a hardware/software co-design approach for security ... · intrusion detection systems (e.g.,...
TRANSCRIPT
![Page 1: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/1.jpg)
HAL Id: hal-02013870https://hal.archives-ouvertes.fr/hal-02013870
Submitted on 11 Feb 2019
HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.
A hardware/software co-design approach for securityanalysis of application behavior
Vianney Lapotre
To cite this version:Vianney Lapotre. A hardware/software co-design approach for security analysis of applicationbehavior: Applications on Dynamic Information Flow Tracking. Journée ”Nouvelles Avancéesen Sécurité des Systèmes d’Information, Jan 2019, Toulouse, France. <http://congres.insa-toulouse.fr/SECU/index.html>. <hal-02013870>
![Page 2: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/2.jpg)
A hardware/software co-design approach for securityanalysis of application behavior
Applications on Dynamic Information Flow Tracking
Vianney Lapotre
Universite Bretagne Sud - Lab-STICC, [email protected]
January 23, 2019
1 / 46
![Page 3: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/3.jpg)
HardBlare projectStarted in October 2015.
Partners (all from Brittany !)
IETR/CentraleSuplec (SCEE) @ Rennes
Pascal Cotret (Ass. Prof.) now engineer at ThalesMuhammad Abdul Wahab (PhD student)
IRISA/CentraleSuplec/Inria (CIDRE) @ Rennes
Guillaume Hiet (Ass. Prof.)Mounir Nasr Allah (PhD student)
Lab-STICC/UBS @ Lorient
Guy Gogniat (Full Prof.), Vianney Laptre (Ass. Prof.)Arnab Kumar Biswas (Postdoc)
What do we do in this project ?
Hardware extensions for DIFT/DIFC (Dynamic Information FlowTracking / Dynamic Information Flow Control) on embeddedprocessors
2 / 46
![Page 4: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/4.jpg)
Data security: principles
Principles
Confidentiality
Integrity
Availability
Security Policy
Which security property is expected on each information container(file, variable, register, etc.) ?
What operations are allowed on each container ?
3 / 46
![Page 5: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/5.jpg)
Threat model
Side-channel attacks not taken into account
Software attacks: buffer overflow, ROP. . .
4 / 46
![Page 6: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/6.jpg)
Software security: Existing solutions
Security mechanisms
Detect, prevent or recover from a security attack
Preventive mechanisms
Enforce the security policy:
Cryptographic mechanisms
Isolation (e.g., Trustzone, SAM L11)
Formal proof, etc.
Reactive mechanisms
Monitor the system and detect any security policy violation to recover
Intrusion detection systems (e.g., Snort, OSSEC)
Dynamic Information flow tracking (DIFT)
5 / 46
![Page 7: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/7.jpg)
Dynamic Information Flow Tracking (DIFT)
Motivation
DIFT for security purposes : Integrity and Confidentiality
DIFT principle
We attach labels called tags to containers and specify an informationflow policy, i.e. relations between tags
At runtime, we propagate tags to reflect information flows that occurand detect any policy violation
6 / 46
![Page 8: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/8.jpg)
Dynamic Information Flow Tracking (DIFT)
Three steps
Tag initialization
Tag propagation
Tag check
Levels of IFT
Application level
OS level
Low level
7 / 46
![Page 9: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/9.jpg)
Dynamic Information Flow Tracking (DIFT)
Three steps
Tag initialization
Tag propagation
Tag check
Levels of IFT
Application level
OS level
Low level
7 / 46
![Page 10: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/10.jpg)
Dynamic Information Flow Tracking (DIFT)
Three steps
Tag initialization
Tag propagation
Tag check
Levels of IFT
Application level
OS level
Low level
7 / 46
![Page 11: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/11.jpg)
Dynamic Information Flow Tracking (DIFT)
Three steps
Tag initialization
Tag propagation
Tag check
Levels of IFT
Application level
OS level
Low level
variable tagvariable tag
7 / 46
![Page 12: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/12.jpg)
Dynamic Information Flow Tracking (DIFT)
Three steps
Tag initialization
Tag propagation
Tag check
Levels of IFT
Application level
OS level
Low level
File2 tagFile1 tag
7 / 46
![Page 13: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/13.jpg)
Dynamic Information Flow Tracking (DIFT)
Three steps
Tag initialization
Tag propagation
Tag check
Levels of IFT
Application level
OS level
Low level
memory
addresstagregister tag
7 / 46
![Page 14: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/14.jpg)
OS-level Software DIFT (coarse-grained)Description
Monitor is implemented within the OS kernel
Information flows = system calls
Related Work
Dedicated OS1 : Asbestos, HiStar, Flume
Modification of existing OS : Blare2
Pros & Cons
+ Small runtime overhead (< 10%)
+ Kernel space isolation (hardware support) helps protecting the monitor
- Overapproximation issue
1Eal.05; Zal.06a; Kal.07.2Gal.11; HF12. 8 / 46
![Page 15: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/15.jpg)
Application-level Software DIFT (medium and fine-grained)Description
Monitors are implemented within each application
Information flows = affectations + conditional branching
Related Work
Machine code3
Specific language4
Pros & Cons
+ Gain in precision (hybrid analysis, SME, faceted values)
- Huge overhead (x3 to x37)
- Few or no isolation : the monitor needs to protect itself
3NS05; HJR10.4CF07; Nal.07. 9 / 46
![Page 16: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/16.jpg)
Hardware-based DIFT (fine-grained)
Figure: In-core DIFT 5 Figure: Dedicated CPU for DIFT 6
5raksha˙07.6Vijay08.
10 / 46
![Page 17: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/17.jpg)
Hardware-based DIFT (fine-grained)
Figure: Dedicated DIFT co-processor 7
7raksha˙09.11 / 46
![Page 18: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/18.jpg)
Fine-grained DIFT : comparison of the existing approaches
Advantages Disadvantages
SoftwareFlexible security policies Runtime overhead
(from 300% to 3700%)
HW
-ass
iste
d In-core DIFT Low overhead (<10%)Invasive modificationsFew security policies
Dedicated CPU for DIFTLow overhead (<10%) Wasting resources
Few modifications to CPU Energy consumption (x 2)Flexible security policies Communication
Low runtime overhead (<10%) between CPU and DIFTDedicated DIFT coprocessorCPU not modified Coprocessor
12 / 46
![Page 19: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/19.jpg)
DIFT Example: Memory corruptionAttacker overwrites return address and takes control
int idx = tainted_input; //stdin (> BUFFER SIZE)
buffer[idx] = x; // buffer overflow
set r1 ← &tainted input
load r2 ← M[r1]
add r4 ← r2 + r3
store M[r4] ← r5
pseudo-code
T Data
r1
r2
r3:&buffer
r4
r5:x
Registers
T Data
Return Address
int buffer[Size]
Memory13 / 46
![Page 20: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/20.jpg)
DIFT Example: Memory corruptionAttacker overwrites return address and takes control
int idx = tainted_input; //stdin (> BUFFER SIZE)
buffer[idx] = x; // buffer overflow
set r1 ← &tainted input
load r2 ← M[r1]
add r4 ← r2 + r3
store M[r4] ← r5
pseudo-code
T Data
r1:&input
r2
r3:&buffer
r4
r5:x
Registers
T Data
Return Address
int buffer[Size]
Memory13 / 46
![Page 21: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/21.jpg)
DIFT Example: Memory corruptionAttacker overwrites return address and takes control
int idx = tainted_input; //stdin (> BUFFER SIZE)
buffer[idx] = x; // buffer overflow
set r1 ← &tainted input
load r2 ← M[r1]
add r4 ← r2 + r3
store M[r4] ← r5
pseudo-code
T Data
r1:&input
r2:idx=input
r3:&buffer
r4
r5:x
Registers
T Data
Return Address
int buffer[Size]
Memory13 / 46
![Page 22: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/22.jpg)
DIFT Example: Memory corruptionAttacker overwrites return address and takes control
int idx = tainted_input; //stdin (> BUFFER SIZE)
buffer[idx] = x; // buffer overflow
set r1 ← &tainted input
load r2 ← M[r1]
add r4 ← r2 + r3
store M[r4] ← r5
pseudo-code
T Data
r1:&input
r2:idx=input
r3:&buffer
r4:&buffer+idx
r5:x
Registers
T Data
Return Address
int buffer[Size]
Memory13 / 46
![Page 23: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/23.jpg)
DIFT Example: Memory corruptionAttacker overwrites return address and takes control
int idx = tainted_input; //stdin (> BUFFER SIZE)
buffer[idx] = x; // buffer overflow
set r1 ← &tainted input
load r2 ← M[r1]
add r4 ← r2 + r3
store M[r4] ← r5
pseudo-code
T Data
r1:&input
r2:idx=input
r3:&buffer
r4:&buffer+idx
r5:x
Registers
T Data
Return Address
int buffer[Size]
Memory13 / 46
![Page 24: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/24.jpg)
HardBlare approach
Objectives
Combine hardware level and OS level approaches
Design and implement a realistic proof-of-concept
Unmodified (ASIC) main CPU (related work rely on softcores)Dedicated DIFT coprocessor on FPGARely on existing OS and applications (Linux system)
Technological choices
Xilinx Zynq SoC (2 cores ARM Cortex A9 + FPGA)
Dedicated Linux distribution using Yocto
Challenge
Semantic gap : limited visibility of CPU instructions on FPGA side
14 / 46
![Page 25: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/25.jpg)
Information required for DIFT
Hypothesis: Application with source code
Program Counter (PC)
Instruction encoding
Memory addresses
Tags of files# 3 (else)0x106c8: sub r3, fp, #2064
...0x106d0: str r3, [fp, #-8]
# 10x10618: push {fp,lr}
...0x10630: bl 10494 <open>
...0x10644: bl 10494 <open>
...0x10658: bl 10494 <open>
...0x10674: bl 10464 <read>
...0x1068c: bl 10464 <read>
...0x10694: bl 1047c <time>
...0x106a0: bl 10470 <srand>0x106a4: bl 10458 <rand>
...0x106b4: bne 106c8
# 2 (if)1005b0: e51b300c ldr r3, [fp, #-12]1005b4: e50b3008 str r3, [fp, #-8]0x106c4: b 106d4
# 40x106d4: mov r2, #1024
...0x106e0: bl 10440 <write>
...0x106f0: pop {fp, pc}
15 / 46
![Page 26: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/26.jpg)
What can I do with my processor?
CoreSight: debug components
Available in most of Cortex-A +Cortex-M3 (for ARM)
Can export debug-related infos
16 / 46
![Page 27: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/27.jpg)
CoreSight components
17 / 46
![Page 28: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/28.jpg)
Coresight PTM
Features
Trace Filter (all code orregions of code)
Branch Broadcast 8
Context ID comparator
ELF Header
Program header table
Section 1
Section 2
...
...
Section n
Section header table
18 / 46
![Page 29: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/29.jpg)
Coresight PTM
Features
Trace Filter (all code orregions of code)
Branch Broadcast 8
Context ID comparator
(i) MOV PC, LR
(ii) ADD R1, R2, R3
(iii) B 0x8084
8Linux driver for PTM patched to support Branch broadcast feature18 / 46
![Page 30: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/30.jpg)
Coresight PTM
Features
Trace Filter (all code orregions of code)
Branch Broadcast 8
Context ID comparator
(i) MOV PC, LR
(ii) ADD R1, R2, R3
(iii) B 0x8084
8Linux driver for PTM patched to support Branch broadcast feature18 / 46
![Page 31: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/31.jpg)
Example Trace
Source code
i n t i ;f o r ( i = 0 ; i < 1 0 ; i ++)
Assembly8638 for loop:
. . .b 8654:. . .866c: bcc 8654
Trace00 00 00 00 00 80 08 38 86 00 0021 39 39 39 39 39 39 39 39 39 3986 01 00 00 00 00 00 00 00 00
Decoded TraceA-syncAddress 00008638, (I-sync Con-text 00000000, IB 21)Address 00008654, Branch Ad-dress packet (x 10)
19 / 46
![Page 32: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/32.jpg)
Example Trace
Source code
i n t i ;f o r ( i = 0 ; i < 1 0 ; i ++)
Assembly8638 for loop:
. . .b 8654:. . .866c: bcc 8654
Trace00 00 00 00 00 80 08 38 86 00 0021 39 39 39 39 39 39 39 39 39 3986 01 00 00 00 00 00 00 00 00
Decoded TraceA-syncAddress 00008638, (I-sync Con-text 00000000, IB 21)Address 00008654, Branch Ad-dress packet (x 10)
19 / 46
![Page 33: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/33.jpg)
Example Trace
Source code
i n t i ;f o r ( i = 0 ; i < 1 0 ; i ++)
Assembly8638 for loop:
. . .b 8654:. . .866c: bcc 8654
Trace00 00 00 00 00 80 08 38 86 00 0021 39 39 39 39 39 39 39 39 39 3986 01 00 00 00 00 00 00 00 00
Decoded TraceA-syncAddress 00008638, (I-sync Con-text 00000000, IB 21)Address 00008654, Branch Ad-dress packet (x 10)
19 / 46
![Page 34: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/34.jpg)
Example Trace
Source code
i n t i ;f o r ( i = 0 ; i < 1 0 ; i ++)
Assembly8638 for loop:
. . .b 8654:. . .866c: bcc 8654
Trace00 00 00 00 00 80 08 38 86 00 0021 39 39 39 39 39 39 39 39 39 3986 01 00 00 00 00 00 00 00 00
Decoded TraceA-syncAddress 00008638, (I-sync Con-text 00000000, IB 21)Address 00008654, Branch Ad-dress packet (x 10)
19 / 46
![Page 35: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/35.jpg)
PTM Traces
20 / 46
![Page 36: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/36.jpg)
CoreSight components - Performance overhead
Execution time measured with and without enabling CoreSightcomponents
No change in measured execution time
Negligible runtime overhead
1 PTM non-intrusive (dedicated HW module that works in parallel)2 Configuration of CoreSight components (TPIU sink used9 rather than
ETB)
9Linux driver for TPIU has been patched21 / 46
![Page 37: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/37.jpg)
Debug components on a hardcore CPU
Recovery of Program Counter
Coprocessor
DIFTmonitorHardcore
CPU
Application
Debug components
traceTrace
Memory
Hard disk Memory
22 / 46
![Page 38: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/38.jpg)
Static Analysis
Problem
We need to know what’s happened between two jumps
Solution
During compilation we also generate annotations that will be executed bythe co-processor to propagate tags
Examples :add r0, r1, r2 ⇒ r0 ← r1 ∪ r2
and r3, r4, r5 ⇒ r3 ← r4 ∪ r5
23 / 46
![Page 39: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/39.jpg)
Static Analysis
Recovery of instruction encoding
Coprocessor
DIFTmonitorHardcore
CPU
Application
Debug components
traceTrace
Memory
DIFTMemory
Hard disk Memory
24 / 46
![Page 40: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/40.jpg)
Instrumentation
Some addresses are resolved/calculated at run-time :
Solution : instrument the code
The instrumentation is done during the last phase of thecompilation process.
The register r9 is dedicated for the instrumentation.
The instrumentation FIFO address is retrieved via a UIO Driver.
Examples :
ldr r0, [r2] ⇒ str r2, [r9]ldr r0, [r2]
str r3, [r4] ⇒ str r5, [r9]str r3, [r5]
25 / 46
![Page 41: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/41.jpg)
Instrumentation
Recover memory addresses
Instruction Annotationldr r1, [r2, #4] r1 ← mem (r2 + 4)
Two possible strategies
1 Strategy 1: Recover all memory address through instrumentation
2 Strategy 2: Recover only register-relative memory address throughinstrumentation
26 / 46
![Page 42: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/42.jpg)
Instrumentation strategy 1
Recover all memory address through instrumentation
Example Instructions Annotations Memory address recoverysub r0, r1, r2 r0 = r1 + r2
mov r3, r0 r3 = r0
str r1, [PC, #4] @Mem(PC+4) = r1 Instrumented
ldr r3, [SP, #-8] r3 = @Mem(SP-8) Instrumented
str r1, [r3, r2] @Mem(r3+r2) = r1 Instrumented
27 / 46
![Page 43: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/43.jpg)
Instrumentation strategy 2
Recover only register-relative memory address through instrumentation
Example Instructions Annotations Memory address recoverysub r0, r1, r2 r0 = r1 + r2
mov r3, r0 r3 = r0
str r1, [PC, #4] @Mem(PC+4) = r1 CoreSight PTM
ldr r3, [SP, #-8] r3 = @Mem(SP-8) Static analysis
str r1, [r3, r2] @Mem(r3+r2) = r1 Instrumented
28 / 46
![Page 44: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/44.jpg)
Instrumentation time overhead
0
0.25
0.5
0.75
1
1.25
1.5
1.75
2
Related work Strategy 1 Strategy 2
Norm
aliz
ed
Execu
tion T
ime
Original ProgramHost instrument
53.7%
24.6%
5.37%-90%
-53%
Figure: Normalized execution time of MiBench benchmark for different strategies
29 / 46
![Page 45: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/45.jpg)
Instrumentation
Recovery of memory addresses
Coprocessor
DIFTmonitorHardcore
CPU
Application
Debug components
traceTrace
Memory
DIFTMemory
Instrumentation
Hard disk Memory
30 / 46
![Page 46: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/46.jpg)
RfBlare: System calls
Problem: We want to transmit tags from/to the operating system.Solution: Linux Security Modules Hooks
Problem: We want to persistently store tags in the system.Solution: Extended file attributes
When reading data from a file.We are propagating the tag of the read file to the destinationbuffer.
When writing data to a file.We are propagating the tag of the source buffer to the destinationfile.
31 / 46
![Page 47: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/47.jpg)
System calls: RFBlare
Recovery of tags of files
Modified Linux Kernel
Tag of
files
Coprocessor
DIFTmonitorHardcore
CPU
Application
Debug components
traceTrace
Memory
DIFTMemory
InstrumentationKernel2monitor
Monitor2kernel
Hard disk Memory
32 / 46
![Page 48: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/48.jpg)
Global architecture
PL
ModifiedLinux
ARM Cortex-A9
Decodedtrace
memory
PFT decoder
trace
DDR
Application
AXIinterconnect
InstrumentationKernel2monitor
Monitor2kernel
DIFT coprocessor
AXI
Interrupt
CS components
CPU memory (384 MB)
Tag annotations(64 MB)
Tag memory(64 MB)
Hard disk
Tag of files
PL: Programmable Logic
33 / 46
![Page 49: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/49.jpg)
Dedicated DIFT coprocessor
1 2
DIFT Coprocessor
3
Dispatcher
Tag Management Core(TMC)
Annotationsmemory
Tagmemory
TagRR T1,T2
BRAM DDR
Tagannotations
DDR
Decoded trace
memory
BRAM
34 / 46
![Page 50: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/50.jpg)
DIFT coprocessor - Internal architecture
Dispatcher fully pipelined (classical MIPS ISA)
TMC (Tag Management Core) pipelined (custom ISA)
Compile-time security policyRuntime security policy
Decode
RegisterFile (RF)
TRF
Decode
Fetchinstruction
ALU
Tag ALU
WriteBack
Fetchannotation
TRF_FP
GRF
Memoryaccess
Tag MemoryAccess WriteBack
TPR
Dispatcher
TMC
TCRTag check
TMMU
35 / 46
![Page 51: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/51.jpg)
Use cases: Multiple security policies
TMC(security policy 2)
Decoded trace
memoryDispatcher
Tagmemory
DDR
Tag annotations
DDR
Tagmemory
DDRBRAM
Annotationsmemory
BRAM
TMC(security policy 1)
Annotationsmemory
TagRR T1,T2
TagRR T1,T2
36 / 46
![Page 52: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/52.jpg)
Use cases: Multiple processes/threads
TMC(process 2)
Decoded trace
memoryDispatcher
Tagmemory
DDR
Tag annotations
DDR
Tagmemory
DDRBRAM
Annotationsmemory
BRAM
TMC(process 1)
Annotationsmemory
37 / 46
![Page 53: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/53.jpg)
Extension for 2 threads - Trace details
Decoded trace000105740001042800010584000103c800010598000103f8000105740001042800010584
00 00 00 00 00 80 08 74 05 01 00 21 42 d2 04 0095 04 08 84 05 01 00 21 42 d2 04 00 e5 03 08 9805 01 00 21 42 d2 04 00 fd 03 08 74 05 01 00 2142 d3 04 00 95 04 08 84 05 01 00 21 42 d3 04 00
Trace
A-sync I-sync Branch address packet
Context ID0004d2 420004d2 420004d2 420004d2 420004d2 420004d2 420004d3 420004d3 420004d3 42
Stored address 00010574 00010428 00010584 000103c8 00010598 000103f8 00010575 00010429 00010585
38 / 46
![Page 54: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/54.jpg)
Evaluation details
Related work strategyStrategy proposed by Heo et al.10 adapted with OS support
Example Instructions Annotations Strategy 1 Strategy 2sub r0, r1, r2 r0 = r1 + r2
mov r3, r0 r3 = r0
str r1, [PC, #4] @Mem(PC+4) = r1 Instrumented CoreSight PTM
ldr r3, [SP, #-8] r3 = @Mem(SP-8) Instrumented Static analysis
str r1, [r3, r2] @Mem(r3+r2) = r1 Instrumented Instrumented
10Heo˙15.39 / 46
![Page 55: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/55.jpg)
Instrumentation time overhead (with OS support)
0
2
4
6
8
10
12
14
Related work Strategy 1 Strategy 2
Norm
aliz
ed
Execu
tion T
ime
Original ProgramHost instrument
12.79
10.43
3.35
-18%
-74%
40 / 46
![Page 56: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/56.jpg)
Comparison with related works
Without OS support with OS support
Approaches Kannan Deng Heo HardblareHeo
adaptedHardblare
Area overhead 6.4% 14.8% 14.47% 0.47% N/A 0.95%Power overhead N/A 6.3% 24% 8.45 % N/A 16.2%
Max frequency N/A 256 MHz N/A 250 MHz N/A 250 MHz
Communicationtime overhead
N/A N/A 60% 5.4% 1280% 335%
Hardcoreportability
No No Yes Yes Yes Yes
Main CPU Softcore Softcore Softcore Hardcore Hardcore HardcoreLibrary
instrumentationN/A N/A partial No Yes Yes
FP support No No No No No YesMulti-threaded
supportNo No No No No Yes
41 / 46
![Page 57: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/57.jpg)
Conclusion and Perspectives
Take away:
CoreSight PTM allows to obtain runtime information (Program Flow)
Non-intrusive tracing ⇒ Negligible performance overhead
Isolation of hardware IPs with ARM Trustzone
Integration of OS support in the hardware-assisted DIFT
Implementation of the proposed approach on the Zynq SoC
Scalable solution for multiple security policies andmulticore/multiprocessor systems
Perspectives:
Full PoC later this year (SoC files + Yocto)
Intel / ST? (study)
Multicore multi-thread IFT
42 / 46
![Page 58: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/58.jpg)
A hardware/software co-design approach for securityanalysis of application behavior
Applications on Dynamic Information Flow Tracking
Vianney Lapotre
Universite Bretagne Sud - Lab-STICC, [email protected]
January 23, 2019
Many thanks to Muhammad, Mounir, Arnab, Pascal, Guillaume and Guy :)
https://hardblare.cominlabs.u-bretagneloire.fr43 / 46
![Page 59: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/59.jpg)
Bibliography I
raksha˙07 Raksha: A Flexible Information Flow Architecture for SoftwareSecurity.
Vijay08 Dynamic Information Tracking on Multicores.
raksha˙09 Decoupling dynamic information flow tracking with a dedicatedcoprocessor.
harmoni˙12 High-performance parallel accelerator for flexible and efficientrun-time monitoring.
pau˙15 Implementing an Application-Specific Instruction-Set Processor forSystem-Level Dynamic Program Analysis Engines.
fpl˙17 ARMHEx: A hardware extension for DIFT on ARM-based SoCs.
44 / 46
![Page 60: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/60.jpg)
Bibliography II
Eal.05 Labels and event processes in the asbestos operating system.
Zal.06a Making information flow explicit in HiStar.
Kal.07 Information Flow Control for Standard OS Abstractions.
Gal.11 Information Flow Control for Intrusion Detection derived fromMAC policy.
HF12 A taint marking approach to confidentiality violation detection.
NS05 Dynamic taint analysis for automatic detection, analysis, andsignature generation of exploits on commodity software.
HJR10 DIFC programs by automatic instrumentation.
45 / 46
![Page 61: A hardware/software co-design approach for security ... · Intrusion detection systems (e.g., Snort, OSSEC) Dynamic Information ow tracking (DIFT) ... Rely on existing OS and applications](https://reader033.vdocuments.us/reader033/viewer/2022050601/5fa8b037965a5c75162181df/html5/thumbnails/61.jpg)
Bibliography III
CF07 Fine-Grained Information Flow Analysis and Enforcement in a JavaVirtual Machine.
Nal.07 A Virtual Machine Based Information Flow Control System forPolicy Enforcement.
asianhost˙18 A MIPS-based coprocessor for information flow tracking inARM SoCs.
Heo˙15 Implementing an Application-Specific Instruction-Set Processor forSystem-Level Dynamic Program Analysis Engines
46 / 46