energy-security tradeoff in a secure cache architecture against buffer overflow attacks
DESCRIPTION
Energy-Security Tradeoff in a Secure Cache Architecture Against Buffer Overflow Attacks. Koji Inoue Department of Informatics, Kyushu Universiy Japan Science and Technology Agency. Trusted Program. Malicious Program. Branch Prediction. Selective Activation. Pipelining. SuperScalar. - PowerPoint PPT PresentationTRANSCRIPT
WASSA'04 1
Kyushu University Koji Inoue
Energy-Security Tradeoff in a Secure Cache Architecture Against Buffer Overflow Attacks
Koji InoueDepartment of Informatics,
Kyushu Universiy
Japan Science and Technology Agency
WASSA'04 2
Kyushu University Koji Inoue
Background (1/2)
TrustedProgram
MaliciousProgram
• • • • • •
Clock Gating
Signal Gating
DVS
Resizing
Drowsy Operation
Selective ActivationPipeliningSuperScalar
Branch Prediction
Value PredictionOn-chip
Cache
OOO Exe.
ILP TLP
MLP
WASSA'04 3
Kyushu University Koji Inoue
Let’s Work!
Background (2/2)Don't you have such an experience?
PPDid I Lock the Door?
??
??
You locked me!Go to your office!
Very Tired
I Don’t Care!
Did I Lock The Door?
??
??
WASSA'04 4
Kyushu University Koji Inoue
The Goal of This ResearchArchitectural Support for
SCache
PipeliningSuperScalar
Branch Prediction
Value PredictionOn-chip
Cache
OOO Exe.
ILP TLP
MLP
Clock Gating
Signal Gating
DVS
Resizing
Drowsy Operation
Selective Activation
WASSA'04 5
Kyushu University Koji Inoue
Outlline
Introduction Buffer-Overflow Attack Secure Cache Architecture Evaluation
Experimental Set-Up Security and Energy Consumption Tradeoff Performance Overhead
Related Work Conclusions
WASSA'04 6
Kyushu University Koji Inoue
Buffer-Overflow Attack
Well-Known vulnerability Exploited by Blaster@2003 Caused by unexpected operations
writing an inordinately large amount of data into a buffer
This vulnerability exists in the C standard library (e.g. strcpy)
Lead to a stack smashing An attack code is inserted The return address is corrupted
Used to highjack the program execution control
R.B.Lee, D.K.Karig, J.P.McGregor, and Z.Shi, “Enlisting Hardware Architecture to Thwart Malicious Code Injection,” Proc. of the Int. Conf. on Security in Pervasive Computing, Mar. 2003.
0
10
20
30
40
50
60
CE
RT
Ad
viso
rie
s re
latin
gto
bu
ffer-
ove
rflo
w (
%)
1996 1997 1998 1999 2000 2001
year
Buffer Overflow
WASSA'04 7
Kyushu University Koji Inoue
Function Call/Return
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
WASSA'04 8
Kyushu University Koji Inoue
Function Call/Return
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
WASSA'04 9
Kyushu University Koji Inoue
Function Call/Return
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
Local Variablebuf
StackGrowth
s1Return
AddressSaved FP
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
String
WASSA'04 10
Kyushu University Koji Inoue
Function Call/Return
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
String
WASSA'04 11
Kyushu University Koji Inoue
Function Call/Return
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
String
WASSA'04 12
Kyushu University Koji Inoue
Stack Smashing
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
String
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
WASSA'04 13
Kyushu University Koji Inoue
Stack Smashing
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
StringAttackCode
To theAttack Code
Insert the attack code!Corrupt the return address!
WASSA'04 14
Kyushu University Koji Inoue
Stack Smashing
int f ( ) { … g (s1); …}
int g ( char *s1) { char buf [10]; … strcpy(buf, s1); …}
Programcode
1. Start f( )2. Call g( )3. Execute strcpy( )4. Return to f( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
StackGrowth
s1Return
AddressSaved FP
Local Variablebuf
FP
SP
Higher Addr.
Lower Addr.
The Next PCof Call g( )
StringAttackCode
To theAttack Code
Insert the attack code!Corrupt the return address!Hijack the program execution!
WASSA'04 15
Kyushu University Koji Inoue
Outlline
Introduction Buffer-Overflow Attack Secure Cache Architecture Evaluation
Experimental Set-Up Security and Energy Consumption Tradeoff Performance Overhead
Related Work Conclusions
WASSA'04 16
Kyushu University Koji Inoue
Concept Problem
The return address (RA) in the memory stack can be corrupted
Solution RA is stored via On-Chip Caches! Protect RA in the cache!
Implementation Generate one or more “Replicas” on each RA store Compare the original with a replica on the corresponding
RA load If they are not the same, we know that the poped RA has
been corrupted!
WASSA'04 17
Kyushu University Koji Inoue
ML RL RL
way0 way1 way2 way3tag
data(line)
Data (Ret. Addr.) Load (pop)
Replica-MUX
Safe?
replica replica
Read-MUX
masterTag Match && R-flag
Tag Match&& no R-flag
HIT?
Word-DataMatch
Ref. Addr.Index
TagOffset
Store (push)Data (Ret. Addr.)
RL: Replica LineML: Master Line
R-flag
Organization
MUX for replica lines
Comparator( 32b)
Hit Condition
Replica Flag(1b)
WASSA'04 18
Kyushu University Koji Inoue
way0 way1 way2 way3tag
data(line)
Data (Ret. Addr.)
Replica-MUX
Safe?
Read-MUXWord-Data
Match
Data
R-flag
Operation: Return-Address Store
#of Replica lines ( Nrep ) =2
Original Replica
Store?yes
Store the Return Addr. into ML
Generate RLs until #RL == Nrep
Normal Complete
noStore Load
Read lines from all ways(provide the data to CPU)
Unsafe Complete
no
Safe Complete
Store the Return Addr. into existing RLs
(if it has the same tag)
un-match
Error!
RL: Replica LineML: Master Line
Cache Access(for Return Addr.)
yes
match
RL Hit?
Return Addr. Check
WASSA'04 19
Kyushu University Koji Inoue
Store?yes
Store the Return Addr. into ML
Generate RLs until #RL == Nrep
Normal Complete
noStore Load
Read lines from all ways(provide the data to CPU)
Unsafe Complete
no
Safe Complete
Store the Return Addr. into existing RLs
(if it has the same tag)
un-match
Error!
RL: Replica LineML: Master Line
Cache Access(for Return Addr.)
yes
match
RL Hit?
Return Addr. Check
Operation: Return-Address Load
way0 way1 way2 way3tag
data(line)
Data (Ret. Addr.)
Replica-MUX
Safe?
Read-MUXWord-Data
Match
Data
R-flag
Original
Replica
#of Replica lines ( Nrep ) =2
WASSA'04 20
Kyushu University Koji Inoue
Summary of SCache
Run-time detection of return-address corruption
If at least a replica line exists
Does not affect processor complexity
Small impact on cache area and access time
Controllable #of replica lines
Tradeoff between energy and security
Incomplete protection Replica lines may be evicted
Degraded cache-hit rates Increase in the average
memory access time Increase in the memory
access energy
Increased cache energy Generating replica lines Reading replica lines (compared to a low-power
cache)
Pros Cons
WASSA'04 21
Kyushu University Koji Inoue
Outlline
Introduction Buffer-Overflow Attack Secure Cache Architecture Evaluation
Experimental Set-Up Security and Energy Consumption Tradeoff Performance Overhead
Related Work Conclusions
WASSA'04 22
Kyushu University Koji Inoue
Experimental Set-Up
SimpleScalar3.0 16KB 4-way D-cache Line size : 32B OOO execution
SPEC2000 7 integer programs 4 fp programs Small input
4KB SRAM design 0.18μm CMOS technology One way of the 16KB cache
Hspice simulation w/ extracted load capacitances
Measure the energy consumed for 1-bit accesses
Security/Energy/Performance Energy
WASSA'04 23
Kyushu University Koji Inoue
SCache ModelsEvaluated SCaches Security
name Replica LinesPlacement Numbe
r
LRU1L LRU(Locked)
1
LRU1 LRU 1
LRU2 LRU 2
MRU1 MRU 1
MRU2 MRU 2
ALL ----- 3
CONV MRU way prediction
Vulnerability = (Nv-rald / Nrald) * 100
Total #of issuedRA load
Insecure issued RA load
Energy ConsumptionEtotal = Erd + Ewt + Ewb + Emp
read write
Writeback to placereplica lines
Replacement(on misses)
*) Only load/store operations issued to the cache are considered
WASSA'04 24
Kyushu University Koji Inoue
Results (Vulnerability)
0.0%
0.5%
1.0%
1.5%
2.0%
2.5%
3.0%
Vul
nera
bilit
y
Benchmarks
LRU1LLRU1LRU2MRU1MRU2ALL
LRU1LLRU1LRU2MRU1MRU2ALL
5.4%
ALL: more than 99.3% of RA loadMRU1: more than 88.5%of RA load
6.0%
WASSA'04 25
Kyushu University Koji Inoue
Results (Energy Consumption)
0%
5%
10%
15%
20%
25%
Ene
rgy
Ove
rhea
d
Benchmarks
LRU1LLRU1LRU2MRU1MRU2ALL
LRU1LLRU1LRU2MRU1MRU2ALL
ALL: 23% of energy overheadMRU1: 9.9% of energy
overhead
WASSA'04 26
Kyushu University Koji Inoue
0
0.2
0.4
0.6
0.8
1
1.2
1.4
Nor
mal
ized
Ene
rgy
181.mcf 197.parser 255.vortex 177.mesa 179.art 183.equake
Benchmarks
CO
NV
LR
U1L
LR
U1
LR
U2
MR
U1
MR
U2
AL
L
EmpEwbEwtErd
EmpEwbEwtErd
Results (Energy Breakdown)
WASSA'04 27
Kyushu University Koji Inoue
Results (EVP, E2VP, EV2P)
0
0.5
1
1.5
EVP
164.gzip 176.gcc 188.ammp175.vpr 197.parser
0
0.5
1
1.5
22.4% 2.3%
E2VP
164.gzip 176.gcc 188.ammp175.vpr 197.parser
0
0.5
1EV2P
164.gzip 176.gcc 188.ammp175.vpr 197.parser
LRU2 MRU1 MRU2 ALLLRU2 MRU1 MRU2 ALL
Normalized to LRU1
MRU1: good for Energy-Oriented ApplicationsMRU1: good for Energy-Oriented ApplicationsMRU2: good for Security-Oriented ApplicationsMRU2: good for Security-Oriented Applications
WASSA'04 28
Kyushu University Koji Inoue
0.0%
0.2%
0.4%
0.6%
0.8%
1.0%
1.2%
Per
form
ance
Ove
rhea
d
Benchmarks
LRU1LLRU1LRU2MRU1MRU2ALL
LRU1LLRU1LRU2MRU1MRU2ALL
ALL: 1.1% of overheadMRU1: 0.1% of overhead
Results (Performance)
WASSA'04 29
Kyushu University Koji Inoue
Outlline
Introduction Buffer-Overflow Attack Secure Cache Architecture Evaluation
Experimental Set-Up Security and Energy Consumption Tradeoff Performance Overhead
Related Work Conclusions
WASSA'04 30
Kyushu University Koji Inoue
Related Work Static :
SASI[WNSP99] StakcGuard[USENIX98]
→ Source Code Analysis → Re-Compilation
Dynamic : SW: LibSafe/Verify[USENIX00] →Library Update →Performance Overhead SW: StackGhost[USENIX01] →Only for SPARC architecture HW: SRAS[SPC03] →Inside of the processor core →HW support for LIFO operations
SCache: Dynamic+HW
Cache-Level ProtectionDe-coupled implementationRandom AccessLarge CapacityReduced Cost Overhead
Energy-Security Tradeoff
WASSA'04 31
Kyushu University Koji Inoue
Outlline
Introduction Buffer-Overflow Attack Secure Cache Architecture Evaluation
Experimental Set-Up Security and Energy Consumption Tradeoff Performance Overhead
Related Work Conclusions
WASSA'04 32
Kyushu University Koji Inoue
Summary Architectural support for run-time buffer-overflow detection Evaluation of Energy and Security
Security-Oriented : ALL (or MRU2) model More than 99.3% of RA load can be protected (9/11 programs) 23% of energy overhead
Energy-Oriented : MRU1 model More than 98.5% of RA load can be protected (9/11 programs) 9.9% of energy overhead
Future Work Evaluate with vulnerable benchmarks Consider a good measurement for security Complete design of the SCache Develop an optimization technique to adapt to user requirements
for security and energy consumption
Conclusions
WASSA'04 33
Kyushu University Koji Inoue
Back-Up Slides …
WASSA'04 34
Kyushu University Koji Inoue
Cache Miss Rates IRA: Issued Return AddressCA: Cache Access
ModelBench
#IRA Load(Nrald)
CONV LRU1-L LRU1 LRU2 MRU1 MRU2 ALL
164.gzip 4,930,467 5.22% 5.23% 5.22% 5.22% 5.22% 5.23% 5.25%
175.vpr 5,627,709 3.53% 3.59% 3.56% 3.63% 3.59% 3.66% 3.74%
176.gcc 37,519,156 4.26% 6.06% 4.29% 4.37% 4.33% 4.43% 4.64%
181.mcf 992,419 20.02% 20.05% 20.02% 20.03% 20.05% 20.06% 20.10%
197.parser 45,466,527 4.13% 4.25% 4.18% 4.44% 4.23% 4.55% 5.07%
255.vortex 22,101,265 1.75% 1.83% 1.79% 1.91% 1.82% 1.94% 2.32%
256.bzip 18,147,017 2.31% 2.31% 2.31% 2.32% 2.31% 2.32% 2.45%
177.mesa 4,727,396 0.14% 0.15% 0.15% 0.16% 0.15% 0.16% 1.08%
179.art 32,466 42.93% 42.93% 42.93% 42.93% 42.93% 42.93% 42.93%
183.equake 3,580,827 2.44% 2.45% 2.44% 2.46% 2.45% 2.47% 2.52%
188.ammp 6,307,839 36.27% 36.29% 36.28% 36.31% 36.28% 36.30% 36.38%
WASSA'04 35
Kyushu University Koji Inoue
WP
Correct prediction
Incorrect prediction
1cy
cle
2cy
cle
SCache + WP
Return-Address Load
1cy
cle
+
WP Cache v.s SCache