Verdana Bold 30

1
Flexible Hardware Acceleration for
Instruction-Grain Program Monitoring
Shimin Chen
Joint work with Michael Kozuch1, Theodoros
Strigkos2, Babak Falsafi3, Phillip B. Gibbons1,
Todd C. Mowry1,2, Vijaya Ramachandran4,Olatunji
Ruwase2, Michael Ryan1, Evangelos Vlachos2
1Intel Research Pittsburgh 2CMU 3EPFL 4UT
Austin
2
Instruction-Grain Monitoring

• Software often contain bugs
• Memory corruptions, data races, , crashes
• Security attacks often designed to exploit bugs
• Instruction-grain lifeguards can help
• Dynamic monitoring during application execution
• Instruction-grain e.g., memory access, data flow
• Enables a wide range of powerful lifeguards

3
Example Instruction-Grain Lifeguards

• AddrCheck
• Monitor malloc/free, memory accesses
• Check if all memory accesses visit allocated
  memory regions
• MemCheck AddrCheck check uninitialized values
• Copying partially uninitialized structures is not
  an error
• Lazy error detection to avoid many false
  positives
• Track propagation of uninitialized values
• TaintCheck detect overwrite-based security
  exploits
• Tainted data data from network or disk
• Track propagation of tainted data to detect
  violations
• LockSet detect data races in parallel programs

Nethercote04
Nethercote Seward 03 07
Newsome Song05
Savage et al.97
4
Design Space of Support Platform
Good
Crandall Chong04, Dalton et al07, Shetty
et al06, Shi et al06, Suh et al04,
Venkataramani07, Venkataramani08, Zhou et
al07
Chen et al06 Corliss03
Performance
Bruening04 Luk et al05Nethercote04
Poor
General Purpose Wide Range of Lifeguards
Specific Lifeguard
5
Outline

• Introduction
• Background
• Three Hardware Acceleration Techniques
• Experimental Evaluation
• Conclusion

6
Example Lifeguard TaintCheck
Newsome Song05

• Purpose detect overwrite-based security exploits
• Metadata kept for application memory and
  registers
• Tainted data data from network or disk
• Track taint propagation
• Detect violation e.g., tainted jump target
  address

mov eax ? A mov B ? eax
taint(eax) taint(A) taint(B) taint(eax)
add ebx ? D
taint(ebx) taint(D)
Detect exploit before attack code takes control
jmp (F)
if (taint(F)1) error
7
TaintCheck w/ Detailed Tracking

• TaintCheck
• Detect violation
• 1 taint bit / application byte
• TaintCheck w/ detailed tracking
• Construct taint propagation trail
• More detailed metadata per application location
• PC of Instruction that tainted this location
• tainted from address
• Not supported by previous lifeguard-specific HW

Newsome Song05
8
Instruction-Grain Lifeguard Metadata
Characteristics

• Organization varies
• per application byte/word
• size, format, semantics vary greatly
• Frequently updated
• e.g., propagation tracking
• Frequently checked
• e.g., memory accesses

9
Lifeguard Support
Application (unmodified)
Lifeguard (software)
Event Handlers
Event-capture and delivery
General-Purpose HW improving DBI
Performance bottlenecks metadata mapping,
updates, and checks
10
Our Contributions
Application (unmodified)
Lifeguard (software)
Event Handlers
M-TLB
IT
IF
Event-capture and delivery

• Metadata-TLB for metadata mapping
• Inheritance Tracking for metadata updates
• Idempotent Filters for metadata checks

11
Outline

• Introduction
• Background
• Three Hardware Acceleration Techniques
• Metadata-TLB
• Inheritance Tracking
• Idempotent Filters
• Experimental Evaluation
• Conclusion

12
Metadata-TLB Motivation

• Metadata per app byte/word
• Element size may vary
• Two-level structure
• Robustness space efficiency
• Mapping application address ? metadata address
• Frequently used in almost every handler
• Can be very costly

13
Example (TaintCheck)
void dest_reg_op_mem_4B (UINT32 src_addr
/eax/, UINT32 dest_reg /edx /) // app
instruction type dest_reg ? dest_reg op
mem(src_addr) // handler operation
reg_taint(dest_reg) mem_taint(src_addr)
Metadata Mapping takes 5 out of 8 instructions !
14
Our Solution Metadata-TLB

• A TLB-like HW associative lookup table
• LMA (Load Metadata Address) instruction
• Application address ? lifeguard metadata address
• Managed by (user-mode) lifeguard software

15
Example (TaintCheck) w/ M-TLB
void dest_reg_op_mem_4B (UINT32 src_addr
/eax/, UINT32 dest_reg /edx /) // app
instruction type dest_reg ? dest_reg op
mem(src_addr) // handler operation
reg_taint(dest_reg) mem_taint(src_addr)
Reduce handler size by half !
16
Inheritance Tracking Motivation

• Propagation tracking is expensive
• Metadata updates for almost every app instruction
• Previous hardware solutions track propagation
• automatically update metadata in hardware
• Problem only support simple metadata semantics
• e.g., do not support TaintCheck w/ detailed
  tracking
• Our goal flexibility AND performance
• Idea inheritance structure is common, so lets
  track inheritance in hardware!

17
Problem with General Inheritance Tracking

• Problem state explosion for binary operations !

18
Unary Inheritance Tracking

• Many lifeguards can take advantage of unary IT
• MemCheck
• TaintCheck
• Large performance improvements if used
• Can be disabled if unary IT does not match the
  lifeguard

check
known
check
19
Tracking Register Inheritance
Deliver event
Original event

• More details in the paper
• IT table and state transition table details
• Conflict detection

20
Example
Application
Before
Inheritance Tracking
mem_to_reg reg_to_mem
mem_to_mem
mov eax ? A mov B ? eax
imm_to_mem
mem_to_reg dest_reg_op_mem reg_to_mem
mov ebx ? C add ebx ? D mov E ? ebx
Can significantly reduce metadata update events!
21
Idempotent Filters Idea

• Typically, metadata checks give the same result
  if
• Event parameters are the same and
• Metadata are the same
• Idea filter out idempotent (redundant) events
• For example
• AddrCheck
• After checking that a memory location is
  allocated
• Subsequent loads/stores to the same location are
  safe
• Until the next free() event
• LockSet (surprisingly)
• In between synchronization events (e.g.,
  lock/unlock)
• Check first load to a location
• Check first store to a location

22
Outline

• Introduction
• Background
• Three Hardware Acceleration Techniques
• Experimental Evaluation
• Log-Based Architectures (LBA)
• Simulation Study (w/ reduced input sets)
• PIN-based Analysis (w/ full inputs)
• Conclusion

23
Log-Based Architectures
Application (unmodified)
Lifeguard (software)
Event Handlers
Event-capture and delivery
Log-Based Architecture (LBA)
24
Idea Exploiting Chip Multiprocessors
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
LBA components
25
Simulation Setup Dual-Core LBA System
Extend Virtutech Simics
M-TLB
IT IF

• Application and lifeguard are processes
• Application is stalled when log buffer is full
• Model a 2-level cache hierarchy

26
Overall Performance TaintCheck
1.36X
27
Applying Our Techniques One by One
10.0
AddrCheck
TaintCheck
TaintCheck w/ detailed tracking
LockSet
MemCheck
9.0
7.80
8.0
7.0
6.05
6.0
average slowdowns
5.0
4.25
4.21
3.81
4.0
3.36
3.27
3.23
3.20
2.71
3.0
2.29
1.90
1.51
2.0
1.40
1.36
1.02
1.0
0.0
MTLB
MTLB
MTLB
MTLB
MTLB
BASE
BASE
BASE
BASE
BASE
MTLBIF
MTLBIT
MTLBIT
MTLBIF
MTLBIT
MTLBITIF

• IT, IF, and M-TLB are indeed complementary
• Achieve dramatically better performance

28
PIN-Based Analysis IT

• IT removes 35.8 to 82.0 of the propagation
  events

29
PIN-Based Analysis IF

• IF can effectively reduce check events
• 4-way works as well as fully-associative

30
Conclusion

• Our focus Instruction-Grain Lifeguards
• Three complementary hardware techniques
• Metadata-TLB (M-TLB)
• Inheritance Tracking (IT)
• Idempotent Filters (IF)
• Flexible to support a wide range of lifeguards
• Reducing overheads by 2-3X in our experiments
• Achieving 2-51 overheads for all but MemCheck

31

• Thank you!

32
People Working on LBA Project

• Intel Research
• Shimin Chen
• Phillip B. Gibbons
• University Faculty
• Babak Falsafi (EPFL)
• Todd C. Mowry (CMU)
• CMU Students
• Michelle Goodstein
• Olatunji Ruwase

• Mike Kozuch
• Michael Ryan

• Vijaya Ramachandran (UT Austin)

• Theodoros Strigkos
• Evangelos Vlachos

• Previous Contributors
• Limor Fix (IRP)
• Steve Schlosser (IRP)
• Anastasia Ailamaki (CMU)
• Greg Ganger (CMU)

• Bin Lin (Northwestern)
• Radu Teodorescu (UIUC)