HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf ·...
Transcript of HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf ·...
![Page 1: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/1.jpg)
Srini DevadasMassachusetts Institute of Technology
HPCA 2019 Keynote
Towards Secure High-Performance Computer
Architectures
![Page 2: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/2.jpg)
Architectural Isolationof Processes
2
Fundamental to maintaining correctness and privacy!
![Page 3: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/3.jpg)
Performance Dictates Microarchitectural Optimization
3
Isolation Breaks Because of Shared Microarchitectural State!
![Page 4: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/4.jpg)
Shared Last Level Cache
4
Line Offsetl-1…0
Address Tagn-1…s+l
Set Indexs+l-1…l
Memory Address
…Set S-1, Way 1 Set S-1, Way W-1Set S-1, Way 0⋮ ⋱ ⋮⋮
Set i, Way 1 Set i, Way W-1…Set i, Way 0
⋮⋮ ⋮ ⋱
Set 1, Way W-1Set 1, Way 0 …Set 1, Way 1
Set 0, Way W-1…Set 0, Way 1Set 0, Way 0
Way W-1…Way 1Way 0
Tag Line Tag Line Tag Line
Matched Line
Tag Comparator
Match? Matched Word
Process 1
Process 2
![Page 5: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/5.jpg)
Control Flow Speculation for Performance
I: Compute
I+1: Compute
I+2: Compute
I+3: Compute
I: Control Flow
J: Compute
J+1: Compute
J+2: Compute
K: Compute
K+1: Compute
K+2: Compute
Correct direction
Mis-speculated direction
Sequential InstructionExecution
Non-Sequential InstructionExecution
5
![Page 6: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/6.jpg)
Control Flow Speculation is insecure
Speculative execution does not affect architectural state → “correct”… but can be observed via some “side channels” (primarily cache tag state)
… and attacker can influence (mis)speculation (branch predictor inputs not authenticated)
A huge, complex attack surface!6
![Page 7: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/7.jpg)
Domain of Victim
Transmitter
Secret
ReceiverChannelAccess
Secret
Attacker
Pre-existing (RSA conditional execution example)Written by attacker (Meltdown)Synthesized out of existing victim code by attacker (Spectre)
Building a Transmitter
7
![Page 8: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/8.jpg)
8
• Real systems: large, complex, cyberphysical(not secure)
•Introducing a spy:
Hypervisor,Bios
CPU
Side Channels Gone Wild!
DR
AMChipset
Network
Thread L1 $L2 $
L3 $DR
AM C
trl.
Disk
Mainboard
OS
sharing!
sharing!sharing!
App
admins! users!vendors!
users!
admins!
![Page 9: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/9.jpg)
Philosophy
Build enclaves on an enclave platform, not
just processes
9
![Page 10: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/10.jpg)
Enclaves strengthenthe process abstraction
• Processes guarantee isolation of memory• Enclaves provide a stronger guarantee
– No other program can infer anything private from the enclave program through its use of shared resources or shared microarchitectural state
• Largely decouple performance considerations from security
• Minimally invasive hardware changes• Provable security under chosen threat model
10
![Page 11: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/11.jpg)
A Typical ComputerTrusted Computing Base
TRUSTED!
TRUSTED!
CPU!!
DRAM
!Chipset!
Network!
Thread! L1 $!L2 $!
L3 $!DRAM
Ctrl
.!Disk!
Main!board!
Priv
eleg
e!
BIOS (SMM)!
Hypervisor (Ring 0, VMX root) !
OS Kernel (Ring 0) !
App! App!
(Ring 3) !
Software…!… Running on hardware!
Secure App!
![Page 12: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/12.jpg)
Single-Chip Secure Processor:Shrink the TCB
Protected Environment
Memory
I/O
TrustedSoftware
Protect
Identify
• Enclave assumes trusted hardware + trusted software “monitor”
• Operating system is untrusted 12
Edward Suh’s ICS 2003 Talk on Aegis processor
![Page 13: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/13.jpg)
Enclave Enclave
Enclave Lifecycle (simplified)
13
Enclave binary image
Untrusted software (OS)
Create enclave,Grant resources
Loadenclave
Sealenclave
Enclave
Enclave binary image
Enclave binary image
① ② ③
Enclave can no longer be modified from outside
Enclave has a measurement for attestation
![Page 14: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/14.jpg)
Enclave Lifecycle (simplified)
14
Untrusted software (OS)
Create enclave,Grant resources
Loadenclave
Sealenclave
Enterenclave
Exitenclave
Enclave binary image
④① ② ③
⑤
(enclave executes in a strongly isolated
environment)
Platform erases (flushes)
sensitive state
![Page 15: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/15.jpg)
Strong Isolation Goal
• Any attack by a privileged attacker on the same machine as the victim that can extract a secret inside the victim enclave, could also have been run successfully by an attacker on a different machine than the victim.– No protection against an enclave leaking its own
secrets through its public API.
• Three strategies for isolation: Spatial isolation, temporal isolation and cryptography 15
![Page 16: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/16.jpg)
Sanctum Design
Victor Costan, Ilia LebedevSanctum: Minimal Hardware Extensions
for Strong Software Isolation
![Page 17: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/17.jpg)
Software Stack
User
Supervisor
Hypervisor
Machine
Hypervisor
Host ApplicationEnclave
Security MonitorMeasurement Root
Enclave multiplexing
Operating System
Enclave management
Enclave syscall shims Sanctum-aware runtimeNon-sensitive code and data Sensitive code and data
Enclave setup
![Page 18: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/18.jpg)
User
Supervisor
Hypervisor
Machine
Hypervisor
Host ApplicationEnclave
Security MonitorMeasurement Root
Enclave multiplexing
Operating System
Enclave management
Enclave syscall shims Sanctum-aware runtimeNon-sensitive code and data Sensitive code and data
Enclave setup
Software Stack
![Page 19: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/19.jpg)
Target: multi-core processor(no hyperthreading, no speculation)
L3 C
ache
CBox
Core
L2 Cache
L3 CacheSlice
L3 CacheSlice
CBox
Core
L2 Cache
HomeAgent
CBox
Core
L2 Cache
L3 CacheSlice
L3 CacheSlice
CBox
Core
L2 Cache
QPIPacketizer
MemoryController
DDR3Channel
Ring toQPI
Ring toPCIeI/O Controller
UBox
QPI Link
PCIe Lanes
![Page 20: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/20.jpg)
Microarchitectural StateIsolation in Sanctum Enclaves
• Resources exclusively granted to an enclave, and scheduled at the granularity of process context switches are isolated temporally– Register files, branch predictors, private caches,
and private TLBs
• Resources shared between processes on-demand, with arbitrarily small granularity are isolated spatially by partitioning– Shared caches and shared TLBs
20
![Page 21: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/21.jpg)
Operating SystemManages Page Tables
VirtualAddress
Physical AddressMapping
PageTables
VirtualAddress Space
PhysicalAddress Space
Address Translation
Software DRAM
System bus
![Page 22: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/22.jpg)
Practical Software Attackon SGX “Simulators”
• Microsoft Research, IEEE S&P 2015: Exploit no-noise side channel due to page faults
22
![Page 23: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/23.jpg)
Page Table Isolation
Host applicationspace
Host applicationspace
EVRANGE A
Enclave A VirtualAddress Space
Physical Memory
Enclave A region
Enclave A page tables
Enclave A region
Enclave B region
Enclave B page tables
OS region
OS region
OS page tables
Host applicationspace
Host applicationspace
EVRANGE B
Enclave B VirtualAddress Space
![Page 24: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/24.jpg)
Partitioning to Prevent Timing Attacks
24
Line Offsetl-1…0
Address Tagn-1…s+l
Set Indexs+l-1…l
Memory Address
…Set S-1, Way 1 Set S-1, Way W-1Set S-1, Way 0⋮ ⋱ ⋮⋮
Set i, Way 1 Set i, Way W-1…Set i, Way 0
⋮⋮ ⋮ ⋱
Set 1, Way W-1Set 1, Way 0 …Set 1, Way 1
Set 0, Way W-1…Set 0, Way 1Set 0, Way 0
Way W-1…Way 1Way 0
Tag Line Tag Line Tag Line
Matched Line
Tag Comparator
Match? Matched Word
Enclave
OS
![Page 25: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/25.jpg)
Page Coloring
DRAM RegionIndex
CacheLine Offset
5 0611Page Offset
1214
Cache Set Index
DRAM StripeIndex
151720 18Cache Tag
Address bits used by 256 KB of DRAM
Address bits covering the maximum addressable physical space of 2 MB
Physical page number (PPN)
![Page 26: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/26.jpg)
Page Colors =
DRAM Regions
0
MEMTOP
Normal DRAMpage colors
Sanctum DRAMpage colors / regions
0
MEMTOP
Region 0 Region 1 Region 2 Region 3Region 4 Region 5 Region 6 Region 7
LLC set colors
![Page 27: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/27.jpg)
Page Colors =
DRAM Regions
0
MEMTOP
Normal DRAMpage colors
Sanctum DRAMpage colors / regions
0
MEMTOP
Region 0 Region 1 Region 2 Region 3Region 4 Region 5 Region 6 Region 7
LLC set colors
A little bit-shifting gets us a large contiguous DRAM region
![Page 28: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/28.jpg)
Sanctum Secure ProcessorNo Speculation, No Hyperthreading
RISCV Rocket Core, Changes required by Sanctum (+ ~2% of core)
Also requires 9 new config registers
![Page 29: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/29.jpg)
Sanctum Status andCurrent Limitations
• We have built an open-source Sanctum based on the RISC-V ISA– Low performance and area overhead to support
enclaves– Ongoing formal verification effort
• Sanctum is an academic, lightweight processor• Apply its design philosophy to speculative
out-of-order (OOO) processors, which need to protect against Spectre-style attacks
29
![Page 30: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/30.jpg)
MI6 Design
Thomas Bourgeat, Ilia Lebedev,Andrew Wright, Sizhuo Zhang, Arvind
MI6: Secure Enclaves in aSpeculative Out-of-Order Processor
![Page 31: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/31.jpg)
RiscyOO Processor
31
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
![Page 32: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/32.jpg)
RiscyOO Processor
32
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
Not speculating during entire program results in average 3X slowdown!
![Page 33: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/33.jpg)
MI6 Processor
33
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
All modules with private state are flushed on enclave entry and exit.
Performance overhead ~ 5%.
![Page 34: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/34.jpg)
MI6 Processor
34
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
Last Level Cache is spatially partitioned.
Performance overhead ~7%.
![Page 35: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/35.jpg)
Leaky Cache Hierarchy
35
![Page 36: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/36.jpg)
Timing IndependentCache Hierarchy
36
Fair LLC Arbiter.Performance overhead ~8%.
![Page 37: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/37.jpg)
MI6 Processor
37
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
Stop speculating: Every memory instruction will be stalled at the rename stage until ROB is empty.
![Page 38: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/38.jpg)
MI6 Processor
38
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
Stop speculating ONLY during enclave copy operations (I/O) à
overhead is negligible.
![Page 39: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/39.jpg)
MI6 Processor
39
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
Area overhead for hardware modifications is ~2% not counting
L1 cache, FPU, LLC slice.
![Page 40: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/40.jpg)
MI6 Processor
40
Rename
ROB
ALU IQ Issue RegRead Exec Reg
Write
MEM IQ Issue RegRead
AddrCalc
UpdateLSQ
Physical Reg File
L1 D TLB
LSQ (LQ + SQ)
Commit
IssueLd
Deq
StoreBuffer
L1 D$
RespLd
IssueSt
RespSt
RenameTable
SpeculationManager
EpochManager
Scoreboard
ALU pipeline
MEM pipeline
Load-Store Unit
Front-end
Fetch Bypass
Last Level Cache
Security Monitor virtually unchanged. Hardware can evolve
separately from software (and vice versa).
![Page 41: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/41.jpg)
Challenge: Expressivity
• ~15% performance overhead for enclaves• Enclaves trade expressivity for security
– Cannot make system calls directly since OS can’t be trusted to restore an enclave’s execution state
– Enclave’s runtime must ask the host application to proxy file system and network I/O requests
– What syscall functionality should the enclave’s runtime provide?
41
![Page 42: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/42.jpg)
Challenge: Adaptivity
• Runtime decisions based on sensitive data leak information through timing: completion time, resource usage
• Crypto to the rescue?– Secure demand paging using page-level memory
encryption, integrity verification and ORAM– Secure and efficient dynamic memory allocation
in enclaves an open problem
42
![Page 43: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/43.jpg)
Challenge: Interaction
• Interaction with the outside may leak information– Public schedule for interaction does not leak
• Can we bound leakage of adaptive interactions with users, other programs?
43
Can ITrust You?
![Page 44: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/44.jpg)
Challenge: (Formal) Verification
Open Source à Independent Verification
Properties of Enclaves:
Measurement := Different enclaves have different measurements (also inverse)
Integrity := Modelled attacker cannot affect enclave state
Confidentiality := Modelled attacker cannot observe enclave state
44
![Page 45: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/45.jpg)
Modeling the Adversary
Adversary := set of ops an attacker can use to tamper with or observe enclave state. Any combination of these can be used at any time.
Threat model := ∪(observation function, tamper function, model initial state)
Specify non-interference properties or invariants that execution should satisfy
45
![Page 46: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/46.jpg)
Invariants and Non-Interference
46
Check invariants
Do an attacker actionInit
operationsDo a victim action
The proof describes a CFG with “forks”. Search this graph for a path that violates an invariant.
![Page 47: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/47.jpg)
Summary: Desiderata forSingle-Chip Secure Processor
• Open source• Formally verified (small) TCB• Secure against all practical software attacks• Secure against physical attacks on memory• Enhanced physical security against invasive
attacks• Minimal performance overhead
47
![Page 48: HPCA 2019 Keynote Towards Secure High- Performance ...people.csail.mit.edu/devadas/pubs/hpca.pdf · HPCA 2019 Keynote Towards Secure High-Performance Computer Architectures. Architectural](https://reader033.fdocuments.net/reader033/viewer/2022041915/5e6976f0ebea6c0ef5573ad1/html5/thumbnails/48.jpg)
Thank you for your attention!48
Acknowledgements
• Edward Suh• Victor Costan• Ilia Lebedev• Chris Fletcher• Ling Ren• Albert Kwon• Sanjit Seshia• Pramod Subramanyan
• Arvind• Thomas Bourgeat• Andrew Wright• Sizhuo Zhang• Kyle Hogan• Jules Drean• Rohit Sinha• NSF, DARPA, ADI, Delta