Posted on 20-Jan-2016

Trusted ILLIAC - A Configurable, Application-Aware, High-Performance Platform for Trustworthy Computing

Ravishankar Iyer, Wen-mei Hwu, Klara Nahrstedt, William Sanders, Zbigniew Kalbarczyk


Vision

Reliability and Security Engine (RSE)

Advanced Compiler (IMPACT)

Global Infotech: Pathways to the Future with Global Partnerships

Provide an application-specific level of reliability and security while delivering optimal performance.

Customized levels of trust are enforced via an integrated approach involving:

• re-programmable hardware
• compiler methods to (i) extract security and reliability properties and (ii) accelerate computation
• configurable OS and middleware

RSE Framework

[Figure: RSE Framework block diagram. The pipeline stages IF, ID, EX, MEM and Commit expose Fetch_Out, RegFile_Data, Execute_Out, Memory_Out and Commit_Out to a Framework Interface Fabric, which routes the instruction (INST), register numbers and values, ALU result and address / next PC, data loaded from memory, Mem_Rdy and Commit/Squash signals to the hardware modules: Pre-emptive Control-flow Checking, Process Health Monitor, Selective Replication, Pointer Taintedness Tracking and a Manager; an Instruction Queue is shown alongside.]

Reconfigurable processor-level hardware framework to provide application-aware checks for reliability and security

• Processor, framework, and modules on a single die
• Framework and modules implemented on an FPGA
• Framework configured to embed the hardware modules needed by the application and to route inputs to those modules

[Figure: Advanced Compiler (IMPACT) flow. Driving applications (Games, Multimedia, Physiological Simulation, Medical Imaging) supply C code; Deep Analysis (Pointer Analysis, Specialized Analysis, Programming Models) and Deep Transformation (Loop Transformation, Program Simplification, Future Transformations) produce specialized C and/or machine code for Multiprocessor Synthesis, FPGA Synthesis Tools and SMP/CMP Development Tools.]

Loop Transformation
o Fission
o Fusion
o Distribution
o Strip-mining

Program Simplification
o Recursion Removal
o Pointer Removal
o Data Structure Adjustment
o Memory Partitioning

Specialized Analysis
o Advanced Memory Dataflow
o Branch Correlation
o Value Flow

Pointer Analysis
o Advanced Flow-sensitivity
o Context Sensitivity
o Heap Cloning
o Field Sensitivity
o Pointer Arithmetic
o Scalability

Enable automated generation of hardware to prototype and demonstrate: (i) acceleration of computation and (ii) application-aware detectors in realistic scenarios

Middleware Services for Preventing DoS Attacks in Large-Scale Systems

Subset of trusted nodes called oversight nodes cooperate to manage node download information objects

Develop security middleware services to control multimedia streaming in a secure and robust fashion.

[Figure: two panels, "Without Oversight" and "With Oversight Nodes", showing media-object requests and grants in a ring of nodes 0x0 to 0x7. Without oversight: node 0x4, already downloading media objects 0x6 and 0x1 at rate = 350 each, requests media object 0x3 (rate = 350) from node 0x0 and is granted it; its node download info then reads current = 1050 against max allowed = 1000. With oversight nodes: node 0x0 instead queries an oversight node about node 0x4 adding 350 to its download rate; the oversight nodes (among nodes 0x2, 0x5 and 0x7) retrieve and send the node download information for node 0x4 (key 0x4, current = 700, max allowed = 1000), and the request from node 0x4 is denied.]
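The request/query/deny exchange from the figure, written out as an added example (not the Trusted ILLIAC project's own middleware code). Node ids, the rate of 350 per media object and the allowance of 1000 come from the figure; the message names, the rule assigning each node key to one oversight node, the serving nodes for objects 0x6 and 0x1, and the data structures are assumptions made for this example.

```python
"""Oversight-node admission control for media-object streaming.

Added example, not the Trusted ILLIAC project's own code. Node 0x4 already
streams media objects 0x6 and 0x1 at rate 350 each and asks node 0x0 for
object 0x3, also at rate 350, against a per-node allowance of 1000 (values
from the poster's figure). Message names, key-to-oversight mapping, the
serving nodes for 0x6 and 0x1 and the classes below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DownloadInfo:
    """Node download information object: node key, current total rate, allowance."""
    key: int
    current: int
    max_allowed: int


class OversightNode:
    """Trusted node holding the download information of the nodes it oversees."""

    def __init__(self, node_id: int) -> None:
        self.node_id = node_id
        self.records: dict[int, DownloadInfo] = {}

    def register(self, info: DownloadInfo) -> None:
        self.records[info.key] = info

    def query(self, requester: int, added_rate: int) -> bool:
        """Answer 'query about node X adding R to download rate': grant only
        if the new total stays within the allowance, and record the grant so
        later queries see the updated total."""
        info = self.records[requester]
        if info.current + added_rate > info.max_allowed:
            return False
        info.current += added_rate
        return True


class OversightGroup:
    """The cooperating subset of trusted nodes. Each node key is owned by one
    oversight node, chosen here by key modulo group size (an assumption), so
    every serving node consults the same authority about a given requester."""

    def __init__(self, members: list[OversightNode]) -> None:
        self.members = members

    def owner_of(self, key: int) -> OversightNode:
        return self.members[key % len(self.members)]

    def register(self, info: DownloadInfo) -> None:
        self.owner_of(info.key).register(info)

    def query(self, requester: int, added_rate: int) -> bool:
        return self.owner_of(requester).query(requester, added_rate)


class StreamingNode:
    """A node serving media objects; consults the oversight group if present."""

    def __init__(self, node_id: int, objects: dict[int, int],
                 oversight: OversightGroup | None) -> None:
        self.node_id = node_id
        self.objects = objects          # media object key -> streaming rate
        self.oversight = oversight

    def handle_request(self, requester: int, object_key: int) -> str:
        rate = self.objects[object_key]
        if self.oversight is None:
            # Without oversight nothing tracks the requester's total rate.
            return "grant"
        return "grant" if self.oversight.query(requester, rate) else "deny"


def run_scenario(with_oversight: bool) -> tuple[list[str], int]:
    """Replay the figure; return the per-request decisions and node 0x4's total rate."""
    group = None
    if with_oversight:
        group = OversightGroup([OversightNode(0x2), OversightNode(0x5), OversightNode(0x7)])
        group.register(DownloadInfo(key=0x4, current=0, max_allowed=1000))
    # Node 0x0 serves object 0x3 as in the figure; the other two servers are assumed.
    servers = {
        0x3: StreamingNode(0x0, {0x3: 350}, group),
        0x6: StreamingNode(0x6, {0x6: 350}, group),
        0x1: StreamingNode(0x1, {0x1: 350}, group),
    }
    requester, total, decisions = 0x4, 0, []
    for key in (0x6, 0x1, 0x3):         # requests in the order node 0x4 makes them
        decision = servers[key].handle_request(requester, key)
        decisions.append(decision)
        if decision == "grant":
            total += servers[key].objects[key]
    return decisions, total


if __name__ == "__main__":
    print("without oversight:", run_scenario(False))  # (['grant', 'grant', 'grant'], 1050)
    print("with oversight:   ", run_scenario(True))   # (['grant', 'grant', 'deny'], 700)
```

The serving node never trusts the requester's own account of its download rate: the decision rests on the record kept by the oversight node that owns the requester's key, which is what keeps a single node from pulling more than its allowance and starving others.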


Validation of Trusted ILLIAC Configurations (Möbius Modeling Environment)

Möbius atomic models represent different Trusted ILLIAC node designs and attack/fault models.

[Figure: model-driven recovery controller (the diagram appears three times in the extraction). Observations from SNMP monitors (HTTP1 Monitor, HTTP2 Monitor, Host) enter a Bayesian Update that produces a Diagnosis Vector; Trajectory Tree Computation, using POMDP bounds (an RA-Bound computed offline from the model of faults, actions, monitors and rewards, and improved online with a simulation model), predicts Future Outputs and selects an action (Disable, Reboot, Restart) that the Recovery Engine applies through an SNMP Manager to the target system (Host A: Web1 Server and App1 Server; Host B: Web2 Server and App2 Server; Host C: DB; 50% load splits between the web and application servers); Measured Action Durations are fed back to the controller.]

Preserving system health using adaptive recovery

Model-Driven Recovery Controller
• Path-based monitors to detect failures
• Probabilistic Bayesian diagnosis to estimate the cause of failure
• Stochastic planning to choose the recovery action

Model-Driven Trust Management

Considering:

• Misbehaving users
• Malicious users
• Selfish users

Signature extraction

Choose security-critical variables based on application semantics.

Employ compile-time static program analysis to:

• extract the backward slice, which collates all dependent instructions along each control path
• form a signature, which encodes the dependences as a set (or sequence) of instruction PCs along each control path

Program data-flow violations indicate malicious tampering.

Transform the derived signatures into runtime assertions, integrated within the application code or implemented in hardware for on-line error checking.
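The signature-extraction steps above, carried through on a small constructed program as an added example (not the Trusted ILLIAC project's own analysis or hardware). The toy instruction format, the variable names, the two control paths and the tampering trace are all constructed for this example; control dependences are captured by keeping one signature per control path, so each slice contains data dependences only, and the hardware or in-code placement of the assertion is not modeled.

```python
"""Data-flow signatures for a security-critical variable.

Added example, not the Trusted ILLIAC project's own code. Steps: pick a
security-critical variable, take its backward slice along each control
path, encode each slice as a set of instruction PCs (the signature), and
assert at run time that the PCs which actually contributed to the
variable form one of those signatures. Program, paths and the tampering
trace are constructed for this example.
"""
from __future__ import annotations

# pc -> (destination variable, source variables). Each instruction is an
# assignment whose value depends only on its sources; control flow is given
# separately as the PC sequence of each control path.
PROGRAM: dict[int, tuple[str, list[str]]] = {
    0: ("uid", []),                 # uid   = read_request_user()
    1: ("role", ["uid"]),           # role  = lookup_role(uid)
    2: ("cond", ["role"]),          # cond  = (role == ADMIN); branch on cond
    3: ("lim", []),                 # lim   = 10                (cond true)
    4: ("lim", []),                 # lim   = 1                 (cond false)
    5: ("quota", ["lim", "uid"]),   # quota = allocate(lim, uid)  security-critical
    6: ("tmp", ["uid"]),            # tmp   = log_id(uid)       unrelated
}
PATHS = {"admin": [0, 1, 2, 3, 5, 6], "user": [0, 1, 2, 4, 5, 6]}
CRITICAL = "quota"


def backward_slice(program, path, var):
    """PCs on `path` whose results flow into the final value of `var`."""
    needed = {var}
    pcs = set()
    for pc in reversed(path):
        dest, srcs = program[pc]
        if dest in needed:
            pcs.add(pc)
            needed.discard(dest)
            needed.update(srcs)
    return frozenset(pcs)


def extract_signatures(program, paths, var):
    """One signature (a set of instruction PCs) per control path."""
    return {name: backward_slice(program, path, var) for name, path in paths.items()}


def trace_for(program, path):
    """Benign execution trace: (pc, dest, srcs) events in path order."""
    return [(pc, *program[pc]) for pc in path]


def track(trace, var):
    """Run-time dependence tracking: every variable carries the set of PCs
    that contributed to its current value; return the set for `var`."""
    deps: dict[str, frozenset[int]] = {}
    for pc, dest, srcs in trace:
        contrib = {pc}
        for s in srcs:
            contrib |= deps.get(s, frozenset())
        deps[dest] = frozenset(contrib)
    return deps.get(var, frozenset())


def check(trace, signatures, var):
    """The runtime assertion: the observed dependence set must equal the
    signature of some control path; anything else is a data-flow violation."""
    return track(trace, var) in signatures.values()


SIGNATURES = extract_signatures(PROGRAM, PATHS, CRITICAL)
# -> {"admin": {0, 3, 5}, "user": {0, 4, 5}}

# Constructed tampering: a write to `lim` that is not part of the program
# (pc 99 stands for a corrupted store) lands between the legitimate
# definition of `lim` and its use, so `quota` now depends on {0, 5, 99}.
TAMPERED_TRACE = trace_for(PROGRAM, PATHS["admin"])
TAMPERED_TRACE.insert(4, (99, "lim", []))

if __name__ == "__main__":
    print("signatures:", {k: sorted(v) for k, v in SIGNATURES.items()})
    print("benign admin path ok:", check(trace_for(PROGRAM, PATHS["admin"]), SIGNATURES, CRITICAL))
    print("tampered path ok:    ", check(TAMPERED_TRACE, SIGNATURES, CRITICAL))
```

Because the signatures are fixed at compile time, the run-time side only has to propagate small PC sets and compare one of them at the use of the critical variable, which is what makes the check cheap enough to place in application code or in a hardware module.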
