ECE 382N-Sec (FA25):

# L12: Information-Flow Tracking in Hardware

Neil Zhao neil.zhao@utexas.edu

### Recap: Speculative Taint Tracking (STT)

## Recap: Speculative Taint Tracking (STT)

#### **Leakage through implicit channels**

# Information Flow for Confidentiality



# Information Flow for Integrity



### **Explicit Information Flow**

```
(H) R1 = load ptr_to_secret;
(H) R2 = R1 + 10;
(H) R3 = R2 & R1;
store R3 → addr1;

Conservatively taint the output if either inputs is tainted

???? R4 = load addr2;

Can depend on runtime states. Difficult for static analysis to handle
```

# **Implicit Information Flow**

```
(H) R1 = secret;
store 10 → R1;
```

Can taint the entire address space!



# Complete Information Flow Tracking from the Gates Up\*

#### Complete Information Flow Tracking from the Gates Up

Mohit Tiwari Hassan M G Wassel Bita Mazloom Shashidhar Mysore Frederic T Chong Timothy Sherwood

Department of Computer Science, University of California, Santa Barbara {tiwari,hwassel,betamaz,shashimc,chong,sherwood}@cs.ucsb.edu

<sup>\*</sup>Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

# A Sound and Precise Taint Propagation Policy for AND Gates



| lainted b and untainted a |   |                  |                |                  |
|---------------------------|---|------------------|----------------|------------------|
| а                         | b | $\mathbf{a}_{t}$ | $\mathbf{b_t}$ | out <sub>t</sub> |
| 0                         | 0 | 0                | 1              | 0                |
| 0                         | 1 | 0                | 1              | 0                |
| 1                         | 0 | 0                | 1              | 1                |
| 1                         | 1 | 0                | 1              | 1                |

<sup>\*</sup>Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

# A Sound and Precise Taint Propagation Policy for AND Gates



<sup>\*</sup>Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

### A One-Bit Counter



 $<sup>^*\</sup>mbox{Tiwari}$  et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

# Multiplexer



 $^*\mbox{Tiwari}$  et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

# Multiplexer



\*Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

### Prevent Taint Explosion: Covert Implicit Flow into Explicit Flow



<sup>\*</sup>Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

### Prevent Taint Explosion: Covert Implicit Flow into Explicit Flow



```
0x1: P1 = (X == 0);
0x2: (P1) R1 = 10;
0x3: R2 = 10;
```

<sup>\*</sup>Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

# Prevent Taint Explosion: Covert Implicit Flow into Explicit Flow

#### **Bounding Loops**

```
0x1: ...
```

. . .

0xa: countjump (0x1), 100

The number of loop iterations is statically determined

"countjump" cannot be predicated

#### **Constraining Loads/Stores**

```
0x1: init-counter C0
```

$$0x2: R1 = load 0x200 + C0$$

0x3: inc-counter C0

0x4: inc-counter C0

• •

0xa: countjump (0x2), 100

Because the PC cannot be tainted, the addresses are guaranteed to be untainted

<sup>\*</sup>Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

## Putting All Pieces Together

#### **Summary:**

- ISA-level restriction that prevents programmer from writing code that can potentially lead to taint explosion
- An FPGA prototype (information-flow tracking at the bit granularity)
- Good for security-sensitive programs
- Area overhead (+70%)
- Performance overhead
- Limited programmability

<sup>\*</sup>Tiwari et al., "Complete Information Flow Tracking from the Gates Up," ASPLOS '09

# Speculative Privacy Tracking (SPT)

#### **AES Flow**



```
for (size_t r = 1; r <= 10; r++) {
  eax, ..., edx = AES_Round(eax, ..., edx, rnd_key);
}
if (/* false */) {
  transmit(eax); // transmitter
}
Not protected by STT!</pre>
```

<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy," MICRO '21

### Key Idea of SPT: Leaked in Non-Spec Exec → Not a Secret

```
1  v1, v2 = ...;
2  transmit(v1);
3  if (/* false */) {
4   transmit(v1);
5   transmit(v1 + 10);
6   transmit(v1 + v2);
7  }
```

Everything is a secret until it's leaked/declassified by a non-speculative transmitter

<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy,"

MICRO '21

### **Backward Untaint Propagation**

This example assumes that the program and PC are public



<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy," MICRO '21

# **Blocking Implicit Channels**

# Similar to STT, if a branch's predicate is tainted:

- Delay branch resolution
- Delay predictor updates

 $\Rightarrow$  PC is not tainted

<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy," MICRO '21

### **Untaint Propagation Through Memory**

```
store R1 \rightarrow addr1;

store R2 \rightarrow addr2;

store R3 \rightarrow addr3;

R4 = R3;

else if (alias(addr, addr2, ...))

R4 = R2;

else if (alias(addr, addr1, ...))

R4 = R1;

else

R4 = R1;

else

R4 = R1;
```

Whether "load addr" issues leaks addr1, addr2, and addr3

<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy,"

MICRO '21

### **Untaint Propagation Through Memory**

```
store R1 → addr1;
store R2 → addr2;
store R3 → addr3;

R4 = R3;
else if (alias(addr, addr2, ...))
R4 = R2;
R4 = load addr;

R4 = R1;
else
R4 = Tmp;
```

<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy," MICRO '21

## **Untaint Propagation Through Memory**

```
Untainted
                    Tainted
                                         Tmp = load addr;
                                         if (alias(addr, addr3, ...))
            → addr1;
  store R1
                                           R4 = R3;
  store R2
            → addr2;
                                         else if (alias(addr, addr2, ...))
  store R3
                                          R4 = R2;
                                         else if (alias(addr, addr1, ...))
  R4 = load addr;
                                           R4 = R1;
                                         else
  transmit(R4);
                                           R4 = Tmp;
Leaks tainted addr2 and addr3
```

<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy," MICRO '21

## Solution: Delay Untaint Propagation in STL Forwarding



<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy," MICRO '21

# Untaint Propagation Through Memory (Shadow L1D)



<sup>\*</sup>Choudhary et al., "Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy," MICRO '21

#### Performance Overhead

- gem5 evaluation
- Futuristic model (consider all forms of speculation)
  - $3.6 \times$  overhead  $\rightarrow 45\%$
- Spectre model (consider only control-flow speculation)
  - $3 \times$  overhead  $\rightarrow 11\%$
  - STT: 8%

### Some Questions for Discussion

- [GLIFT] How does GLIFT differ from other tagging/tainting methods discussed earlier in the course, like STT?
- [GLIFT] Could GLIFT serve as the basis for "verifiable secure enclaves" where secrets are provably isolated at the hardware level?
- [GLIFT] Microarchitectural optimization?
- [SPT] Often times paper's like these employ a hardware only or software only solution, if the authors
  opened up the ability to co-design with software, what kind of solution would SPT now look like?
  (+ a similar question)
- [SPT] Is there ever any reason to use STT over SPT?
- [SPT] The paper shows 45% overhead in the Futuristic model but only 11% in the Spectre model. Why such a large difference? Which model is more realistic for defending against real-world attacks?