
EVALUATION OF HARDWARE-BASED DATA FLOW INTEGRITY

A Thesis
by
ABHIJITH REDDY RACHALA

Submitted to the Office of Graduate and Professional Studies of Texas A&M University in partial fulfillment of the requirements for the degree of

MASTER OF SCIENCE

Chair of Committee, Jiang Hu
Co-Chair of Committee, Shaoming Huang
Committee Member, Narasimha Annapareddy
Head of Department, Miroslav M. Begovic

August 2019

Major Subject: Computer Engineering

Copyright 2019 Abhijith Reddy Rachala

ABSTRACT

Computer security is a critical problem, because a security failure in computer systems such as desktop machines, mobile phones, tablets and Internet of Things (IoT) devices has widespread consequences. Usually, attackers try to find vulnerabilities in the target systems and, by exploiting these vulnerabilities, launch an attack to achieve their malicious goal.

Software data attacks modify the intended control/data flow in a program that is unprotected. Control data attacks are executed by exploiting buffer overflows or string vulnerabilities to overwrite a return address, a function pointer or some other information about control data. Non-control data attacks exploit similar vulnerabilities to overwrite security-critical data without changing the intended control flow in the program. Data flow integrity ensures that the flow of data in a program at runtime is permitted by the data flow graph.

The main objective of the thesis is to implement a hardware-based data flow integrity technique and check for vulnerabilities on a target application. This implementation is achieved by referencing a data flow graph against which the runtime data flow of a program is checked. DFI checking is integrated into an existing processor, with most hardware changes going to the load/store unit and the arithmetic unit.
In gem5, this is realised by modifying the source code of the simulator at the instruction level to monitor each load/store instruction of the target application and check for data flow violations. We also measure the overhead caused by modifying the gem5 source code to integrate DFI checking with the existing CPU models in gem5. From the experimental results, we measured the performance overhead to be up to 14.5%. We also roughly estimate the extra hardware required for this implementation on real hardware.

DEDICATION

To my parents

ACKNOWLEDGMENTS

It is my honor and privilege to have pursued my graduate studies at Texas A&M University. I am grateful to many people for their support during this journey.

Firstly, I would like to express my sincere gratitude to my advisor, Dr. Jiang Hu, for steering my endeavor in academic research through his guidance, patience and understanding. His trust and encouragement helped me to think beyond the normal conventions from time to time and gave me the freedom to experiment with different ideas, which proved very beneficial in carrying out my research. I would sincerely thank my co-advisor, Dr. Jeff Huang, for his persistent optimism and motivation. I feel fortunate to receive directions from both of my advisors, without which this thesis would be impossible. It was truly an honor to have research advisors and mentors like them. I would like to thank Dr. Narasimha Reddy for being a part of my thesis committee and providing continuous constructive feedback on my thesis.

I am very thankful to my colleague in the project, Lang Feng, for sharing his knowledge and ideas for my project. His constant inputs and feedback helped me whenever I was stuck in the project. I am also grateful to Erick Carvajal and Gino Chacon for assisting me when I started off with gem5 and sharing their experiences working with gem5; this helped me grasp the gem5 environment quicker.
I wish to thank the Department of Electronics and Computer Engineering at Texas A&M University for providing the opportunity and resources to fulfill my academic ambition. I am obliged to all my friends for helping me keep my life in context. I would like to thank my family for their undeterred support, encouragement and faith in me.

CONTRIBUTORS AND FUNDING SOURCES

Contributors

This work was supported by a thesis committee consisting of Professor Jiang Hu and Professor Narasimha Reddy from the Department of Electrical and Computer Engineering (ECE), and Professor Jeff Huang of the Department of Computer Science and Engineering (CSE).

Tools used in the research, namely gem5 and SVF, are open source tools developed by third parties. Usage of these tools has been duly cited in the thesis.

All other work conducted for the thesis was completed by the student independently.

Funding Sources

Graduate study was partly supported by a scholarship from the ECE department at Texas A&M University.

NOMENCLATURE

DFI     Data Flow Integrity
CFI     Control Flow Integrity
SVF     Static Value Flow
CDI     Core Debug Interface
CPU     Central Processing Unit
ISA     Instruction Set Architecture
CPI     Cycles Per Instruction
DFG     Data Flow Graph
CFG     Control Flow Graph
RDS     Reaching Definition Set
RDT     Reaching Definition Table
TPIU    Trace Port Interface Unit
PC      Program Counter
LUT     Look Up Table
HDFI    Hardware-Assisted Data Flow Isolation
ALM     Adaptive Logic Module

TABLE OF CONTENTS

ABSTRACT
DEDICATION
ACKNOWLEDGMENTS
CONTRIBUTORS AND FUNDING SOURCES
NOMENCLATURE
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
1. INTRODUCTION
   1.1 Runtime Verification
   1.2 Security
   1.3 Monitoring Techniques
2. RELATED WORK
3. BACKGROUND
   3.1 Software data flow integrity
   3.2 About gem5
       3.2.1 MemObjects
       3.2.2 Ports
             3.2.2.1 Atomic/Timing/Functional accesses
       3.2.3 Packets
   3.3 Static Value Flow (SVF)
   3.4 Instrumentation
4. IDEA & IMPLEMENTATION
   4.1 Objective
   4.2 Idea
   4.3 Static Analysis
   4.4 Detailed DFI Explanation
   4.5 Hardware-based DFI Checking
5. EXPERIMENTAL SETUP & RESULTS
   5.1 Experimental Setup
   5.2 Results
6. CONCLUSION
REFERENCES

LIST OF FIGURES

4.1 Flow Chart for obtaining instrumented binary
4.2 Sample code
4.3 Data Flow Graph for the sample code
4.4 Enforced (allowed) Data Flow for each variable
4.5 Execution Path 1 for sample code
4.6 Execution Path 2 for sample code
4.7 Simulation environment for gem5
5.1 gem5 configuration used
5.2 Simulated time comparison for 1 million instructions
5.3 Simulated time comparison for 10 million instructions
5.4 Simulated time comparison for 50 million instructions
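
The check the abstract describes, in which every store is recorded and every load is compared against the writers the data flow graph allows, can be sketched as follows. This is an added example, not code from the thesis or from gem5; the word-granular reaching definition table, the bitmask encoding of the reaching definition set, the definition identifiers and the toy buffer/flag layout are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy machine: 16 words; buf is words 0..3, is_admin is word 4. */
enum { MEM_WORDS = 16, BUF = 0, BUF_LEN = 4, IS_ADMIN = 4 };
enum { NO_DEF = 0, DEF_INIT = 1, DEF_COPY = 2 };  /* assumed store identifiers */

static int     mem[MEM_WORDS];
static uint8_t rdt[MEM_WORDS];  /* reaching definition table: last writer per word */
static const int SAMPLE[5] = {7, 7, 7, 7, 1};     /* constructed input */

/* Store side: perform the write and record which store instruction did it. */
static void dfi_store(unsigned addr, int value, uint8_t def_id) {
    mem[addr] = value;
    rdt[addr] = def_id;
}

/* Load side: rds_mask is the load's reaching definition set, one bit per
   definition id. Returns 1 if the last writer is allowed, 0 on a violation. */
static int dfi_load(unsigned addr, uint32_t rds_mask, int *out) {
    uint8_t last = rdt[addr];
    if (last >= 32 || !(rds_mask & (1u << last))) return 0;
    *out = mem[addr];
    return 1;
}

/* Toy program: is_admin = 0 (DEF_INIT), then a copy loop (DEF_COPY) that is
   not bounded by BUF_LEN. Static analysis would give the is_admin load the
   set {DEF_INIT}. Returns 1 if that load passes, 0 if DFI flags it. */
int run_copy(const int *input, unsigned n) {
    int v = 0;
    memset(rdt, NO_DEF, sizeof rdt);
    dfi_store(IS_ADMIN, 0, DEF_INIT);
    for (unsigned i = 0; i < n && BUF + i < MEM_WORDS; i++)
        dfi_store(BUF + i, input[i], DEF_COPY);
    return dfi_load(IS_ADMIN, 1u << DEF_INIT, &v);
}

int main(void) {
    printf("4-word copy: %s\n", run_copy(SAMPLE, 4) ? "ok" : "DFI violation");
    printf("5-word copy: %s\n", run_copy(SAMPLE, 5) ? "ok" : "DFI violation");
    return 0;
}
```

The 5-word copy never changes control flow, yet the load of is_admin is rejected because its last writer is the copy loop rather than the initialising store, which is the non-control data case the abstract describes.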