Secure System Architecture Progression Framework Overview

Slide Note
Embed
Share

Explore the evolution of secure system architectures, including multicore analysis and components like Cell Broadband Engine, Intel Core i, Freescale P4080. Dive into centralized processing systems, memory management, and hardware evaluations for improved processing power and security measures.

dorothy
dorothy Follow

Uploaded on Jul 01, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Ryan Bradetich Center for Secure and Dependable Systems University of Idaho

  2. Problem Statement Secure System Architecture Progression Framework Introduction MulticoreArchitecture Analysis Cell Broadband Engine Architecture (CBEA) Intel Core i (Nehalem) Freescale P4080 Question and Answers

  3. Centralized processing System High Improved processing power MLS Commodity hardware System High Multicore architectures MILS

  4. Memory I/O MIC SPE SPE SPE SPE IOIF0 I/O PPE SPE SPE SPE SPE IOIF1 L2 Cache Local Store L1 D L1 I SMT Core SPU Core

  5. CPU-0 SMT CPU-1 SMT CPU-2 SMT CPU-3 SMT L1 D L1 I L1 D L1 I L1 D L1 I L1 D L1 I L2 Cache L2 Cache L2 Cache L2 Cache Shared L3 Cache DDR3 Memory Controller Quick Path Interconnect I/O Memory

  6. Core Core Core Core L2 Cache e500mc Core Core Core Core Core SDRAM Controller Memory L3 Cache L1 D L1 I SDRAM Controller CoreNet Coherency Fabric L3 Cache I/O eLBC Controller Peripheral Controllers SEC PME RIO MU 2 x DMA QMan BMan On Chip Network Real-Time Debug 3 x PCIe 2 x sRIO FMan FMan 4 x 1GE 4 x 1GE 10GE 10GE SerDes

  7. Framework Steps 1. Identify components 2. Analyze information flows and identify safeguards 3. Apply security policy

  8. Red Red Networks Networks Top Secret Network Top Secret Network Black Network Secret Network Secret Network Guard Guard Confidential Network Confidential Network

  9. Memory I/O MIC SPE SPE SPE SPE IOIF0 I/O PPE SPE SPE SPE SPE IOIF1 L2 Cache Local Store L1 D L1 I SMT Core SPU Core

  10. Hardware Component Evaluated PowerPC Processor Element No Synergistic Processor Elements (8) Yes Element Interconnect Bus Yes Cell Broadband Engine Interface Units (2) Yes Memory Interface Controller Yes Pervasive Yes

  11. Memory I/O MIC SPE SPE SPE SPE IOIF0 Element Interconnect Bus I/O PPE SPE SPE SPE SPE IOIF1

  12. Not recommended for general purpose MILS multicore architecture SPE are not intended for general purpose processing. PPE must be trusted Blocking MFC communication channels provide covert communication channels.

  13. CPU-0 SMT CPU-1 SMT CPU-2 SMT CPU-3 SMT L1 D L1 I L1 D L1 I L1 D L1 I L1 D L1 I L2 Cache L2 Cache L2 Cache L2 Cache Shared L3 Cache DDR3 Memory Controller Quick Path Interconnect I/O Memory

  14. Hardware Component Evaluated Processor Cores (4) Partial Shared L3 Cache No Quick Path Interconnect No DDR3 Memory Controller No

  15. CPU-0 CPU-1 CPU-2 CPU-3 Shared L3 Cache DDR3 Memory Controller Quick Path Interconnect I/O Memory

  16. Processor Core Processor Core SMM (ring -2) SMM (ring -2) Hypervisor (ring -1) (VMX Extensions) Hypervisor (ring -1) (VMX Extensions) Guest OS (ring 0 3) Guest OS (ring 0 3)

  17. * SIPI Attack discovered by Invisible Things Labs

  18. CPU #0 (BSP) CPU #1 (AP) CPU #2 (AP) CPU #3 (AP) Shell Code 0xVV000 SIPI Network Interface Untrusted Driver (Malware)

  19. Not recommended for general purpose MILS multicore architecture 35 years of backwards compatibility VMM (ring -1) added via VMX extensions VMX extensions complex and error prone VMX extensions do not address timing channels SMM (ring -2) runs higher privilege than VMM Microcode updates provide reconfigurability TXT-trusted boot does not protect against SMM SMM subject to cache poisoning via MTRR

  20. Core Core Core Core L2 Cache e500mc Core Core Core Core Core SDRAM Controller Memory L3 Cache L1 D L1 I SDRAM Controller CoreNet Coherency Fabric L3 Cache I/O eLBC Controller Peripheral Controllers SEC PME RIO MU 2 x DMA QMan BMan On Chip Network Real-Time Debug 3 x PCIe 2 x sRIO FMan FMan 4 x 1GE 4 x 1GE 10GE 10GE SerDes

  21. Control Plane SMP OS Data Plane AMP OS Other Services AMP OS Core Core Core Core Core Core Core Core MMU MMU MMU MMU MMU MMU MMU MMU CoreNet Coherency Fabric PAMU PAMU PAMU CoreNet Platform Caches Peripheral Peripheral Peripheral Peripheral Peripheral Peripheral

  22. Hardware Component Evaluated e500mc Processor Cores (8) Yes CoreNet CoreNet Coherency Fabric CoreNet Platform Cache Yes DDR2/DDR3 SDRAM Controllers (2) Yes Enhanced Local Bus Controller Peripheral controllers Yes High Speed Peripheral Interface Complex PCI Express Controllers (3) RapidIO Message Unit Serial RapidIO Endpoints (2) Direct Memory Access Controllers (2) Yes

  23. Hardware Component Evaluated Data Path Acceleration Architecture Buffer Manager Queue Manager Frame Manager (2) Pattern Match Engine Security Encryption Engine Yes Real Time Debug Yes

  24. Core Core Core Core Core Core Core Core SDRAM Controller Memory L3 Cache SDRAM Controller CoreNet Coherency Fabric L3 Cache I/O eLBC Controller Peripheral Controllers SEC PME RIO MU 2 x DMA QMan BMan On Chip Network Real-Time Debug 3 x PCIe 2 x sRIO FMan FMan 4 x 1GE 4 x 1GE 10GE 10GE SerDes

  25. BMan requires QMan to mediate access to CoreNet. DPAA provides direct portal access between DPAA components. Covert communication channel using the Portal Query command.

  26. Core Core Core Core Core Core Core Memory CoreNet + SDRAM Controllers I/O eLBC Controller + Peripheral Controllers DPAA + Processor Core On Chip Network Real-Time Debug SerDes

  27. Not recommended for general purpose MILS multicore architecture Logical Partitioning architecture looked promising. Peripherals is where the architecture fell down.

  28. This framework shows how and why the hardware analysis can be separated from the security policy analysis. Initial component identification provides a roadmap and can foster intra-team and cross-team collaborations. Focus on information flows, safeguards, and shared components simplifies the analysis process. Consistent, reproducible, and peer- reviewable reports facilitate incremental analysis for minor hardware revisions. Safeguards organize and focus experiments on critical areas.

Related


Managing Student Progression in Academic Registry

Managing Student Progression in Academic Registry

zayne
Decoupled SMO Architecture Overview

Decoupled SMO Architecture Overview

jayda
Digital Architecture for Supporting UNICEF's High-Impact Interventions

Digital Architecture for Supporting UNICEF's High-Impact Interventions

tammy
Overview of External Wireless Communication System on International Space Station (ISS)

Overview of External Wireless Communication System on International Space Station (ISS)

jang395
PowerPC Architecture Overview and Evolution

PowerPC Architecture Overview and Evolution

adoff
Overview of 5G System Architecture and User Plane Functionality

Overview of 5G System Architecture and User Plane Functionality

bel_del
Exploring Modern Architecture Trends: Expressionism and Bauhaus Movement

Exploring Modern Architecture Trends: Expressionism and Bauhaus Movement

hansendi
Understanding Memory Hierarchy and Different Computer Architecture Styles

Understanding Memory Hierarchy and Different Computer Architecture Styles

iqra_9
Understanding Multiple Sclerosis: Symptoms, Progression, and Treatment Options

Understanding Multiple Sclerosis: Symptoms, Progression, and Treatment Options

yunus
Software Architecture Design for Document Filter System: A Case Study

Software Architecture Design for Document Filter System: A Case Study

prat_t
Progress of Network Architecture Work in FG IMT-2020

Progress of Network Architecture Work in FG IMT-2020

lonan
Proposed Way Forward for Service-Oriented Architecture (SOA) in Space Missions

Proposed Way Forward for Service-Oriented Architecture (SOA) in Space Missions

tyo_dia
Understanding Unified Architecture Framework (UAF) for Enterprise Analysis

Understanding Unified Architecture Framework (UAF) for Enterprise Analysis

nata_o
Oklahoma Transfer Student Progression Analysis

Oklahoma Transfer Student Progression Analysis

brackeen_g
Understanding Computer Organization and Architecture

Understanding Computer Organization and Architecture

alexei
Overview of .NET Framework and CLR Architecture at Amity School of Engineering

Overview of .NET Framework and CLR Architecture at Amity School of Engineering

jaylah
English Language Learning Progression Assessment and Standards Overview

English Language Learning Progression Assessment and Standards Overview

emmilia
Designing System Architecture Before Requirements: Importance and Best Practices

Designing System Architecture Before Requirements: Importance and Best Practices

urij_309
Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords

Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords

quer_sna
Are we making progress?

Are we making progress?

alia
Enhancing Curriculum Design for Progression in Learning

Enhancing Curriculum Design for Progression in Learning

janelle
Understanding Epistemic Progression in Learning: A Humanities Perspective

Understanding Epistemic Progression in Learning: A Humanities Perspective

ettie
Principles of Training: Overload, Specificity, and Progression

Principles of Training: Overload, Specificity, and Progression

arun
Academic Progression Guidelines for Undergraduate Students

Academic Progression Guidelines for Undergraduate Students

jeliana

More Related Content