DOI: 10.1145/2694344.2694366
research-article
Open access

SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs

Published: 14 March 2015

Abstract

Processor implementation errata remain a problem, and worse, a subset of these bugs are security-critical. We classified 7 years of errata from recent commercial processors to understand the magnitude and severity of this problem, and found that of 301 errata analyzed, 28 are security-critical. We propose the SECURITY-CRITICAL PROCESSOR ERRATA CATCHING SYSTEM (SPECS) as a low-overhead solution to this problem. SPECS employs a dynamic verification strategy that is made lightweight by limiting protection to only security-critical processor state. As a proof-of-concept, we implement a hardware prototype of SPECS in an open source processor. Using this prototype, we evaluate SPECS against a set of 14 bugs inspired by the types of security-critical errata we discovered in the classification phase. The evaluation shows that SPECS is 86% effective as a defense when deployed using only ISA-level state; incurs less than 5% area and power overhead; and has no software run-time overhead.

Published In

ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems
March 2015
720 pages
ISBN:9781450328357
DOI:10.1145/2694344
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. hardware security exploits
  2. processor errata
  3. security-critical processor errata

Qualifiers

  • Research-article

Conference

ASPLOS '15

Acceptance Rates

ASPLOS '15 Paper Acceptance Rate 48 of 287 submissions, 17%;
Overall Acceptance Rate 535 of 2,713 submissions, 20%

Article Metrics

  • Downloads (Last 12 months): 258
  • Downloads (Last 6 weeks): 49
Reflects downloads up to 15 Oct 2024

Cited By

  • (2024) Theoretical Patchability Quantification for IP-Level Hardware Patching Designs. 2024 29th Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 951-956. DOI: 10.1109/ASP-DAC58780.2024.10473895. Online publication date: 22-Jan-2024
  • (2023) Securing Network Information System Design: An Efficient Tool for DSP Undocumented Instruction Mining. Applied Sciences 13:6 (3931). DOI: 10.3390/app13063931. Online publication date: 20-Mar-2023
  • (2023) SEIF: Augmented Symbolic Execution for Information Flow in Hardware Designs. Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy, pp. 1-9. DOI: 10.1145/3623652.3623666. Online publication date: 29-Oct-2023
  • (2023) Formal Verification of Security Properties on RISC-V Processors. Proceedings of the 21st ACM-IEEE International Conference on Formal Methods and Models for System Design, pp. 159-168. DOI: 10.1145/3610579.3611085. Online publication date: 21-Sep-2023
  • (2023) T-TER: Defeating A2 Trojans with Targeted Tamper-Evident Routing. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 746-759. DOI: 10.1145/3579856.3582837. Online publication date: 10-Jul-2023
  • (2023) SeVNoC: Security Validation of System-on-Chip Designs With NoC Fabrics. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 42:2, pp. 672-682. DOI: 10.1109/TCAD.2022.3179307. Online publication date: Feb-2023
  • (2023) Hardware-Supported Patching of Security Bugs in Hardware IP Blocks. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 42:1, pp. 54-67. DOI: 10.1109/TCAD.2022.3168513. Online publication date: Jan-2023
  • (2022) Don't CWEAT It. Proceedings of the 41st IEEE/ACM International Conference on Computer-Aided Design, pp. 1-9. DOI: 10.1145/3508352.3549369. Online publication date: 30-Oct-2022
  • (2022) RTL-ConTest: Concolic Testing on RTL for Detecting Security Vulnerabilities. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 41:3, pp. 466-477. DOI: 10.1109/TCAD.2021.3066560. Online publication date: Mar-2022
  • (2022) On a Consistency Testing Model and Strategy for Revealing RISC Processor’s Dark Instructions and Vulnerabilities. IEEE Transactions on Computers 71:7, pp. 1586-1597. DOI: 10.1109/TC.2021.3097174. Online publication date: 1-Jul-2022