

Isolation on Many-core Architectures
Ramya Jayaram Masti, Devendra Rai, Claudio Marforio, Srdjan Čapkun

[email protected], Institute of Information Security
[email protected], Computer Engineering and Networks Laboratory
[email protected], Institute of Information Security
[email protected], Institute of Information Security
Department of Computer Science

Abstract

The use of many-core platforms like Intel's Single-chip Cloud Computer (Intel's SCC) in cloud-like environments requires them to support the security guarantees found on common multi-core platforms. In this work we explore the problem of how to isolate the execution of sensitive processes on many-core platforms. In particular, we identify the desirable properties of a security kernel that enables isolation on such platforms. We design a centralized security kernel that achieves isolation and assumes small hardware changes to Intel's SCC. We prototype our design and report the time needed to set up and execute isolated Linux instances.

Isolation: Desirable Properties

Small Security Kernel: Minimize interaction with co-resident (potentially malicious) software. Scheduling and resource management are disengaged from the security kernel.

Restricted Security Kernel Capabilities: Minimize the impact of its compromise. It must only be able to terminate a process and not schedule it, so that a compromised kernel is limited to denial of service (DoS).

Context Awareness: A mechanism to learn the system configuration (e.g., sharing of resources), preferably without interaction with the Security Kernel.

Background

[Figure: many-core system architecture. A mesh of tiles (T), one router (R) per tile, forming the NoC; each tile holds cores, caches, memory, DMA and a network interface; external DDR and peripherals attach to the mesh.]

Many-core systems architecture:
Tiles communicate over a network-on-chip (NoC).
Each tile consists of one or more cores, caches, on-tile memory and a DMA controller.
The network consists of one router per tile.

Design Alternatives

[Figure: two layouts of the router mesh, one with a Centralized Kernel on a single tile and one with a Trusted Agent on every tile.]

Distributed Security Kernel:
Avoid single point of failure
Implementable on current hardware
Requires coordination between components

Centralized Security Kernel:
Better disengagement
Less intrusive (e.g., for clouds)
Requires hardware support

Experiments

[Figure: SCC tile map with 24 routers (R) and four memory controllers (MC); a bar labelled TCB (x-axis: 36, 46; y-axis: 0-10). Under the heading Linux Setup Time, four plots of Time (µs) against Cores Involved (0-2, 0-10, 0-36, 0-46), one each for LUT Setup, Linux Load, MPB Clear and Reset Core; the y-axis ranges of the four plots are 0-1.4, 0-18, 0-70 and 0-2.5e+06 µs.]

Setting up an isolated Linux instance (the steps timed above):
1. Lookup Table Setup
2. Load executable (i.e., Linux image)
3. Clear on-tile memory (i.e., MPB)
4. Reset core to start execution

Future Work

Explore other security properties enabled by many-core systems

Implement and compare distributed and centralized solutions for Intel's SCC

Evaluate other commercially available architectures (e.g., Adapteva's Epiphany, Tilera's TilePro)

Intel's SCC

[Figure: Intel's SCC. Legend: R = Router, MC = Memory Controller, NoC = Network on Chip. Tile map with four memory controllers around the router mesh. Two tile diagrams, SECURITY KERNEL TILE and APPLICATION TILE, each with two Pentium cores and their L2 caches, the MPB, the network interface, the LUTs, a Context Aggregator and a Privacy Enabler; on the application tile two components are marked with an X.]

Centralized Solution

Key intuition: LUTs control access to all system resources. In the current SCC implementation, each core can modify all LUTs in the system.

Required hardware changes:
Only the security kernel can modify LUTs.
Context Aggregator collects the status of LUTs.
Privacy Enabler prevents access to on-tile resources from other tiles/peripherals.
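The model below is an added illustration, not code from the poster or from the authors' prototype, of the three hardware changes above together with the four Linux setup steps from the Experiments section. It is a toy Python simulation: tile 0 is assumed to host the security kernel, LUT and MPB sizes are small made-up constants rather than SCC values, region identifiers are constructed strings, and the Privacy Enabler is modelled as a per-tile flag that the security kernel arms after clearing the MPB. The Context Aggregator is modelled as a function that reads every LUT and reports which memory regions are mapped by more than one core, which is the sharing information the security kernel needs to judge whether an instance is isolated.

```python
"""Toy model of LUT-controlled isolation on a many-core NoC (constructed example;
sizes, tile layout and region names are assumptions, not SCC values)."""
from dataclasses import dataclass, field

SECURITY_KERNEL_TILE = 0   # assumption: the security kernel runs on tile 0
LUT_SLOTS = 8              # assumption: a small per-core lookup table for the model
MPB_BYTES = 32             # assumption: size of the per-tile message-passing buffer


class AccessDenied(Exception):
    """Raised where the modelled hardware check would block an access."""


@dataclass
class Tile:
    tile_id: int
    luts: dict                        # core index -> list of LUT_SLOTS region ids
    mpb: bytearray = field(default_factory=lambda: bytearray(MPB_BYTES))
    private: bool = False             # Privacy Enabler armed by the security kernel
    running: set = field(default_factory=set)


class Chip:
    def __init__(self, n_tiles, cores_per_tile=2):
        self.tiles = {t: Tile(t, {c: [None] * LUT_SLOTS for c in range(cores_per_tile)})
                      for t in range(n_tiles)}
        self.memory = {}              # region id -> bytes (modelled off-chip DDR)
        self.audit = []               # events the security kernel would log

    # Hardware change 1: only the security kernel can modify LUTs.
    def write_lut(self, requester_tile, tile, core, slot, region):
        if requester_tile != SECURITY_KERNEL_TILE:
            self.audit.append(("lut-write-denied", requester_tile, tile, core, slot))
            raise AccessDenied(f"tile {requester_tile} may not write LUTs")
        self.tiles[tile].luts[core][slot] = region
        self.audit.append(("lut-write", tile, core, slot, region))

    def translate(self, tile, core, slot):
        """Address translation through the core's own LUT; unmapped slots fault."""
        region = self.tiles[tile].luts[core][slot]
        if region is None:
            raise AccessDenied(f"slot {slot} unmapped on tile {tile} core {core}")
        return region

    # Hardware change 2: the Context Aggregator collects the status of all LUTs.
    def shared_regions(self):
        """Regions mapped by more than one core, i.e. resources that are shared."""
        owners = {}
        for t, tile in self.tiles.items():
            for c, lut in tile.luts.items():
                for region in lut:
                    if region is not None:
                        owners.setdefault(region, set()).add((t, c))
        return {r: sorted(o) for r, o in owners.items() if len(o) > 1}

    def is_isolated(self, tile, core):
        """True when every region this core maps is mapped by no other core."""
        mine = {r for r in self.tiles[tile].luts[core] if r is not None}
        return not (mine & set(self.shared_regions()))

    # Hardware change 3: the Privacy Enabler fences on-tile resources (the MPB).
    def access_mpb(self, requester_tile, tile):
        if self.tiles[tile].private and requester_tile != tile:
            self.audit.append(("mpb-access-denied", requester_tile, tile))
            raise AccessDenied(f"MPB of tile {tile} is private")
        return self.tiles[tile].mpb

    # The four setup steps from the poster, driven by the security kernel.
    def setup_isolated_instance(self, tile, core, image, regions):
        for slot, region in enumerate(regions):                 # 1. LUT setup
            self.write_lut(SECURITY_KERNEL_TILE, tile, core, slot, region)
        self.memory[regions[0]] = bytes(image)                   # 2. load executable
        t = self.tiles[tile]
        t.mpb[:] = bytes(MPB_BYTES)                              # 3. clear on-tile MPB
        t.private = True                                         #    then fence it
        t.running.add(core)                                      # 4. reset core
        return self.is_isolated(tile, core)


def demo():
    """Two instances whose LUTs overlap on one region; the second is not isolated."""
    chip = Chip(n_tiles=4)
    image = b"constructed-linux-image-bytes"
    first = chip.setup_isolated_instance(1, 0, image, ["ddr:0x10", "ddr:0x11"])
    second = chip.setup_isolated_instance(2, 0, image, ["ddr:0x20", "ddr:0x11"])
    return first, second, chip.shared_regions()
```

The point the model makes is that once LUT writes are restricted to the security kernel, isolation becomes a property the kernel can both establish (steps 1-4) and verify from LUT state alone, without trusting the software on the application tiles; an application tile that tries to remap itself or to read another tile's MPB is refused and the refusal is logged.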
