Isolation on Many-core Architectures

Ramya Jayaram Masti (Institute of Information Security), Devendra Rai (Computer Engineering and Networks Laboratory), Claudio Marforio (Institute of Information Security), Srdjan Čapkun (Institute of Information Security)
Department of Computer Science

Abstract

The use of many-core platforms like Intel's Single-chip Cloud Computer (Intel's SCC) in cloud-like environments requires them to support the security guarantees found in common multi-core platforms. In this work we explore the problem of how to isolate the execution of sensitive processes on many-core platforms. In particular, we identify the desirable properties of a security kernel that enables isolation on such platforms. We design a centralized security kernel that achieves isolation and assumes small hardware changes to Intel's SCC. We prototype our design and report the time needed to set up and execute isolated Linux instances.

Desirable Properties

Isolation
- Small Security Kernel: minimize interaction with co-resident (potentially malicious) software; scheduling and resource management are disengaged from the kernel.
- Restricted Security Kernel Capabilities: minimize the impact of its compromise; it must only be able to terminate a process, not schedule it (DoS).
- Context Awareness: a mechanism to learn the system configuration (e.g., sharing of resources), preferably without interaction with the Security Kernel.

Background

[Figure: many-core system architecture. Tiles (T) holding cores, caches, memory, DMA and a network interface are connected through one router (R) each on the NoC; external DDR and peripherals attach to the network.]

- Tiles communicate over a network-on-chip (NoC).
- Each tile consists of one or more cores, caches, on-tile memory and a DMA controller.
- The network consists of one router per tile.

Design Alternatives

[Figure: two router grids, one showing a Centralized Kernel with a Trusted Agent per tile, the other a Distributed Security Kernel.]

Centralized Security Kernel
- Better disengagement
- Less intrusive (e.g., for clouds)
- Requires hardware support

Distributed Security Kernel
- Avoids a single point of failure
- Implementable on current hardware
- Requires coordination between components

Experiments

[Figure: Intel SCC layout with four memory controllers (MC) and the router grid; the TCB core and cores 0, 2, 4, 6, 8, 10, 36 and 46 are marked.]

[Figure: Linux Setup Time. Four panels (MPB Clear, Reset Core, Linux Load, LUT Setup) plot Time (µs) against Cores Involved for the ranges 0-2, 0-10, 0-36 and 0-46.]

Linux Setup
1. Lookup table (LUT) setup
2. Load executable (i.e., Linux image)
3. Clear on-tile memory (i.e., MPB)
4. Reset core to start execution

Future Work

- Explore other security properties enabled by many-core systems.
- Implement and compare distributed and centralized solutions for Intel's SCC.
- Evaluate other commercially available architectures (e.g., Adapteva's Epiphany, Tilera's TilePro).

Intel's SCC

Legend: R = NoC router, MC = memory controller, NoC = network on chip.

[Figure: SCC tiles on the NoC with four memory controllers. The Security Kernel Tile and an Application Tile each hold two Pentium cores with L2 caches, an MPB, a network interface, LUTs, a Context Aggregator and a Privacy Enabler; on the Application Tile two of these elements are crossed out.]

Centralized Solution

Key intuition: LUTs control access to all system resources. In the current implementation, each core can modify all LUTs in the system.

Required hardware changes:
- Only the security kernel can modify LUTs.
- A Context Aggregator collects the status of the LUTs.
- A Privacy Enabler prevents access to on-tile resources from other tiles/peripherals.

References

Intel Corporation, "SCC External Architecture Specification (EAS)", https://communities.intel.com/servlet/JiveServlet/previewBody/5852-102-1-9012/SCC EAS.pdf
S. Lukovic and N. Christianos, "Enhancing Network-on-chip Components to Support Security of Processing Elements", in Proceedings of the 5th Workshop on Embedded Systems Security (WESS'10), 2010.
S. Peter, T. Roscoe, and A. Baumann, "Barrelfish on the Intel Single-chip Cloud Computer", http://www.barrelfish.org/TN-005-SCC.pdf, 2013.
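As an added illustration (not code from the poster, nor from Intel's SCC documentation), the following Python model ties the four-step Linux setup of the Experiments section to the three hardware changes of the Centralized Solution: per-core LUTs, a LUT write path that accepts only the security kernel, a Context Aggregator that reports resources mapped by more than one core, and a Privacy Enabler for the on-tile MPB. Core and segment counts, resource names and every class and function name are assumptions of this toy model rather than SCC specifics.

```python
"""Toy model of LUT-mediated isolation on an SCC-like many-core chip.

Constructed example, not the poster's code. Each core owns a lookup table
(LUT) mapping address segments to physical resources. On unmodified hardware
any core may write any LUT; in the centralized design only the kernel core
may. The Context Aggregator reads every LUT to find shared resources, and
the Privacy Enabler blocks off-tile access to on-tile memory (the MPB).
"""
from collections import defaultdict

CORES_PER_TILE = 2          # an SCC tile carries two cores
SECURITY_KERNEL_CORE = 0    # assumed home of the centralized security kernel


class Chip:
    """Cores, per-core LUTs, per-tile MPBs and the three proposed additions."""

    def __init__(self, num_cores, hardened):
        self.hardened = hardened                       # gate LUT writes on requester
        self.luts = {c: {} for c in range(num_cores)}  # core -> {segment: resource}
        self.mpb = {t: b"" for t in range(num_cores // CORES_PER_TILE)}
        self.privacy = set()    # tiles whose MPB is shielded from other tiles
        self.memory = {}        # resource -> loaded bytes (toy DDR)
        self.running = {}       # core -> resource it was reset to boot from
        self.log = []

    @staticmethod
    def tile_of(core):
        return core // CORES_PER_TILE

    # Hardware change 1: only the security kernel may modify any LUT.
    def lut_write(self, requester, target, segment, resource):
        if self.hardened and requester != SECURITY_KERNEL_CORE:
            self.log.append(f"core {requester}: LUT write to core {target} denied")
            return False
        self.luts[target][segment] = resource
        return True

    # Hardware change 2: the Context Aggregator reports resources mapped by
    # more than one core, so isolation is checked without trusting the cores.
    def shared_resources(self):
        users = defaultdict(set)
        for core, lut in self.luts.items():
            for resource in lut.values():
                users[resource].add(core)
        return {r: cores for r, cores in users.items() if len(cores) > 1}

    def is_isolated(self, core):
        mine = set(self.luts[core].values())
        return not (mine & set(self.shared_resources()))

    # Hardware change 3: the Privacy Enabler rejects MPB access from other tiles.
    def mpb_write(self, requester, tile, data):
        if tile in self.privacy and self.tile_of(requester) != tile:
            self.log.append(f"core {requester}: MPB write to tile {tile} denied")
            return False
        self.mpb[tile] = data
        return True


def setup_isolated_linux(chip, core, image, private_mem):
    """Security kernel provisions one core with an isolated Linux instance,
    following the poster's four steps. Returns True on success."""
    kernel = SECURITY_KERNEL_CORE
    # 1. LUT setup: map the core's segments to its private memory pages only.
    for segment, page in enumerate(private_mem):
        if not chip.lut_write(kernel, core, segment, page):
            return False
    if not chip.is_isolated(core):          # another core already maps a page
        chip.log.append(f"core {core}: private memory is shared, aborting")
        return False
    # 2. Load the executable (the Linux image) into the private region.
    chip.memory[private_mem[0]] = image
    # 3. Clear the on-tile MPB so no stale data reaches the new instance,
    #    then shield the tile before handing it over.
    tile = chip.tile_of(core)
    chip.privacy.discard(tile)
    chip.mpb_write(kernel, tile, b"\x00" * 16)
    chip.privacy.add(tile)
    # 4. Reset the core so it starts executing from the loaded image.
    chip.running[core] = private_mem[0]
    return True


def demo():
    """Same provisioning on unmodified vs. hardened hardware."""
    image = b"vmlinux-bytes"                   # constructed stand-in for an image
    pages = [("MC0", p) for p in range(4)]     # toy DDR pages behind controller 0

    legacy = Chip(num_cores=4, hardened=False)
    assert setup_isolated_linux(legacy, core=1, image=image, private_mem=pages)
    legacy.lut_write(3, 3, 0, pages[0])        # core 3 aliases core 1's first page
    legacy_isolated = legacy.is_isolated(1)    # False: isolation silently lost

    hard = Chip(num_cores=4, hardened=True)
    assert setup_isolated_linux(hard, core=1, image=image, private_mem=pages)
    denied = not hard.lut_write(3, 3, 0, pages[0])
    hard_isolated = hard.is_isolated(1)        # True: the aliasing write was refused
    mpb_blocked = not hard.mpb_write(3, Chip.tile_of(1), b"junk")
    return legacy_isolated, hard_isolated, denied, mpb_blocked


if __name__ == "__main__":
    print(demo())
```

Running the script prints (False, True, True, True): on the unmodified hardware a co-resident core can alias the isolated core's memory into its own LUT and the aggregator is the only thing that notices, whereas with the gated LUT write path the write is refused, the aggregator's view stays clean, and the Privacy Enabler keeps the other tile out of the MPB.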