Architectural Support for Software-Defined Metadata Processing

Abstract: Optimized hardware for propagating and checking softwareprogrammable metadata tags can achieve low runtime overhead. We generalize prior work on hardware tagging by considering a generic architecture that supports softwaredefined policies over metadata of arbitrary size and complexity; we introduce several novel microarchitectural optimizations that keep the overhead of this rich processing low. Our model thus achieves the efficiency of previous hardwarebased approaches with the flexibility of the software-bas… Show more

“…Several proposed hardware mechanisms are directly targeted at speeding up CFI [21], [34]; here we achieve CFI using a generic hardware mechanism in a formally verified way. The PUMP mechanism supports finegrained CFI with average runtime overheads below 2% [39]. Previous formal verification efforts for CFI include ARMor [89] and KCoFI [30].…”

“…Many designs for hardware monitors have been proposed, with early designs focusing on enforcing single, hard-wired security policies [21], [22], [29], [71], [73], [79] and later ones evolving toward more programmable mechanisms [23], [31], [37], [38], [45], [70], [83] that allow quicker adaptation to a shifting attack landscape. Recent work has gone yet further in this direction by defining a generic, fully programmable hardware/software architecture for tag-based monitoring on a conventional processor extended with a Programmable Unit for Metadata Processing (PUMP) [39].…”

“…It provides great flexibility for defining policies and puts no arbitrary limitations on the size of the metadata and the number of policies supported. Hardware simulations show [39] that an Alpha processor extended with PUMP hardware achieves performance comparable to dedicated hardware when simultaneously enforcing memory safety, CFI, and taint tracking on a standard benchmark suite [49]. Monitoring imposes modest impact on runtime (typically under 10%) and power ceiling (less than 10%), in return for some increase in energy usage (typically under 60%) and chip area (110%).…”

“…Monitor services are provided to allow user programs to create new keys and to seal and unseal data values with given keys. We instantiate this symbolic machine with a diverse set of security micro-policies: 1) dynamic sealing [62], [80]; 2) compartmentalization, which sandboxes untrusted code and allows it to be run alongside trusted code [84]; 3) control-flow integrity (CFI), which prevents code-reuse attacks such as return-oriented programming [6]; and 4) memory safety, which prevents temporal and spatial violations for heap-allocated data [39]. The intended behavior of each micro-policy is specified by an abstract machine (top layer in Figure 1), which gives a clear characterization of the micro-policy's behavior as seen by a user-level programmer.…”

“…Finally, we extend this methodology to the hardware level by showing how instances of the symbolic machine can be realized on a low-level concrete machine, a minimalist RISC ISA extended with the key mechanisms of the PUMP hardware architecture [39] (bottom layer in Figure 1). Every word of data in this machine is associated with a piece of metadata called a tag-itself a full machine word that can, in particular, hold a pointer to an arbitrary data structure in memory.…”

Micro-Policies: Formally Verified, Tag-Based Security Monitors

“…Several proposed hardware mechanisms are directly targeted at speeding up CFI [21], [34]; here we achieve CFI using a generic hardware mechanism in a formally verified way. The PUMP mechanism supports finegrained CFI with average runtime overheads below 2% [39]. Previous formal verification efforts for CFI include ARMor [89] and KCoFI [30].…”

“…Many designs for hardware monitors have been proposed, with early designs focusing on enforcing single, hard-wired security policies [21], [22], [29], [71], [73], [79] and later ones evolving toward more programmable mechanisms [23], [31], [37], [38], [45], [70], [83] that allow quicker adaptation to a shifting attack landscape. Recent work has gone yet further in this direction by defining a generic, fully programmable hardware/software architecture for tag-based monitoring on a conventional processor extended with a Programmable Unit for Metadata Processing (PUMP) [39].…”

“…It provides great flexibility for defining policies and puts no arbitrary limitations on the size of the metadata and the number of policies supported. Hardware simulations show [39] that an Alpha processor extended with PUMP hardware achieves performance comparable to dedicated hardware when simultaneously enforcing memory safety, CFI, and taint tracking on a standard benchmark suite [49]. Monitoring imposes modest impact on runtime (typically under 10%) and power ceiling (less than 10%), in return for some increase in energy usage (typically under 60%) and chip area (110%).…”

“…Monitor services are provided to allow user programs to create new keys and to seal and unseal data values with given keys. We instantiate this symbolic machine with a diverse set of security micro-policies: 1) dynamic sealing [62], [80]; 2) compartmentalization, which sandboxes untrusted code and allows it to be run alongside trusted code [84]; 3) control-flow integrity (CFI), which prevents code-reuse attacks such as return-oriented programming [6]; and 4) memory safety, which prevents temporal and spatial violations for heap-allocated data [39]. The intended behavior of each micro-policy is specified by an abstract machine (top layer in Figure 1), which gives a clear characterization of the micro-policy's behavior as seen by a user-level programmer.…”

“…Finally, we extend this methodology to the hardware level by showing how instances of the symbolic machine can be realized on a low-level concrete machine, a minimalist RISC ISA extended with the key mechanisms of the PUMP hardware architecture [39] (bottom layer in Figure 1). Every word of data in this machine is associated with a piece of metadata called a tag-itself a full machine word that can, in particular, hold a pointer to an arbitrary data structure in memory.…”

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Exploring effective uses of the tagged memory for reducing bounds checking overheads

CPP: A lightweight memory page management extension to prevent code pointer leakage