Koji Inoue Department of Informatics, Kyushu University Japan Science and Technology Agency

Transcription

1 Lock and Unlock: A Data Management Algorithm for A Security-Aware Cache Department of Informatics, Japan Science and Technology Agency ICECS'06 1

2 Background (1/2) Trusted Program Malicious Program Branch Prediction SuperScalar Pipelining ILP TLP Selective Activation Signal Gating Clock Gating DVS OOO Exe. Value Prediction On-chip Cache MLP Resizing Drowsy Operation ICECS'06 2

3 The Goal of This Research Architectural Support for SCache (improved data management) Branch Prediction SuperScalar Pipelining ILP TLP Selective Activation Signal Gating Clock Gating DVS OOO Exe. Value Prediction On-chip Cache MLP Resizing Drowsy Operation ICECS'06 3

4 Outline Introduction Buffer-Overflow Attack Secure Cache Architecture Overview Security Issue Lock&Unlock Algorithm Evaluation Security Strength Performance Overhead Conclusions ICECS'06 4

5 Buffer-Overflow Attack Buffer Overflow CERT Advisories relating to buffer-overflow (%) Well-Known vulnerability Exploited by Caused by unexpected operations writing an inordinately large amount of data into a buffer This vulnerability exists in the C standard library (e.g. strcpy) Lead to a stack smashing An attack code is inserted The return address is corrupted Highjack the program execution control year R.B.Lee, D.K.Karig, J.P.McGregor, and Z.Shi, Enlisting Hardware Architecture to Thwart Malicious Code Injection, Proc. of the Int. Conf. on Security in Pervasive Computing, Mar ICECS'06 5

6 Function Call/Return Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) ICECS'06 6

7 Function Call/Return Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable buf ICECS'06 7

8 Function Call/Return Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable String buf ICECS'06 8

9 Function Call/Return Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable String buf ICECS'06 9

10 Function Call/Return Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable String buf ICECS'06 10

11 Stack Smashing Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable buf Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable String buf ICECS'06 11

12 Stack Smashing Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return To Next the PC Attack of Address Call Code g( ) Saved FP Attack Code Local Variable buf Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable String buf Insert the attack code! Corrupt the return address! ICECS'06 12

13 Stack Smashing Program code int f ( ) { g (s1); int g ( char *s1) { char buf [10]; strcpy(buf, s1); 1. Start f( ) 2. Call g( ) 3. Execute strcpy( ) 4. Return to f( ) Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return To Next the PC Attack of Address Call Code g( ) Saved FP Attack Code Local Variable buf Higher Addr. FP Stack Growth SP Lower Addr. s1 The Return Next PC of Address Call g( ) Saved FP Local Variable String buf Insert the attack code! Corrupt the return address! Hijack the program execution! ICECS'06 13

14 Outline Introduction Buffer-Overflow Attack Secure Cache Architecture Overview Security Issue Lock&Unlock Algorithm Evaluation Experimental Set-Up Security Strength Performance Overhead Conclusions ICECS'06 14

15 Secure Cache Architecture Protect return-address (RA) values in the cache! Generate one or more Replicas on each RA store Compare the original RA with a replica on the RA load If they are not the same, we know that the popped RA has been corrupted! ICECS'06 15

16 Security Issue The replica lines are also evicted from the cache Miss the opportunity to check the RA value if no replica lines reside in the cache So Good for many applications (w/ high cache-hit rates) Bad for memory intensive applications (w/ high cache-miss rates) ICECS'06 16

17 Outline Introduction Buffer-Overflow Attack Secure Cache Architecture Overview Security Issue Lock&Unlock Algorithm Evaluation Security Strength Performance Overhead Conclusions ICECS'06 17

18 Lock and Invalidate Approach Prohibit the eviction of replica lines until they are loaded later! (Lock) Invalidate the loaded replicas to release the cache resource (Invalidate) Pros. Effective use of cache resource Cons. Squashed return-address loads prematurely invalidate the replica lines ICECS'06 18

19 Lock & Unlock Approach Prohibit the eviction of replica lines until they are loaded later! (Lock) Keep the replicas in the cache until they are evicted due to the replacement policy! (Unlock) Pros. Avoid premature replica-line invalidation Cons. Waste cache resource ICECS'06 19

20 Outline Introduction Buffer-Overflow Attack Secure Cache Architecture Overview Security Issue Lock&Unlock Algorithm Evaluation Security Strength Performance Overhead Conclusions ICECS'06 20

21 Experimental Set-Up Processor Simulator SimpleScalar3.0 4-way OOO Superscalar 4-way 16KB L1 D-Cache SCache Model LRU1-L&I: Lock & Invalidate (w/ LRU replica placement) LRU1-L&U: Lock & Unlock (w/ LRU replica placement) MRU1-L&U: Lock & Unlock (w/ MRU replica placement) Benchmark Programs SPEC integer programs, 4 fp programs Small input ICECS'06 21

22 Vulnerability 25.0% 20.0% 15.0% 10.0% LRU1-L&I LRU1-L&U MRU1-L&U Vulnerability 5.0% 0.0% 164.gzip 175.vpr 176.gcc 181.mcf 197.parser 255.vortex 256.bzip2 177.mesa 179.art 183.equake 188.ammp (Nv-rald / Nrald) * 100 Insecure issued RA load Total #of issued RA load Benchmark Programs ICECS'06 22

23 Performance Overhead 1.0% 0.9% 0.8% 0.7% 0.6% 0.5% 0.4% 0.3% 0.2% 0.1% 0.0% Performance Overhead 164.gzip 175.vpr 176.gcc 181.mcf 197.parser 255.vortex 256.bzip2 177.mesa 179.art 183.equake 188.ammp Benchmark Programs LRU1-L&I LRU1-L&U MRU1-L&U ICECS'06 23

24 Outline Introduction Buffer-Overflow Attack Secure Cache Architecture Overview Security Issue Lock&Unlock Algorithm Evaluation Security Strength Performance Overhead Conclusions ICECS'06 24

25 Conclusions Summary Architectural support for run-time buffer-overflow detection New data management algorithms Lock and Invalidation Inefficient for some benchmark programs Max. :23% vulnerability Performance overhead is less than 0.9% Lock and Unlock Very efficient for all benchmark programs Max. :2.5% vulnerability (average<0.8%) Performance overhead is less than 0.3% Future Work Integrate to a secure micorprocessor platform ICECS'06 25