PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators

TL;DR

PAGURUS introduces a low-overhead, flexible DIFT shell for accelerators, enhancing security in heterogeneous systems without modifying accelerator design, and evaluates its performance, security, and applicability on FPGA and embedded platforms.

Contribution

It proposes a coarse-grain DIFT shell for accelerators that requires no modifications to their implementation, enabling secure heterogeneous systems with low overhead.

Findings

The DIFT shell adds minimal area and performance overhead on FPGA.

The security metric 'information leakage' effectively measures security guarantees.

Case study demonstrates effective security enhancement on embedded platforms.

Abstract

Software-based attacks exploit bugs or vulnerabilities to get unauthorized access or leak confidential information. Dynamic information flow tracking (DIFT) is a security technique to track spurious information flows and provide strong security guarantees against such attacks. To secure heterogeneous systems, the spurious information flows must be tracked through all their components, including processors, accelerators (i.e., application-specific hardware components) and memories. We present PAGURUS, a flexible methodology to design a low-overhead shell circuit that adds DIFT support to accelerators. The shell uses a coarse-grain DIFT approach, thus not requiring to make modifications to the accelerator's implementation. We analyze the performance and area overhead of the DIFT shell on FPGAs and we propose a metric, called information leakage, to measure its security guarantees. We perform a design-space exploration to show that we can synthesize accelerators with different characteristics in terms of performance, cost and security guarantees. We also present a case study where we use the DIFT shell to secure an accelerator running on a embedded platform with a DIFT-enhanced RISC-V core.