-rabbits/
Boston University August 12, 2020 9/10 American Fuzzy Lop (AFL) [Zalewski, 2013] A state-of-the-art fuzzer Two main units The fuzzing logic The instrumentation suite Compiler-based QEMU-based
https://rabbitbreeders.us/american-fuzzy-lop-rabbits/
Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Hardware Accelerated Fuzzing
Program Execution On RISC-V Processor Monitoring (2)/ Updating the 25 Child Process branch coverage (3) (The Fuzzed Program) Baseline AFL Fork Server 20.6 QEMU 20 18.9 Process PHMon 17.8 Fork+Execv 16.4 16.1 terminates (1) (4) 15 13.7 11.3 Parent Process (AFL)
10 7.6 Reading the 6.3 6.1 5.4 branch coverage (5) 5.2 Memory Performance 5 3.7 4.2 Shared Memory Region improvement (X) 1.0 1.0 1.0 1.0 1.0 1.0 1.0 0 zstd pcre Geo
nasm QEMU-based AFL Mean unace indent sleuthkit Benchmarks
PHMon improves AFL’s performance by 16× over the baseline Power overhead: 5% Area overhead: 13.5% Memory Shared Memory Region
PHMon-based AFL
Boston University August 12, 2020 9/10 Introduction PHMon Conclusion Conclusion
Ref: https://www.linux-apps.com/p/1082429/
A hardware monitor with full software stack FPGA prototype
ARTIFACT EVALUATED https://www.usenix.org/system/files/ sec20spring_delshadtehrani_prepub.pdf PASSED
Preventing Information Shadow Stack Shadow Stack Leakage
https://github.com/bu-icsg/PHMon
Thanks! You can reach me at
Hardware Accelerated Watchpoints and [email protected] for follow-up questions. Fuzzing Accelerated Debugger ?
Versatile and easily adopted More information
Boston University August 12, 2020 10/10