# GARUDA 2.0

Sage Sefton ss557415@ohio.edu Ohio University Avinash Karanth karanth@ohio.edu Ohio University

2020 Fall

```
f_{Ei_1} \mid \cdots \mid f_{Ei_k}
EXE Input Fields
                              f_{Ei} ::=
EXE Output Fields
                              f_{Eo}
                                     := f_{Eo_1} \mid \cdots \mid f_{Eo_k}
                                     := f_{Mi_1} | \cdots | f_{Mi_k}
MEM Input Fields
                              f_{Mi}
                                     ::= f_{Ei} \mid f_{Eo} \mid f_{Mi}
Fields
                                f
                                    ::= \{f_{i_1} = v_{i_1}, \ldots, f_{i_k} = v_{i_k}\}\
Inputs
                                    ::= \{f_{o_1} = v_{o_1}, \ldots, f_{o_k} = v_{o_k}\}
Outputs
Obfuscation Fxn
```

Figure 1: Definitions in GARUDA 2.0.

## 1 Background

GARUDA was a system that operated on a two stream model of the "user" or program, and that which executed the instructions. GARUDA 2.0, we extend, or refine based on the point of view, this model to operate between the Execution (EXE) and Memory (MEM) stages of the pipeline. We assume a monitor theory shown by the graphic Fig ??. The monitor appears to operate on a single stream, but the two hanging connections can be considered the two streams of the former model.

The most obvious change we need to make is to enable encryption and decryption of the EffAddr. Our attack vector focuses on a trojan targeting the state register between the EXE and MEM stages. They could cache these addresses and try to access that memory later, or they may try to use them as a side channel. Either way, allowing an adversary to track our memory accesses is clearly problematic. However, when we refer to "encryption", we really mean some reversible obfuscation function. We employ the proof assistant, Coq, to prove the EN and DE blocks are exact inverses. GARUDA is written in Coq for exactly this reason, so requiring a proof that  $\forall P, DE(ENP) = P$  should be sufficient.

Figure 2: Predicates in GARUDA 2.0 act as a boolean algebra.

Figure 3: Syntax of Policies in GARUDA 2.0

## 2 The Implementation of GARUDA 2.0

- 2.1 Syntax
- 2.1.1 Definitions
- 2.1.2 Syntax of Predicates
- 2.1.3 Syntax of Policies

Figure 4: The semantics of predicates in GARUDA 2.0. While predicates remain unchanged from GARUDA, the theory changes slightly

### 2.2 Semantics

#### 2.2.1 Semantics of Predicates

#### 2.2.2 Semantics of Policies

Figure 5: The semantics of policies in GARUDA 2.0.

```
Values
                       INSTR | RES
                  ::=
Registers
                 ::=
Expressions e ::= read(b)
                                                   Read Reg
                       write(b, v)
                                                    Write Value to Reg
                       let \ x = e_1 \ in \ e_2
                                                   Assignment
                       e_1 \mid\mid e_2
                                                   Parallel
                                                   Apply Function
                       if v = n then e_1 else e_2
                                                   Conditional
                       e_1 \&\& e_2
                                                   Product (AND)
                                                   Concatenation
                       e_1; e_2
                        forever e
                                                   Hardwire
```

Figure 6: The language GARUDA 2.0 uses as a means to facilitate compilation.

## 3 Compilation to Verilog

### 3.1 The Intermediate Language

## 3.2 Compiling GARUDA 2.0 to the Intermediate

We define a function  $\mathbf{C}$  to be the compilation of some predicate or policy in GARUDA 2.0 to the intermediate language.  $\mathbf{C}$  operates on the four ports of the GARUDA 2.0 monitor. These consist of the inputs and outputs of each of the instruction and result streams. Assume all  $\mathbf{C}$  are short for  $\mathbf{C}_{(i_n,i_{out},r_{in},r_{out})}$  if unspecified.

### 3.2.1 Compiling Predicates

### 3.2.2 Compiling Policies

```
\mathbf{C}[0] = let \ i\_bog = new \ buf
                                   r\_bog = \text{new buf}
                             in \ write(i_{out}, i\_bog)
                                 write(r_{out}, r\_bog)
               \mathbf{C}[1] = write(i_{out}, read(i_{in}))
                            write(r_{out}, read(r_{in}))
       \mathbf{C}[f=n] = if \ i_{in} = n \ then
                                 write(i_{out}, read(i_{in}))
                                 else \mathbf{C}_{(i_{in},i_{out},-,-)}[0]
                             if r_{in} = n then
                                 write(r_{out}, read(r_{in}))
                                 else \mathbf{C}_{(-,-,r_{in},r_{out})}[0]
\mathbf{C}[\mathsf{test}(a+b)] = let \ e_{aii}, e_{ari}, e_{bii}, e_{bri} = \text{new buf } in
                             let e_{aio}, e_{aro}, e_{bio}, e_{bro} = new buf in
                             DeMux(i_{in}, e_{aii}, e_{bii}) \mid\mid DeMux(r_{in}, e_{ari}, e_{bri})
                             let e_a = \mathbf{C}_{(e_{aii}, e_{aio}, e_{ari}, e_{aro})}[a]
                                   e_b = \mathbf{C}_{(e_{bii}, e_{bio}, e_{bri}, e_{bro})}[b]
                            in\ Mux(e_a\ e_b,(i_{out},r_{out}))
 \mathbf{C}[\mathsf{test}(a \cdot b)] = \mathbf{C}[\mathsf{test}(a) \cdot \mathsf{test}(b)]
            \mathbf{C}[\neg a] = if \neg a \ then
                                 write(i_{out}, read(i_{in}))
                                 write(r_{out}, read(r_{in}))
                             else C[0]
```

Figure 7: Compilation of GARUDA 2.0 predicates into the intermediate language.

$$\begin{split} \mathbf{C}[inj_{i}V] &= write(i_{out}, V) \\ \mathbf{C}[inj_{r}V] &= write(r_{out}, V) \\ \mathbf{C}[f \leftarrow n] &= let \ i' = f(read(i_{in})) \\ &\quad r' = f(read(r_{in})) \\ &\quad in \ write(i_{out}, i') \\ &\quad write(r_{out}, r') \\ \mathbf{C}[p+q] &= let \ e_{p} = \mathbf{C}[p] \\ &\quad e_{q} = \mathbf{C}[q] \\ &\quad in \ Mux(e_{p}, e_{q}, (i_{out}, r_{out})) \\ \mathbf{C}[p \cdot q] &= let \ i_{mid} = \text{new buf} \\ &\quad r_{mid} = \text{new buf} \\ &\quad e_{p} = \mathbf{C}_{(i_{in}, i_{mid}, r_{in}, r_{mid})}[p] \\ &\quad e_{q} = \mathbf{C}_{(i_{mid}, i_{out}, r_{mid}, r_{out})}[q] \\ &\quad in \ e_{p} \ ; \ e_{q} \end{split}$$

Figure 8: Compilation of GARUDA 2.0 policies into the intermediate language.

## 4 Applications of GARUDA 2.0

### 4.1 Standard Taint

In the previous version of GARUDA, taint was implemented by tagging the most significant bit of a register. This caused no hardware overhead to maintain in the pipeline, but imposed an obvious bit-resolution hindrance. In GARUDA 2.0, the definition of such a policy is identical, but the compilation is different.

We assume a MIPS-like architecture for this example. The op codes of any given instruction are no more than 3;  $\mathsf{IN}_1$ ,  $\mathsf{IN}_2$ , and  $\mathsf{OUT}$  We denote these as RS, RT, and RD.

Let's suppose you want your taint to propogate on the inputs of any arithmetic instructions. Additionally, you prohibit any tainted instructions or addresses from accessing memory. In GARUDA 2.0, we can define this as follows. Please note that ALU can further be expanded to specific types of ALU instructions

```
Instruction Fields f_i ::= Taint_{RS}, Taint_{RT}, Taint_{RD}, OP
                                     \mathsf{MEM}_{\mathsf{READ}} \mid \mathsf{MEM}_{\mathsf{WRITE}} \mid \mathsf{ALU} \mid \, \cdots \,
      Result Fields f_r ::=
                                     (*empty*)
                               \triangleq
                                     OP = ALU
                     Arith
                      Read
                                     OP = MEM_{RFAD}
                     Write
                                     \mathsf{OP} = \mathsf{MEM}_{\mathsf{WRITE}}
                AnyMem
                                     Read + Write
            TaintedInstr
                                      (Taint_{RS} = TRUE) + (Taint_{RT} = TRUE)
                                \triangleq
                                      \mathsf{Taint}_{\mathsf{RD}} \leftarrow \mathsf{TRUE}
                 TaintRes
         PropTaintALU
                                     act(Arith \cdot TaintedInstr \cdot TaintRes)
                                     +act(Arith \cdot \neg TaintedInstr)
           NoTaintMem
                                     act(AnyMem \cdot \neg TaintedInstr)
             SecureMem
                                     PropTaintALU + NoTaintMem
                                      +act(\neg(Arith + AnyMem))
```

## 4.2 Speculative Taint

[1]

```
Instruction \ Fields \ f_i ::= Taint_{RS}, Taint_{RT}, Taint_{RD}, OP
                            ::= MEM_{READ} \mid MEM_{WRITE} \mid ALU \mid \cdots
                      OP
      Result Fields f_r ::=
                                   (*empty*)
                              \triangleq OP = ALU
                    Arith
                              \triangleq OP = MEM<sub>READ</sub>
                    Read
                   Write
                              \triangleq
                                   \mathsf{OP} = \mathsf{MEM}_{\mathsf{WRITE}}
               AnyMem
                                   \mathsf{Read} + \mathsf{Write}
            TaintedInstr
                                    (Taint_{RS} = TRUE) + (Taint_{RT} = TRUE)
                TaintRes
                                    \mathsf{Taint}_{\mathsf{RD}} \leftarrow \mathsf{TRUE}
         PropTaintALU
                                   act(Arith \cdot TaintedInstr \cdot TaintRes)
                                    +act(Arith \cdot \neg TaintedInstr)
          NoTaintMem
                                   act(AnyMem \cdot \neg TaintedInstr)
            SecureMem
                                   PropTaintALU + NoTaintMem
                                    +act(\neg(Arith + AnyMem))
```

## References

[1] Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, and Christopher W Fletcher. Speculative taint tracking (stt) a comprehensive protection for speculatively accessed data. In *Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture*, pages 954–968, 2019.