Hari Kannan

Raksha: a flexible information flow architecture for software security

High-level semantic vulnerabilities such as SQL injection and crosssite scripting have surpassed buffer overflows as the most prevalent security exploits. The breadth and diversity of software vulnerabilities demand new security solutions that combine the speed and practicality of hardware approaches with the flexibility and robustness of software systems. This paper proposes Raksha, an architecture for software security based on dynamic information flow tracking (DIFT). Raksha provides three novel features that allow for a flexible hardware/software approach to security. First, it supports flexible and programmable security policies that enable software to direct hardware analysis towards a wide range of high-level and low-level attacks. Second, it supports multiple active security policies that can protect the system against concurrent attacks. Third, it supports low-overhead security handlers that allow software to correct, complement, or extend the hardware-based analysis without the overhead associated with operating system traps. We present an FPGA prototype for Raksha that provides a full featured Linux workstation for security analysis. Using unmodified binaries for real-world applications, we demonstrate that Raksha can detect high-level attacks such as directory traversal, command injection, SQL injection, and cross-site scripting as well as low-level attacks such as buffer overflows. We also show that low overhead exception handling is critical for analyses such as memory corruption protection in order to address false positives that occur due to the diverse code patterns in frequently used software.

From chaos to QoS: case studies in CMP resource management

As more and more cores are enabled on the die of future CMP platforms, we expect that several diverse workloads will run simultaneously on the platform. A key example of this trend is the growth of virtualization usage models. When multiple virtual machines or applications or threads run simultaneously, the quality of service (QoS) that the platform provides to each individual thread is non-deterministic today. This occurs because the simultaneously running threads place very different demands on the shared resources (cache space, memory bandwidth, etc) in the platform and in most cases contend with each other. In this paper, we first present case studies that show how this results in non-deterministic performance. Unlike the compute resources managed through scheduling, platform resource allocation to individual threads cannot be controlled today. In order to provide better determinism and QoS, we then examine resource management mechanisms and present QoS-aware architectures and execution environments. The main contribution of this paper is the architecture feasibility analysis through prototypes that allow experimentation with QoS-Aware execution environments and architectural resources. We describe these QoS prototypes and then present preliminary case studies of multi-tasking and virtualization usage models sharing one critical CMP resource (last-level cache). We then demonstrate how proper management of the cache resource can provide service differentiation and deterministic performance behavior when running disparate workloads in future CMP platforms.

Decoupling Dynamic Information Flow Tracking with a dedicated coprocessor

Dynamic Information Flow Tracking (DIFT) is a promising security technique. With hardware support, DIFT prevents a wide range of attacks on vulnerable software with minimal performance impact. DIFT architectures, however, require significant changes in the processor pipeline that increase design and verification complexity and may affect clock frequency. These complications deter hardware vendors from supporting DIFT. This paper makes hardware support for DIFT cost-effective by decoupling DIFT functionality onto a simple, separate coprocessor. Decoupling is possible because DIFT operations and regular computation need only synchronize on system calls. The coprocessor is a small hardware engine that performs logical operations and caches 4-bit tags. It introduces no changes to the design or layout of the main processors logic, pipeline, or caches, and can be combined with various processors. Using a full-system hardware prototype and realistic Linux workloads, we show that the DIFT coprocessor provides the same security guarantees as current DIFT architectures with low runtime overheads.

Thread-safe dynamic binary translation using transactional memory

Dynamic binary translation (DBT) is a runtime instrumentation technique commonly used to support profiling, optimization, secure execution, and bug detection tools for application binaries. However, DBT frameworks may incorrectly handle multithreaded programs due to races involving updates to the application data and the corresponding metadata maintained by the DBT. Existing DBT frameworks handle this issue by serializing threads, disallowing multithreaded programs, or requiring explicit use of locks. This paper presents a practical solution for correct execution of multithreaded programs within DBT frameworks. To eliminate races involving metadata, we propose the use of transactional memory (TM). The DBT uses memory transactions to encapsulate the data and metadata accesses in a trace, within one atomic block. This approach guarantees correct execution of concurrent threads of the translated program, as TM mechanisms detect and correct races. To demonstrate this approach, we implemented a DBT-based tool for secure execution of x86 binaries using dynamic information flow tracking. This is the first such framework that correctly handles multithreaded binaries without serialization. We show that the use of software transactions in the DBT leads to a runtime overhead of 40%. We also show that software optimizations in the DBT and hardware support for transactions can reduce the runtime overhead to 6%.

Ordering decoupled metadata accesses in multiprocessors

Hardware support for dynamic analysis can minimize the performance overhead of useful applications such as security checks, debugging, and profiling. To eliminate implementation complexity and improve flexibility, recent hardware proposals have decoupled the processing of the metadata needed for analysis from the application running on the main processor core. However, such decoupling can lead to inconsistencies between application data and analysis metadata in multiprocessor systems. If updates to data and metadata occur in different orders, the analysis can be rendered incorrect, leading to issues such as undetected security attacks or unnecessary program termination. This paper presents a practical hardware solution that ensures consistency between application data and analysis metadata in multiprocessor systems. We use hardware to track the order of data updates and enforce the same ordering on the analogous metadata operations. This solution works for both in-order and out-of-order processors and requires no changes to the cores, caches or coherence protocol. It is equally applicable to analysis architectures that use dedicated coprocessors or separate cores, is compatible with sequential and relaxed consistency models, and can accommodate metadata of different sizes. We show that, even with small tracking structures, our solution introduces a runtime overhead of less than 7% for PARSEC and SPLASH-2 benchmarks running on a 32-core system.

Tainting is not pointless

Pointer tainting is a form of Dynamic Information Flow Tracking used primarily to prevent software security attacks such as buffer overflows. Researchers have also applied pointer tainting to malware and virus analysis. A recent paper by Slowinska and Bos has criticized pointer tainting as a security mechanism, arguing that it is has serious, inherent false positive and false negative defects. We present a rebuttal that addresses the confusion due to the two uses of pointer tainting in security literature. We clarify that many of the arguments against pointer tainting apply only to its use as a malware and virus analysis platform, but do not apply to the application of pointer tainting to memory corruption protection. Hence, we argue that pointer tainting remains a useful and promising technique for robust protection against memory corruption attacks.

qTLB: looking inside the look-aside buffer

Rapid evolution of multi-core platforms is putting additional stress on shared processor resources like TLB. TLBs have mostly been private resources for the application running on the core, due to the constant flushing of entries on context switches. Recent technologies like virtualization enable independent execution of software domains leading to performance issues because of interesting dynamics at the shared hardware resources. The advent of TLB tagging with application and VM identifiers, however, increases the lifespan of these resources. In this paper, we demonstrate that TLB tagging and refraining from flushing the hypervisor TLB entries during a VM context switch can lead to considerable performance benefits. We show that it is possible to improve the TLB performance of an important application by protecting its TLB entries from the interference of other low priority VMs/applications and providing differentiated service. We present our QoS architecture framework for TLB (qTLB) and show its benefits.

Tuning SoCs using the global dynamic critical path

We propose using a profiling-based technique (Dynamic Critical Path) to guide SoC optimization. Optimizing SoCs composed of many modules involves exploring a large space of possible configurations (exponential in the number of component modules). We present this optimization technique applied to a Globally Asynchronous Locally Synchronous (GALS) RTL design. Furthermore, we investigate the loss of precision when abstract versions of hardware modules are used for the critical path computation. Using the critical path provides very fast convergence towards optimal or near-optimal solutions when analyzing large configuration spaces by optimizing the design for composite optimization metrics, such as energy-delay.

Raksha: A flexible architecture for software security

This article consists of a collection of slides from the authors conference presentation on Raksha, a flexible architecture for software security. Some of the specific topics discussed include: the special features, system specifications, and system design of Raksha; system architecture; applications for use; security features supported; and targeted markets.