-
Containment-based Security Architecture
Team Members: Hansen Zhang and Sotiris ApostolakisAdvisor: David
I. August
1
-
Software Hardware
2
Current Approach to Security is ineffective
-
1 Gerwin Kleine, et al. 2009. seL4: formal verification of an OS
kernel. SOSP '09.
7https://www.wired.com/2015/02/nsa-firmware-hacking/2 Linux Kernel,
http://www.phoronix.com/scan.php?page=news_item&px=MTg3OTE
“Clean Slate” Approach to Security
3
seL4 9.1k LOC1
Current Approach to Security is ineffective
Linux kernel ~19.1m LOC2
Main MemoryDisks Processor
Operating System
Libraries
Hypervisor
Applications
External Interface
System Bus
System
>1 B
illio
n LO
Cs
Trusted &Untrustworthy
Trusted & Trustworthyis impractical
-
Containment-based Security
4
is both effective and practical
Sentry NetworkMain MemoryDisks Processor
System Bus
Operating System
System
Libraries
>1 B
illio
n LO
Cs
Hypervisor
Applications
External Interface
Policies
DSCs
Untrusted
Trusted & Trustworthy
-
5
Network
Sentry
NIC
NetFPGA
Proof of Concept
seL4 9.1k LOCRedis DSC 3k LOCSentry 4k LOC
Main MemoryDisks Processor
System Bus
Operating System
Libraries
Hypervisor
Redis
PCIe
Redis Policies
Redis DSCA few thousand lines of code can ensure correct output
of an entire database server despite flaws and
vulnerabilities (known and not-yet-known)
System
>1 B
illio
n LO
Cs
Untrusted
Trusted & Trustworthy
-
Only connection to network
Prototype
Network Interface
PCIe Interface
FPGA Sentry
System
6
-
Verifying Computation & Memory Integrity in the Sentry
Cache Checking unit
Pending Output BufferI$ D$
I$
D$
Fetch InstructionQueue DecodeRegister Rename
Reorder Buffer
Load/StoreUnits
WriteBack
Commit
L2$
Memory
Out-of-Order Processor Core
Sentry
Functional Units
Redundant InstructionChecking Unit (RICU)
Memory Access
Manager
Internal System bus
Peripherals
Memorymgmt unit
Root
Functional Units
Operand Routing CheckingMemoryDependence
Predictor
IncomingExecInfo Buffer
Functional Units
PhysicalRegisters
Branch PredictorBranch Target
BufferReturn Address
Predictor
InstructionPrefetcher
Renaming UnitRegister Map
Table
Free RegisterList
RenameBuffer
DispatchIssue QueueInst Wakeup
LogicSelection
Logic
Arch Registers
Memory Issue Logic
Shadow Arch Registers
I$
D$
FetchInstruction
Queue DecodeRegister Rename
Reorder Buffer
Load/StoreUnits
WriteBack
Commit
L2$
Memory
Out-of-Order Processor Core
Sentry
Functional Units
Redundant InstructionChecking Unit (RICU)
Internal System bus
Peripherals
Memorymgmt unit
Functional Units
Operand Routing
CheckingMemoryDependence
Predictor
IncomingExecInfo Buffer
Functional Units
PhysicalRegisters
Branch PredictorBranch Target
BufferReturn Address
Predictor
InstructionPrefetcher
Renaming Unit
Register MapTable
Free RegisterList
RenameBuffer
DispatchIssue Queue
Inst Wakeup Logic
Selection Logic
Arch Registers
Memory Issue Logic
Shadow Arch Registers
Insight 1: Leverage work done by the untrusted systemInsight 2:
Offload extra work to the untrusted system
7
-
Plan: Beyond a Proof of Concept
Software Stack for Containment
Programming Language
Runtime System Compiler
Operating System
Libraries
Debugging Tools
Software Stack for Applications
Containment Programming Model
Sentry Runtime Sentry Compiler
Sentry Libraries & OS Wrappers
Composable DSC/Policy Libraries
Sentry Emulator & DSC/Policy Debugger
8
-
Plan: Beyond a Single Device
9
-
Team Strengths
Hansen Zhang4th year PhD student
Sotiris Apostolakis3rd year PhD student
Computer Architecture & SecurityBuilt Sentry Prototype
Compilers & SecurityBuilt Redis DSC, Software Support
Built successful containment-based security architecture proof
of concept!
The Liberty Research Group at Princeton University has made
significant contributions to computer architecture, security. and
language tools
for over 15 years 10
Hardware Lead Software Lead
-
Questions?
11
