CAREER: Enabling Robust and Adaptive Architectures through a Decoupled Security-Centric Hardware/Software Stack

职业：通过解耦的以安全为中心的硬件/软件堆栈实现鲁棒性和自适应架构

• 批准号: 2238548
• 负责人: Ashish Venkat
• 金额: $ 50.96万
• 依托单位: University of Virginia Main Campus
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-10-01 至 2028-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2238548&HistoricalAwards=false
• 关键词: CAREER; Enabling; Robust; Adaptive; Architectures

The growing complexity in modern systems has placed substantial limits on our ability to comprehensively assess threats and deploy timely mitigations. According to Google’s Project Zero, a new exploit is discovered in the wild every 17 days, although it takes an average of 15 days across all vendors to patch a vulnerability, highlighting the inability of existing solutions to scale with the rapidly evolving threat landscape. This project takes a radically new approach by developing a holistic security-centric hardware/software stack that is decoupled from the Instruction Set Architecture (ISA), so as to empower software to dynamically push expressive security policies to hardware, where they can be transparently and efficiently enforced on-demand and in-the-field through novel hardware design mechanisms, without the need for recompilation, redeployment, and frequent hardware upgrades. This work is expected to significantly enhance robustness, versatility, flexibility, and adaptability of modern architectures in the range and types of exploits they can mitigate, while simultaneously minimizing both the time to mitigation and the cost of deployment. This project will also address the urgent need to boost the nation’s cybersecurity workforce through (a) curriculum development and ethical hacking workshops targeted at high school, college, and professional students, (b) development of community research infrastructure and evaluation testbeds for rapid assessment of security policies, and (c) research mentorship of undergraduate and underrepresented students on security-related projects. This project entails three synergistic research thrusts that together enable a holistic full system across-the-stack solution for timely mitigation of exploits. The first thrust will develop a decoupled security-centric hardware/software interface to allow software to capture interactions and relationships among the different subjects and objects in the system and specify an expressive set of security policies in the form of logic formulas, to mitigate a wide range of hardware and software attacks ranging from memory and type safety to transient execution attacks. The second thrust will develop novel hardware design mechanisms and microcode primitives to evaluate and enforce the security policies specified in software, while maintaining high levels of performance with minimal impact on power and area. The third thrust will develop innovative hardware-based attribute tracking mechanisms to transparently track the flow of high-level software attributes, during execution, to enhance the effectiveness of the underlying hardware enforcement mechanisms.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代系统日益复杂，严重限制了我们全面评估威胁和及时部署缓解措施的能力，根据 Google 的零计划，每 17 天就会发现一个新的漏洞，尽管整个过程平均需要 15 天。该项目采用了一种全新的方法，开发与指令集架构 (ISA) 分离的以安全为中心的整体硬件/软件堆栈。 ,从而使软件能够动态地将表达性安全策略推送到硬件，通过新颖的硬件设计机制，可以在现场透明、高效地按需执行这些策略，而无需重新编译、重新部署和频繁的硬件升级。这项工作预计将显着增强现代架构在可缓解的漏洞利用范围和类型方面的稳健性、多功能性、灵活性和适应性，同时最大限度地减少缓解时间和部署成本。该项目还将解决紧迫的问题。需要通过以下方式增强国家网络安全劳动力：（a）针对高中、大学和专业学生的课程开发和道德黑客研讨会，（b）开发社区研究基础设施和快速评估安全政策的评估测试平台，以及（c）该项目需要三个协同研究重点，共同实现全面的完整系统跨堆栈解决方案，以及时缓解漏洞利用。以安全为中心的硬件/软件接口，允许软件捕获系统中不同主体和对象之间的交互和关系，并以逻辑公式的形式指定一组富有表现力的安全策略，以减轻各种硬件和软件范围攻击从内存和类型安全到瞬态执行攻击，第二个重点将开发新颖的硬件设计机制和微代码原语，以评估和执行软件中指定的安全策略，同时保持高水平的性能，同时对功耗和面积的影响最小。基于硬件的属性跟踪机制可透明地跟踪执行过程中高级软件属性的流动，以增强底层硬件执行机制的有效性。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。