1 / 20

Tamper Evident Microprocessors

Tamper Evident Microprocessors. Adam Waksman Simha Sethumadhavan Computer Architecture & Security Technologies Lab (CASTL) Department of Computer Science Columbia University. Modern Hardware is Complex. Modern systems built on layers of hardware Complexity increases risk of backdoors

peacheyj
Télécharger la présentation

Tamper Evident Microprocessors

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tamper Evident Microprocessors Adam Waksman Simha Sethumadhavan Computer Architecture & Security Technologies Lab (CASTL) Department of Computer Science Columbia University

  2. Modern Hardware is Complex • Modern systems built on layers of hardware • Complexity increases risk of backdoors • More hands • Easier to hide • A significant vulnerability • Hardware is the root of trust • All hardware and software controlled by microprocessors

  3. Prior Work and Scope • Microprocessor design stages • Prior work focuses on back end • More immediate threat • Example: IC fingerprinting [Agrawal et al., 2007] • Front end is the extreme root • Common assumption: golden model from front end • Focus of this work Front End Back End Specification High Level Design Design Validation Physical Design Tapeout/ Fabrication Deployment

  4. Key Idea: Use Inherent Division of Work • Bob • Nice Guy • Donates $100 • Eric • Evil Accountant • Steals $10 • Alice • Charity President • Receives $90 Thank you, Bob, for your $90 Microprocessor Pipeline Stages Analogue Fetch Decode Execute (Bob) (Eric) (Alice)

  5. Outline • Taxonomy • Ticking Timebombs, Cheat Codes, Emitters, Corrupters • Solutions • TrustNet and DataWatch • Results • Correctness, Coverage and Costs • Future Work

  6. Taxonomy of Attacks • Backdoor = Trigger + Payload • Trigger: Turns on an attack • Payload: Malicious, illegal action

  7. Taxonomy of Attacks: Triggers

  8. Taxonomy of Attacks: Payloads • Emitter Attacks • Extra malicious events • Separate from normal events • Corrupter Attacks • No extra malicious events • Normal instructions altered

  9. Taxonomy of Attacks: Summary

  10. Assumptions • Large design team • Each designer works on one unit or part of one • Security add-ons cannot be done by one member • Full knowledge • Attacker has complete access to all design specifications • Attacker also knows about additional security mechanism • Equal distrust • Any one designer/unit may be evil • Security add-ons may contain backdoors

  11. Outline • Taxonomy • Ticking Timebombs, Cheat Codes, Emitters, Corrupters • Solutions • TrustNet and DataWatch • Results • Correctness, Coverage and Costs • Future Work

  12. Sample Emitter Backdoor • Consider a malicious instruction decoder • Decoder emits instructions not in the original program • Execution unit faithfully executes them Spurious Output Decode Execute Fetch Fetch Fetch

  13. TrustNet • Predictor and Reactor monitor the Target • Division of work prevents one bad guy from breaking two units • Scaling to larger number increases design complexity Predictor Fetch Reactor Execute add $r1, $r2, $r3 Target Decode

  14. Corrupter Backdoors • Bob • Still nice • Donates $100 • Eric • Evil (and smarter) • Converts to Canadian $ • Alice • Still president • Fooled by Eric’s C$100 Thank you, Bob, for your C$100

  15. DataWatch • Scaled up version of TrustNet • Multiple bit messages • Confirms types of messages (instead of just yes/no) STOP Predictor Fetch Reactor Execute add $r1, $r2, $r3 Target Decode SUB $r1, $r2, $r3

  16. Outline • Taxonomy • Ticking Timebombs, Cheat Codes, Emitters, Corrupters • Solutions • TrustNet and DataWatch • Results • Correctness, Coverage and Costs • Future Work

  17. Experimental Context, Correctness, Costs • Context • Simplified OpenSPARC T2 • Correctness • Designed attacks • No false positives or negatives • Costs • Low area overhead (2 KB per core) • No performance impact • How to measure coverage?

  18. Coverage: Vulnerability Space Units with a core Units with a core Paper has plots for other units at a chip level 18

  19. Coverage Visualization WARNING: This is an approximate vizualization 19

  20. Summary and Future Work • Strengthen root of trust: microprocessors • Hardware-only solution. No perf impact, low area overhead • Security add-on highly resilient to corruption • Provided attack taxonomy, method to characterize attack space • Applicability of TrustNet & DataWatch • Covered: pipelines, caches and content associative memory • Not covered: ALU, microcode, power mgmt., side-channels • Moving Forward • Expand coverage • Out-of-order processors • Motherboard components • Design automation tools • Reaction to errors • Applying techniques for reliable execution • First steps toward a secure trusted hardware w/ untrusted units ✔ Thank You! and Questions?

More Related