Hardware-software design methods for security and reliability of MPSoCs

Patel, Krutartha , Computer Science & Engineering, Faculty of Engineering, UNSW

January 2009

Security of a Multi-Processor System on Chip (MPSoC) is an emerging area of concern in embedded systems. MPSoC security is jeopardized by Code Injection attacks. Code Injection attacks, which are the most common types of software attacks, have plagued single processor systems. Design of MPSoCs must therefore incorporate security as one of the primary objectives. Code Injection attacks exploit vulnerabilities in \trusted" and legacy code. An architecture with a dedicated monitoring processor (MONITOR) is employed to simultaneously supervise the application processors on an MPSoC. The program code in the application processors is divided into basic blocks. The basic blocks in the application processors are statically instrumented with special instructions that allow communication with the MONITOR at runtime. The MONITOR verifies the execution of all the processors at runtime using control flow checks and either a timing or instruction count check. This thesis proposes a monitoring system called SOFTMON, a design methodology called SHIELD, a design flow called LOCS and an architectural framework called CUFFS for detecting Code Injection attacks. SOFTMON, a software monitoring system, uses a software algorithm in the MONITOR. SOFTMON incurs limited area overheads. However, the runtime performance overhead is quite high. SHIELD, an extension to the work in SOFTMON overcomes the limitation of high runtime overhead using a MONITOR that is predominantly hardware based. LOCS uses only one special instruction per basic block compared to two, as was the case in SOFTMON and SHIELD. Additionally, profile information is generated for all the basic blocks in all the application processors for the MPSoC designer to tune the design by increasing or decreasing the frequency of loop basic blocks. CUFFS detects attacks even without application processors communicating to the MONITOR. The SOFTMON, SHIELD and LOCS approaches can only detect attacks if the application processors communicate to the MONITOR. CUFFS relies on the exact number of instructions in basic blocks to determine an attack, rather than time-frame based measures used in SOFTMON, SHIELD and LOCS. The lowest runtime performance overhead was achieved by LOCS (worst case of 37.5%), while the SOFTMON monitoring system had the least amount of area overheads of about 25%. The CUFFS approach employed an active MONITOR and hence detected a greater range of attacks. The CUFFS framework also detects bit flip errors (reliability errors) in the control flow instructions of the application processors on an MPSoC. CUFFS can detect nearly 70% of all bit flip errors in the control flow instructions. Additionally, a modified CUFFS approach is proposed to ensure reliable inter-processor communication on an MPSoC. The modified CUFFS approach uses a hardware based checksum approach for reliable inter-processor communication and incurred a runtime performance overhead of up to 25% and negligible area overheads compared to CUFFS. Thus, the approaches proposed in this thesis equip an MPSoC designer with tools to embed security features during an MPSoC's design phase. Incorporating security measures at the processor design level provides security against software attacks in MPSoCs and incurs manageable runtime, area and code-size overheads.

Security

MPSoCs

Architecture

Reliability

Software attacks

Co-processor based monitoring to detect control flow attacks / Övervakning baserad på koprocessor för att upptäcka kontrollflödesattacker

Kaddami, Oussama

January 2024

Memory corruption attacks pose a significant threat to the security of embedded devices with limited resources that lack basic protection mechanisms. Control Flow Integrity (CFI) is a promising technique to mitigate these attacks by ensuring that the program’s control flow adheres to a predetermined set of rules. In this project, we propose a CFI solution tailored for embedded devices based on combining a type-based approach for indirect branches with a shadow stack approach to protect return addresses. Our solution targets the ARM Cortex-M33 architecture and is evaluated on various applications that are adequate for low-end devices, including embedded cryptographic primitives and a real-time operating system. Our solution provides a high level of security, allowing for a 99.99% reduction in attacks using the average reduction metric (AIR). However, we acknowledge that the performance overhead may be a concern for some use cases. The evaluation of our Control Flow Integrity (CFI) implementation shows that it incurs a performance overhead ranging between 7% and 81%, with a relatively small size overhead of around 3%. Therefore, we propose that the use of adequate architectural models could help reduce the performance overhead while still maintaining good security guarantees. Our study highlights the trade-off between security and performance in CFI implementations and provides insights into potential areas for improvement. / Minneskorruptionsattacker utgör ett betydande hot mot säkerheten för inbyggda enheter med begränsade resurser som saknar grundläggande skyddsmekanismer. Kontrollflödesintegritet (CFI) är en lovande teknik för att mildra dessa attacker genom att säkerställa att programkontrollen följer en förutbestämd uppsättning regler. I detta projekt föreslår vi en CFI-lösning anpassad för inbyggda enheter som bygger på en kombination av en typbaserad metod för indirekta grenar med en skuggstackmetod för att skydda returadresser. Vår lösning riktar sig mot ARM Cortex-M33-arkitekturen och utvärderas på olika applikationer som är lämpliga för lågpresterande enheter, inklusive inbyggda kryptografiska grundläggande funktioner och ett realtidsoperativsystem. Vår lösning erbjuder en hög säkerhetsnivå och möjliggör en minskning av attacker med 99,99% enligt genomsnittsmätningsmetoden (AIR). Vi erkänner dock att prestandaöverhuvud kan vara en oro i vissa användningsfall. Utvärderingen av vår CFI-implementering visar att den medför en prestandaöverhuvud som varierar mellan 7% och 81%, med en relativt liten storleksöverhuvud på cirka 3%. Därför föreslår vi att användningen av lämpliga arkitekturmodeller kan bidra till att minska prestandaöverhuvudet samtidigt som goda säkerhetsgarantier bibehålls. Vår studie belyser avvägningen mellan säkerhet och prestanda i CFI-implementeringar och ger insikter om potentiella områden för förbättring.

Embedded security

Remote software attacks

Control flow integrity (CFI)

Instrumentation

Inbäddade system säkerhet

Fjärrprogramvaruattacker

Computer and Information Sciences

Data- och informationsvetenskap