PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators
This work addresses security for heterogeneous systems with accelerators, but it is incremental as it builds on existing DIFT techniques with a novel shell approach.
The authors tackled the problem of securing heterogeneous systems against software-based attacks by developing PAGURUS, a low-overhead shell circuit for dynamic information flow tracking (DIFT) on accelerators, which enables flexible design-space exploration for performance, cost, and security without modifying accelerator implementations.
Software-based attacks exploit bugs or vulnerabilities to get unauthorized access or leak confidential information. Dynamic information flow tracking (DIFT) is a security technique to track spurious information flows and provide strong security guarantees against such attacks. To secure heterogeneous systems, the spurious information flows must be tracked through all their components, including processors, accelerators (i.e., application-specific hardware components) and memories. We present PAGURUS, a flexible methodology to design a low-overhead shell circuit that adds DIFT support to accelerators. The shell uses a coarse-grain DIFT approach, thus not requiring to make modifications to the accelerator's implementation. We analyze the performance and area overhead of the DIFT shell on FPGAs and we propose a metric, called information leakage, to measure its security guarantees. We perform a design-space exploration to show that we can synthesize accelerators with different characteristics in terms of performance, cost and security guarantees. We also present a case study where we use the DIFT shell to secure an accelerator running on a embedded platform with a DIFT-enhanced RISC-V core.