JP4374476B2 - Cache memory and control method thereof - Google Patents

Description

  The present invention relates to a defense method against stack smashing, and more particularly to a cache memory and a control method thereof that are dynamic detection type defense methods that do not require analysis / conversion.

  In recent years, the damage caused by malicious programs using the buffer overflow vulnerability has increased rapidly. For example, typical examples are Code Red, which raged in 2001, and Blaster in 2003. The malicious program causes a buffer overflow while the computer to be attacked is executing a legitimate application, forcibly taking over the execution control of the program. Therefore, if a buffer overflow occurs during execution in privileged mode, the malicious program will be executed in privileged mode. As a result, the file can be deleted or altered, resulting in great damage. Figure 10 shows the proportion of recommendations issued by CERT (1996-2001) related to buffer overflow. As can be seen from the diagram, many malicious programs use the buffer overflow vulnerability, and its countermeasures are extremely important.

  The malicious program causes a buffer overflow after the function call and destroys the stack (called stack smashing). Then, the program execution control is taken over by altering the return address to the function call side to the head address of the malicious program code. The buffer overflow vulnerability that causes such stack smashing exists in C standard libraries such as strcpy and strcat. These functions do not check the region size when assigning a character string to a local variable. Therefore, when a character string larger than the buffer size specified by the local variable is substituted, writing is performed across the boundary of the reserved local variable memory area.

  FIG. 11 shows the situation when stack smashing occurs. Here, it is assumed that the function g that performs string copy using strcpy is called by the function f. Normally, when the function g is called, the return address to the function f is saved on the stack. Then, after the processing in the function g is completed, the execution control is transferred to the function calling side by restoring the return address to the PC. On the other hand, when stack smashing occurs due to a character string copy that does not check the buffer boundary, the malicious program code is overwritten on the stack area. In addition, the return address to the function f is altered to the head address of the malicious code. As a result, when returning to the caller function f, the altered return address is used, and as a result, execution control is transferred to the malicious program code in the stack.

  So far, various defense methods against stack smashing have been proposed. These can be classified as follows according to the presence or absence of code analysis and conversion for avoiding buffer overflow, and the detection timing of stack smashing.

  (1) Static analysis and static detection type: A program code is statically analyzed to check a place where a buffer overflow can occur. For example, there is a method for checking whether the “copy source character string size” exceeds the “copy destination local variable area size” or not (Reference 1: D. Wagner, JSFoster, EABrewer, and A. Aiken, "A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities," Proc. Of the Network and Distributed System Security Symposium, Feb. 2000.).

  (2) Static analysis / conversion and dynamic detection type: Code conversion for detecting stack smashing is performed at compile time by static analysis of a program. SASI proposed in Reference 2 (U. Erlingsson and FB Schneider, "SASI Enforcement of Security Policies: A Retrospective," Proc. Of the workshop on New security paradigm, 1999.) Insert the monitor (RM) into the code. For example, an RM code for performing a region check is inserted into a code portion where there is a risk of buffer overflow. Reference 3 (C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "StackGuard: In StackGuard proposed by Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, "Proc. Of 7th USENIX Security Symposium, Jan, 1998.", a random number called a canary word is generated and stored in a stack along with a return address. Since canary is pushed immediately after the return address, the canary value is also altered when stack smashing occurs. Therefore, by comparing the canary value at the time of function call and return, alteration of the return address can be inspected.

  (3) Dynamic analysis / conversion and dynamic detection type: Analyzes and converts code during program execution. Unlike the static analysis and conversion methods described above, object code compatibility can be maintained. Specifically, there is a method of dynamically generating a buffer overflow check code corresponding to a reference monitor by performing binary conversion (Reference 4: A. Baratloo, N. Singh, and T.). Tsai, "Transparent Run-Time Defense Against Stack Smashing Attacks," Proc. Of 2000 USENIX Annual Technical Conference, June 2000. (Reference 5: K. Scott and J. Davidson, "Safe Virtual Execution Using Software Dynamic Translation," Proc. Of the 18th Computer Security Applications Conference, Dec. 2002.).

(4) Dynamic detection type that does not require analysis / conversion: A method for realizing return address protection without code analysis or conversion. As a software approach, a method of providing a C library (called libsafe) that guarantees safety, a method of dynamically adding canary through the intervention of the OS, etc. have been proposed (see Reference 4) (reference) Reference 6: M. Frantzen and M. Shuey, "StackGhost: Hardware Facilitated Stack Protection," Proc. Of the 10th USENIX Security Symposium, Aug. 2001.). On the other hand, as a hardware approach, a method of mounting a secure return address stack (SRAS) which is a return address dedicated stack inside the processor has been proposed (reference 7: R. B. Lee, D. K. Karig. , J. P. McGregor, and Z. Shi, "Enlisting Hardware Architecture to Thwart Malicious Code Injection," Proc. Of the Int. Conf. On Security in Pervasive Computing, Mar. 2003.). When pushing the return address, write the return address to SRAS at the same time. When returning from the function, the return addresses popped from the memory stack and SRAS are compared. If the comparison results do not match, stack smashing has occurred.
R. B. Lee, D. K. Karig, J. P. McGregor, and Z. Shi, "Enlisting Hardware Architecture to Thwart Malicious Code Injection," Proc. of the Int. Conf. on Security in Pervasive Computing, Mar. 2003.

  In the present invention, attention is paid to the SRAS, which is one of the dynamic detection type hardware approaches that do not require analysis / conversion during the classification (4). According to SRAS, object code compatibility can be maintained completely, and system software such as C library and OS is not changed. However, as described above, SRAS is implemented as a small-capacity stack memory inside the processor, and when capacity is insufficient due to nesting of function calls, entry of entries to and from the protected safe main storage area is performed. / Has the problem of being refilled. Further, since SRAS is a stack, it has a problem that it cannot cope with function control (for example, setjmp or longjmp) different from LIFO operation by itself. Furthermore, there is a problem that the internal structure of the processor is greatly affected, and there is a difficulty in introducing an actual product.

  The present invention has been made to solve the above-mentioned problems, and a cache memory capable of discriminating stack smashing by mainly improving the cache memory without greatly affecting the internal structure of the processor and its control It aims to provide a method.

  In the cache memory control method according to the present invention, when there is data to be written to the cache memory from the processor, if the data to be written is a function return address value, the data to be written to the cache memory is normally written as usual. Write data as data, create replica data with the same contents as the original data, write it to the cache memory in association with the original data, and when the original data is read out as a function return address from the processor, the replica data corresponding to the original data And compare whether or not the original data and the replica data match. Thus, in the present invention, when there is data to be written from the processor to the cache memory, if the data to be written is a function return address value, the data to be written to the cache memory is written as original data as usual. In addition, replica data having the same content as the original data is created and written in the cache memory in association with the original data.When the original data is read out as a function return address from the processor, the replica data corresponding to the original data is read out, Since it is compared whether or not the original data and the replica data match, the original data is falsified when stack smashing is performed, and the original data and the replica data are not matched when compared with the replica data. That Tsu can be determined. In particular, the present invention is made by improving the cache memory control method, has little influence on the internal structure of the processor, and is easy to introduce. Therefore, it can be easily applied to a complex processor equipped with out-of-order execution and an advanced branch prediction mechanism. Further, unlike the SRAS, even in the case of function control (for example, setjmp or longjmp) different from the LIFO operation, it is possible to cope with no software intervention. Further, unlike the SRAS described above, since the replica data in the cache memory is created, a large amount of return addresses can be stored and it is difficult to correspond to eviction.

  The cache memory control method according to the present invention prohibits the replica data from being purged from the cache memory as necessary. As described above, in the present invention, since the eviction of replica data from the cache memory is prohibited, there is no eviction of the replica data from the cache memory, and the replica data always exists on the cache memory, A comparison can always be made, that is, the occurrence of stack thrashing can always be determined.

  Further, the cache memory control method according to the present invention is such that when there is data to be written from the processor to the cache memory, if the data to be written is a function return address value, the data to be written to the cache memory as usual. Is created as original data, and a plurality of replica data having the same contents as the original data are created and written in the cache memory in association with the original data, and when the original data is read out from the processor as a function return address, Corresponding replica data is read, and it is compared whether or not the original data matches at least one replica data. Thus, in the present invention, when there is data to be written from the processor to the cache memory, if the data to be written is a function return address value, the data to be written to the cache memory is written as original data as usual. In addition, a plurality of replica data having the same contents as the original data are created and written in the cache memory in association with the original data, and when the original data is read out from the processor as a function return address, the replica data corresponding to the original data is Since reading and comparing whether or not the original data and at least one replica data match each other, a plurality of replica data are created and associated with the original data and written to the cache memory. Replica data can improve the reliability as can be compared with the original data in the remaining of the replica data even when the flush is made from the cache memory, it is compared with the original data. Here, as the number of multiple replica data to be created increases, the reliability can be improved. However, it is necessary to secure an area on the cache memory, which increases the occurrence rate of eviction.

  In addition, the cache memory control method according to the present invention performs data eviction from the cache memory based on the LRU or MRU algorithm and writes the replica data to the eviction portion as needed when the replica data is written. Is. When eviction is performed based on the MRU algorithm, the replica data is less likely to be evicted, so safety is improved. However, the cache hit rate decreases. On the other hand, when the eviction is performed based on the LRU algorithm, the replica data is likely to be a target of the eviction, so the safety is lowered but the cache hit rate is improved.

  The cache memory control method according to the present invention preferentially targets such replica data to be expelled when there is replica data that has been compared with the original data, if necessary. As described above, in the present invention, when there is replica data that has been compared with the original data, the replica data is preferentially evicted. Therefore, the normal cache memory is based on the LRU algorithm employed. Although data to be evicted is specified, it is unlikely that replica data that has already played a role will be used again. By making such replica data to be evicted, the cache hit rate can be improved.

  Further, the cache memory according to the present invention is provided with an instruction monitoring means for monitoring an instruction sequence executed by the processor, if necessary, and the instruction monitoring means indicates that the current memory access is for a function return address. It is to detect. As described above, in the present invention, the instruction monitoring means for monitoring the instruction sequence executed by the processor is provided, and the instruction monitoring means detects that the current memory access is for the function return address. Without the output signal being sent to the cache memory to inform the cache memory that the memory access is targeted for the return address, the cache memory becomes the main component, and the memory access from the processor is returned to the function by the instruction monitoring means. It is possible to determine whether or not the address is intended, and it is not necessary for the processor to perform an operation peculiar to the cache memory according to the present invention, that is, the processor can be easily introduced without a design change.

(First embodiment of the present invention)
A cache memory control method according to the first embodiment of the present invention will be described with reference to FIGS. 1 is a configuration diagram of a general set associative cache memory, FIG. 2 is a configuration diagram of a set associative cache memory according to the present embodiment, and FIGS. 3 and 4 are cache caches according to the present embodiment. It is an operation | movement flowchart of memory.

  In the cache memory control method according to the present embodiment, when there is data to be written from the processor to the cache memory, if the data to be written is a function return address value, the data to be written to the cache memory is changed as usual. When the original data is written as the original data, the replica data having the same contents as the original data is created and associated with the original data and written to the cache memory. When the original data is read out from the processor as the function return address value, the replica corresponding to the original data In this configuration, the data is read and whether or not the original data and the replica data match each other.

  The case where this cache memory control method is applied to a set associative cache memory, which is one of the cache memory concatenation methods, will be specifically described. Here, first, a general set-associative cache memory will be described with reference to FIG. 1 from the viewpoint of a control method. Note that the present invention can also be applied to other cache / memory combination schemes, for example, a full-associative cache / memory combination scheme.

  As shown in FIG. 1, a general set-associative cache memory has a tag unit 12 having a plurality of tags 11 (tags) as array elements and a predetermined data area corresponding to the tags 11. A plurality of ways 31 (way) including a data area portion 22 having the data area 21 as an array element. Also, indexes are assigned in the order of array element numbers of the tag 11 (or data area). Then, the cache memory writes the data of the memory indicated by the memory reference address with the tag as the upper bit and the index as the lower bit in the data area 21. The operation of the set associative cache memory will be described in order by dividing it into a store operation and a load operation. First, in the store, a memory reference address is sent to the cache memory together with data from the processor. The cache memory uses the memory reference address as a predetermined upper bit as a tag and the remaining lower bits as an index. A set 41 is specified based on the index, and if there is a way 31 having the same tag, the same way 31 is selected. If there is not, the way 31 is appropriately selected. The data is written to the tag portion 12 of the selected way 31 and the data from the processor is overwritten on the data area 21 corresponding to the tag portion 12. Here, the write method of the cache memory is a write back method. Next, the memory reference address is sent from the processor to the cache memory. The cache memory divides this memory reference address into a tag and an index in the same manner as the store, reads out the set 41 corresponding to the index, and in the comparator of the data in each data area 21 read out, refers to the tag and memory of each data The tag in the address is compared and the corresponding data is sent to the processor. At the same time, the tag of each data sent out by the comparator is compared with the tag in the memory reference address, and the processor is notified whether there is corresponding data.

Next, the cache memory of the present invention will be described with reference to FIG. 2 in comparison with the general set associative cache memory (hereinafter referred to as a general cache memory). In the cache memory of the present invention, read-only replica data (in the set associative method, the data in each data area 21 may be referred to as a line, and according to this designation, it becomes a replica line) is the same set 41. A point created inside, a point provided with a replica data flag (R-flag) for each tag of the way 31 and the data area 21, a point equipped with a replica data multiplexer (Replica-MUX), The comparator includes not only the tag verification but also the replica data flag verification, and further includes a data content comparator 51 for comparing the original data read by the comparator with the replica data. However, this is different from the general cache memory. Due to this difference, in the set associative method, it becomes possible to associate the replica data as described above with the original data, and to compare whether the original data and the replica data match. However, it is only one mounting format, and the present invention is not limited to this mounting method.
The replica data flag indicates whether or not the data in the corresponding data area 21 is replica data, and consists of 1 bit.

  The general cache memory stores or loads in the same manner regardless of whether the object to be written to or read from the data area 21 is a function return address. However, the cache memory of the present invention performs writing. When the data to be processed is a function return address value, the process is separated when it is read as the function return address value. Therefore, it is necessary to determine whether the target data is a function return address value. Since the processor performs its own operation, it is possible to easily determine whether or not the cache memory is the function return address value by notification from the processor. More preferably, the cache memory alone is not notified of the processor, for example, based on the instruction type of the processor, or the register dedicated to the function return address in the processor is watched and data is stored in the register. Is written and sent to the cache memory. According to such a realization method, there is an advantage that the specification change by the cache memory of the processor can be minimized.

  Next, the operation of the cache memory according to the present embodiment will be described with reference to FIGS. Here, the case of a cache hit will be described, but the same operation is performed except that a line replacement is performed even in the case of a miss.

  First, based on the notification from the processor, the cache memory determines whether it is a store or load that targets the function return address value (step 101), and determines that it is not intended for the function return address value. In such a case, the general cache memory is operated as described above to store or load. Here, unless the function return address value is targeted, the operation for replica data is not performed. If it is determined in step 101 that the function return address value is targeted by the cache memory, it is determined whether the operation instruction is a store or load (step 102). When it is determined that the cache memory is a store, the set 41 to be accessed (reference set) is specified using the index in the memory reference address as in the case of a general cache memory (step 103). Then, in the identified reference set, the function return address value is written as original data in the data area 21 having the same tag 11 and invalid replica data flag (step 104).

  In the operation description so far, a cache miss is not assumed. However, when it is assumed that a cache miss occurs in the original data, the same reference tag 11 is included in the identified reference set, and the replica data It is determined whether there is a data area 21 for which the flag for use is invalid. If it is determined that there is a data area 21, the function return address value is written as original data. The operation of selecting and writing the function return address value as the original data in the data area 21 of the way 31 is inserted.

  Next, it is determined whether or not there is a data area 21 for replica data having the same tag 11 and having a valid replica data flag in the reference set (step 201). If it is determined that there is a data area 21 for such replica data, the same function return address value as that of the original data is written in the data area 21 for such replica data (step 202). If it is determined in step 201 that there is no data area 21 for such replica data, the way 31 is selected based on the MRU algorithm, and the same function return address value as that of the original data is set in the data area 21 of the way 31. Write (step 203). Here, when the replica data flag corresponding to the written data area 21 is invalid, it is made valid. The MRU algorithm is selected because the replica data becomes difficult to be subject to line replacement, and the safety is improved. However, the cache hit rate may be reduced. On the other hand, if the LRU algorithm is employed, replica data is likely to be subject to line replacement, and although the safety is reduced, the reduction in the cache hit rate can be reduced.

  If it is determined in step 102 that the operation instruction is a load, an index is derived from the memory reference address from the processor, and a reference set is specified from the index (step 301). Data in all the data areas 21 of the reference set and the tag 11 are read (step 302). In the comparator, the tag of the memory reference address is compared with the read tag 11, and data having the same tag is sent to the processor (step 303). Here, when a cache miss occurs, line replacement is performed.

  Next, in the reference set, it is determined whether or not there is a data area 21 for replica data having the same tag and having a valid replica data flag (step 401). If there is no data area 21 for such replica data, that fact (not only there is no replica data, but it may be that there is no replica data and safety cannot be guaranteed) is transmitted to the processor. (Step 402). If there is such a data area 21 for replica data, the replica data of the data area 21 is output to the data content comparator 51 (step 403). The data content comparator 51 also receives the original data output to the processor and compares it with the input replica data (step 404). If the data content comparator 51 determines that the original data and the replica data match, the process ends without doing anything (step 405). If the data content comparator 51 determines in step 404 that the original data and the replica data do not match, the processor (not only does not match, but stack smashing occurs). Is output) and the process ends (step 406).

  In the step 405, a Safe signal indicating that it is safe may be output to the processor. Even in this case, it is not necessary for the processor to wait until the Safe signal is input, as long as the processor can recognize at least before the control is transferred to the malicious code. Even when the Safe signal is introduced in this way, the cache access time hardly increases.

  As described above, according to the cache memory control method according to the present embodiment, when there is data to be written to the cache memory from the processor, when the data to be written is a function return address value, the cache memory is normally used. The data to be written to the memory is written as original data, and replica data having the same contents as the original data is created and associated with the original data and written to the cache memory. When the original data is read from the processor as a function return address, The replica data corresponding to the original data is read and compared to determine whether the original data and the replica data match. Therefore, if stack smashing is performed, the original data is falsified and compared with the replica data. If you can judge that there has been tampering not matched.

  In the present embodiment, the replica data flag is not used when the store does not target the function return address value. However, when the way 31 after specifying the reference set is selected, such a replica is used. It is also possible to look at the data flag, that is, when the replica data flag is valid, the data area 21 can be configured not to write data, and the replica data is always set. Is guaranteed to be in the cache memory, and comparison between the original data and the replica data is always possible. At this time, after the load for the function return address is completed, the replica data flag related to the function return address needs to be invalidated. This is because such a flag for replica data does not cause line replacement in such a line, and the cache memory is not released until the end of the process.

  In this embodiment, the cache memory can determine the line to be replaced based on the LRU algorithm, but the function return address has already been loaded and there is used replica data. In this case, such replica data can be preferentially targeted for line replacement. This realization can be realized by changing the flag constituting the LRU algorithm or the contents of the table. According to this, a line including replica data that is unlikely to be written again becomes a target of line replacement, and the cache hit rate can be improved.

(Second embodiment of the present invention)
A cache memory control method according to the second embodiment of the present invention will be described with reference to FIGS.
In the cache memory control method according to the present embodiment, when there is data to be written from the processor to the cache memory, if the data to be written is a function return address value, the data to be written to the cache memory is changed as usual. In addition to writing as original data, multiple replica data with the same contents as the original data are created and associated with the original data and written to the cache memory. When the original data is read out from the processor as a function return address, it corresponds to the original data. The replica data to be read is read, and whether or not the original data matches at least one replica data is compared. The difference from the cache memory control method according to the first embodiment is that a plurality of replica data for the original data is created and written in association with the original data.

  The case where the cache memory according to the present embodiment is applied to a set-associative cache memory which is one of the cache memory concatenation system according to the first embodiment will be described. Since the sum of the original data and the plurality of replica data cannot exceed the association degree, “association degree-1” [pieces] can be generated from the replica data. In this way, unlike the cache memory according to the first embodiment, by generating a plurality of replica data, even if one replica data is overwritten with other data by causing line replacement, Since other replica data remains, it is possible to compare the original data with the replica data, and there is an advantage that the reliability can be improved.

  Next, the operation of the cache memory according to this embodiment will be described. Since most of the operations overlap with the operation according to the first embodiment, only the steps that are different will be pointed out. In the store, the operation is the same up to step 105, and it is necessary to perform steps 201 to 203 in a loop according to the number of replica data to generate the number of replica data. In loading, in step 401, if there is one replica data, it can be compared with the original data. Therefore, when a plurality of replica data is on the cache memory, the replica data is selected from the plurality of replica data. One replica data is selected. The other operations are the same.

  As described above, according to the cache memory control method according to the present embodiment, when there is data to be written from the processor to the cache memory, when the data to be written is a function return address value, the cache memory is normally used. In addition to writing the data to be written as original data, creating a plurality of replica data having the same contents as the original data and writing them to the cache memory in association with the original data, when the original data is read from the processor as a function return address, Since replica data corresponding to the original data is read out and compared with whether or not the original data matches at least one replica data, a plurality of replica data is created and associated with the original data and cached. Even if some replica data is evicted from the cache memory, the remaining replica data can be compared with the original data and reliability can be compared with the original data. Can be improved. Here, as the number of multiple replica data to be created increases, the reliability can be improved. However, it is necessary to secure an area on the cache memory, which increases the occurrence rate of eviction.

Hereinafter, an experiment corresponding to the implementation of the cache memory according to the present invention was performed, which will be described below. First, the experimental environment will be explained. In order to evaluate the effectiveness of the proposed method, SimpleScalar tool set Ver.3.0d was improved and the cache memory according to the present invention (hereinafter referred to as SCache) was implemented (reference: SimpleScalar Tool Sets, http: // www.simplescalar.com/). In addition, a cycle level simulation of out-of-order execution was performed from the SPEC2000 benchmark site using seven integer programs and four floating point programs (reference: SPEC (Standard Performance Evaluation Corporation, http: // www .specbench.org /) Small input provided by SPEC is used as input data, assuming that L1 data cache size is 16KB, line size is 32B, association level is 4, and other processor configurations The default parameters of Simplescalar are used for the detailed parameters of SCache, and when the return address is loaded, safety can be guaranteed if a replica line exists.

Here, Nrald is the total number of IRA loads in program execution. Here, the IRA (Issued Return Address) load is a return address load issued to the cache memory. Nv-rald indicates the total number of IRA loads in which return address alteration cannot be detected (security cannot be guaranteed). On the other hand, energy consumption is evaluated by the following formula.

  Here, Erd and Ewt are the total read / write energy consumption of the L1 cache memory, respectively. Ewb represents the total write-back energy consumption associated with the creation of the replica line. Further, Emp indicates the energy consumed when a cache miss occurs. Actually, layout design and load capacity extraction of SRAM array for 1 way (4KB) was performed using 0.18μm CMOS process, and read / write energy consumption per bit including precharge operation was measured. Based on the results, energy consumption for cash access was converted. The value of Emp largely depends on the memory hierarchical structure. Therefore, it is assumed that the energy required for one access to the lower memory hierarchy is 10 times the average read energy consumption in the conventional cache memory.

  (Experimental result (safety)) In this evaluation, it is assumed that the association degree of the cache memory is 4, so that a maximum of 3 replica lines can be generated based on the LRU or MRU algorithm. Therefore, safety was evaluated for these combinations. The experimental results are shown in FIG. FIG. 8 shows the miss rate and the number of IRA loads (Nrald) in the conventional cache (CONV), and the miss rate in each SCache model. Here, LRU1R and LRU2R are models that generate one or two replica lines based on the LRU placement algorithm, respectively. Similarly, MRU1R and MRU2R use the MRU method for the placement algorithm. ALL generates replica lines for all lines in the reference set (except the master line).

  In this simulation, the LRU method is adopted as the line replacement algorithm at L1 cache miss. Therefore, the replica line created by LRU1R is easily removed from the cache memory by another access. On the other hand, LRU2R achieves higher security because the cache lifetime of the replica line is longer. For the same reason, the safety is improved by adopting the MRU method. When all SCache models were compared, ALL achieved the highest level of safety, and many programs were able to guarantee an IRA road safety of more than 99.7%. On the other hand, as shown in FIG. 8, the cache miss rate has increased with the increase in the number of replica lines to be generated or the adoption of the MRU method. Therefore, when performance is important, it is considered appropriate to select MRU1R in consideration of lowering the error rate and improving safety. When writing a return address in SCache, as described above, if a replica line having the same tag already exists, it is overwritten. Therefore, when such a replica line exists in the LRU area, MRU1R performs the same operation as LRU1R. Therefore, even in the MRU system, safety is improved by increasing the number of replica lines to be created.

  (Experimental result (consumed energy)) FIG. 6 shows the result of evaluation based on the consumed energy model. Here, FIG. 6 shows a way prediction cache that avoids unnecessary way access (reference: K. Inoue, T. Ishihara, and K. Murakami, “Way-Predicting Set-Associative Cache for High Performance and Low Energy. Consumption, "Proc. Of the Int. Symp.on Low Power Electronics and Design, pp. 273--275, Aug. 1999.). As can be seen from FIG. 6, the overhead increases as the number of replica lines increases. In particular, ALL, which generates the most replica lines, generated a maximum energy consumption overhead of about 23% (197.parser).

  In order to analyze the energy consumption in detail, the breakdown of the equation (2) was measured. The result is shown in FIG. Here, due to space limitations, two integer programs (197.parser, 255.vortex) and floating point programs (177.mesa, 183.equake) with the largest energy consumption overhead and two with the smallest overhead The result in the program (181.mcf, 179.art) is shown. Compared with the conventional cache (CONV), the read consumption energy Erd is almost the same rate of increase in all SCache models. This is because all ways are activated when a return address load is issued regardless of the number of replica lines created and the placement algorithm. On the contrary, the write energy consumption Ewt increases in proportion to the number of replica lines created. In addition, Emp is increasing as the miss rate increases. In particular, in 177.mesa, when compared with the conventional method, the ALL model causes a significant decrease in the hit rate (see FIG. 8), and the increase in Emp due to the influence appears remarkably.

When comparing 181.mcf and 190.art, which have a small overhead, with these two programs, energy consumption due to cache misses accounts for a large percentage. In fact, as shown in FIG. 8, the error rate of these programs is extremely high. Thus, when the increase in the miss rate due to SCache is sufficiently small compared to the conventional miss rate, the energy consumption overhead related to Emp is concealed. Further, in the way prediction method used as a reference in this evaluation, the energy consumption reduction effect by way prediction is reduced as the miss rate increases. For these reasons, the energy overhead associated with the adoption of SCache has been reduced.
On the other hand, in all programs, when comparing LRU1R and MRU1R, and LRU2R and MRU2R, respectively, there is almost no difference in energy consumption. When the number of replica lines to be generated is the same, the cache consumption energy is almost the same regardless of the placement algorithm. On the other hand, in the case of the MRU method, the hit rate is lowered, but the energy consumption overhead is relatively small. Considering these results, we consider that the MRU method is suitable for the replica line placement algorithm.

  (Experimental Result (Performance)) In SCache, a replica line is generated in a set in the cache, so that a performance overhead is accompanied by an increase in the cache miss rate. The performance overhead in each benchmark is shown in FIG. In the ALL model that generates the maximum number of replica lines, the performance degradation is 1.1% (177.mesa) even in the worst case. For other models, all programs except 197.paser have a performance overhead of 0.2% or less. This is because the data cache memory has a sufficient capacity for the number of return addresses to be protected. From the above, the performance degradation due to the proposed method is considered to be negligible.

  (Conclusion) In this paper, we proposed Secure Cache (SCache) as an architectural approach to stack smashing. SCache uses a large area of cache memory to protect the return address. As a result of experiments, many programs were able to guarantee safety for return address loads of 99.7% or more. In addition, as a result of energy consumption analysis, when safety is a priority, the ALL model that generates duplicates for all lines requires low energy consumption while maintaining a certain level of safety. It was found that MRU1R based on MRU method is appropriate.

It is a block diagram of a general set associative cache memory. 1 is a configuration diagram of a set associative cache memory according to a first embodiment. FIG. 3 is an operation flowchart of the cache memory according to the first embodiment of the present invention. 3 is an operation flowchart of the cache memory according to the first embodiment of the present invention. It is a graph which shows the dangerous return address load incidence rate of an Example. It is a graph which shows the energy consumption overhead of an Example. It is a graph which shows the breakdown of the energy consumption of an Example. It is a table | surface of the cache miss rate of an Example. It is a graph which shows the overhead of the performance of an Example. It is a graph which shows a buffer overflow. It is a figure which shows the operation | movement principle of stack | smashing.

Explanation of symbols

11 Tag 12 Tag part 21 Data area 22 Data area part 31 Way 41 Set 51 Data content comparator

Claims (6)

When there is data to be written to the cache memory from the processor, if the data to be written is a function return address value, the data to be written to the cache memory is written as the original data as usual, and the same contents as the original data Create replica data of and write it to the cache memory in association with the original data.
A cache memory control method, wherein when original data is read from a processor as a function return address, replica data corresponding to the original data is read, and whether or not the original data and the replica data match is compared. In the cache memory control method according to claim 1,
A cache memory control method, which prohibits eviction of the replica data from the cache memory. When there is data to be written to the cache memory from the processor, if the data to be written is a function return address value, the data to be written to the cache memory is written as the original data as usual, and the same contents as the original data Create multiple replica data of each and write them to the cache memory in association with the original data,
When the original data is read from the processor as a function return address, the replica data corresponding to the original data is read, and whether or not the original data matches at least one replica data is compared. Control method. In the cache memory control method according to claim 1 or 3,
A cache memory control method comprising: purging data from a cache memory based on an LRU or MRU algorithm and writing replica data to the eviction portion when replica data is written. In the cache memory control method according to any one of claims 1 to 4,
A cache memory control method characterized in that when there is replica data for which comparison with the original data has been completed, the replica data is preferentially ejected. Instruction monitoring means for monitoring the instruction sequence executed by a processor provided, cache according to any one of the claims 1 detects that the instruction monitor means the current memory access is directed to the function return address 5 -Cache memory to which memory control method is applied.

Images