### PHMon: A Programmable Hardware Monitor and Its Security Use Cases

### Leila Delshadtehrani, Sadullah Canakci, Boyou Zhou, Schuyler Eldridge, Ajay Joshi, and Manuel Egele

delshad@bu.edu

Boston University

August 12, 2020




# Motivation

#### **Current Trend**

• Growing demand to enforce security policies in hardware



[Figure: timeline, 1994 to 2018-2019, of memory-safety proposals (SafeC, Hardbound, Softbound, Intel MPX: announced, available, disabled) alongside hardware security extensions: ARM TrustZone, AMD SVM, Intel SGX, Intel TXT, ARM PA, Intel CET, ...]

[AUSTIN, PLDI'94] [DEVIETTI, ASPLOS'08] [NAGARAKATTE, PLDI'09]




#### What if

we could have a flexible hardware implementation that could enhance and enforce a variety of security policies as security threats evolve?!


# Our Proposal - PHMon

### PHMon

- A hardware monitor and the full software stack around it
  - A programmable hardware monitor interfaced with a RISC-V Rocket processor on an FPGA
  - OS support
  - Software API
  - Security use cases

### How Does It Work?

- A user/admin configures the hardware monitor
- The hardware monitor collects the runtime execution information
  - Checks for the specified events, e.g., detects branch instructions
  - Performs follow-up actions, e.g., an ALU operation




### Hardware Overview




# Software Overview

### Software Interface

- A list of functions that use RISC-V's standard ISA extension
  - Configure PHMon
  - Communicate with PHMon

Reset MU-0 and configure the match pattern:

```c
phmon_reset_val(0);
phmon_pattern(0, &mask_inst0);
```

Compare `pc_dst` and `pc_src`, and trigger an interrupt:

```c
action_mu0.op_type = e_OP_ALU;     // ALU operation
action_mu0.in1 = e_IN_DATA_RESP;   // MU_resp
action_mu0.in2 = e_IN_LOC3;        // Local3
action_mu0.fn = e_ALU_SEQ;         // Set Equal
action_mu0.out = e_OUT_INTR;       // Interrupt reg
phmon_action_config(0, &action_mu0);
```

### OS Support

- Per process OS support
  - Maintain PHMon information during context switches
- Interrupt handling OS support
  - Delegate interrupt to OS
  - Terminate the violating process


# Implementation and Evaluation Framework

### Implementation

- PHMon as a RoCC, written in Chisel HDL
  - Interfaced with the in-order RISC-V Rocket core
- Linux kernel v4.15
- RISC-V GNU toolchain for cross-compilation

### Evaluation

- Prototyped on Xilinx Zynq Zedboard
  - Rocket core + PHMon
- Open-sourced at https://github.com/bu-icsg/PHMon


# Use Cases



https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux30.html, https://medium.com/@dieswaytoofast/fuzzing-and-deep-learning-5aae84c20303



## Use Cases: Shadow Stack

### PHMon-based Shadow Stack

- Simple and flexible
  - Two MUs
  - Shared memory space
    - Allocated by OS as a user-space memory
- Secure
- Efficient
  - For SPECint2000, SPECint2006, and MiBench benchmarks, on average, 0.9% performance overhead
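A software model of the two-MU shadow stack, connecting the match/action configuration on the Software Interface slide to this use case. It is an added example, not PHMon's code or API: the commit-log fields, the mask/value patterns and both traces are constructed, and `pc_src + 4` assumes uncompressed call instructions.

```c
#include <stddef.h>
#include <stdint.h>

/* Software model for illustration; names and patterns are assumptions. */
typedef struct { uint32_t inst; uint64_t pc_src, pc_dst; } commit_t;
typedef struct { uint32_t mask, value; } pattern_t;

/* MU-0: jal/jalr with rd = ra (opcode bit 3 left as don't-care). */
static const pattern_t MU0_CALL = { 0x00000ff7u, 0x000000e7u };
/* MU-1: ret, encoded as jalr x0, 0(ra). */
static const pattern_t MU1_RET = { 0xffffffffu, 0x00008067u };

int mu_match(pattern_t p, uint32_t inst) {
    return (inst & p.mask) == p.value;
}
#define SHADOW_DEPTH 64  /* array stands in for the OS-allocated shadow memory */

/* Index of the first entry that would raise the interrupt, or -1 if none. */
int monitor_trace(const commit_t *t, size_t n) {
    uint64_t shadow[SHADOW_DEPTH];
    size_t top = 0;
    for (size_t i = 0; i < n; i++) {
        if (mu_match(MU0_CALL, t[i].inst)) {
            if (top == SHADOW_DEPTH) return (int)i;  /* full: fail closed */
            shadow[top++] = t[i].pc_src + 4;         /* expected return address */
        } else if (mu_match(MU1_RET, t[i].inst)) {
            if (top == 0) return (int)i;             /* return with no call */
            if (shadow[--top] != t[i].pc_dst) return (int)i;  /* mismatch */
        }
    }
    return -1;
}

/* Constructed trace: main calls f, f calls g, then both return. */
const commit_t CLEAN[4] = {
    { 0x010000efu, 0x1000, 0x1010 },  /* jal ra, +16 */
    { 0x020000efu, 0x1010, 0x1030 },  /* jal ra, +32 */
    { 0x00008067u, 0x1034, 0x1014 },  /* ret from g  */
    { 0x00008067u, 0x1018, 0x1004 },  /* ret from f  */
};
/* Same trace, but g's return target was overwritten (constructed). */
const commit_t HIJACKED[4] = {
    { 0x010000efu, 0x1000, 0x1010 },
    { 0x020000efu, 0x1010, 0x1030 },
    { 0x00008067u, 0x1034, 0x2000 },
    { 0x00008067u, 0x1018, 0x1004 },
};
int main(void) {
    return (monitor_trace(CLEAN, 4) == -1 && monitor_trace(HIJACKED, 4) == 2) ? 0 : 1;
}
```

In this model the monitor flags the third entry of the hijacked trace, the point at which the OS support described earlier would terminate the violating process.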




# Use Cases: Hardware Accelerated Fuzzing

#### American Fuzzy Lop (AFL) [Zalewski, 2013]

- A state-of-the-art fuzzer
- Two main units
  - The fuzzing logic
  - The instrumentation suite
    - Compiler-based
    - QEMU-based



https://rabbitbreeders.us/american-fuzzy-lop-rabbits/



#### QEMU-based AFL






#### PHMon-based AFL


- PHMon improves AFL's performance by 16× over the baseline
- Power overhead: 5%
- Area overhead: 13.5%




### Conclusion



#### A hardware monitor with full software stack





#### FPGA prototype



https://www.usenix.org/system/files/sec20spring_delshadtehrani_prepub.pdf



https://github.com/bu-icsg/PHMon



Thanks! You can reach me at delshad@bu.edu for follow-up questions.

More information
