We wish to re-architect current computer input/output (I/O) systems with security as a first-class design constraint. Existing I/O has evolved organically over the decades and now faces a 'perfect storm' of security vulnerabilities, which we aim to address.
Computers today are full of processors: advertised, hidden and even unintentional. Processors, in the form of embedded microcontrollers, are hidden in 'devices' that we name as 'wireless card' or 'system management controller', but fundamentally they form a heterogenous distributed system. The software these processors run is often poorly scrutinised and may be actively malicious. As this field becomes more visible, vulnerabilities are being discovered with increasing frequency.
Worse still, the trend is for 'pluggable' devices via interfaces such as USB Type-C and Thunderbolt 3: users are being trained to pick up processors, thinking they are innocuous because they
are shaped like chargers or dongles. For instance, many buildings, aircraft, trains and buses now provide 'USB charging', but, without protection, the Type-C user may be exposing themselves to unexpected threats. Such threats are of substantial and increasing concern to businesses, government and consumers. By redesigning I/O with security at the core, we aim to considerably improve on today's weaknesses. We will investigate the weaknesses of current I/O and propose safer alternatives through three threads of research:
1. We will begin by performing a survey of the state-of-the-art of access-control protections in current hardware and software designs, to understand the limits of current pluggable-device security. We will focus in particular on current utilisation of Input/Output Memory Management Units (IOMMUs), which are the primary current defence that prevents devices from having unlimited Direct Memory Access (DMA) - the 'key to the kingdom' of system security that otherwise permits total compromise of firmware, OS, and applications from malicious devices. We will characterise current security-performance tradeoffs to establish a performance baseline. We will systemise new vulnerability classes and develop a corpus of vector-specific attack techniques which future defences must prevent or mitigate.
Our existing preliminary results investigating IOMMU use in modern operating systems, and a growing attack literature, suggest substantial security and performance shortcomings. We therefore propose two strands of research to develop and evaluate technical approaches to defend against I/O-based attackers:
2. Many I/O devices (e.g., USB and network cards) communicate with the host operating system through messages sent and received via DMA. We will develop new techniques to restructure CPU-to-I/O interconnects to provide a message-based abstraction for untrustworthy devices, rather than depending on DMA, as is current (and highly vulnerable) best practice.
3. To address devices for which a memory-oriented semantic is intrinsic (e.g., GPUs and Remote-DMA enabled network cards), we will explore new distributed-memory protection techniques that avoid the granularity and performance limitations of IOMMU-oriented approaches. This will enable greater control of device access to host memory while improving security-performance tradeoffs. For instance we might delegate specific memory access rights to devices, with policy and unforgeability enforced by the interconnect bridges.
All research will be performed via hardware-software co-design methodology and FPGA prototyping, with evaluation relative to performance, complexity, compatibility, and security metrics for both hardware and software. We will pursue these goals in close collaboration with ARM Ltd, who provide key insights into industry requirements and a transition path into commercial technologies.
|