2 research outputs found

    Architectural support for secure and survivable embedded software

    Attacks against vulnerable software have become a serious problem for industry and users alike. There have been many techniques proposed to combat these attacks which range from compiler modifications to additional architectural features. Most of these techniques focus on attack detection, while ignoring the problem of how to gracefully recover from such attacks. In this thesis we propose an architectural approach to attack detection and recovery which we call rollback and huddle. In our approach, a lightweight attack-detection module monitors a program's execution as its state is continuously checkpointed. In the case of an attack, the program state is rolled back to a time before the attack occurred and an additional HW/SW module is loaded to gain extra insight into the attack and possibly repair the original vulnerability. Our approach is based on the observation that the vast majority of a program's execution can be trusted. Therefore, we aim to minimize the performance overhead during normal execution. Once an attack has been detected, the system is put into a high alert mode where a larger performance overhead is tolerated to make use of more complex techniques and avoid system down-time. We introduce simple hardware modules that work alongside a standard computer architecture, and aid in attack detection, checkpoint creation, and attack recovery. Our experimental results show that this approach can be achieved with minimal run-time overhead and resource utilization.

    Compiler Optimizations to Reduce Security Overhead

    In this work, we present several compiler optimizations to reduce the overhead due to software protection. We first propose an aggressive rematerialization algorithm which attempts to maximally realize non-trusted values from other trusted values thereby avoiding the security cost for those non-trusted values. We further propose a compiler technique to utilize the secure storage in our machine model efficiently. To optimize the security cost on data that has to be stored in non-trusted storage, we propose a data grouping technique. Security operations can be performed over the group of data instead of over each piece separately. We show an interesting application of the data grouping technique to reduce the security cost. We test the effectiveness of our optimizations on a recently proposed software protection scheme that involves large overhead. Our results show that the above optimizations are effective and reduce the security overhead significantly.