Slide 1: Arm Morello Evaluation Platform - Validating CHERI-based Security in a High-performance System
Richard Grisenthwaite, SVP Chief Architect and Fellow, Arm (Richard.G)
Copyright 2022 Arm Limited

Slide 2: Acknowledgements
This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contract FA8750-10-C-0237 ("CTSRD"), with additional support from FA8750-11-C-0249 ("MRC2"), HR0011-18-C-0016 ("ECATS"), and FA8650-18-C-7809 ("CIFV") as part of the DARPA CRASH, MRC, and SSITH research programs. The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government. This work was supported in part by the Innovate UK project Digital Security by Design (DSbD) Technology Platform Prototype, 105694. We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ERC ELVER Advanced Grant (789108), the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, Microsoft Research Cambridge, Arm Limited, Google, Google DeepMind, HP Enterprise, and the Gates Cambridge Trust.
University of Cambridge, SRI International, etc.
Contributors on CHERI: Robert N. M. Watson, Simon W. Moore, Peter Sewell, Peter G. Neumann, Hesham Almatary, Jonathan Anderson, Alasdair Armstrong, Peter Blandford-Baker, Rosie Baish, John Baldwin, Hadrien Barrel, Thomas Bauereiss, Ruslan Bukin, Brian Campbell, David Chisnall, Jessica Clarke, Nirav Dave, Brooks Davis, Lawrence Esswood, Nathaniel W. Filardo, Franz Fuchs, Dapeng Gao, Khilan Gudka, Brett Gutstein, Alexandre Joannou, Mark Johnston, Robert Kovacsics, Ben Laurie, A. Theo Markettos, J. Edward Maste, Alfredo Mazzinghi, Alan Mujumdar, Prashanth Mundkur, Steven J. Murdoch, Edward Napierala, George Neville-Neil, Kyndylan Nienhuis, Robert Norton-Wright, Philip Paeps, Lucian Paul-Trifu, Allison Randal, Ivan Ribeiro, Alex Richardson, Michael Roe, Colin Rothwell, Peter Rugg, Hassen Saidi, Thomas Sewell, Stacey Son, Ian Stark, Domagoj Stolfa, Andrew Turner, Munraj Vadera, Konrad Witaszczyk, Jonathan Woodruff, Hongyan Xia, and Bjoern A. Zeeb

Slide 3: Security is the greatest challenge computing needs to address to meet its full potential

Slide 4: Memory (un)safety issues remain a major source of CVEs
- Matt Miller (BlueHat 2019): at Microsoft around 70% of CVEs are memory unsafety issues
  - #1 heap out-of-bounds, #2 use-after-free, #3 type confusion, #4 uninitialized use
- Chromium reports similar issues ("Memory safety", The Chromium Projects): "70% of our serious security bugs are memory safety problems."
- Been around for a very long time: the Morris Worm (1988) is usually credited as the first buffer overflow attack on the internet
- C/C++ is not going away any time soon in the world's software

Slide 5: CHERI architecture in one slide
- CPU architecture adds 128-bit "capabilities" in the register file plus a tag bit
  - Capability contains the address, bounds information, permission information etc.
  - The tag bit is metadata that distinguishes a capability from normal data
  - The tag bit prevents "forging" of a capability
  - This functionality gives strong provenance of capabilities
- Architecture has the ability to "seal" capabilities as well, as part of compartmentalisation
- Loads/stores using capabilities as addresses are checked to be legal
  - Within address range and matching the supplied permissions
- Data processing on capabilities has rules to limit operations
  - Bounds cannot be arbitrarily increased, permissions cannot be relaxed etc.
- PC is converted to a capability called the PCC to place bounds on the PC
  - Direct branches will be within the PCC; indirect branches (including returns) can change PCC
- Capability is used in place of a normal pointer in some or all situations
  - Exactly how and when this happens is part of the software usage case

Slide 6: Two key applications of the CHERI primitives
1. Efficient, fine-grained memory protection for C/C++
  - Strong source-level compatibility, but requires recompilation and minor source-code changes
  - Deterministic and secret-free referential, spatial, and temporal memory safety
  - Retrospective studies estimate the share of memory-safety vulnerabilities mitigated
  - Generally modest overhead (0%-5%, some pointer-dense workloads higher)
2. Scalable software compartmentalization
  - Multiple software operational models, from objects to processes
  - Increases exploit chain length: attackers must find and exploit more vulnerabilities
  - Orders-of-magnitude performance improvement over MMU-based techniques (90% reduction in IPC overhead in early FPGA-based benchmarks)

Slide 7: Microsoft security analysis of CHERI C/C++
- Microsoft Security Research Center (MSRC) study analyzed all 2019 Microsoft critical memory-safety security vulnerabilities
  - Metric: "Poses a risk to customers, requires a software update"
  - Vulnerability mitigated if no security update required
- Blog post and 42-page report
  - Concrete vulnerability analysis for spatial safety
  - Abstract analysis of the impact of temporal safety
  - Red teaming of specific artifacts to gain experience
- CHERI, "in its current state, and combined with other mitigations, it would have deterministically mitigated at least two thirds of all those issues"
- https:/msrc-

Slide 8: Morello prototype system: what has Arm produced?
- Morello prototype architecture
- Morello Platform Model (FVP), a software model of the Morello platform
- Linaro-hosted OSS
- Memory model tools
- Toolchain
- Partner forum including FAQ
- Technical reference manual
- Morello test chip and board
- Morello Overview Guide
- Morello Development Platform and Software Stack User Guide
- Future how-to video
- https:/

Slide 9: TSMC N7 process, 2.5 GHz CPU, 109.9 mm²

Slide 10: Extending structures and memory to support capabilities
- Increase register file to support 129 bits
  - Area, power, and other register file optimizations need to be considered
  - Could be implemented as a separate register file or a unified register file
- Requires additional storage at all levels of the memory hierarchy (1 bit per 16 B of data)
  - Includes caches, buffers, and other microarchitecture structures
  - May widen existing structures or store in separate structures
- System buses need to transport tag information
  - Use existing signals where possible to decrease protocol changes
- Forwarding networks and internal data buses may need to increase
- Decode complexity and area (new instructions, modes, system registers)
  - Strains on decode space availability may require extra execution units or other changes

Slide 11: Memory checks and load/store extensions
- Address generation is usually a critical path in load/store designs
  - Compartmentalizing legacy code may add an offset to address generation
  - Capabilities require new bounds checks on those addresses
- New faults need to be detected and reported to control and track capabilities in a system
  - For protection (compartmentalization) or performance (revocation)
- Adds a dependency between the stored capability and the location to which it is being stored that did not exist before (which may cause delays if the implementation stalls the address until the data is available)
  - MMU access faults and PTE updates (capability write permission / dirty bit) dependent on the store tag
- Fault Address Register (FAR) captures the full address for all faults (including late-detected, precise, data-dependent faults)
  - May require additional storage to propagate the full address throughout the pipeline
- Capability instruction implementation must maintain atomicity
  - Makes cracking instructions more difficult, especially for atomic instructions such as CAS, STLXP
[Figure: address generation datapath, srca + srcb, shown with and without the added capability base offset]

Slide 12: Extending data processing - bounds checking
- Upper and lower bounds information is compressed into 64 bits
- When bounds checks are needed, this has to be decompressed
  - Needed for all load/store operations and branches; done in parallel with address generation
  - Also needed to cover advanced capability operations in the integer unit
[Figure: capability encoding with Tag, Perms, Exp, Bottom and Top fields alongside the Address; GetBounds decodes Bottom/Top/Exp into Base and Limit]

SAIL / Isabelle proof assistant
- 3 security issues found before tapeout
- SAIL ISA specification also used for ISA test generation
  - Stressing capability corner cases based on strong ISA understanding
- Machine-checked mathematical proofs of whole-ISA security properties of a full-scale industry ISA
- Verified Security for the Morello Capability-enhanced Prototype Arm Architecture. Bauereiss (1), Campbell (2), Sewell (1), Armstrong (1), Esswood (1), Stark (2), Barnes (3), Watson (1), Sewell (1). In ESOP 2022. (1) University of Cambridge, (2) University of Edinburgh, (3) Arm Ltd. http://www.cl.cam.ac.uk/pes20/morello-proofs-esop2022.pdf

Slide 19: What feedback do we want to get from Morello?
- Answers to the performance questions for a wide range of different usage models
- Compelling examples of capabilities offering security/performance improvements
  - Backed up by "red teams" having attacked the system and demonstrated the security of the system
  - Compelling in comparison with existing deployed state-of-the-art approaches
- Better understanding of
  - How different languages and run-times can use capabilities: not only C and C++, but also JavaScript, Java
  - How fine-grained compartmentalisation can be used
- A showcase to encourage other architectures to adopt capabilities
- Experience of what the right SoC hardware is for building capabilities
- An architectural approach with formally proven security properties
- What to put into the future Arm architecture for an industrial deployment

Questions?

Thank You / Danke / Gracias / Grazie / 谢谢 / Asante / Merci / Kiitos

Copyright 2022 Arm Limited. The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective
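The "CHERI architecture in one slide" and "Memory checks and load/store extensions" slides above describe the capability rules in prose: a tag bit that cannot be forged, bounds and permission checks on every load and store, derivation rules under which bounds only shrink and permissions only drop, sealing, and a tag bit per 16 bytes of memory that is cleared when ordinary data overwrites a stored capability. The following is an added, illustrative Python model of those rules written for this page; it is not Arm's or the CHERI project's code, it uses its own simplified field layout and exception messages, and it does not reproduce Morello's encoding or instruction set. Class and function names (Capability, TaggedMemory, forge, demo) are assumptions for the example.

```python
"""Toy model of the CHERI capability rules on the slides above (illustrative, not Morello's)."""
from dataclasses import dataclass, field, replace
from typing import Optional

CAP_SIZE = 16                                  # one 128-bit capability = 16 bytes, 1 tag bit per granule
LOAD, STORE, EXEC = "load", "store", "exec"    # permission names chosen for this example


class CapabilityFault(Exception):
    """Raised where the hardware would take a capability exception."""


@dataclass(frozen=True)
class Capability:
    address: int
    base: int
    limit: int                          # exclusive upper bound
    perms: frozenset = field(default_factory=frozenset)
    tag: bool = True                    # False: 128 bits of plain data, cannot be dereferenced
    otype: Optional[int] = None         # not None: sealed with this object type

    # Data-processing rules: a derived capability is never more powerful than its source.
    def set_bounds(self, base, limit):
        if base < self.base or limit > self.limit or base > limit:
            raise CapabilityFault("bounds may not be increased")
        return replace(self, base=base, limit=limit, address=base)

    def and_perms(self, keep):
        return replace(self, perms=self.perms & frozenset(keep))   # can only remove permissions

    def offset(self, delta):
        return replace(self, address=self.address + delta)        # arithmetic is free; checked on use

    def seal(self, otype):
        return replace(self, otype=otype)

    def unseal(self, key):
        if self.otype is None or not key.tag or key.address != self.otype:
            raise CapabilityFault("unseal: wrong or untagged sealing capability")
        return replace(self, otype=None)

    def check(self, perm, size):
        """The tag / seal / permission / bounds check performed on every load, store or branch."""
        if not self.tag:
            raise CapabilityFault("tag clear: not a valid capability")
        if self.otype is not None:
            raise CapabilityFault("sealed capability cannot be dereferenced")
        if perm not in self.perms:
            raise CapabilityFault(f"missing permission {perm}")
        if self.address < self.base or self.address + size > self.limit:
            raise CapabilityFault("access out of bounds")


def forge(address, base, limit, perms=()):
    """A bit pattern shaped like a capability but not derived from one: its tag is clear."""
    return Capability(address, base, limit, frozenset(perms), tag=False)


class TaggedMemory:
    """Byte memory plus one tag bit per 16-byte granule, as the slides describe."""
    def __init__(self, size):
        self.data = bytearray(size)
        self.tags = [False] * (size // CAP_SIZE)
        self.caps = {}                      # granule index -> stored capability (toy encoding)

    def store_data(self, cap, value: bytes):
        cap.check(STORE, len(value))
        self.data[cap.address:cap.address + len(value)] = value
        first, last = cap.address // CAP_SIZE, (cap.address + len(value) - 1) // CAP_SIZE
        for g in range(first, last + 1):
            self.tags[g] = False            # plain data overwriting a capability clears its tag

    def load_data(self, cap, size):
        cap.check(LOAD, size)
        return bytes(self.data[cap.address:cap.address + size])

    def store_cap(self, cap, value: Capability):
        cap.check(STORE, CAP_SIZE)
        if cap.address % CAP_SIZE:
            raise CapabilityFault("capability store must be 16-byte aligned")
        g = cap.address // CAP_SIZE
        self.caps[g] = value
        self.tags[g] = value.tag            # the tag travels with the capability into memory

    def load_cap(self, cap):
        cap.check(LOAD, CAP_SIZE)
        g = cap.address // CAP_SIZE
        return replace(self.caps.get(g, forge(0, 0, 0)), tag=self.tags[g])


def demo():
    """Exercise each rule once and return what happened (constructed scenario)."""
    mem, out = TaggedMemory(256), {}
    root = Capability(0, 0, 256, frozenset({LOAD, STORE, EXEC}))
    buf = root.set_bounds(64, 96).and_perms({LOAD, STORE})       # 32-byte buffer, no exec
    mem.store_data(buf, b"A" * 32)                                 # exactly fills the bounds
    for name, action in (
        ("overflow", lambda: mem.store_data(buf.offset(28), b"B" * 8)),   # 4 bytes past limit
        ("widen", lambda: buf.set_bounds(0, 256)),                        # bounds may not grow
        ("forged", lambda: mem.load_data(forge(64, 0, 256, {LOAD}), 4)),  # tag is clear
        ("sealed", lambda: buf.seal(7).check(LOAD, 1)),                    # sealed, not usable
    ):
        try:
            action()
            out[name] = "allowed"
        except CapabilityFault as e:
            out[name] = str(e)
    slot = root.set_bounds(128, 144)
    mem.store_cap(slot, buf)
    out["reload_tag"] = mem.load_cap(slot).tag                     # True: tag preserved
    mem.store_data(slot, b"\x00" * 8)                              # data write over the slot
    out["after_overwrite_tag"] = mem.load_cap(slot).tag            # False: tag cleared
    out["unsealed_ok"] = buf.seal(7).unseal(Capability(7, 0, 256)).check(LOAD, 1) is None
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model deliberately checks on use rather than on arithmetic: `offset` moves the address freely and it is the load or store that faults, which is the behaviour the slides describe for bounds checks being performed in the load/store path. The tagged-memory part shows why the slides insist on one tag bit per 16 bytes at every level of the hierarchy: without it, the overwrite-then-reload step would hand back a usable capability built from attacker-controlled bytes.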
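The "Extending data processing - bounds checking" slide says upper and lower bounds are compressed into 64 bits, with Exp/Bottom/Top fields decoded by a GetBounds step into Base and Limit. The practical consequence for software is that large objects get bounds that are only representable at a coarser alignment, so an allocator has to pad. The block below is an added example written for this page, using a deliberately simplified floating-point-style scheme (a 6-bit exponent and two 29-bit mantissas; the split, the function names encode_bounds/decode_bounds/in_bounds and the sample values are assumptions). Morello's real encoding stores bounds relative to the address and is considerably more elaborate; this example only shows the compress/decompress round trip and the precision loss it introduces.

```python
"""Simplified compressed-bounds model (toy scheme, not Morello's encoding)."""
EXP_BITS, MANT_BITS = 6, 29          # 6 + 29 + 29 = 64 bits of bounds metadata in this toy layout


def encode_bounds(base, limit):
    """Pick the smallest exponent E at which B << E <= base and T << E >= limit fit the mantissas.

    Base is rounded down and limit rounded up to a multiple of 2**E, so the representable
    region always covers the requested one; it may be slightly larger, never smaller."""
    if base > limit or base < 0:
        raise ValueError("need 0 <= base <= limit")
    for e in range(1 << EXP_BITS):
        b = base >> e                                   # floor(base / 2**e)
        t = (limit + (1 << e) - 1) >> e                 # ceil(limit / 2**e)
        if t < (1 << MANT_BITS):                        # b <= t, so b fits whenever t does
            return e, b, t
    raise ValueError("bounds not representable even at the largest exponent")


def decode_bounds(e, b, t):
    """The GetBounds step: two shifts, cheap enough to run alongside address generation."""
    return b << e, t << e


def in_bounds(e, b, t, address, size):
    """The check a load/store of `size` bytes at `address` would perform."""
    base, limit = decode_bounds(e, b, t)
    return base <= address and address + size <= limit


def demo():
    """Constructed example: a small object encodes exactly, a large one picks up slack."""
    out = {}
    small = encode_bounds(0x1000, 0x1040)                         # 64-byte object
    out["small_exp"] = small[0]
    out["small_exact"] = decode_bounds(*small) == (0x1000, 0x1040)

    big_base = 0x10000001                                         # deliberately unaligned
    big_limit = big_base + (1 << 31) + 3                          # ~2 GiB object
    big = encode_bounds(big_base, big_limit)
    out["big_exp"] = big[0]
    out["big_bounds"] = decode_bounds(*big)
    # bytes below the requested base and above the requested limit that the bounds also cover
    out["big_slack"] = (big_base - out["big_bounds"][0], out["big_bounds"][1] - big_limit)
    out["check_inside"] = in_bounds(*big, big_base, 16)
    out["check_in_slack"] = in_bounds(*big, big_limit, 4)         # the padding is reachable
    out["check_past_limit"] = in_bounds(*big, big_limit + 8, 1)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v if not isinstance(v, tuple) else tuple(hex(x) if x > 64 else x for x in v)}")
```

The `check_in_slack` result is the point to take away: the rounded-out bounds grant access to a few bytes the caller never asked for, which is why a capability-aware allocator must align and pad large allocations so that nothing else occupies that slack.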
32、r building capabilitiesAn architectural approach with formally proven security propertiesWhat to put into the future Arm architecture for an industrial deployment 2022 ArmQuestions?Copyright 2022 Arm LimitedThank YouDankeGraciasGrazie谢谢AsanteMerciKiitos Copyright 2022 Arm LimitedThe Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited(or its subsidiaries)in the US and/or elsewhere.All rights reserved.All other marks featured may be trademarks of their respective