Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing (Hardware)

1. About this paper

This paper is published in Network and Distributed System Security Symposium (NDSS) in 2019. The eprint version can be found here.

Jiyong Yu, Lucas Hsiung, Mohamad El'Hajj, and Christopher W. Fletcher. "Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing." In The Network and Distributed System Security Symposium (NDSS). 2019.

@inproceedings{yu2019data,
  title={Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing},
  author={Yu, Jiyong and Hsiung, Lucas and El'Hajj, Mohamad and Fletcher, Christopher W},
  booktitle={The Network and Distributed System Security Symposium (NDSS)},
  year={2019}
}

2. Introduction

This is a modfied version of the RISCV-BOOM (Berkley Out-of-Order Machine). We augment both the ISA and the hardware to support the Data Oblivious ISA extension. Recall from the paper, the ISA extension is broken into two parts:

1.) A mechanism for Software to tell Hardware what data is sensitive (Confidential). This is implemented with a new Dynamic Information Flow Tracking scheme that requires tags to follow data in every pipeline stage (not just retirement).

2.) A mechanism for Hardware to tell Software what operations (instructions) may leak privacy. This is implemented by augmenting existing instructions (and adding new instructions) with additional semantics to indicate whether each instruction operand is Safe/Unsafe to receive confidential data.

Since the first-priority goal of HW implementation is to evaluate frequency and hardware overhead, this version does not support certain instruction types listed in the paper.

3. Supported Instructions

inst	function	tag update	attribute	if implemented
cmov	RD=MUX(RS1,RS2,RD)	RD.tag = RS1.tag || RS2.tag		yes
seal	RD=RS1	RD.tag = 1		yes
unseal	RD=RS1	RD.tag = 0	barrier	yes
Int/FP ALU	RD=RS1 op RS2	RD.tag = RS1.tag || RS2.tag		yes
BXX	if (RS1 op RS2) PC = PC + immed		assert RS1.tag==0 assert RS2.tag==0	yes
JALR(JR)	PC = RS1 + immed; RD = PC + 4	RD.tag = 0	assert RS1.tag==0	yes
JAL	PC = PC + immed; RD = PC + 4	RD.tag = 0		yes
orld	RD = mem[RS1 + immed]	RD.tag = mem[RS1 + immed].tag		no
orst	mem[RS1 + immed] = RS2	mem[RS1 + immed].tag = RS2.tag		no

4. Usage

(How to use BOOM can be found here)

1) Clone the project, build a BOOM verilator and its corresponding RISC-V toolchain:

git clone https://github.com/cwfletcher/oisa
cd Pre-NDSS
./scripts/init-submodules.sh
./scripts/build-tools.sh
cd verisim
make

2) Compile a program into RISCV binary using OISA primitives, run with SW simulator spike:

We provides several microbenchmarks, libraries and Makefiles in /benchmark.

To compile your program with a lite version of standard library(provided by original RISCV toolchain), use Makefile. Using this lite standard library provides basic routines(printf, cstring functions, atol, memset, memcpy, etc.). It has the advantage of shrinking code size and simpify the debugging process.

You can compile your program, generate riscv binary, and run with spike simulator by:

make run

You can also disassemble your riscv binary by:

make dump

To compile your program with standard library, use Makefile.pk instead of Makefile

3) Compile a program into x86 binary using OISA primitives, run on local x86 machine:

To compile your program with standard library, use Makefile.pk. You can compile your program, generate x86 binary and run on x86 machines by:

make x86_run

You can also compile your program, generate riscv binary, and run with spike simulator by:

make riscv_run

4) Debug your progarm using spike:

spike -d --isa=rv64g <your_riscv_binary>

More about debugging using spike can be found here

5) Compile and run with Verilator simulation

cd verisim
make

For more information, please refer to original BOOM github repo here.

5. Future Works

We will update this project by adding support for more oblivious instruction types.