The Ascend Secure Processor. Christopher Fletcher MIT

Size: px

Start display at page:

Download "The Ascend Secure Processor. Christopher Fletcher MIT"

Morris Henderson
5 years ago
Views:

1 The Ascend Secure Processor Christopher Fletcher MIT 1

2 Joint work with Srini Devadas, Marten van Dijk Ling Ren, Albert Kwon, Xiangyao Yu Elaine Shi & Emil Stefanov David Wentzlaff & Princeton Team (Mike, Tri, Jonathan, Alexey, Yaosheng) Omer Khan 2

3 MEE Last talk: Intel SGX Data Integrity Address Timing 3

4 Ascend Processor This talk Data Memory controller Integrity Address Timing 4

5 Outline Motivation + Oblivious RAM (ORAM) primer ORAM in Hardware Demo 5

6 Op Address Time R 0 1 W 1 10 R 5 15 R 6 16 R 7 17 If (secret variable) { scan memory } Binary search SGX broken through page faults Shared library usage Search queries [Xu et al. 15] [Zhuang et al. 04] [Islam et al. 12] 6

7 Oblivious RAM (ORAM) [Goldreich-Ostrovsky 96] On-chip Chip pins Cache miss ORAM Controller Shuffled Provably removes all access pattern leakage 7

8 ORAM security definition Access is 3 tuple: (op = Read/write, address, data) Consider access sequences A and A A = [ (op 1, address 1, data 1 ), (op 2, address 2, data 2 ), ] A = [ (op 1, address 1, data 1 ), (op 2, address 2, data 2 ), ] If A == A then ORAM(A) ORAM(A ) 8

9 Path ORAM [CCS 13] ORAM Controller (on-chip) Chip pins Read/writes The ORAM 9

10 Block assigned to random path. Block lives on that path. PosMap A, 2 B, 3 A, 2 B, 3 Off-chip Path

11 Chip pins Not Encrypted Encrypted PosMap Empty space = dummy encryptions Off-chip B, 3 A, 2 B, 3 A, 2 dummy dummy dummy dummy dummy Path

12 Path ORAM Access: Read+write the path the block is assigned to. 12

13 Path ORAM Access: Read+write the path the block is assigned to. Off-chip PosMap dummy B, 3 A, 2 B, 3 4 dummy A, 2 dummy A, 4 Stash B, 3 dummy dummy dummy dummy Path

14 Typically, 4 slots per bucket Z=4 Z=1 Off-chip B, 3 for simplicity dummy dummy dummy dummy dummy Path

15 Too big! Off-chip B, 3 A, 4 B, 3 A, 4 15

16 Map recursion [Shi et al., 11] PosMap ORAMBlock PosMap ORAM 2 On-chip Map On-chip Map A, 4 B, 3 Smaller Small enough 16

17 Map recursion [Shi et al., 11] On-chip PosMap Data ORAM PosMap ORAM 1 PosMap ORAM 2 17

18 Path ORAM summary Blocks assigned to paths. B Access block: Read+write path Adversary sees: random paths. 18

19 ORAM in Hardware 19

20 First ORAM in silicon Ascend in silicon Collaboration with David Wentzlaff s Princeton MIT Team 20

21 First silicon fully 500 MHz &.9 V Design (Verilog) Open Source 21

22 Blocks must live on assigned path or in stash. Can overflow Off-chip PosMap A, 4 B, 2 A, 4 Stash B, 2 Path

23 Blocks must live on assigned path or in stash. PosMap Off-chip Bottleneck in prior work [Maas et al. 13] Causes 3 X avg. slowdown on SPEC. A, 4 B, 2 A, 4 Stash B, 2 Path

24 Bit blasted stash eviction [FCCM 15] def evict(path block, Path evict, occ): t 1 = Path block Path evict t 2 = bit_reverse( ( (t 1 Ʌ t 1 ) 1) Ʌ occ ) ret bit_reverse( t 2 Ʌ t 2 ) Can be pipelined ~ Bit vectors Path block, Path evict, occ evict() circuit greatest common prefix occ 24

25 Simple design, no performance bottleneck. 25

26 ORAM Integrity protection for ORAM Cache miss Shuffled Overlay Hash tree 26

27 ORAM logic Test harness SHA-3 One SHA-3 unit FPGA Prototype 27

28 Cheap Integrity Scheme [ASPLOS 15] Per-block MAC {Block data, Hash(Block data, Block addr, counter)} Good: Hash 1 block, NOT path Bad: Need to store counters on-chip Replace entries in map with counters! 28

29 Want: Path P = PosMap[A] Algorithm: Given A: derive A, A, A P = PRF(A PosMap[A ] = Counter) P = PRF(A ORAMAccess(A, P )) P = PRF(A ORAMAccess(A, P )) Data = ORAMAccess(A, P) A +1 A Block A MAC K (Counter A data) Counter for A + 1 Counter for A PosMap ORAM 2 PosMap ORAM 1 Block A Data ORAM A Counter P Block A P P Block (A, D) Problem: C > P On-chip PosMap (root of trust) More schemes to get C < P Integrity checks

30 Cheap Integrity Scheme [ASPLOS 15] Result: Hashing decreased by 68 X, simple design 30

31 ORAM randomizes data layout. Computer architecture assumes data locality. ISCA 13 Subtree size = row size 31

32 # Row misses: ~ tree height ~ tree height subtree height 32

33 Row misses: 60% overhead 13% overhead 33

34 .5 mm 6 mm 460M transistors AES rounds Stash evict() ORAM PLL Tile 0 Tile 1 Tile 2 Tile 3 Tile 4 Tile 5 Tile 6 Tile 7 Tile 8 Tile 9 Encryption Stash Recursion, PLB, Integrity Tile 10 Tile 15 Tile 11 Tile 16 Tile 12 Tile 17 Tile 13 Tile 18 Tile 14 Tile 19 2 mm Hash unit Tile 20 Tile 21 Tile 22 Tile 23 Tile 24 6 mm 34

35 Slowdown (X) Slowdown vs. insecure 2 DRAM channels, In-order core, 2-level cache hierarchy, 1 MByte last-level cache ORAM = 1208 cycles / tree lookup 11 1 tpcc ycsb astar bzip2 gcc gob h264 libq mcf omnet perl sjeng avg 35

36 Demo 36

37 Backup 37

Design and Implementation of the Ascend Secure Processor. Ling Ren, Christopher W. Fletcher, Albert Kwon, Marten van Dijk, Srinivas Devadas

Design and Implementation of the Ascend Secure Processor Ling Ren, Christopher W. Fletcher, Albert Kwon, Marten van Dijk, Srinivas Devadas Agenda Motivation Ascend Overview ORAM for obfuscation Ascend: