THE DESIGN AND IMPLEMENTATION OF HARDWARE SYSTEMS
FOR INFORMATION FLOW TRACKING
A DISSERTATION
SUBMITTED TO THE DEPARTMENT OF ELECTRICAL
ENGINEERING
AND THE COMMITTEE ON GRADUATE STUDIES
OF STANFORD UNIVERSITY
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE DEGREE OF
DOCTOR OF PHILOSOPHY
Hari Kannan
April 2010
© 2010 by Hari S Kannan. All Rights Reserved.
Re-distributed by Stanford University under license with the author.
This work is licensed under a Creative Commons Attribution-
Noncommercial 3.0 United States License.
http://creativecommons.org/licenses/by-nc/3.0/us/
This dissertation is online at: http://purl.stanford.edu/hv823zb4872
I certify that I have read this dissertation and that, in my opinion, it is fully adequate
in scope and quality as a dissertation for the degree of Doctor of Philosophy.
Christoforos Kozyrakis, Primary Adviser
I certify that I have read this dissertation and that, in my opinion, it is fully adequate
in scope and quality as a dissertation for the degree of Doctor of Philosophy.
Subhasish Mitra
I certify that I have read this dissertation and that, in my opinion, it is fully adequate
in scope and quality as a dissertation for the degree of Doctor of Philosophy.
Oyekunle Olukotun
Approved for the Stanford University Committee on Graduate Studies.
Patricia J. Gumport, Vice Provost Graduate Education
This signature page was generated electronically upon submission of this dissertation in
electronic format. An original signed hard copy of the signature page is on file in
University Archives.
Abstract
Computer security is a critical problem impacting every segment of social life. Recent
research has shown that Dynamic Information Flow Tracking (DIFT) is a promising technique
for detecting a wide range of security attacks. With hardware support, DIFT can
provide comprehensive protection to unmodified application binaries against input validation
attacks such as SQL injection, with minimal performance overhead. This dissertation
presents Raksha, the first flexible hardware platform for DIFT that protects both unmodified
applications and the operating system from low-level memory corruption exploits
such as buffer overflows and from high-level semantic vulnerabilities such as SQL injection
and cross-site scripting. Raksha uses tagged memory to support multiple, programmable
security policies that can protect the system against concurrent attacks. The dissertation also describes
the full-system prototype of Raksha, constructed using a synthesizable SPARC V8 core
and an FPGA board. This prototype provides comprehensive security protection with no
false positives and minimal performance and area overheads.
Traditional DIFT architectures require significant changes to the processor and its caches,
and are not portable across different processor designs. This dissertation addresses this
practicality issue of hardware DIFT and proposes an off-core coprocessor approach that
greatly reduces the design and validation costs associated with hardware DIFT systems.
Observing that DIFT operations and regular computation need only synchronize on system
calls to maintain security guarantees, the coprocessor decouples all DIFT functionality
from the main core. Using a full-system prototype based on a synthesizable SPARC core,
it shows that the coprocessor approach to DIFT provides the same security guarantees
as Raksha, with low performance and hardware overheads. It also provides a practical
and fast hardware solution to the problem of inconsistency between data and metadata in
multiprocessor systems when DIFT functionality is decoupled from the main core.
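The two mechanisms sketched above, per-policy tag bits that propagate through registers and tagged memory and are checked at dangerous uses, and a DIFT coprocessor that replays the main core's instruction trace and synchronizes with it only at system calls, as an added toy model. This is illustration written for this page, not code from the Raksha or coprocessor prototypes; the eight-register instruction set, the two-bit policy encoding (P_MEM, P_SQL), the `input` and `sqlop` pseudo-instructions, and the sample programs are all constructed for the example.

```python
"""Toy model of hardware DIFT: tagged memory, per-policy tag bits, and a DIFT
coprocessor that replays the main core's instruction trace and synchronizes
with it only at system calls. Added illustration; instruction set and policy
encoding are hypothetical, not those of the Raksha prototype."""
from collections import deque

P_MEM = 0b01          # memory-corruption policy: tainted data must not become a code pointer
P_SQL = 0b10          # SQL-injection policy: tainted bytes must not form query structure
ALL_POLICIES = P_MEM | P_SQL


class SecurityException(Exception):
    """A tag check failed; a real design would raise a security exception here."""


class MainCore:
    """Runs the data computation and retires (instruction, resolved address)
    pairs into a trace queue. It never looks at tags."""

    def __init__(self, coproc, mem_words=16):
        self.regs, self.mem = [0] * 8, [0] * mem_words
        self.coproc, self.trace = coproc, deque()

    def run(self, program):
        for ins in program:
            op, addr = ins[0], None
            if op in ("li", "input"):            # "input" models an untrusted read
                self.regs[ins[1]] = ins[2]
            elif op == "add":
                self.regs[ins[1]] = self.regs[ins[2]] + self.regs[ins[3]]
            elif op == "lw":
                addr = self.regs[ins[2]]
                self.regs[ins[1]] = self.mem[addr]
            elif op == "sw":
                addr = self.regs[ins[2]]
                self.mem[addr] = self.regs[ins[1]]
            elif op not in ("jr", "sqlop", "syscall"):
                raise ValueError(op)
            self.trace.append((ins, addr))
            if op == "syscall":
                # The only synchronization point: the coprocessor must catch up
                # before the kernel acts on possibly tainted state.
                self.coproc.drain(self.trace)
        self.coproc.drain(self.trace)
        return self.regs


class DiftCoprocessor:
    """Holds register and memory tags, propagates them by replaying the trace,
    and checks them where a policy says the use is dangerous."""

    def __init__(self, mem_words=16):
        self.rtag, self.mtag = [0] * 8, [0] * mem_words

    def drain(self, trace):
        while trace:
            self.step(*trace.popleft())

    def step(self, ins, addr):
        op = ins[0]
        if op == "li":
            self.rtag[ins[1]] = 0                     # program constants are trusted
        elif op == "input":
            self.rtag[ins[1]] = ALL_POLICIES          # taint untrusted input for every policy
        elif op == "add":
            self.rtag[ins[1]] = self.rtag[ins[2]] | self.rtag[ins[3]]
        elif op == "lw":
            self.rtag[ins[1]] = self.mtag[addr]       # the tag travels with the data word
        elif op == "sw":
            self.mtag[addr] = self.rtag[ins[1]]
        elif op == "jr":
            self.check(op, self.rtag[ins[1]], P_MEM)  # indirect jump through a register
        elif op == "sqlop":
            self.check(op, self.rtag[ins[1]], P_SQL)  # byte used as SQL query structure

    @staticmethod
    def check(op, tag, policy):
        if tag & policy:
            raise SecurityException(f"{op} on value tagged {tag:#04b}, policy {policy:#04b}")


def run_checked(program):
    """Run a program on a fresh core/coprocessor pair; return (core, outcome)."""
    core = MainCore(DiftCoprocessor())
    try:
        core.run(program)
        return core, "allowed"
    except SecurityException:
        return core, "caught"


def demo():
    # Constructed stack-smash: untrusted input overwrites a saved code pointer at mem[8].
    overflow = [("li", 1, 8), ("li", 2, 0x40), ("sw", 2, 1),
                ("input", 3, 0xbad), ("sw", 3, 1), ("lw", 4, 1), ("jr", 4)]
    # Constructed injection: an untrusted quote character reaches query structure ...
    sqli = [("input", 3, ord("'")), ("sqlop", 3)]
    # ... while the same character as a program constant is fine (no false positive).
    sql_ok = [("li", 3, ord("'")), ("sqlop", 3)]
    # Decoupling: the tainted jr is only checked at the syscall, so r5 is already 7.
    late = [("input", 4, 0x1234), ("jr", 4), ("li", 5, 7), ("syscall",)]
    core, late_outcome = run_checked(late)
    return {"overflow": run_checked(overflow)[1], "sqli": run_checked(sqli)[1],
            "sql_constant": run_checked(sql_ok)[1],
            "late": late_outcome, "r5_after_late_jr": core.regs[5]}


if __name__ == "__main__":
    print(demo())
```

The last scenario is the point of the coprocessor paragraph: because the main core never inspects tags, the tainted indirect jump is detected only when the trace is drained at the next system call, by which time a later instruction has already retired. The security argument is that an attacker gains nothing from that window as long as no system call, and hence no externally visible effect, completes before the coprocessor has caught up.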
This dissertation also explores the use of tagged memory architectures for solving security
problems other than DIFT. Recent work has shown that application policies can be
expressed in terms of information flow restrictions and enforced in an OS kernel, providing
a strong assurance of security. This thesis shows that enforcement of these policies can be
pushed largely into the processor itself by using tagged memory support, which can provide
stronger security guarantees by enforcing application security even if the OS kernel is
compromised. It presents the Loki architecture, which uses tagged memory to directly enforce
application security policies in hardware. Using a full-system prototype, it shows that such
an architecture can help reduce the amount of code that must be trusted by the operating
system kernel.
Acknowledgments
I am deeply indebted to many people for their contributions towards this dissertation, and
the quality of my life while working on it.
It has been a privilege to work with Christos Kozyrakis, my thesis adviser. I am profoundly
grateful for his persistent and patient mentoring, support, and friendship through
my graduate career, starting from the day he called me to convince me to come to Stanford.
I especially appreciate his honest and supportive advice, and his attention to detail while
helping me polish my talks and papers. I have learned a lot from my interactions with him,
which has helped me become a more competent engineer and researcher.
Over the years at Stanford, Subhasish Mitra has been a great sounding board for my
ideas. His feedback on my work has been extremely useful, and his clarity of thought,
inspirational. I am thankful to Kunle Olukotun for serving on my reading committee and to
Krishna Saraswat for chairing the examining committee for my defense. I am also indebted
to David Mazières, Monica Lam, and Dawson Engler for their help and feedback at various
stages of my studies. As an undergraduate, I was fortunate to work with Sanjay Patel. I
thank Sanjay for mentoring me as a researcher, and encouraging me to pursue my doctoral
studies.
During the course of my research, I have had the good fortune of interacting with excellent
partners in industry. I am grateful to Jiri Gaisler, Richard Pender, and the rest of the
team at Gaisler Research for their numerous hours of support and help working with the
Leon processor. I would also like to thank Teresa Lynn for her untiring help with administrative
matters, and Keith Gaul and Charlie Orgish for their technical support. My graduate
studies have been generously funded by Cisco Systems through the Stanford Graduate Fellowships
program, and by Intel through an Intel Foundation Fellowship.
This dissertation would not have been possible without my collaborators. A special
thanks to my friend, philosopher, and colleague, Michael Dalton, who has worked with me
on all my Raksha-related work, since my first day at Stanford. Mike's technical prowess
and acerbic wit have helped enrich my graduate career immensely. I am also thankful to
Nickolai Zeldovich for his guidance and help with the Loki project. JaeWoong Chung
helped spice up our paper writing experience and conference trips immensely. I would also
like to thank Ramesh Illikkal, Ravi Iyer, Mihai Budiu, John Davis, Sridhar Lakshmanamurthy,
and Raj Yavatkar for their guidance and help during my internships. Finally, I
appreciate the camaraderie and support of my current and former group-mates: Suzanne
Rivoire, Chi Cao Minh, Jacob Leverich, Sewook Wee, Woongki Baek, Daniel Sanchez,
Richard Yoo, Anthony Romano, and Austen McDonald. Jacob was an excellent system administrator
for our group, without whose help my RTL simulations would still be running.
On a more personal note, I've been fortunate to have had an amazing friend circle,
both within and outside of Stanford, during my stay in the bay area. Angell Ct. has been
a wonderfully happy abode, and I'm thankful to all the people who helped make it one.
Many thanks to my extended family in the area, who took it upon themselves to feed me
every so often. I've also been fortunate to have been associated with the Stanford chapter
of Asha for Education. Asha's volunteers have continuously amazed me with their level of
dedication and enthusiasm, and their company has made for some delightful times. And
yes, Holi at Stanford rocks! A few acronyms that have helped me preserve my sanity during
times of stress: ARR, MDR, SSI, LGJ, MMI, PMI, TNK, TS, IR, BCL, SRT, RSD, CM,
KH, HH, PGW, YM, YPM.
Finally, I am deeply indebted to my family for the opportunities and support that they
provided me. My mother and sister have been loving and supportive presences, and learned
early not to ask when the Ph.D. would be completed. My father has been an untiring source
of sound guidance and advice, which has stood me in good stead. My grandmother has been
a pillar of strength, and has constantly amazed me with her dedication and discipline.
My life has been enriched by innumerable people who I cannot begin to thank enough.
Saint Tyagaraja's catch-all acknowledgment comes to my rescue: "endarO mahAnubhavulu
antarIki vandanamu".
Contents
Abstract iv
Acknowledgments vi
1 Introduction 1
1.1 Contributions 3
1.2 Thesis Organization 5
2 Background and Motivation 7
2.1 Requirements of Ideal Security Solutions 8
2.2 Dynamic Information Flow Tracking 9
2.3 DIFT Implementations 11
2.3.1 Programming language platforms 11
2.3.2 Dynamic binary translation 12
2.3.3 Hardware DIFT 13
2.4 Summary 14
3 Raksha - A Flexible Hardware DIFT Architecture 16
3.1 DIFT Design Requirements 16
3.1.1 Hardware management of Tags 17
3.1.2 Multiple flexible security policies 18
3.1.3 Software analysis support 19
3.2 The Raksha Architecture 20
3.2.1 Architecture overview 21
3.2.2 Tag propagation and checks 23
3.2.3 User-level security exceptions 26
3.2.4 Discussion 28
3.3 Related Work 29
3.4 Conclusions 30
4 The Raksha Prototype System 32
4.1 The Raksha Prototype System 32
4.1.1 Hardware implementation 33
4.1.2 Software implementation 39
4.2 Security Evaluation 40
4.2.1 Security policies 40
4.2.2 Security experiments 43
4.3 Performance Evaluation 45
4.4 Summary 48
5 A Decoupled Coprocessor for DIFT 49
5.1 Design Alternatives for Hardware DIFT 49
5.2 Design of the DIFT Coprocessor 53
5.2.1 Security model 53
5.2.2 Coprocessor microarchitecture 56
5.2.3 DIFT coprocessor interface 57
5.2.4 Tag cache 60
5.2.5 Coprocessor for in-order cores 61
5.3 Prototype 61