Hardware Support for Safety Interlocks and Introspection

Bibliographic Details
Main Authors: Dhawan, U., Kwon, A., Kadric, E., Hritcu, C., Pierce, B. C., Smith, J. M., DeHon, A., Malecha, G., Morrisett, G., Knight, Thomas F., Sutherland, A., Hawkins, T., Zyxnfryx, A., Wittenberg, D., Trei, P., Ray, S., Sullivan, G.
Format: Conference Proceeding
Language: English
Online Access: Request full text
Description: Hardware interlocks that enforce semantic invariants and allow fine-grained privilege separation can be built with reasonable costs given modern semiconductor technology. In the common error-free case, these mechanisms operate largely in parallel with the intended computation, monitoring the semantic intent of the computation on an operation-by-operation basis without sacrificing cycles to perform security checks. We specifically explore five mechanisms: (1) pointers with manifest bounds (fat pointers), (2) hardware types (atomic groups), (3) processor-supported authority, (4) authority-changing procedure calls (gates), and (5) programmable metadata validation and propagation (tags and dynamic tag management). These mechanisms allow the processor to continuously introspect on its operation, efficiently triggering software handlers on events that require logging, merit sophisticated inspection, or prompt adaptation. We present results from our prototype FPGA implementation of a processor that incorporates these mechanisms, quantifying the logic, memory, and latency requirements. We show that the dominant cost is the wider memory necessary to hold our metadata (the atomic groups and programmable tags), that the added logic resources make up less than 20% of the area of the processor, that the concurrent checks do not degrade processor cycle time, and that the tag cache is comparable to a small L1 data cache.
DOI: 10.1109/SASOW.2012.11
ISBN: 1467351539
Published in: 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops, 2012, p.1-8
Publisher: IEEE
Source: IEEE Electronic Library (IEL) Conference Proceedings
Subjects: complete mediation; hardware interlocks; least privilege; Processor; security; separation of privilege