Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Efficient Timing Channel Protec3on for On-‐Chip Networks
Yao Wang and G. Edward Suh
Cornell University
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Future large-‐scale mul3-‐cores will be shared among mul3ple applica3ons / virtual machines
On-‐Chip Networks are Shared Resources
NOCS 2012 2/21
Virtual Machine A
Virtual Machine B
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Problem: Timing Channels Shared NoC causes interference
NOCS 2012 3/21
Network interference introduces 3ming channels • Side channel • Covert channel
High assurance systems requires security guarantee • Example: Corporate virtual machines on the cloud
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
RSA Example RSA : a public key cryptographic algorithm • Prone to 3ming channel aVacks
NOCS 2012 4/21
Core 0
MC 0
Core 1
MC 1
Core 2
MC 2
Crossbar
RSA AVacker
key: 0110…
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
RSA Example RSA : a public key cryptographic algorithm • Prone to 3ming channel aVacks
NOCS 2012 5/21
0 0.2 0.4 0.6 0.8 1220
230
240
250
260
270
280
Fraction of bit ’1’ in RSA key
Tim
e
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Outline Objec3ve: Eliminate 3ming channels through the shared on-‐chip networks • Completely eliminate informa3on leakage
• Low performance overhead
Rest of the talk • Poten3al approaches • Our solu3on • Evalua3on • Related work • Conclusion
NOCS 2012 6/21
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Use Quality-‐of-‐Service? QoS techniques provide performance isola3on to different network flows
QoS techniques are not enough for security • A flow can use bandwidth beyond its alloca3on • Bandwidth u3liza3on reveals the flow demand
NOCS 2012 7/21
Flow A Demand
Flow B Demand
Flow A BW u3liza3on
100% 100%
100% 0%
1 2 A
B
Bandwidth alloca3on A: 50% B: 50%
50%
100%
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Sta3c Par33oning To eliminate 3ming channels, resource alloca3on cannot depend on run-‐3me demands
Sta3c par33oning • Spa3al Network Par33oning (SNP) • Temporal Network Par33oning (TNP)
Completely eliminate the 3ming channels • High performance overhead
NOCS 2012 8/21
SNP TNP
Cycle 0
Cycle 1 …
VM A VM A
VM B VM B
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
One-‐Way Informa3on Leak Protec3on Usually only one-‐way informa3on protec3on is needed • Mul3-‐level security (MLS) model
One-‐way protec3on is the key for efficient 3ming channel protec3on
NOCS 2012 9/21
Personal APP (Music Player)
Business App (Bank Management)
Regular VM
Corporate VM
Low-‐Security Domain
High-‐Security Domain
Informa3on flow
PC Cloud Compu3ng In general
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Timing Channel through NoC
NOCS 2012 10/21
HS demand 0 1
1
LS th
roughp
ut
HS: High-‐Security Domain LS: Low-‐Security Domain
HS -‐-‐-‐> LS
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Reversed Priority • Assign high priority to low-‐security domain • The behavior (throughput, latency) of low-‐security domain is not affected by high-‐security domain
Sta3c Limits • Low-‐security domain could ini3alize Denial-‐of-‐Service (DoS) aVack
• Sta3c limit controls the amount of traffic that low-‐security domain can send during a certain interval
Reversed Priority with Sta3c Limits (RPSL)
NOCS 2012 11/21
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Implementa3on: Avoid Interference Priority-‐based separable allocator • Input arbiter & Output arbiter
Sta3c virtual channel alloca3on • Avoid head-‐of-‐line blocking
NOCS 2012 12/21
Router
Virtual Channels
Input link 0
1
2
3
Low-‐security Domain
High-‐security Domain
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Sta3c limit control mechanism • Counter & Control logic
Apply to both input and output arbiter
Implementa3on: Avoid DoS
NOCS 2012 13/21
Priority-‐based Arbiter
Counter
Requests
Winning Request
Sta3c limit Control
Low-‐security Domain
High-‐security Domain
Input Arbiter
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Benefits of One-‐Way Protec3on
NOCS 2012 14/21
Time
BW U3liza3on
Total BW
HS
LS
Round-‐robin Allocator
LS
HS
Time
BW U3liza3on
Total BW
HS
LS
Temporal Network Par33oning
LS
HS
Time
BW U3liza3on
Total BW
HS
LS LS
HS
RPSL
1 2 LS
HS
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Experimental Setup Goals of experiments • Timing channel protec3on • DoS protec3on • Performance overhead
Darsim: cycle-‐level NoC simulator
Comparison of three schemes • Round-‐robin allocator (ISLIP) • Temporal Network Par33oning (TNP) • Reversed Priority with Sta3c Limits (RPSL)
NOCS 2012 15/21
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Timing Channel: No Protec3on Simple network
Round-‐robin allocator
NOCS 2012 16/21
1 2 3 4 Low-‐security Domain
High-‐security Domain
HS
LS
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
HS offered BW (flit/cycle)LS o
bser
ved
BW (f
lit/c
ycle
)
1.0 flit/cycle
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
LS offered BW (flit/cycle)HS
obse
rved
BW
(flit
/cyc
le)
1.0 flit/cycle
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Timing Channel: Two-‐way Protec3on Simple network
Temporal Network Par33oning
NOCS 2012 17/21
1 2 3 4 Low-‐security Domain
High-‐security Domain
HS
LS
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
HS offered BW (flit/cycle)LS o
bser
ved
BW (f
lit/c
ycle
)
1.0 flit/cycle1.0 flit/cycle1.0 flit/cycle
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
LS offered BW (flit/cycle)HS
obse
rved
BW
(flit
/cyc
le)
1.0 flit/cycle
0.4/1.0
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Timing Channel: One-‐way Protec3on Simple network
Reversed Priority with Sta3c Limits (Sta3c limit = 0.8)
NOCS 2012 18/21
1 2 3 4 Low-‐security Domain
High-‐security Domain
HS
LS
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
HS offered BW (flit/cycle)LS o
bser
ved
BW (f
lit/c
ycle
)
1.0 flit/cycle
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
LS offered BW (flit/cycle)HS
obse
rved
BW
(flit
/cyc
le)
1.0 flit/cycle1.0/1.0
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Performance Applica3ons show bursty traffic
RPSL is efficient for bursty traffic
NOCS 2012 19/21
0 20 40 60 80 1000
500
1000
1500
2000
2500
3000
Timeline/ (million cycles)
Inje
cted
flits
eve
ry m
illion
cyc
les
FFTOCEAN
HIGH
LOW
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Related Work Side-‐channel protec3on • Shared resources are prone to side-‐channel aVacks, e.g. shared caches, branch predic3on • Cannot be applied to NoC
QoS schemes • Allows resource usage beyond alloca3on • Insufficient to prevent 3ming channel aVacks
Composability • Remove interference between applica3ons for fast integra3on • Require bi-‐direc3onal non-‐interference, incur high performance overhead
NOCS 2012 20/21
Title Efficient Timing Channel Protec3on for On-‐Chip Networks
Conclusion Shared on-‐chip networks introduce 3ming channels • Prevent effec3ve sharing of large-‐scale NoC in high assurance systems
One-‐way 3ming channel protec3on is sufficient in many situa3ons
RPSL provides efficient one-‐way 3ming channel protec3on • Incurs low performance overhead
NOCS 2012 21/21
