Trusted ILLIAC - A Configurable, Application-Aware, High-Performance Platform for Trustworthy Computing
Ravishankar Iyer, Wen-mei Hwu, Klara Nahrstedt, William Sanders, Zbigniew Kalbarczyk
Presented at Global Infotech: Pathways to the Future with Global Partnerships
[Poster panels: Vision; Reliability and Security Engine (RSE); Advanced Compiler (IMPACT)]
Vision
Provide an application-specific level of reliability and security while delivering optimal performance.
Customized levels of trust are enforced via an integrated approach involving:
• re-programmable hardware
• compiler methods to (i) extract security and reliability properties and (ii) accelerate computation
• configurable OS and middleware
RSE Framework
[Figure: RSE framework attached to the processor pipeline (IF, ID, EX, MEM, Commit). Pipeline taps Fetch_Out, RegFile_Data, Execute_Out, Memory_Out and Commit_Out feed an Instruction Queue and the Framework Interface Fabric; signals carried include INST, Reg#/Reg Vals, ALU Result, Addr / Next PC, Data Loaded From Memory, Mem/Mem_Rdy and Commit/Squash. Hardware Modules: Pre-emptive Control-flow Checking, Process Health Monitor, Selective Replication, Pointer Taintedness Tracking, coordinated by a Manager.]
Reconfigurable processor-level hardware framework that provides application-aware checks for reliability and security.
• Processor, framework, and modules on a single die
• Framework and modules implemented on an FPGA
• Framework configured to embed the hardware modules needed by the application and to route inputs to those modules
[Figure: IMPACT compiler flow. Driving Applications: Games, Multimedia, Physiological Simulation, Medical Imaging. Input: C Code; output: Specialized C and/or Machine Code. Deep Analysis: Pointer Analysis, Specialized Analysis. Deep Transformation: Loop Transformation, Program Simplification, Future Transformations. Programming Models. Synthesis: Multiprocessor Synthesis (SMP, CMP), FPGA Synthesis Tools, Development Tools.]
Loop Transformation
o Fission
o Fusion
o Distribution
o Strip-mining
Program Simplification
o Recursion Removal
o Pointer Removal
o Data Structure Adjustment
o Memory Partitioning
Specialized Analysis
o Advanced Memory Dataflow
o Branch Correlation
o Value Flow
Pointer Analysis
o Advanced Flow-sensitivity
o Context Sensitivity
o Heap Cloning
o Field Sensitivity
o Pointer Arithmetic
o Scalability
Enable automated generation of hardware to prototype and demonstrate (i) acceleration of computation and (ii) application-aware detectors in realistic scenarios.
Middleware Services for Preventing DoS Attacks in Large-Scale Systems
A subset of trusted nodes, called oversight nodes, cooperate to manage node download information objects.
Develop security middleware services to control multimedia streaming in a secure and robust fashion.
[Figure: eight peers, Node 0x0 to Node 0x7. Node 0x4 requests media objects with keys 0x3, 0x6 and 0x1, each streamed at rate = 350.
Without Oversight: every request is granted; node download info for node 0x4 reaches current = 1050 against max allowed = 1000.
With Oversight Nodes: a serving node queries oversight node 0x5 about node 0x4 adding 350 to its download rate; node 0x5 retrieves node download information for node 0x4 from node 0x7 (key 0x4, current = 700, max allowed = 1000) and the request from node 0x4 is denied.]
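The admission decision shown in the figure, written out as an added example (constructed here, not the Trusted ILLIAC middleware). Oversight nodes hold node download information objects; a serving node asks an oversight member whether the requester may add the object's rate, the member consults the record's holder, and the request is denied once the aggregate would exceed max allowed. The placement rule for records, the choice of which serving node holds which object, and the per-node cap of 1000 are assumptions; the node ids and rate of 350 follow the poster.

```python
"""Oversight-node admission control for media-object requests (constructed example)."""
from dataclasses import dataclass


@dataclass
class DownloadInfo:
    """Node download information object kept by an oversight node."""
    node: int
    current: int = 0          # aggregate rate already granted to this node
    max_allowed: int = 1000   # per-node cap (assumed constant, taken from the figure)


class OversightGroup:
    """Subset of trusted nodes. Each record lives on one member; any member can be
    queried and will retrieve the record from its holder before deciding."""

    def __init__(self, member_ids):
        self.members = {m: {} for m in member_ids}   # member id -> {node: DownloadInfo}

    def holder_of(self, node):
        ids = sorted(self.members)
        return ids[(node + 1) % len(ids)]            # constructed placement rule

    def info_for(self, node):
        store = self.members[self.holder_of(node)]
        return store.setdefault(node, DownloadInfo(node))

    def query(self, asked_member, node, added_rate):
        """May `node` add `added_rate`? Check-and-update on the holder's record."""
        assert asked_member in self.members, "only oversight members answer queries"
        info = self.info_for(node)
        if info.current + added_rate > info.max_allowed:
            return False, info.current
        info.current += added_rate
        return True, info.current


class ServingNode:
    """Peer that streams the media objects it holds."""

    def __init__(self, node_id, objects, oversight=None):
        self.node_id = node_id
        self.objects = objects            # media object key -> streaming rate
        self.oversight = oversight        # None models the "Without Oversight" panel
        self.granted_rate = 0

    def handle_request(self, requester, key):
        rate = self.objects[key]
        if self.oversight is not None:
            ok, _ = self.oversight.query(asked_member=0x5, node=requester, added_rate=rate)
            if not ok:
                return "deny"
        self.granted_rate += rate
        return "grant"


def run_scenario(with_oversight):
    """Node 0x4 requests objects 0x3, 0x6, 0x1 (350 each) from three serving nodes.
    Returns the per-request decisions and the total rate actually granted."""
    oversight = OversightGroup([0x5, 0x7]) if with_oversight else None
    # Constructed assignment of objects to serving nodes.
    servers = {0x3: ServingNode(0x6, {0x3: 350}, oversight),
               0x6: ServingNode(0x2, {0x6: 350}, oversight),
               0x1: ServingNode(0x0, {0x1: 350}, oversight)}
    decisions = [servers[k].handle_request(0x4, k) for k in (0x3, 0x6, 0x1)]
    total = sum(s.granted_rate for s in servers.values())
    return decisions, total


if __name__ == "__main__":
    print("without oversight:", run_scenario(False))   # all granted, 1050 > 1000
    print("with oversight:   ", run_scenario(True))    # third request denied at 700
```

Without oversight each serving node decides alone and node 0x4 reaches 1050; with the oversight group the third request is refused because 700 + 350 exceeds the cap, which is exactly the state (current = 700) the figure shows at the moment of the query.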
Validation of Trusted ILLIAC Configurations (Möbius Modeling Environment)
Möbius atomic models represent different Trusted ILLIAC node designs and attack/fault models.
[Figure: Möbius model of a Trusted ILLIAC Node; Static Analysis panel.]
[Figure: model-driven recovery controller. Target system: HostA runs Web1 Server and App1 Server, HostB runs Web2 Server and App2 Server, host C runs the DB, with paths annotated 50%. Monitors: SNMP Monitor Observations, HTTP1 Monitor, HTTP2 Monitor, Host. Bayesian Update produces a Diagnosis Vector; Trajectory Tree Computation produces Future Outputs using POMDP Bounds (RA-Bound computed offline from a Model of Faults, Actions, Monitors, Rewards, with online Bounds Improvement from a simulation model). The Recovery Engine issues actions (Disable, Reboot, Restart) through an SNMP Manager and records Measured Action Durations.]
Preserving system health using adaptive recovery
Model-Driven Recovery Controller:
• Path-based monitors to detect failures
• Probabilistic Bayesian diagnosis to estimate the cause of failure
• Stochastic planning to choose the recovery action
Model-Driven Trust Management
Considering:
• Misbehaving users
• Malicious users
• Selfish users
Signature extraction
Choose security-critical variables based on application semantics.
Employ a compile-time static program analysis to:
• extract a backward slice, which collates all dependent instructions along each control path
• form a signature, which encodes the dependences as a set (or sequence) of instruction PCs along each control path
Program data-flow violations are indicative of malicious tampering.
Transform the derived signatures into runtime assertions to be integrated within the application code or implemented in hardware for on-line error checking.
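The signature-extraction and checking procedure above, as an added example (constructed here, not the IMPACT or RSE implementation). A tiny three-address program, the critical variable `auth`, the branch structure and the stray write used to model tampering are all assumptions. The static half enumerates control paths to the use of `auth` and computes one backward slice per path, giving one set of instruction PCs per path; the runtime half is the assertion: an interpreter records which PC produced each value, and at the use point the dynamic slice must equal one of the static signatures.

```python
"""Data-flow signatures from per-path backward slices, with a runtime assertion
(constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Instr:
    pc: int
    op: str                 # "const", "add", "mul", "br", "jmp", "use"
    dst: Optional[str]      # variable written (None for br/jmp/use)
    srcs: tuple             # variables read
    imm: int = 0            # constant for "const", target pc for "br"/"jmp"


# Constructed program; `auth` is the security-critical variable used at pc 7.
PROGRAM = [
    Instr(0, "const", "a", (), 5),
    Instr(1, "const", "b", (), 7),
    Instr(2, "br", None, ("a",), 5),        # if a > 0 goto 5, else fall through
    Instr(3, "mul", "c", ("a", "b")),
    Instr(4, "jmp", None, (), 6),
    Instr(5, "add", "c", ("a", "b")),
    Instr(6, "add", "auth", ("c", "b")),
    Instr(7, "use", None, ("auth",)),       # the runtime assertion point
]


def successors(ins):
    if ins.op == "use":
        return ()
    if ins.op == "jmp":
        return (ins.imm,)
    if ins.op == "br":
        return (ins.pc + 1, ins.imm)
    return (ins.pc + 1,)


def control_paths(program, use_pc):
    """Enumerate acyclic control paths from entry to the use (loops are assumed away)."""
    by_pc = {i.pc: i for i in program}
    paths, stack = [], [[program[0]]]
    while stack:
        path = stack.pop()
        if path[-1].pc == use_pc:
            paths.append(path)
            continue
        for s in successors(path[-1]):
            if s in by_pc and by_pc[s] not in path:
                stack.append(path + [by_pc[s]])
    return paths


def backward_slice(path, use):
    """Walk one path backwards from the use, collecting the PCs its operands depend on."""
    needed, pcs = set(use.srcs), set()
    for ins in reversed(path[:-1]):
        if ins.dst is not None and ins.dst in needed:
            pcs.add(ins.pc)
            needed.discard(ins.dst)
            needed.update(ins.srcs)
    return frozenset(pcs)


def signatures(program, use_pc):
    """Static signatures: one set of instruction PCs per control path."""
    use = {i.pc: i for i in program}[use_pc]
    return {backward_slice(p, use) for p in control_paths(program, use_pc)}


def dynamic_slice(use, writer, prov):
    """Transitively collect the PCs that produced the use's operands at run time."""
    work, seen = [writer[s] for s in use.srcs], set()
    while work:
        p = work.pop()
        if p not in seen:
            seen.add(p)
            work.extend(prov.get(p, ()))
    return frozenset(seen)


def execute(program, use_pc, tamper=None):
    """Interpret the program, tracking the last writer of every variable and each
    write's operand provenance. `tamper=(before_pc, var, value, stray_pc)` models
    a write to `var` from an instruction outside the program (constructed corruption)."""
    by_pc = {i.pc: i for i in program}
    env, writer, prov, pc = {}, {}, {}, program[0].pc
    while True:
        if tamper is not None and tamper[0] == pc:
            _, var, value, stray_pc = tamper
            env[var], writer[var], prov[stray_pc] = value, stray_pc, frozenset()
        ins = by_pc[pc]
        if ins.op == "use" and ins.pc == use_pc:
            return dynamic_slice(ins, writer, prov)
        if ins.op == "br":
            pc = ins.imm if env[ins.srcs[0]] > 0 else pc + 1
            continue
        if ins.op == "jmp":
            pc = ins.imm
            continue
        if ins.op == "const":
            value = ins.imm
        elif ins.op == "add":
            value = env[ins.srcs[0]] + env[ins.srcs[1]]
        else:  # "mul"
            value = env[ins.srcs[0]] * env[ins.srcs[1]]
        env[ins.dst], writer[ins.dst] = value, ins.pc
        prov[ins.pc] = frozenset(writer[s] for s in ins.srcs)
        pc += 1


def run_and_check(program, use_pc, tamper=None):
    """Runtime assertion: the dynamic slice at the use must match a static signature."""
    dyn = execute(program, use_pc, tamper)
    return dyn in signatures(program, use_pc), dyn
```

On the untampered run the dynamic slice is {0, 1, 5, 6}, one of the two per-path signatures; a stray write to `c` just before pc 6 puts a PC outside the program into the slice, and the assertion fails even though the program's control flow was never altered.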