SecLabel: Enhancing RISC-V Platform Security with Labelled Architecture
Zhenyu Ning (1,2), Yinqian Zhang (3), and Fengwei Zhang (2)
(1) Wayne State University, (2) Southern University of Science and Technology, (3) The Ohio State University
Outline
• Introduction
• Pointer Integrity
• Memory Boundary Protection
• Dynamic Taint Analysis
• Implementation
• Conclusion
Introduction
• The RISC-V architecture is well-known for its open nature.
  • Open Source, No License fee
  • Open to new design and extension
  • Open to challenge.
• Security problems in the x86 and ARM architectures remain on RISC-V platforms.
  • E.g., pointer integrity, memory boundary protection, and dynamic taint analysis.
Any effective defense on RISC-V?
Pointer Integrity
• To ensure that the pointer is not corrupted.
• Code-pointer Integrity and Data-pointer Integrity.
Example (pseudocode):
    if *x0 = 0 then
        x1 = addr1
    else
        x1 = addr2
    jmp to x1
• Expected: *x0 = 0, x1 = addr1
• Code-pointer Attack: *x0 = 0, x1 = addr3
• Data-pointer Attack: *x0 = 2, x1 = addr2
Pointer Integrity: Buffer Overflow
• Start of the attack: In most cases, a buffer overflow vulnerability.
Stack before the attack (top to bottom): Params, Return Addr, Frame Pointer, Local Var a, …, Local Var b, Local Var c, …, Stack Pointer.
Buffer Overflow Attack, step by step: random data overwrites Local Var c, then Local Var b, then Local Var a, then Frame Pointer; finally Return Addr is replaced by a Modified Addr.
Pointer Integrity: Canary
• Stack Canary[1]: The most widely used defense against buffer overflow attacks.
Stack with canary (top to bottom): Params, Return Addr, Frame Pointer, Canary, …, Local Var a, Local Var b, …, Stack Pointer.
Buffer Overflow Attack: Canary is changed by overflow.
• Weakness:
  • Easy to bypass[2]
  • Not efficient to defend against data-pointer attack
Pointer Integrity: PAC
• Pointer Authentication Code[3] is introduced in 64-bit ARMv8.3 architecture.
A pointer in 64-bit system: bits 63 to 0.
Is it really necessary to use a 64-bit address?
• 2^64 bit = 16384 PB = 16.8 million TB = 17.2 billion GB
• Summit: 10 PB memory
• Sunway TaihuLight: 1.32 PB memory
• Linux: Up to 128 TB virtual memory
• Windows: Up to 16 TB virtual memory
Pointer layout (bits 63 to 0): PAC in bits 54 to 48, Virtual Address in bits 47 to 0.
• Pointer Value + 64-bit Context Value + 128-bit Secret Key => PAC
• Up to 48 bits for virtual address, and at least 7 bits for PAC
• PAC is good, but the deployment is painful.
  • The mechanism has been released with the ARMv8.3 architecture since 2016.
  • ARM has not released any processor with ARMv8.3 till now.
  • The only processors with PAC support are Apple A12 and A13.
    • Closed ecosystem.
    • Not available to system developers.
Pointer Integrity: RISC-V
• RISC-V based PAC
  • A group of new hardware instructions
    • Forge PAC, examine PAC, strip PAC
  • New registers for storing the 128-bit secret key
    • Secret keys for data pointers and code pointers
  • Hardware-based crypto engine
    • Generate PAC from pointer and 64-bit context value
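A software model of the forge, examine and strip operations listed above, using the 48-bit virtual address and 7-bit PAC layout from the PAC slides. This is an added example, not the authors' hardware design; the splitmix64-based `pac_compute`, the key and context values and all function names are assumptions standing in for the hardware crypto engine.

```c
#include <stdint.h>
#include <stdio.h>

#define VA_BITS  48                              /* bits 47..0: virtual address */
#define PAC_BITS 7                               /* bits 54..48: PAC            */
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK (((1ULL << PAC_BITS) - 1) << VA_BITS)

typedef struct { uint64_t k0, k1; } pac_key_t;   /* 128-bit secret key */

/* Stand-in mixer (splitmix64 finaliser); NOT a secure MAC, assumption only. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Pointer value + 64-bit context value + 128-bit secret key => PAC */
static uint64_t pac_compute(uint64_t va, uint64_t ctx, pac_key_t key) {
    uint64_t h = mix64(mix64(va ^ key.k0) ^ ctx ^ key.k1);
    return (h << VA_BITS) & PAC_MASK;
}

/* "Strip PAC": clear bits 54..48, leaving the address. */
uint64_t pac_strip(uint64_t ptr) { return ptr & ~PAC_MASK; }

/* "Forge PAC": compute the PAC and place it in bits 54..48. */
uint64_t pac_forge(uint64_t ptr, uint64_t ctx, pac_key_t key) {
    uint64_t clean = pac_strip(ptr);
    return clean | pac_compute(clean & VA_MASK, ctx, key);
}

/* "Examine PAC": recompute and compare. Returns 1 and the stripped pointer
 * on a match, 0 (the pointer must not be used) on a mismatch. */
int pac_examine(uint64_t signed_ptr, uint64_t ctx, pac_key_t key, uint64_t *out) {
    uint64_t clean = pac_strip(signed_ptr);
    if ((signed_ptr & PAC_MASK) != pac_compute(clean & VA_MASK, ctx, key))
        return 0;
    *out = clean;
    return 1;
}

/* Replace the address of a signed pointer n times while keeping the old PAC
 * (what an overflow that rewrites a stored pointer does) and count how many
 * tampered values still pass the check. */
unsigned count_accepted_tampering(unsigned n, uint64_t ctx, pac_key_t key) {
    uint64_t good = pac_forge(0x00007f1234567000ULL, ctx, key);
    uint64_t pac = good & PAC_MASK, out = 0;
    unsigned accepted = 0;
    for (unsigned i = 1; i <= n; i++) {
        uint64_t tampered = pac | (0x0000400000000000ULL + 16ULL * i);
        accepted += (unsigned)pac_examine(tampered, ctx, key, &out);
    }
    return accepted;
}

int main(void) {
    /* Constructed sample keys: one for code pointers, one for data pointers. */
    pac_key_t code_key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
    pac_key_t data_key = { 0x0f1e2d3c4b5a6978ULL, 0x8796a5b4c3d2e1f0ULL };
    uint64_t ret_addr = 0x00007f1234567890ULL;   /* constructed address  */
    uint64_t ctx = 0x00007ffc00001000ULL;        /* e.g. a stack pointer */
    uint64_t out = 0;

    uint64_t s = pac_forge(ret_addr, ctx, code_key);
    printf("signed pointer    : 0x%016llx\n", (unsigned long long)s);
    printf("examine untouched : %d\n", pac_examine(s, ctx, code_key, &out));
    printf("examine, PAC bit flipped: %d\n",
           pac_examine(s ^ (1ULL << 50), ctx, code_key, &out));
    printf("examine with data key   : %d\n", pac_examine(s, ctx, data_key, &out));
    printf("tampered pointers accepted: %u of 12800\n",
           count_accepted_tampering(12800, ctx, code_key));
    return 0;
}
```

With only 7 PAC bits, roughly 1 in 128 tampered pointers still passes the check, which `count_accepted_tampering` makes visible.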
Memory Boundary Protection
• To ensure the memory access won’t go out of its expected boundary.
Example: int a[10]; (a points to the elements a[0], a[1], …, a[8], a[9])
• a[8] = 1 writes to a[8], inside the array.
• a[10] = 1 writes to a[10], past a[9]: Memory Out of Boundary.
Memory Boundary Protection: Address Sanitizer
• Address Sanitizer[4]: Use redzones to detect out-of-bound access.
Layout of int a[10]; without Address Sanitizer: a[0], a[1], …, a[8], a[9].
Layout of int a[10]; with Address Sanitizer: Redzone, a[0], …, a[9], Redzone.
• a[10] = 1: a[10] falls into a Redzone, so the out-of-bound access is detected.
• Weakness:
  • Large memory overhead
  • Large performance overhead
  • False negative is possible
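A toy redzone checker that shows both the detection and two of the weaknesses listed above: the bytes spent on redzones, and an out-of-bound index that jumps over the redzone into a neighbouring object and goes unreported. This is an added example, not AddressSanitizer's code; the 1:1 shadow array, the 16-byte redzone and all names are simplifying assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA 128               /* toy heap size in bytes          */
#define RZ    16                /* redzone size in bytes (assumed) */

static uint8_t arena[ARENA];
static uint8_t shadow[ARENA];   /* 1 = redzone (poisoned), 0 = addressable */
static size_t  next_off;

/* Start with everything poisoned; allocations carve out addressable holes. */
void rz_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(shadow, 1, sizeof shadow);
    next_off = RZ;
}

/* Returns the arena offset of a new object, or -1 when the arena is full. */
long rz_alloc(size_t size) {
    if (next_off + size + RZ > ARENA)
        return -1;
    size_t off = next_off;
    memset(shadow + off, 0, size);      /* object bytes become addressable */
    next_off = off + size + RZ;         /* keep a redzone after the object */
    return (long)off;
}

/* Instrumented "obj[idx] = v": 1 = store performed, 0 = error reported. */
int rz_store_int(long obj, long idx, int v) {
    long off = obj + idx * (long)sizeof(int);
    if (off < 0 || off + (long)sizeof(int) > ARENA)
        return 0;
    for (size_t i = 0; i < sizeof(int); i++)
        if (shadow[(size_t)off + i])
            return 0;                   /* touched a redzone */
    memcpy(arena + off, &v, sizeof v);
    return 1;
}

/* Uninstrumented read, used only to inspect the arena afterwards. */
int rz_load_int(long obj, long idx) {
    int v;
    memcpy(&v, arena + obj + idx * (long)sizeof(int), sizeof v);
    return v;
}

/* Bytes spent on redzones so far (the memory overhead). */
size_t rz_overhead_bytes(void) {
    size_t n = 0;
    for (size_t i = 0; i < next_off; i++)
        n += shadow[i];
    return n;
}

int main(void) {
    rz_reset();
    long a = rz_alloc(10 * sizeof(int));    /* int a[10]; */
    long b = rz_alloc(10 * sizeof(int));    /* int b[10]; the neighbour */

    printf("a[8]  = 1 -> %s\n", rz_store_int(a, 8, 1)  ? "ok" : "reported");
    printf("a[10] = 1 -> %s\n", rz_store_int(a, 10, 1) ? "ok" : "reported");
    /* a[14] skips the 16-byte redzone and lands on b[0]: not reported. */
    printf("a[14] = 7 -> %s, b[0] is now %d\n",
           rz_store_int(a, 14, 7) ? "ok (false negative)" : "reported",
           rz_load_int(b, 0));
    printf("redzone bytes: %zu for %zu payload bytes\n",
           rz_overhead_bytes(), 20 * sizeof(int));
    return 0;
}
```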
Memory Boundary Protection: Intel MPX
• Intel MPX[5]: An architecture extension dedicated to memory bound protection.
Figure (two-layer lookup): Pointer Address and Base Address of Bounds Directory → Bound Directory (Table 0 … Table 4) → Bound Table 3 (Entry 0 … Entry 4) → entry holding Pointer Address, Upper Bound, Lower Bound.
• Weakness:
  • Performance overhead for two-layer translation
  • Multithreading not supported
  • Not production ready, support will be removed from GCC 9
Memory Boundary Protection: RISC-V
• RISC-V based Memory Boundary Protection
Pointer layout (bits 63 to 0): ??? in bits 63 to 55, PAC in bits 54 to 48, Virtual Address in bits 47 to 0.
• Use the head bits for memory bounds
  • 9 bits if PAC is implemented
  • 16 bits if PAC is not implemented
  • More bits in 128-bit RISC-V architecture[6]
Dynamic Taint Analysis
• Analyze the information flow of specific objects.
• Example scenario: Privacy leakage detection
    ...
    char* password = getInput();
    char* copied = copy(password);
    printf("copied: %s\n", copied);
    ...
Taint Source: getInput
Taint Sink: printf
Tainted Variable: password, copied
Taint Path Found!
• How to learn the taint propagation from "password" to "copied"?
  • Heavy instrumentation
  • Add tons of instructions to monitor the data flow
• Labelled RISC-V Architecture[7]: Every hardware request is attached with a label.
Figure labels: Core 0, Core 1, …, Core N; Shared Last Level Cache; I/O Chipset; Memory Controller; Disk; NIC; DS-id tags on the requests; CL blocks.
  • Use the label to represent the taint flag
  • Automatic propagation via hardware support
  • No instrumentation required
  • Use the Control Logic (CL) to achieve detection
What about the propagation outside of hardware request?
• Allocate a few bits from the unused bits in a 64-bit pointer
  • In coarse-grained analysis, 1 bit is sufficient
  • This bit is transferred automatically during the execution of data operation instructions.
  • It is fed to the DS-id register during a hardware request
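A software model of the taint bit described above, run on the password example from the earlier slide: the bit is set at the source, travels with copies and pointer arithmetic, and is turned into a DS-id label that the Control Logic checks at the sink. This is an added example, not SecLabel's implementation; the choice of bit 63, the DS-id values and all function names are assumptions, and the hardware would do the propagation that `copy_str` and `tp_add` do by hand here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: bit 63, one of the unused head bits, carries the taint flag. */
#define TAINT_BIT (1ULL << 63)
enum { DS_CLEAN = 0, DS_TAINTED = 1 };   /* hypothetical DS-id label values */

typedef uint64_t tptr_t;                 /* pointer value plus taint bit */

static char secret_buf[32];              /* filled by the taint source */
static char copy_buf[32];                /* destination of copy_str()  */

tptr_t tp_make(const void *p, int tainted) {
    return (uint64_t)(uintptr_t)p | (tainted ? TAINT_BIT : 0);
}
char *tp_addr(tptr_t t)    { return (char *)(uintptr_t)(t & ~TAINT_BIT); }
int   tp_tainted(tptr_t t) { return (t & TAINT_BIT) != 0; }

/* Pointer arithmetic is a data operation: the bit travels with the result. */
tptr_t tp_add(tptr_t t, uint64_t off) {
    return (t & TAINT_BIT) | (((t & ~TAINT_BIT) + off) & ~TAINT_BIT);
}

/* Taint source: the returned pointer is born tainted. */
tptr_t get_input(void) {
    strcpy(secret_buf, "hunter2");       /* constructed sample input */
    return tp_make(secret_buf, 1);
}

/* Copy: the destination inherits the taint bit of the source. */
tptr_t copy_str(tptr_t dst, tptr_t src, size_t cap) {
    char *d = tp_addr(dst);
    strncpy(d, tp_addr(src), cap - 1);
    d[cap - 1] = '\0';
    return tp_make(d, tp_tainted(dst) || tp_tainted(src));
}

/* On a hardware request the bit is fed to the DS-id register. */
int ds_id_of(tptr_t t) { return tp_tainted(t) ? DS_TAINTED : DS_CLEAN; }

/* Control Logic at the sink: 1 = request served, 0 = taint path found.
 * Coarse-grained: the whole buffer behind a tainted pointer is refused. */
int cl_output_request(tptr_t t, char *out, size_t cap) {
    if (ds_id_of(t) == DS_TAINTED)
        return 0;
    snprintf(out, cap, "%s", tp_addr(t));
    return 1;
}

int main(void) {
    char out[64] = "";
    tptr_t password = get_input();
    tptr_t copied = copy_str(tp_make(copy_buf, 0), password, sizeof copy_buf);

    printf("copied tainted   : %d\n", tp_tainted(copied));
    printf("sink(copied)     : %s\n",
           cl_output_request(copied, out, sizeof out) ? "served" : "taint path found");
    printf("sink(copied + 3) : %s\n",
           cl_output_request(tp_add(copied, 3), out, sizeof out) ? "served" : "taint path found");
    printf("sink(banner)     : %s\n",
           cl_output_request(tp_make("hello", 0), out, sizeof out) ? "served" : "taint path found");
    return 0;
}
```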
Implementation
• SecLabel: Enhancing RISC-V Platform Security
Figure: Source Code → Compiler Frontend → Compiler IR → SecLabel Instruction-level Instrumentation → Modified IR → Compiler Backend → Binary → SecLabel-Enabled RISC-V Platform. The frontend, the instrumentation step and the backend sit inside the Compiler.
Conclusion
• In light of the PAC in ARMv8.3, we can leverage the open feature of RISC-V and implement a similar mechanism for pointer integrity.
• With additional bits in the head of a pointer address in 64-bit or 128-bit RISC-V architecture, an enhanced memory boundary protection can be deployed.
• Combining the labelled RISC-V architecture and unused bits in an address, we are able to facilitate the existing dynamic taint analysis.
Reference
[1] Cowan, Crispan, et al. "Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks." USENIX Security Symposium. Vol. 98. 1998.
[2] Richarte, Gerardo. "Four different tricks to bypass stackshield and stackguard protection." World Wide Web 1. 2002.
[3] Liljestrand, Hans, et al. "PAC it up: Towards pointer integrity using ARM pointer authentication." 28th USENIX Security. 2019.
[4] Serebryany, Konstantin, et al. "AddressSanitizer: A fast address sanity checker." Presented as part of the 2012 USENIX Annual Technical Conference. 2012.
[5] Oleksenko, Oleksii, et al. "Intel MPX explained: An empirical study of intel MPX and software-based bounds checking approaches." arXiv preprint arXiv:1702.00719. 2017.
[6] Wallach, Steve. "128-bit addressing in RISC-V and security." 5th RISC-V Workshop. 2016.
[7] Yu, Zihao, et al. "Labeled RISC-V: A new perspective on software-defined architecture." CARVV. 2017.