PHMon: A Programmable Hardware Monitor and Its Security Use Cases Leila Delshadtehrani, Sadullah Canakci, Boyou Zhou, Schuyler Eldridge, Ajay Joshi, and Manuel Egele [email protected] Boston University August 12, 2020 MPX SafeCWhat if Softbound Available we could2008 have a flexible2013 hardware2018-2019 implementation that could enhance and enforce a variety of security policies1994 as security2009 threats evolve?!2015 Hardbound MPX MPX Announced Disabled [AUSTIN, PLDI'94] [DEVIETTI, ASPLOS'08] [NAGARAKATTE, PLDI'09] Introduction Motivation PHMon Overview Conclusion Motivation Current Trend Growing demand to enforce security policies in hardware Intel MPX ARM TrustZone AMD SVM Intel SGX Intel TXT ARM PA Intel CET ... Boston University August 12, 2020 2/10 MPX SafeCWhat if Softbound Available we could2008 have a flexible2013 hardware2018-2019 implementation that could enhance and enforce a variety of security policies1994 as security2009 threats evolve?!2015 Hardbound MPX MPX Announced Disabled Introduction Motivation PHMon Overview Conclusion Motivation Current Trend Growing demand to enforce security policies in hardware Intel MPX ARM TrustZone AMD SVM Intel SGX Intel TXT ARM PA Intel CET ... [AUSTIN, PLDI'94] [DEVIETTI, ASPLOS'08] [NAGARAKATTE, PLDI'09] Boston University August 12, 2020 2/10 MPX SafeCWhat if Softbound Available we could2008 have a flexible2013 hardware2018-2019 implementation that could enhance and enforce a variety of security policies1994 as security2009 threats evolve?!2015 Hardbound MPX MPX Announced Disabled [AUSTIN, PLDI'94] [DEVIETTI, ASPLOS'08] [NAGARAKATTE, PLDI'09] Introduction Motivation PHMon Overview Conclusion Motivation Current Trend Growing demand to enforce security policies in hardware Intel MPX ARM TrustZone AMD SVM Intel SGX Intel TXT ARM PA Intel CET ... Boston University August 12, 2020 2/10 Introduction Motivation PHMon Overview Conclusion Our Proposal - PHMon Application PHMon API A hardware monitor and the full OS Hardware software stack around it A programmable hardware monitor Full SW Stack interfaced with a RISC-V Rocket processor on an FPGA OS support Software API User/Admin Event/Action Security use cases Specification Using PHMon API Monitor Events How Does It Work? Program PHMon PHMon Monitor the execution A user/admin configures the hardware monitor Take Actions The hardware monitor collects the Is process Is PHMon runtime execution information Terminated? Disabled? N N Checks for the specified events, e.g., detects Y Y branch instructions PHMon Performs follow-up actions, e.g., an ALU Stop operation Monitoring Boston University August 12, 2020 3/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Hardware Overview RISC-V Rocket RoCC Interface Microprocessor Pipelined Commit Log Processor Core TU Command Response PHMon WB Exe Dec Mem Interrupt PC_GEN /Fetch HW Functionality L1 Memory Request Data Cache Memory Response Collect the instruction Commit Log trace - inst PHMon - pc_src Action Unit (AU) Find matches with - pc_dst Match Unit-0 (MU-0) - addr Predicate: Config Unit-0 (CFU-0) programmed events - data - inst = *8067 MU_id Action Config Table - pc_src = * - pc_dst = * Type In1 In2 Fn Out Data - addr = * 2b 3b 3b 4b 3b 64b Take follow-up actions Comparator - data = * ... MU_addr ... Match Queue Cmd/Resp Counter Threshold conf_ptr conf_ctr =? MU_data Control Unit Local ALU Register Match Packet (CU) File Interrupt Memory Boston University August 12, 2020 4/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Software Overview Software Interface OS Support A list of functions that use RISC-V's Per process OS support standard ISA extension Maintain PHMon Configure PHMon information during Communicate with PHMon context switches Interrupt handling OS Reset MU-0 and configure the match pattern support phmon_reset_val(0); Delegate interrupt to phmon_pattern(0, &mask_inst0) OS Compare pc_dst and pc_src, and trigger an interrupt Terminate the action_mu0.op_type = e_OP_ALU; //ALU operation violating process action_mu0.in1 = e_IN_DATA_RESP; //MU_resp action_mu0.in2 = e_IN_LOC3; //Local3 action_mu0.fn = e_ALU_SEQ; //Set Equal action_mu0.out = e_OUT_INTR; //Interrupt reg phmon_action_config(0, &action_mu0); Boston University August 12, 2020 5/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Implementation and Evaluation Framework Implementation PHMon as a RoCC, written in Chisel HDL Interfaced with the in-order RISC-V Rocket core Linux kernel v4.15 RISC-V gnu toolchain for cross-compilation Evaluation Prototyped on Xilinx Zynq Zedboard Rocket core + PHMon Open-sourced at https://github.com/bu-icsg/PHMon Boston University August 12, 2020 6/10 Hardware Accelerated Shadow Stack Fuzzing https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303, Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases Preventing Information Shadow Stack Shadow Stack Leakage Hardware Accelerated Watchpoints and Fuzzing Accelerated Debugger https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303, https://hackernoon.com/professional-debugging-in-rails-1yr2bnz Boston University August 12, 2020 7/10 Hardware Accelerated Shadow Stack Fuzzing https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303, Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases Preventing Information Shadow Stack Shadow Stack Leakage Hardware Accelerated Watchpoints and Fuzzing Accelerated Debugger https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterprise-vpn-/d/d-id/1204592, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303, https://hackernoon.com/professional-debugging-in-rails-1yr2bnz Boston University August 12, 2020 7/10 Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Shadow Stack Main Stack Shadow Stack PHMon-based Shadow Stack Return Address Return Address Argument Return Address Registers Simple and flexible Saved Two MUs Registers Local ... Shared memory space Variables Return Address Allocated by OS as a ... user-space memory 3.5 Secure 3.4 3.0 2.7 2.6 Efficient 2.5 For SPECint2000, 2.0 1.5 SPECint2006, and MiBench 1.2 1.1 1.1 1.2 benchmarks, on average, 1.0 0.5 0.9% performance overhead 0.5 0.3 Performance Overhead (%) 0.0 gcc bzip2 astar gobmk hmmer h264ref GeoMean libquantum xalancbmk SPECint2006 Boston University August 12, 2020 8/10 Program Execution On RISC-V Processor Monitoring (2)/ Updating the Child Process branch coverage (3) (The Fuzzed Program) QEMU Process Fork+Execv terminates (1) (4) Parent Process (AFL) Reading the branch coverage (5) Memory Shared Memory Region QEMU-based AFL Memory Shared Memory Region PHMon-based AFL Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Hardware Accelerated Fuzzing American Fuzzy Lop (AFL) [Zalewski, 2013] A state-of-the-art fuzzer Two main units The fuzzing logic The instrumentation suite Compiler-based QEMU-based https://rabbitbreeders.us/american-fuzzy-lop-rabbits/ Boston University August 12, 2020 9/10 Program Execution On RISC-V Processor Monitoring (2)/ Updating the Child Process branch coverage (3) (The Fuzzed Program) QEMU Process Fork+Execv terminates (1) (4) Parent Process (AFL) Reading the branch coverage (5) Memory Shared Memory Region Memory Shared Memory Region Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Hardware Accelerated Fuzzing American Fuzzy Lop (AFL) [Zalewski, 2013] A state-of-the-art fuzzer Two main units The fuzzing logic The instrumentation suite Compiler-based QEMU-based QEMU-based AFL PHMon-based AFL https://rabbitbreeders.us/american-fuzzy-lop-rabbits/ Boston University August 12, 2020 9/10 Program Execution American Fuzzy Lop (AFL) On RISC-V Processor Monitoring (2)/ Updating the [Zalewski, 2013] Child Process branch coverage (3) (The Fuzzed Program) QEMU Process Fork+Execv terminates A state-of-the-art fuzzer (1) (4) Two main units Parent Process (AFL) Reading the branch coverage (5) The fuzzing logic Memory The instrumentation suite Shared Memory Region Compiler-based QEMU-based Memory Shared Memory Region https://rabbitbreeders.us/american-fuzzy-lop-rabbits/ Hardware Introduction Software PHMon Implementation Conclusion Use Cases Use Cases: Hardware Accelerated Fuzzing 25 Baseline AFL Fork Server 20.6 18.9 20 PHMon 17.8 16.4 16.1 15 13.7 11.3 10 7.6 6.1 6.3 5.2 5.4 Performance 5 3.7 4.2 improvement (X) 1.0 1.0 1.0 1.0 1.0 1.0 1.0 0 zstd pcre Geo nasm QEMU-based AFL Mean unace indent sleuthkit Benchmarks PHMon improves AFL's performance by 16× over the baseline Power overhead: 5% Area overhead: 13.5% PHMon-based AFL Boston University August 12, 2020 9/10 Introduction PHMon Conclusion Conclusion Ref: https://www.linux-apps.com/p/1082429/ A hardware monitor with full software stack FPGA prototype ARTIFACT EVALUATED https://www.usenix.org/system/files/ sec20spring_delshadtehrani_prepub.pdf PASSED Preventing Information Shadow Stack Shadow Stack Leakage https://github.com/bu-icsg/PHMon Thanks! You can reach me at Hardware Accelerated Watchpoints and [email protected] for follow-up questions. Fuzzing Accelerated Debugger ? Versatile and easily adopted More information Boston University August 12, 2020 10/10.