CNS Core: Small: Rethinking Runtime Software Security Hardening in the Context of Hybrid Instruction Set Architecture

CNS 核心：小型：重新思考混合指令集架构背景下的运行时软件安全强化

基本信息

批准号：
2127491
负责人：
Binoy Ravindran
金额：
$ 50万
依托单位：
Virginia Polytechnic Institute and State University
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2021
资助国家：
美国
起止时间：
2021-10-01 至 2024-09-30
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=2127491&HistoricalAwards=false
关键词：
CNS Core Small Rethinking Runtime

项目摘要

Computing is increasingly heterogeneous (e.g., CPU/GPUs, CPU/FPGAs) to meet the ever-increasing performance demands of applications, necessitated in part by the end of Moore's law. The latest trend in this direction is CPUs with different instruction-set-architectures (or ISAs), especially in mobile computing and Internet-of-Things (IoT) settings. Applications for heterogeneous computers are often developed by dividing them across the ISA boundary: software for each ISA is separately developed due to the intrinsic architecture differences. As a result, application programmers often cannot fully leverage ISA-specific hardware security features. In addition, existing software security techniques are largely ISA-specific: threat models and exploit mitigations are usually developed for a target ISA. This project addresses this problem by developing a software infrastructure that allows applications to transparently utilize ISA-specific security features. The infrastructure includes a compiler and a run-time framework that hides ISA differences and exposes an ISA-agnostic abstraction through code generation for multiple ISAs, dynamic process state transformations for security hardening across ISAs, and cross-ISA unified shared memory. Several security techniques will be developed using this infrastructure to demonstrate effectiveness including adaptive attack surface reduction, code and data space randomization, and dynamic software patching. The project’s software infrastructure will allow programmers to develop more secure application software for emerging computers without additional programming effort, and thereby meet the pressing societal need for secure computing infrastructures. The project's software artifacts and experimental results will be publicly available under a permissive open-source license at the project website for at least five years after the project completion.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

计算越来越多的异质（例如CPU/GPU，CPU/FPGA）可以满足应用程序不断增强的应用要求，这是在摩尔定律结束时所必需的。这个方向的最新趋势是CPU具有不同的指令集 - 构造（或ISA），尤其是在移动计算和图像互联网（IoT）设置中。异质计算机的应用通常是通过在ISA边界上划分的：由于内在体系结构的差异，每个ISA的软件都是分别开发的。结果，应用程序程序员通常无法完全利用ISA特定的硬件安全功能。此外，现有的软件安全技术在很大程度上是特定于ISA的：威胁模型和利用缓解通常是针对目标ISA开发的。该项目通过开发软件基础架构来解决此问题，该软件基础架构允许应用程序透明地利用ISA特定的安全功能。基础架构包括一个编译器和一个运行时框架，该框架掩盖了ISA差异，并通过代码生成代码生成多个ISA，动态过程状态转换，用于跨ISA的安全性硬化以及交叉ISA统一共享内存。将使用此基础架构开发几种安全技术，以证明有效性，包括自适应攻击表面降低，代码和数据空间随机化以及动态软件修补。该项目的软件基础架构将使程序员无需其他编程工作就可以为新兴计算机开发更安全的应用程序软件，从而满足了对安全计算基础架构的紧迫需求。项目完成后至少五年，该项目的软件工件和实验结果将在项目网站的允许性开源许可下公开获得。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识分子优点和更广泛的审查标准通过评估来评估的支持。