CNS Core: Small: Rethinking Runtime Software Security Hardening in the Context of Hybrid Instruction Set Architecture

CNS 核心：小型：重新思考混合指令集架构背景下的运行时软件安全强化

基本信息

批准号：
2127491
负责人：
Binoy Ravindran
金额：
$ 50万
依托单位：
Virginia Polytechnic Institute and State University
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2021
资助国家：
美国
起止时间：
2021-10-01 至 2024-09-30
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=2127491&HistoricalAwards=false
关键词：
CNS Core Small Rethinking Runtime

项目摘要

Computing is increasingly heterogeneous (e.g., CPU/GPUs, CPU/FPGAs) to meet the ever-increasing performance demands of applications, necessitated in part by the end of Moore's law. The latest trend in this direction is CPUs with different instruction-set-architectures (or ISAs), especially in mobile computing and Internet-of-Things (IoT) settings. Applications for heterogeneous computers are often developed by dividing them across the ISA boundary: software for each ISA is separately developed due to the intrinsic architecture differences. As a result, application programmers often cannot fully leverage ISA-specific hardware security features. In addition, existing software security techniques are largely ISA-specific: threat models and exploit mitigations are usually developed for a target ISA. This project addresses this problem by developing a software infrastructure that allows applications to transparently utilize ISA-specific security features. The infrastructure includes a compiler and a run-time framework that hides ISA differences and exposes an ISA-agnostic abstraction through code generation for multiple ISAs, dynamic process state transformations for security hardening across ISAs, and cross-ISA unified shared memory. Several security techniques will be developed using this infrastructure to demonstrate effectiveness including adaptive attack surface reduction, code and data space randomization, and dynamic software patching. The project’s software infrastructure will allow programmers to develop more secure application software for emerging computers without additional programming effort, and thereby meet the pressing societal need for secure computing infrastructures. The project's software artifacts and experimental results will be publicly available under a permissive open-source license at the project website for at least five years after the project completion.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

计算日益异构化（例如 CPU/GPU、CPU/FPGA），以满足应用程序不断增长的性能需求，这在一定程度上是摩尔定律终结所必需的。这个方向的最新趋势是具有不同指令集的 CPU。架构（或 ISA），尤其是在移动计算和物联网 (IoT) 设置中，异构计算机的应用程序通常是通过跨越 ISA 边界来开发的：由于内在架构差异，每个 ISA 的软件都是单独开发的，因此，应用程序程序员通常无法充分利用 ISA 特定的硬件安全功能。此外，现有的软件安全技术主要是 ISA 特定的：威胁模型和漏洞缓解措施都是不同的。通常是为目标 ISA 开发的。该项目通过开发一个软件基础设施来解决这个问题，该基础设施允许应用程序透明地利用 ISA 特定的安全功能。该基础设施包括一个编译器和一个隐藏 ISA 差异并公开与 ISA 无关的运行时框架。通过代码进行抽象多个 ISA 的生成、跨 ISA 安全强化的动态进程状态转换以及跨 ISA 统一共享内存将使用该基础设施开发多种安全技术来展示其有效性，包括自适应攻击面减少、代码和数据空间随机化以及动态软件。该项目的软件基础设施将允许程序员为新兴计算机开发更安全的应用软件，而无需额外的编程工作，从而满足社会对安全计算基础设施的迫切需求。该项目的软件工件和实验结果将在许可的情况下公开。项目完成后至少五年在项目网站上获得开源许可。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。