SHAKTI-MS: a RISC-V processor for memory safety in C
23 Jun 2019-pp 19-32
TL;DR: The proposal is to use stack-based cookies for crafting fat-pointers instead of having object-based identifiers, which eliminates the use of shadow memory space, or any table to store the pointer metadata, and reduces the storage overheads by a great extent.
Abstract: In this era of IoT devices, security is very often traded off for smaller device footprint and low power consumption. Considering the exponentially growing security threats of IoT and cyber-physical systems, it is important that these devices have built-in features that enhance security. In this paper, we present Shakti-MS, a lightweight RISC-V processor with built-in support for both temporal and spatial memory protection. At run time, Shakti-MS can detect and stymie memory misuse in C and C++ programs, with minimum runtime overheads. The solution uses a novel implementation of fat-pointers to efficiently detect misuse of pointers at runtime. Our proposal is to use stack-based cookies for crafting fat-pointers instead of having object-based identifiers. We store the fat-pointer on the stack, which eliminates the use of shadow memory space, or any table to store the pointer metadata. This reduces the storage overheads by a great extent. The cookie also helps to preserve control flow of the program by ensuring that the return address never gets modified by vulnerabilities like buffer overflows. Shakti-MS introduces new instructions in the microprocessor hardware, and also a modified compiler that automatically inserts these new instructions to enable memory protection. This co-design approach is intended to reduce runtime and area overheads, and also provides an end-to-end solution. The hardware has an area overhead of 700 LUTs on a Xilinx Virtex Ultrascale FPGA and 4100 cells on an open 55nm technology node. The clock frequency of the processor is not affected by the security extensions, while there is a marginal increase in the code size by 11% with an average runtime overhead of 13%.
Citations
More filters
15 Jul 2012
419 citations
19 Apr 2021
TL;DR: In-Fat Pointer as mentioned in this paper improves the protection granularity of tagged-pointer schemes using object metadata, which is efficient and binary-compatible for object-bound spatial safety, and uses three complementary object metadata schemes to reduce the number of pointer tag bits needed for metadata lookup.
Abstract: Programming languages like C and C++ are not memory-safe because they provide programmers with low-level pointer manipulation primitives. The incorrect use of these primitives can result in bugs and security vulnerabilities: for example, spatial memory safety errors can be caused by dereferencing pointers outside the legitimate address range belonging to the corresponding object. While a range of schemes to provide protection against these vulnerabilities have been proposed, they all suffer from the lack of one or more of low performance overhead, compatibility with legacy code, or comprehensive protection for all objects and subobjects. We present In-Fat Pointer, the first hardware-assisted defense that can achieve spatial memory safety at subobject granularity while maintaining compatibility with legacy code and low overhead. In-Fat Pointer improves the protection granularity of tagged-pointer schemes using object metadata, which is efficient and binary-compatible for object-bound spatial safety. Unlike previous work that devotes all pointer tag bits to object metadata lookup, In-Fat Pointer uses three complementary object metadata schemes to reduce the number pointer tag bits needed for metadata lookup, allowing it to use the left-over bits, along with in-memory type metadata, to refine the object bounds to subobject granularity. We show that this approach provides practical protection of fine-grained spatial memory safety.
14 citations
24 May 2021
TL;DR: In this paper, the authors present the potential of RISC-V in security research, the way in which RISCv can be hardened against power analysis attacks, how to implement, using RISCV, software and hardware/software solutions for dual core lock step, and how to perform system-level testing in the RISC V ecosystem.
Abstract: RISC-V has emerged as a viable solution on academia and industry. However, to use open source hardware for safety-critical applications, we need a deep understanding of the way in which well established mechanisms for testing and reliability could be integrated and deployed on the RISC-V ecosystem, and we need a clear knowledge on how such an ecosystem can be leveraged to improve security. This paper includes four contributions presenting the potential of RISC-V in security research, the way in which RISC-V can be hardened against power analysis attacks, how to implement, using RISC-V, software and hardware/software solutions for dual core lock step, and how to perform system-level testing in the RISC-V ecosystem.
2 citations
TL;DR: In this paper , the authors provide a comprehensive survey on existing works about RISC-V ISA extensions, and highlight some possible future research opportunities on the RISCv ISA extension.
Abstract: RISC-V is an open-source and royalty-free instruction set architecture (ISA), which opens up a new era of processor innovation. RISC-V has the characteristics of modularization and extensibility, and explicitly supports domain-specific custom extensions. Nowadays, RISC-V is a popular ISA for embedded processors. However, there is still a gap between the capabilities of RISC-V and the requirements of various emerging computing scenarios (e.g., artificial intelligence, cloud computing). Recently, the RISC-V standards organization has continuously introduced new ISA extensions to meet the needs of advanced computing. There are also a variety of novel research proposed customized extensions of RISC-V for certain scenarios. As far as we know, there is a lack of a survey to systematically present the research progress of RISC-V ISA extensions. The goal of this paper is to provide a comprehensive survey on existing works about RISC-V ISA extensions. First, the application scenarios of RISC-V are introduced, and the requirements for ISA extensions are analyzed. Then, we survey the progress of official RISC-V ISA extension specification and recent research on RISC-V ISA extension. Finally, we highlight some possible future research opportunities on the RISC-V ISA extension.
1 citations
01 Sep 2019
TL;DR: It is shown that there is a fundamental design flaw in Intel MPX and all other hardware enforced pointer protection schemes that were surveyed, making all of them vulnerable to Meltdown, and a design strategy is suggested, called MSMPX, that provides hardware enforced pointers protection, while at the same time being immune to meltdown.
Abstract: In recent years several hardware enforced pointer protection schemes have been proposed. The most notable amongst them is the Intel MPX, which can identify spatial violations at run time. Recently, it is shown that Intel MPX is vulnerable to a potent attack called Meltdown, which exploits the processor’s transient behavior during speculative execution.In this paper, we show that there is a fundamental design flaw in Intel MPX and all other hardware enforced pointer protection schemes that we surveyed, making all of them vulnerable to Meltdown. We then suggest a design strategy called MSMPX, that provides hardware enforced pointer protection, while at the same time being immune to Meltdown. We compare the hardware overheads on an OpenRISC processor and the performance overheads with respect to Intel MPX.
1 citations
Cites background from "SHAKTI-MS: a RISC-V processor for m..."
...However, while there is no change in processor clock frequency in [21], MSMPX reduced the maximum clock frequency of the processor by around 6....
[...]
...hardware based solutions [21], where the hardware overhead...
[...]
References
More filters
10 Jun 2007
TL;DR: Valgrind is described, a DBI framework designed for building heavyweight DBA tools that can be used to build more interesting, heavyweight tools that are difficult or impossible to build with other DBI frameworks such as Pin and DynamoRIO.
Abstract: Dynamic binary instrumentation (DBI) frameworks make it easy to build dynamic binary analysis (DBA) tools such as checkers and profilers. Much of the focus on DBI frameworks has been on performance; little attention has been paid to their capabilities. As a result, we believe the potential of DBI has not been fully exploited.In this paper we describe Valgrind, a DBI framework designed for building heavyweight DBA tools. We focus on its unique support for shadow values-a powerful but previously little-studied and difficult-to-implement DBA technique, which requires a tool to shadow every register and memory value with another value that describes it. This support accounts for several crucial design features that distinguish Valgrind from other DBI frameworks. Because of these features, lightweight tools built with Valgrind run comparatively slowly, but Valgrind can be used to build more interesting, heavyweight tools that are difficult or impossible to build with other DBI frameworks such as Pin and DynamoRIO.
2,540 citations
"SHAKTI-MS: a RISC-V processor for m..." refers background or methods in this paper
...Location based [15, 17, 31, 41] approaches use an extra data structure such as a tree or it uses a hashtable/trie-based implementation of shadow memory space to keep track of the allocated and deallocated memory regions....
[...]
...There have been many solutions proposed to mitigate temporal attacks [2, 3, 9, 10, 15, 29, 31, 32, 35, 41, 42]....
[...]
Proceedings Article•
26 Jan 1998TL;DR: StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, and a set of variations on the technique that trade-off between penetration resistance and performance.
Abstract: This paper presents a systematic solution to the persistent problem of buffer overflow attacks. Buffer overflow attacks gained notoriety in 1988 as part of the Morris Worm incident on the Internet. While it is fairly simple to fix individual buffer overflow vulnerabilities, buffer overflow attacks continue to this day. Hundreds of attacks have been discovered, and while most of the obvious vulnerabilities have now been patched, more sophisticated buffer overflow attacks continue to emerge.
We describe StackGuard: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties. Privileged programs that are recompiled with the StackGuard compiler extension no longer yield control to the attacker, but rather enter a fail-safe state. These programs require no source code changes at all, and are binary-compatible with existing operating systems and libraries. We describe the compiler technique (a simple patch to gcc), as well as a set of variations on the technique that trade-off between penetration resistance and performance. We present experimental results of both the penetration resistance and the performance impact of this technique.
1,536 citations
"SHAKTI-MS: a RISC-V processor for m..." refers background in this paper
...Many of these attacks have mitigations in place, such as making the stack non-executable [40] or adding stack canaries [11] to detect tampering of return address....
[...]
28 Oct 2007
TL;DR: A return-into-libc attack to be mounted on x86 executables that calls no functions at all is presented, and how to discover such instruction sequences by means of static analysis is shown.
Abstract: We present new techniques that allow a return-into-libc attack to be mounted on x86 executables that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the properties of the x86 instruction set.
1,367 citations
"SHAKTI-MS: a RISC-V processor for m..." refers background in this paper
...Moreover, spatial attacks like buffer overflow have evolved over time and given rise to more sophisticated techniques like return-to-libc [38] or Return Oriented Programming (ROP) [37]....
[...]
Proceedings Article•
16 Aug 2017
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Abstract: The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai's growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.
1,236 citations
"SHAKTI-MS: a RISC-V processor for m..." refers background in this paper
...While these devices are becoming more pervasive, large scale attacks involving compromised embedded devices such as the Mirai botnet [21] are becoming commonplace....
[...]