128 research outputs found
June 7th, 2017
The most important interface in a computer system is the instruction set architecture (ISA) as it connects software to hardware. So, given the prevalence of open standards for almost all other important interfaces, why is the ISA still proprietary? We argue that a free ISA is a necessary precursor to future hardware innovation, and there is no good technical reason not to have free, open ISAs just as we have free, open networking standards and free, open operating systems.
The free and open RISC-V ISA began development at UC Berkeley in 2010, with the frozen base user ISA standard released in May 2014, and has since then seen rapid uptake around the globe, including the first commercial shipments. This talk will cover the technical features of the RISC-V ISA design, which has the goals of scaling from the tiniest implementations for IoT up to the largest warehouse-scale computers, with support for extensive customization. We will also describe industry-competitive open-source cores developed at UC Berkeley, all written in Chisel, a productive new open-source hardware design language. Finally, we will describe the uptake of RISC-V and the development of the RISC-V ecosystem, including the RISC-V Foundation.
Verifying RISC-V Physical Memory Protection
We formally verify an open-source hardware implementation of physical memory protection (PMP) in RISC-V, which is a standard feature used for memory isolation in security-critical systems such as the Keystone trusted execution environment. PMP provides per-hardware-thread machine-mode control registers that specify the access privileges for physical memory regions. We first formalize the functional property of the PMP rules based on the RISC-V ISA manual. Then, we use the LIME tool to translate an open-source implementation of the PMP hardware module written in Chisel to the UCLID5 formal verification language. We encode the formal specification in UCLID5 and verify the functional correctness of the hardware. This is an initial effort towards verifying the Keystone framework, where the trusted computing base (TCB) relies on PMP to provide security guarantees such as integrity and confidentiality.
Comment: SECRISC-V 2019 Workshop
Sanctorum: A lightweight security monitor for secure enclaves
Enclaves have emerged as a particularly compelling primitive to implement trusted execution environments: strongly isolated sensitive user-mode processes in a largely untrusted software environment. While the threat models employed by various enclave systems differ, the high-level guarantees they offer are essentially the same: attestation of an enclave's initial state, as well as a guarantee of enclave integrity and privacy in the presence of an adversary. This work describes Sanctorum, a small trusted code base (TCB), consisting of a generic enclave-capable system, which is sufficient to implement secure enclaves akin to the primitive offered by Intel's SGX. While enclaves may be implemented via unconditionally trusted hardware and microcode, as is the case in SGX, we employ a smaller TCB principally consisting of authenticated, privileged software, which may be replaced or patched as needed. Sanctorum implements a formally verified specification for generic enclaves on an in-order multiprocessor system meeting baseline security requirements, e.g., the MIT Sanctum processor and the Keystone enclave framework. Sanctorum requires trustworthy hardware including a random number generator, a private cryptographic key pair derived via a secure bootstrapping protocol, and a robust isolation primitive to safeguard sensitive information. Sanctorum's threat model is informed by the threat model of the isolation primitive, and is suitable for adding enclaves to a variety of processor systems.
Comment: 6 pages
Context-centric security
Abstract. Users today are unable to use the rich collection of third-party untrusted applications without risking significant privacy leaks. In this paper, we argue that current and proposed application- and data-centric security policies do not map well to users' expectations of privacy. In the eyes of a user, applications and peripheral devices exist merely to provide functionality and should have no place in controlling privacy. Moreover, most users cannot handle intricate security policies dealing with system concepts such as labeling of data, application permissions and virtual machines. Not only are current policies impenetrable to most users, they also lead to security problems such as privilege-escalation attacks and implicit information leaks. Our key insight is that users naturally associate data with real-world events, and want to control access at the level of human contacts. We introduce Bubbles, a context-centric security system that explicitly captures users' privacy desires by allowing human contact lists to control access to data clustered by real-world events. Bubbles infers information-flow rules from these simple context-centric access-control rules to enable secure use of untrusted applications on users' data. We also introduce a new programming model for untrusted applications that allows them to be functional while still upholding the users' privacy policies. We evaluate the model's usability by porting an existing medical application and writing a calendar app from scratch. Finally, we show the design of our system prototype running on Android that uses bubbles to automatically infer all dangerous permissions without any user intervention. Bubbles prevents Android-style permission-escalation attacks without requiring users to specify complex information-flow rules.
RPCValet: NI-Driven Tail-Aware Balancing of µs-Scale RPCs
Modern online services come with stringent quality requirements in terms of response-time tail latency. Because of their decomposition into fine-grained communicating software layers, a single user request fans out into a plethora of short, μs-scale RPCs, aggravating the need for faster inter-server communication. In reaction to that need, we are witnessing a technological transition characterized by the emergence of hardware-terminated user-level protocols (e.g., InfiniBand/RDMA) and new architectures with fully integrated Network Interfaces (NIs). Such architectures offer a unique opportunity for a new NI-driven approach to balancing RPCs among the cores of manycore server CPUs, yielding major tail latency improvements for μs-scale RPCs. We introduce RPCValet, an NI-driven RPC load-balancing design for architectures with hardware-terminated protocols and integrated NIs, that delivers near-optimal tail latency. RPCValet's RPC dispatch decisions emulate the theoretically optimal single-queue system, without incurring the synchronization overheads currently associated with single-queue implementations. Our design improves throughput under tight tail latency goals by up to 1.4x, and reduces tail latency before saturation by up to 4x for RPCs with μs-scale service times, as compared to current systems with hardware support for RPC load distribution. RPCValet performs within 15% of the theoretically optimal single-queue system.