WO2018056997A1 - Method and apparatus for implementing a programmable security unit for a computer system - Google Patents
Method and apparatus for implementing a programmable security unit for a computer system Download PDFInfo
- Publication number
- WO2018056997A1 WO2018056997A1 PCT/US2016/053349 US2016053349W WO2018056997A1 WO 2018056997 A1 WO2018056997 A1 WO 2018056997A1 US 2016053349 W US2016053349 W US 2016053349W WO 2018056997 A1 WO2018056997 A1 WO 2018056997A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- memory
- application
- security unit
- code
- kernel
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F12/0802—Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
- G06F12/0806—Multiuser, multiprocessor or multiprocessing cache systems
- G06F12/0815—Cache consistency protocols
- G06F12/0831—Cache consistency protocols using a bus scheme, e.g. with bus monitoring or watching means
- G06F12/0833—Cache consistency protocols using a bus scheme, e.g. with bus monitoring or watching means in combination with broadcast means (e.g. for invalidation or updating)
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/79—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
Definitions
- Embodiments of the present disclosure pertain to providing security in a computer system. More specifically, embodiments of the present disclosure relate to a method and apparatus for implementing a programmable security unit for a computer system.
- Antivirus software was originally developed to detect and remove computer viruses. As computer viruses evolve and continue to become increasingly sophisticated and as the proliferation of new kinds of malware continue, antivirus software has evolved to provide protection from other computer threats. In particular, modem antivirus software can protect from malicious browser helper objects (BHOs), browser highjackers, keyloggers, backdoors, rootkits, Trojan horses, worms, adware, and spyware. Some antivirus software also provide protection from other computer threats, such as infected and malicious URLs, spam, scam and phishmg attacks.
- BHOs browser helper objects
- keyloggers keyloggers
- backdoors rootkits
- Trojan horses worms
- adware adware
- Antivirus software may perform a number of different types of checks.
- One type of checking performed by antivirus software may include performing a comparison to detect for known viruses, worms, and other types of malware.
- Another type of checking performed by antivirus software may include performing a comparison to identify bad types of behavior that may be markers or flags for new types of threats.
- a number of approaches have been researched to address the different types of checks performed by antivirus software. For example, learning techniques, such as machine learning, may be used to observe, identify, and predict malicious behavior. Depending on the complexity of the tasks performed by antivirus software, the computations required by the antivirus software may require a large amount of computing resources.
- Figure 1 is a block diagram of a computer system implementing a programmable security unit according to an exemplar ⁇ - embodiment of the present disclosure.
- Figure 2 is a block diagram illustrating subcomponents of a computer system implementing a programmable security unit according to an exemplary embodiment of the present disclosure.
- Figure 3 illustrates a security kernel table according to an exemplaiy embodiment of the present disclosure.
- Figure 4 is a flow chart illustrating a method for managing a system security unit according to an exemplar ⁇ ' embodiment of the present disclosure.
- FIG. 5 is a flow chart illustrating a method for managing a security kernel management unit according to an exemplary' embodiment of the present disclosure.
- Figure 6 is a block diagram of a system security unit according to an exemplary embodiment of the present disclosure.
- Figure 7 is a block diagram of a security kernel management unit according to an exemplary embodiment of the present disclosure.
- Figure 8 illustrates an exemplaiy field programmable gate array (FPGA) that is used to implement a programmable security unit according to an exemplary embodiment of the present disclosure.
- FPGA field programmable gate array
- Antivirus software may be intrusive from a computing standpoint.
- the antivirus software may require a large number of computing cycles. When executed on a processor shared with user applications to monitor a user application during run time, the antivirus software may interfere with the user's experience.
- a programmable security unit is disclosed that resides external to a memory and a processor of a computer system.
- the programmable security unit monitors code in the rnemoiy that is executed by the processor.
- the programmable security unit provides the potential advantage of supplying additional computing resources that allow for the monitoring of threats in code associated with an application executed by the processor without interfering with the execution of the application.
- the programmable security unit also provides the potential advantage of monitoring a plurality of applications in parallel, and being configurable to allow an application programmer or user to specif)' for each application 1 ) a procedure to use to monitor code and data corresponding to the application in memory, 2) a memory range in the memory corresponding to the application, 3) a limit for bandwidth of the memory used for monitoring the application, and 4) an action to perform in response to detecting a threat in the code and data.
- FIG 1 is a block diagram, of a computer system 100 according to an exemplary embodiment of the present disclosure.
- Hie computer system 100 may be implemented by a desktop, laptop, smart phone, tablet, smart appliance, or other computing device.
- the computer system 100 includes a processor 101 that processes data signals.
- Figure 1 shows the computer system 100 with a single processor. However, it is understood that the computer system 100 may operate with multiple processors.
- the processor 101 may be implemented by a single or multi- core processor(s).
- the processor 101 is coupled to an input/output (I/O) subsystem 110.
- the I/O subsystem 1 10 may include memory controller hubs, I/O control hubs, communication links, and/or other components and subsystems to facilitate I/O operations.
- the I/O subsystem 110 transmits data signals between components in the computing device 100.
- the I/O subsystem 1 10 may include a single bus or a combination of multiple buses.
- the computing de vice 100 includes a memory 102.
- the memory 102 is coupled to the I/O subsystem 110.
- the memory 102 may be a dynamic random access memory device, a static random access memory device, and/or other memory device.
- the memory 102 may store instructions and code represented by data signals that may be executed by the processor 101.
- a data storage device 103 is coupled to the I/O subsystem 110.
- the data storage device 103 may be implemented with a device configured for short-term or long-term storage of data such as a solid state drive, memory card or other mass storage device.
- Peripheral devices 104 are coupled to the I/O subsystem 1 10.
- the peripheral devices 104 may include various I/O devices such as devices that support communication and display.
- the peripheral devices 1 4 may include display and touch screens, buttons, switches, keyboard, mouse, speakers, microphone, and/or other peripheral devices.
- a network controller 105 is coupled to the I/O subsystem 110.
- the network controller may link the computer system 100 to a network of computers (not shown) and supports communication among the machines. It should be appreciated that computing devices having a different architecture or having different components may also be used to implement the computer system 100.
- one or more applications 120 may be allocated in memory 102 and executed by the processor 101.
- the code and data corresponding io the applications in memory may be monitored by programmable security unit 130 to identify potential threats.
- the programmable security unit 130 resides external to the processor 101 and memory 102 and may apply specified procedures to monitor code and data corresponding to the one or more applications.
- the programmable security unit 130 scans lines in memor ' 102 using non-coherent memory reads in order to avoid snooping other processors or processor cores accessing the lines.
- the programmable security unit 130 provides the computer system 100 with an engine to perform security monitoring during the runtime of applications without unduly burdening the processor 101 while the processor 101 is running the applications.
- the programmable security unit 130 may be implemented by a field programmable gate array (FPGA) or other computing device.
- FPGA field programmable gate array
- Figure 2 is a block diagram illustrating subcomponents in a computer sy stem 200 implementing a programmable security unit 220 according to an exemplary embodiment of the present disclosure.
- the processor 210, programmable security unit 220, and memory 230 illustrated in Figure 2 may be used to implement the processor 101, programmable security unit 130, and memory 102 illustrated in Figure 1.
- the processor 210 includes a system security unit 211.
- the system security unit 211 registers applications that are to be monitored by the programmable security unit 220. For each application to be monitored, the system security unit 21 1 identifies a memory range or region in memory 230 where code and data corresponding to the application is to be monitored.
- the system security unit 211 identifies a procedure to utilize to monitor the application.
- the procedure may include one or more algorithms to compare the code and data with other code and data known to be malicious or to observe, identify, and predict malicious behavior from the code and data.
- the procedure may be referred to as a "bit stream".
- the system security unit 211 also identifies an action to perform in response to detecting a threat in the code and data.
- the action may include transmitting an identified notification, such as an interrupt, to an identified component and/or program.
- the system security unit 211 may also identify a class of sendee or quality of service (QoS) to allocate for monitoring an application.
- QoS quality of service
- the quality of sendee operates to establish a limit to a bandwidth of memory used when monitoring the code and data.
- the system security unit 211 may identify the i formation described from information provided by a user, an operating system, and/or the application being monitored itself. It should be appreciated that the system security unit 2 1 maybe a program stored in memory 200 and executed by the processor 210.
- the programmable security unit 220 includes a security kernel management unit 221.
- the security kernel management unit 221 receives information from the security registration unit 211 regarding applications to monitor, memory ranges of code and data corresponding to the applications to monitor, procedures to utilize in the monitoring, actions to perform, and a quality of service to allocate for monitoring.
- the security kernel management unit 221 writes the information to a security kernel table 222 in the programmable security unit 220 and generates a kernel for each application identified to be monitored.
- Each kernel generated by the security kernel management unit 221 is executed by the programmable security unit 220 and operates to monitor an application within the parameters specified by the information in the security kernel table 222.
- kernel 1 225, kernel 2 226, and kernel 3 227 are generated by the security kernel management unit 221 to monitor three applications executing in processor 210.
- the security kernel management unit 221 also regulates a quality of sen'ice of data flow between a kernel and memory 230. According to an embodiment of the present disclosure, the security kernel management unit 221 controls the amount of traffic permitted between a kernel and memory 230 to comply with a limit recorded in the kernel table 222. The security kernel management unit 221 may also control the type of traffic permitted between a kernel and memory 230 such that a kernel may only access memory ranges or regions in memory associated with it as recorded in the kernel table 222. Memory access between the programmable security unit 220 and memory 230 may be conducted via memory interface 223. The memory interface 223 routes memory- access request through the processor 210 using a coherency memory channel . According to an embodiment of the present disclosure, the coherency memory channel may utilize tunneled memory access procedures. It should be appreciated that the security kernel management unit 221 may be implemented by software executed on a processor, hardware components, or a combination of hardware and software.
- the memory 230 stores code and data associated with the applications executed by the processor 210. As shown in this example, the memory 230 includes three memory regions 231-233 that store code and data associated with the three applications executing in processor 210. According to an embodiment of the present disclosure, a coherent address space in memory 230 is maintained between the processor 210 and programmable security unit 220.
- FIG. 3 illustrates a representation of a security kernel table 300 according to an exemplary embodiment of the present disclosure.
- the security kernel table 300 may be used to implement the security kernel table 222 illustrated in Figure 2.
- the security kernel table 300 lists an identifier in column 315 that identifies the kernel for the application.
- the security kernel table 300 includes a column 313 that identifies a memory range where code and data associated with the application is located and is to be monitored.
- the security kernel table 300 includes a column 314 that identifies an action to perform or notification to generate when a threat is detected.
- the security kernel table 300 includes a column 311 that identifies an agent to receive the action or notification identified from column 314.
- the security kernel table 300 includes a column 312 to identify a class of service which limits a bandwidth of memory to allocate for monitoring an application.
- the security kernel table 300 For each application to be monitored, the security kernel table 300 also identifies a procedure or "bit-stream" to utilize for performing the monitoring. It should be appreciated that the procedure may be uploaded to the programmable security unit externally from a different component. Alternatively, the procedure may be available on the programmable security unit and selectable from a plurality of procedures listed on the kernel table 300. As shown in Figure 3, a plurality of machine learning optimized bit-streams are available to be selected to be used as procedures for monitoring code and data corresponding to applications. The list of available procedures may include information such as machine state registers (MSRs) 321 or other mechanisms that may be used to setup a bit-stream, bit-stream identifiers 322, class of service
- MSRs machine state registers
- kernel 0 is shown to utilize bit-stream 0
- kernel 1 is shown to utilize bit-stream 1
- kernel 2 is shown to utilize ML bit-stream 0.
- the security kernel table 300 may list other information and may be formatted or arranged in a manner different from what is shown in Figure " ⁇
- FIG. 4 is a flow chart illustrating a method for managing a system security unit according to an exemplar ⁇ ' embodiment of the present disclosure.
- the method described may be performed by a system security unit implemented by a processor.
- registration information is identified for applications to be monitored.
- the registration information may include a memory range or regions in memory where code and data corresponding to the applications are to be monitored.
- the registration information may include procedures (bit-streams) to utilize to monitor the applications.
- the registration information may include an action to perform in response to detecting a threat in the code and data and a recipient of the action.
- the registration information may include a class of service or quality of service (QoS) to allocate for monitoring the applications.
- QoS quality of service
- Tire quality of service operates to establish a limit to a bandwidth of memory used when monitoring the code and data.
- the registration information may be identified from information provided by a user, an operating system, and/or the applications being monitored themselves.
- the registration information is transmitted to a programmable security unit.
- the programmable security unit resides on a component external to and separate from the processor.
- the registration information may be transmitted to the programmable security unit using a dedicated channel.
- the registration information may be used by the programmable security unit to generate kernels to monitor the applications.
- a kernel executing in the programmable security unit may utilize an identified procedure that requests access to regions in memory to monitor code and data corresponding to an application.
- the programmable security unit may request the memory access by utilizing a non-coherent read command.
- the noncoherent memory read allows memory access while avoiding snooping of processor cores that have access to the memory. If it is determined that the programmable security unit is requesting a memory access, control proceeds to 404. If it is determined that the programmable security unit is not requesting a memory access, control returns to 403.
- memory access is allowed.
- memory access is coordinated through the processor using a coherency memory channel.
- the memory access is conducted without requiring memory coherency. This allows the programmable security unit to read data from memory without generating invalidations and without performing snooping. As a result, the memory accesses do not impact the performance of the memory to other applications.
- a procedure used by a kernel running on the programmable security unit may detect a threat from analyzing information from the memory access. A notification would be received from the programmable security unit if a threat were detected. If a threat is detected, control proceeds to 406. If a threat is not detected, control proceeds to 407. [0033] At 406, a specified action received from the programmable security unit is performed. According to an embodiment of the present disclosure, the specified action may include a notification to a component or program..
- a change in the kernel may result from updating or de- registering a kernel or changing registration information associated with a kernel. If it is determined that a change has been made to the kernel, control returns to 401 to identify the registration information of the kernel. If it is determined that no change has been made to the kernel, control returns to 403.
- FIG. 5 is a flow chart illustrating a method for managing a security kernel management unit according to an exemplary embodiment of the present disclosure.
- the method described may be performed by a programmable security unit residing external to a processor executing an application that is being monitored.
- the security kernel management unit may be implemented by hardware components, software, or a combination of hardware and software.
- a security kernel table is updated.
- the security kernel table may be updated whenever new registration information is received from a system security unit.
- the registration information may include memory ranges or regions in memory where code and data corresponding to the applications is to be monitored.
- the registration information may include procedures (bit-streams) to utilize to monitor the applications.
- the registration information may include an action to perform, in response to detecting a threat in the code and data and a recipient of the action.
- the registration information may include a class of sendee or quality of sendee (QoS) to allocate for monitoring the applications.
- QoS quality of sendee
- the quality of sendee operates to establish a limit to a bandwidth of memory used when monitoring the code and data.
- the registration information may be identified from information provided by a user, an operating system, and/or the applications being monitored themselves.
- a kernel is generated for each application to be monitored.
- the kernel is a program that is run on the programmable security unit. The kernel is generated using registration information associated with the application to be monitored.
- the memory access may be requested from one or more of the kernels executing in the programmable security unit. If a memory access is requested, control proceeds to 504. If a memory access is not requested, control returns to 503.
- a memory range associated with the memory access is compared with a memory range associated with an application that the kernel is monitoring to determine whether the memory access is allowed.
- the security kernel table may be accessed to look-up the relevant information for comparison. If the memory access is allowed, control proceeds to 505. If the memory access is not allowed, control returns to 503 to determine whether another memory access is requested.
- a bandwidth required for the memory access is compared with a permitted limit of bandwidth of memory allocated for the kernel .
- the security kernel table may be accessed to look-up the relevant information for comparison. If sufficient bandwidth has not been allocated, control proceeds to 506.
- the memory access is throttled.
- the memory access may be throttled by partitioning the memory range for the memory access request, and requesting access for the partitioned memory range over a period of time. This would allow the memory access to be performed within the bandwidth allocated for memory use.
- a read request is generated for the memory access.
- the read request is made using a non-coherent read command. The non-coherent read command allows data to be fetched from memory without generating any invalidation and without performing snooping.
- a threat may be detected by one or more kernels executing in the programmable security unit.
- a kernel may detect a threat in response to analyzing code and data received from the memory access. If it is determined that a threat has been detected, control proceeds to 509. If it is determined that a threat has not been detected, control returns to 503.
- an action is performed upon detection of a threat.
- the security kernel table may be referenced to identify an appropriate action to perform in response to the detection.
- the action may include providing a notification to a specified program or component.
- Figures 4 and 5 are flow charts that illustrate embodiments of the present disclosure.
- the procedures described in these figures may be performed may be performed by software executed on a processor, by hardware components, or a combination of hardware and software. Some of the techniques illustrated may be performed sequentially, in parallel or in an order other than that which is described and that the procedures described may be repeated. It is appreciated that not all of the techniques described are required to be performed, that additional techniques may be added, and that some of the illustrated techniques may be substituted with other techniques.
- FIG. 6 is a block diagram of a system security unit 600 according to an exemplary embodiment of the present disclosure.
- the system security unit 600 may be used to implement the system security unit 21 1 illustrated in Figure 2, Figure 6 illustrates modules implementing an embodiment of the system security unit 600.
- the modules represent software modules and providing system security may be performed by a processor such as the one illustrated in Figure 1 executing sequences of instructions represented by the modules shown in Figure 6. Execution of the sequences of instructions causes the processor to provide system security.
- hard-wire circuitry may be used in place of or in combination with software instructions to implement embodiments of present disclosure.
- embodiments of present disclosure are not limited to any specific combination of hardware circuitry and software.
- the system security unit 600 includes a system security unit manager 610.
- the system security unit manager 610 is connected to and transmits data between the components of the system security unit 600.
- the system security unit 600 includes a registration information identifier unit 620.
- the registration information identifier unit 620 identifies registration information for an application to be monitored.
- the registration information may be identified from information provided by a user, an operating system, and/or the application being monitored itself.
- the registration information may include memory ranges or regions in memory where code and data corresponding to the application is to be monitored.
- the registration information may include procedures (bit-streams) to utilize to monitor the applications.
- the registration information may include an action to perform in response to detecting a threat in the code and data and a recipient of the action.
- the registration information may include a class of sendee or quality of sendee (QoS) to allocate for monitoring the application.
- the quality of service operates to establish a limit to a bandwidth of memory used when monitoring the code and data.
- the system security unit 600 includes a registration information transmission unit 630.
- the registration information transmission unit 630 transmits the registration information to a programmable security unit residing on a component external to and separate from the processor. According to an embodiment of the present disclosure, the registration information may be transmitted to the programmable security unit using a dedicated channel.
- the system security unit 600 includes a memory access unit 640. In response to determining that the programmable security unit is requesting a memor ' access a read to the memory is coordinated. According to an embodiment of the present disclosure, a request to access memory from the programmable security unit may be recognized by receiving a noncoherent read command. The read to the memory may be performed using a coherency memory channel . The memory access may be conducted without requiring memory coherency. This allows the programmable security unit to read data from memory without generating invalidations and without performing snooping. As a result, the memory accesses would not impact the availability of the memory to other applications.
- the system security unit 600 includes a notification unit 650.
- a notification from the programmable security unit would be forwarded to a specified component or program.
- FIG. 7 is a block diagram of a security kernel management unit 700 according to an exemplary embodiment of the present disclosure.
- the security kernel management unit 700 may be used to implement the security kernel management unit 221 illustrated in Figure 2.
- Figure 7 illustrates modules implementing an embodiment of the security kernel management unit 700.
- the modules represent software modules and managing a security kernel may be performed by a processor executing sequences of instructions represented by the modules shown in Figure 7. Execution of the sequences of instructions causes the processor to manage a security kernel.
- hard-wire circuitry may be used in place of or in combination with software instructions to implement embodiments of present disclosure.
- embodiments of present disclosure are not limited to any specific combination of hardware circuitry and software.
- the security kernel management unit 700 includes a security kernel manager 710.
- the security kernel manager 710 is connected to and transmits data between the components of the security kernel management unit 700.
- the security kernel management unit 700 includes a security control unit 720.
- the security control unit 720 updates a security kerne! table whenever new registration information is received from a system security unit.
- the registration information may include memory ranges or regions in memory where code and data corresponding to the applications is to be monitored.
- the registration mfonnation may include procedures (bit-streams) to utilize to monitor the applications.
- the registration information may include an action to perform in response to detecting a threat in the code and data and a recipient of the action.
- the registration information may include a class of service or quality of service (QoS) to allocate for monitoring the applications.
- the security control unit 720 generates a kernel for each application to be monitored according to the registration information associated with the application.
- the kernel is a program that is run on the programmable security unit.
- the security kernel management unit 700 includes a quality of sen-ice (QOS) bandwidth control unit 730.
- QOS quality of sen-ice
- the QOS bandwidth control unit 730 determines whether memory access is allowed for a requesting kernel by comparing a memory range associated with the memory access request with a memory range associated with an application that the kernel is monitoring.
- the QOS bandwidth control unit 730 may also determine whether sufficient bandwidth has been allocated for the memory access by comparing the bandwidth required for the memory access with a permitted bandwidth of memory set for the kernel.
- the QOS bandwidth control unit 730 may throttled the memory access by partitioning the memory range for the memory access request, and requesting access for the partitioned memory range over a period of time.
- the QOS bandwidth control unit 730 generates a read request for the memory access using a non-coherent read command.
- the non-cohereni read command allows data to be fetched from memory without generating any invalidation and without performing snooping.
- the security kernel management unit 700 includes an action generation unit 740.
- the action generation unit 740 may forward an action specified by the kernel or perform an action specified in the security kernel table.
- the action may include providing a notification to a specified program or component.
- Figure 8 illustrates an exemplary field programmable gate array (FPGA) that is used to implement a programmable security unit according to an exemplary embodiment of the present disclosure.
- the FPGA 900 may be used to implement the programmable security unit 220 illustrated in Figure 2.
- the FPGA 800 includes a plurality of logic-array blocks (LABs).
- the FPGA 800 may be implemented on a single integrated circuit.
- Each LAB may be formed from a plurality of logic blocks, carry chains, LAB control signals, look up table (LUT) chain, and register chain connection lines.
- a logic block is a small unit of logic providing efficient implementation of user logic functions.
- a logic block includes one or more combinational cells, where each combinational cell has a single output, and registers.
- the logic block may operate similarly to a logic element (LE), such as those found in the Stratix or Cy clone devices manufactured by Altera Corporation, now owned by Intel Corporation.
- LABs are grouped into rows and columns across the device 900. Columns of LABs are shown as 811-816. It should be appreciated that the logic block may include additional or alternate components.
- the FPGA 800 includes memory blocks.
- the memory blocks may be, for example, dual port random access memory (RAM) blocks that provide dedicated true dual-port, simple dual- port, or single port memory up to various bits wide at up to various frequencies.
- the memory blocks may be grouped into columns across the device in between selected LABs or located individually or in pairs within the FPGA 800. Columns of memory blocks are shown as 821-824.
- the FPGA 800 includes digital signal processing (DSP) blocks.
- the DSP blocks rnay be used to implement multipliers of various configurations with add or subtract features.
- the DSP blocks include shift registers, multipliers, adders, and accumulators.
- the DSP blocks may be grouped into columns across the FPGA 800 and are shown as 831.
- the FPGA 800 includes a plurality of input output elements (!OEs) 840. Each IOE feeds an 10 pin (not shown) on the FFPGA 800.
- the !OEs 840 are located at the end of LAB rows and columns around the periphery of the FPGA 800.
- Each IOE may include a bidirectional 10 buffer and a plurality of registers for registering input, output, and output-enable signals.
- the FPGA 800 may include routing resources such as LAB local interconnect lines, row interconnect lines ( ⁇ -type wires”), and column interconnect lines ("V-type wires”) (not shown) to route signals between components on the FPGA 800.
- routing resources such as LAB local interconnect lines, row interconnect lines ( ⁇ -type wires"), and column interconnect lines ("V-type wires") (not shown) to route signals between components on the FPGA 800.
- the FPGA 800 may be programmed to implement a security kernel management unit, security kernel table, and memor - interface.
- the FPGA 800 may include an on-chip processor or utilize its programmable resources to implement a soft processor to execute one or more components in the security kernel management unit or kernels generated by the security kernel management unit.
- a computer system includes a memory.
- the computer system includes a processor.
- the computer system includes a programmable security unit, residing external to the memory and the processor, that monitors code in the memory executed by the processor and data in the memory accessed by the code.
- the programmable security unit is configurable by a user to specify a procedure to monitor the code and data.
- the procedure comprises a machine/deep learning procedure.
- the programmable security unit is configurable by a user to specify a memory range in the memor ' to monitor the code and data.
- the programmable security unit is configurable by the user to limit a bandwidth of the memory used when monitoring the code and data.
- the programmable security unit is configurable by the user to specify an action to perform in response to detecting a threat in the code and data.
- the action comprises transmitting a system interrupt to an operating system of the processor.
- the action comprises transmitting an interrupt to an application associated with the code and data.
- the programmable security unit accesses the memory' via the processor using a tunneled memory access procedure.
- the programmable security unit accesses the memory with a non-coherent reads without requiring invalidation or snooping.
- the programmable security unit monitors code and data corresponding to a plurality of applications in parallel.
- the programmable security unit is configurable to specify for each of the plurality of applications 1) a procedure used to monitor code and data
- the programmable security unit is implemented by a field programmable gate array.
- a non-transitory computer-readable medium having sequences of instructions, the sequences of instructions including instructions which, when executed, cause a processor to perform a method for managing a system security unit that includes identifying an application to monitor. Registration information associated with the application is identified. The application and the registration information are registered with a programmable security unit residing external to a processor executing the application .
- identifying the registration information associated with the application comprises identifying a range in memory that stores code and data corresponding to the application.
- identifying the registration information associated with the application comprises identifying a limit to memory access bandwidth for monitoring the application.
- identifying the registration information associated with the application comprises identifying a procedure to monitor the application .
- the application to monitor and the registration information is specified by one of a user, operating system, and the application.
- the method further comprises coordinating an access to memory by the programmable security unit without requiring memory coherency .
- a programmable security unit includes a processor that executes a kernel that monitors code corresponding to an application executed on an external processor and stored on an external memory, and that monitors data associated with the application and stored on the external memory.
- the programmable security unit also includes a quality of service bandwidth control unit that controls an amount of bandwidth from the external memory used by the kernel.
- the programmable security unit further comprises a security control unit that generates the kernel .
- the security control unit updates a security kernel table with memory range information for the code and data, an identity of a procedure for monitoring the code and data, and action information that specifies an action to perform in response to the kernel detecting a threat in the code and data.
- the programmable security unit is implemented by a field programmable logic device.
- a programmable security unit includes a processor means that executes a kernel that monitors code corresponding to an application executed on an external processor and stored on an external memor -, and that monitors data associated with the application and stored on the external memory.
- the programmable security unit also includes a quality of service bandwidth control means that controls an amount of bandwidth from the external memory used by the kernel.
- the programmable security unit further comprises a security controi means that generates the kernel.
- a method for managing a system security unit includes identifying an application to monitor. Registration information associated with the application is identified. The application and the registration information are registered with a programmable security unit residing external to a processor executing the application.
- identifying the registration information associated with the application comprises identifying a range in memory that stores code and data corresponding to the application.
- identifying the registration information associated with the application comprises identifying a limit to memor ⁇ ' access bandwidth for monitoring the application.
- identifying the registration information associated with the application comprises identifying a procedure to monitor the application.
- the application to monitor and the registration information is specified by one of a user, operating system, and the application.
- the method further comprises coordinating an access to memory by the programmable security unit without requiring memory coherency,
- a non-transitory computer-readable medium having sequences of instructions, the sequences of instructions including instructions which, when executed, causes a processor to perform the method of any one of the previous embodiments.
- Embodiments of the present disclosure may be provided as a computer program product, or software, that may include an article of manufacture on a machine accessible or machine readable medium having instructions.
- the instructions on the machine accessible or machine readable medium may be used to program a computer system or other electronic device.
- the machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs, and magneto -optical disks or other type of raedia/machine-readable medium suitable for storing or transmitting electronic instructions.
- the techniques described herein are not limited to any particular software configuration. They may find applicability in any computing or processing environment.
- machine accessible medium or “machine readable medium” used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by the machine and that cause the machine to perform any one of the methods described herein.
- machine readable medium used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by the machine and that cause the machine to perform any one of the methods described herein.
- software in one form or another (e.g., code, program, procedure, process, application, module, unit, logic, block, and so on) as taking an action or causing a result.
- Such expressions are merely a shorthand way of stating that the execution of the software by a processing system causes the processor to perform an action to produce a result.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Storage Device Security (AREA)
- Microcomputers (AREA)
Abstract
A computer system includes a memory, a processor, and a programmable security unit. The programmable security unit resides external to the memory and the processor, and monitors code in the memory executed by the processor and data in the memory accessed by the code.
Description
METHOD AND APPARATUS FOR IMPLEMENTING A PROGRAMMABLE SECURITY I'M Γ FOR A COMPUTER SYSTEM
TECHNICAL FIELD
[0001] Embodiments of the present disclosure pertain to providing security in a computer system. More specifically, embodiments of the present disclosure relate to a method and apparatus for implementing a programmable security unit for a computer system.
BACKGROUND
[0002] Security is a major consideration for modern computing systems. Monitoring for viruses and threats is a critical activity that is currently being performed by computer antivirus software. Antivirus software was originally developed to detect and remove computer viruses. As computer viruses evolve and continue to become increasingly sophisticated and as the proliferation of new kinds of malware continue, antivirus software has evolved to provide protection from other computer threats. In particular, modem antivirus software can protect from malicious browser helper objects (BHOs), browser highjackers, keyloggers, backdoors, rootkits, Trojan horses, worms, adware, and spyware. Some antivirus software also provide protection from other computer threats, such as infected and malicious URLs, spam, scam and phishmg attacks.
[0003] Antivirus software may perform a number of different types of checks. One type of checking performed by antivirus software may include performing a comparison to detect for known viruses, worms, and other types of malware. Another type of checking performed by antivirus software may include performing a comparison to identify bad types of behavior that may be markers or flags for new types of threats.
[0004] A number of approaches have been researched to address the different types of checks performed by antivirus software. For example, learning techniques, such as machine learning, may be used to observe, identify, and predict malicious behavior. Depending on the
complexity of the tasks performed by antivirus software, the computations required by the antivirus software may require a large amount of computing resources.
BRIEF DESCRIPTION OF THE DRAWINGS
[Θ005] The features and advantages of embodiments of the present disclosure are illustrated by way of example and are not intended to limit the embodiments of the present disclosure to the particular embodiments shown.
[0006] Figure 1 is a block diagram of a computer system implementing a programmable security unit according to an exemplar}- embodiment of the present disclosure.
[0007] Figure 2 is a block diagram illustrating subcomponents of a computer system implementing a programmable security unit according to an exemplary embodiment of the present disclosure.
[0008] Figure 3 illustrates a security kernel table according to an exemplaiy embodiment of the present disclosure.
[0009] Figure 4 is a flow chart illustrating a method for managing a system security unit according to an exemplar}' embodiment of the present disclosure.
[001 Θ] Figure 5 is a flow chart illustrating a method for managing a security kernel management unit according to an exemplary' embodiment of the present disclosure.
[0011] Figure 6 is a block diagram of a system security unit according to an exemplary embodiment of the present disclosure.
[0012] Figure 7 is a block diagram of a security kernel management unit according to an exemplary embodiment of the present disclosure.
[0013] Figure 8 illustrates an exemplaiy field programmable gate array (FPGA) that is used to implement a programmable security unit according to an exemplary embodiment of the present disclosure.
DETAILED DESCRIPTION
[Θ014] In the following description, for purposes of explanation, specific nomenclature is set forth to provide a thorough understanding of embodiments of the present disclosure. It will be apparent to one skilled in the art that specific details in the description may not be required to practice the embodiments of the present disclosure. In other instances, well-known circuits, devices, procedures, and programs are shown in block diagram form, to avoid obscuring embodiments of the present disclosure unnecessarily.
[0015] Antivirus software may be intrusive from a computing standpoint. The antivirus software may require a large number of computing cycles. When executed on a processor shared with user applications to monitor a user application during run time, the antivirus software may interfere with the user's experience. According to an embodiment of the present disclosure, a programmable security unit is disclosed that resides external to a memory and a processor of a computer system. The programmable security unit monitors code in the rnemoiy that is executed by the processor. The programmable security unit provides the potential advantage of supplying additional computing resources that allow for the monitoring of threats in code associated with an application executed by the processor without interfering with the execution of the application. The programmable security unit also provides the potential advantage of monitoring a plurality of applications in parallel, and being configurable to allow an application programmer or user to specif)' for each application 1 ) a procedure to use to monitor code and data corresponding to the application in memory, 2) a memory range in the memory corresponding to the application, 3) a limit for bandwidth of the memory used for monitoring the application, and 4) an action to perform in response to detecting a threat in the code and data.
[0016] Figure 1 is a block diagram, of a computer system 100 according to an exemplary embodiment of the present disclosure. Hie computer system 100 may be implemented by a desktop, laptop, smart phone, tablet, smart appliance, or other computing device. The computer system 100 includes a processor 101 that processes data signals. Figure 1 shows the computer
system 100 with a single processor. However, it is understood that the computer system 100 may operate with multiple processors. The processor 101 may be implemented by a single or multi- core processor(s).
[0017] The processor 101 is coupled to an input/output (I/O) subsystem 110. The I/O subsystem 1 10 may include memory controller hubs, I/O control hubs, communication links, and/or other components and subsystems to facilitate I/O operations. According to an embodiment of the computing device 100, the I/O subsystem 110 transmits data signals between components in the computing device 100. In this embodiment, the I/O subsystem 1 10 may include a single bus or a combination of multiple buses. The computing de vice 100 includes a memory 102. The memory 102 is coupled to the I/O subsystem 110. The memory 102 may be a dynamic random access memory device, a static random access memory device, and/or other memory device. The memory 102 may store instructions and code represented by data signals that may be executed by the processor 101. A data storage device 103 is coupled to the I/O subsystem 110. The data storage device 103 may be implemented with a device configured for short-term or long-term storage of data such as a solid state drive, memory card or other mass storage device.
[0018] Peripheral devices 104 are coupled to the I/O subsystem 1 10. The peripheral devices 104 may include various I/O devices such as devices that support communication and display. The peripheral devices 1 4 may include display and touch screens, buttons, switches, keyboard, mouse, speakers, microphone, and/or other peripheral devices. A network controller 105 is coupled to the I/O subsystem 110. The network controller may link the computer system 100 to a network of computers (not shown) and supports communication among the machines. It should be appreciated that computing devices having a different architecture or having different components may also be used to implement the computer system 100.
[001 ] According to an embodiment of the present disclosure, one or more applications 120 may be allocated in memory 102 and executed by the processor 101. The code and data
corresponding io the applications in memory may be monitored by programmable security unit 130 to identify potential threats. The programmable security unit 130 resides external to the processor 101 and memory 102 and may apply specified procedures to monitor code and data corresponding to the one or more applications. According to an embodiment of the present disclosure, the programmable security unit 130 scans lines in memor ' 102 using non-coherent memory reads in order to avoid snooping other processors or processor cores accessing the lines.
[0020] The programmable security unit 130 provides the computer system 100 with an engine to perform security monitoring during the runtime of applications without unduly burdening the processor 101 while the processor 101 is running the applications. According to an embodiment of the present disclosure, the programmable security unit 130 may be implemented by a field programmable gate array (FPGA) or other computing device.
[0021] Figure 2 is a block diagram illustrating subcomponents in a computer sy stem 200 implementing a programmable security unit 220 according to an exemplary embodiment of the present disclosure. The processor 210, programmable security unit 220, and memory 230 illustrated in Figure 2 may be used to implement the processor 101, programmable security unit 130, and memory 102 illustrated in Figure 1.
[0022] The processor 210 includes a system security unit 211. The system security unit 211 registers applications that are to be monitored by the programmable security unit 220. For each application to be monitored, the system security unit 21 1 identifies a memory range or region in memory 230 where code and data corresponding to the application is to be monitored. The system security unit 211 identifies a procedure to utilize to monitor the application. The procedure may include one or more algorithms to compare the code and data with other code and data known to be malicious or to observe, identify, and predict malicious behavior from the code and data. The procedure may be referred to as a "bit stream". The system security unit 211 also identifies an action to perform in response to detecting a threat in the code and data. The action may include transmitting an identified notification, such as an interrupt, to an identified
component and/or program. The system security unit 211 may also identify a class of sendee or quality of service (QoS) to allocate for monitoring an application. The quality of sendee operates to establish a limit to a bandwidth of memory used when monitoring the code and data.
According to an embodiment of the present disclosure, the system security unit 211 may identify the i formation described from information provided by a user, an operating system, and/or the application being monitored itself. It should be appreciated that the system security unit 2 1 maybe a program stored in memory 200 and executed by the processor 210.
[0023] The programmable security unit 220 includes a security kernel management unit 221. The security kernel management unit 221 receives information from the security registration unit 211 regarding applications to monitor, memory ranges of code and data corresponding to the applications to monitor, procedures to utilize in the monitoring, actions to perform, and a quality of service to allocate for monitoring. The security kernel management unit 221 writes the information to a security kernel table 222 in the programmable security unit 220 and generates a kernel for each application identified to be monitored. Each kernel generated by the security kernel management unit 221 is executed by the programmable security unit 220 and operates to monitor an application within the parameters specified by the information in the security kernel table 222. As shown in this example, kernel 1 225, kernel 2 226, and kernel 3 227 are generated by the security kernel management unit 221 to monitor three applications executing in processor 210.
[0024] The security kernel management unit 221 also regulates a quality of sen'ice of data flow between a kernel and memory 230. According to an embodiment of the present disclosure, the security kernel management unit 221 controls the amount of traffic permitted between a kernel and memory 230 to comply with a limit recorded in the kernel table 222. The security kernel management unit 221 may also control the type of traffic permitted between a kernel and memory 230 such that a kernel may only access memory ranges or regions in memory associated with it as recorded in the kernel table 222. Memory access between the programmable security
unit 220 and memory 230 may be conducted via memory interface 223. The memory interface 223 routes memory- access request through the processor 210 using a coherency memory channel . According to an embodiment of the present disclosure, the coherency memory channel may utilize tunneled memory access procedures. It should be appreciated that the security kernel management unit 221 may be implemented by software executed on a processor, hardware components, or a combination of hardware and software.
[0025] The memory 230 stores code and data associated with the applications executed by the processor 210. As shown in this example, the memory 230 includes three memory regions 231-233 that store code and data associated with the three applications executing in processor 210. According to an embodiment of the present disclosure, a coherent address space in memory 230 is maintained between the processor 210 and programmable security unit 220.
[0026] Figure 3 illustrates a representation of a security kernel table 300 according to an exemplary embodiment of the present disclosure. The security kernel table 300 may be used to implement the security kernel table 222 illustrated in Figure 2. For each application registered to be monitored by a programmable security unit, the security kernel table 300 lists an identifier in column 315 that identifies the kernel for the application. The security kernel table 300 includes a column 313 that identifies a memory range where code and data associated with the application is located and is to be monitored. The security kernel table 300 includes a column 314 that identifies an action to perform or notification to generate when a threat is detected. The security kernel table 300 includes a column 311 that identifies an agent to receive the action or notification identified from column 314. The security kernel table 300 includes a column 312 to identify a class of service which limits a bandwidth of memory to allocate for monitoring an application.
[0027] For each application to be monitored, the security kernel table 300 also identifies a procedure or "bit-stream" to utilize for performing the monitoring. It should be appreciated that the procedure may be uploaded to the programmable security unit externally from a different
component. Alternatively, the procedure may be available on the programmable security unit and selectable from a plurality of procedures listed on the kernel table 300. As shown in Figure 3, a plurality of machine learning optimized bit-streams are available to be selected to be used as procedures for monitoring code and data corresponding to applications. The list of available procedures may include information such as machine state registers (MSRs) 321 or other mechanisms that may be used to setup a bit-stream, bit-stream identifiers 322, class of service
323, and meta-data 324 associated with the procedure. As shown in this example, kernel 0 is shown to utilize bit-stream 0, kernel 1 is shown to utilize bit-stream 1, and kernel 2 is shown to utilize ML bit-stream 0. It should be appreciated that the security kernel table 300 may list other information and may be formatted or arranged in a manner different from what is shown in Figure "·
[0028] Figure 4 is a flow chart illustrating a method for managing a system security unit according to an exemplar}' embodiment of the present disclosure. The method described may be performed by a system security unit implemented by a processor. At 401, registration information is identified for applications to be monitored. According to an embodiment of the present disclosure, the registration information may include a memory range or regions in memory where code and data corresponding to the applications are to be monitored. The registration information may include procedures (bit-streams) to utilize to monitor the applications. The registration information may include an action to perform in response to detecting a threat in the code and data and a recipient of the action. The registration information may include a class of service or quality of service (QoS) to allocate for monitoring the applications. Tire quality of service operates to establish a limit to a bandwidth of memory used when monitoring the code and data. According to an embodiment of the present disclosure, the registration information may be identified from information provided by a user, an operating system, and/or the applications being monitored themselves.
[0029] At 402, the registration information is transmitted to a programmable security unit. According to an embodiment of the present disclosure, the programmable security unit resides on a component external to and separate from the processor. The registration information may be transmitted to the programmable security unit using a dedicated channel. The registration information may be used by the programmable security unit to generate kernels to monitor the applications.
[0030] At 403, it is determined whether the programmable security unit is requesting a memory access. According to an embodiment of the present disclosure, a kernel executing in the programmable security unit may utilize an identified procedure that requests access to regions in memory to monitor code and data corresponding to an application. The programmable security unit may request the memory access by utilizing a non-coherent read command. The noncoherent memory read allows memory access while avoiding snooping of processor cores that have access to the memory. If it is determined that the programmable security unit is requesting a memory access, control proceeds to 404. If it is determined that the programmable security unit is not requesting a memory access, control returns to 403.
[0031] At 404, memory access is allowed. According to an embodiment of the present disclosure, memory access is coordinated through the processor using a coherency memory channel. However, the memory access is conducted without requiring memory coherency. This allows the programmable security unit to read data from memory without generating invalidations and without performing snooping. As a result, the memory accesses do not impact the performance of the memory to other applications.
[0032] At 405, it is determined whether a threat has been detected. According to an embodiment of the present disclosure, a procedure used by a kernel running on the programmable security unit may detect a threat from analyzing information from the memory access. A notification would be received from the programmable security unit if a threat were detected. If a threat is detected, control proceeds to 406. If a threat is not detected, control proceeds to 407.
[0033] At 406, a specified action received from the programmable security unit is performed. According to an embodiment of the present disclosure, the specified action may include a notification to a component or program..
[0034] At 407, it is determined whether a change has been made to the kernel. According to an embodiment of the present disclosure, a change in the kernel may result from updating or de- registering a kernel or changing registration information associated with a kernel. If it is determined that a change has been made to the kernel, control returns to 401 to identify the registration information of the kernel. If it is determined that no change has been made to the kernel, control returns to 403.
[0035] Figure 5 is a flow chart illustrating a method for managing a security kernel management unit according to an exemplary embodiment of the present disclosure. The method described may be performed by a programmable security unit residing external to a processor executing an application that is being monitored. The security kernel management unit may be implemented by hardware components, software, or a combination of hardware and software. At 501, a security kernel table is updated. According to an embodiment of the present disclosure, the security kernel table may be updated whenever new registration information is received from a system security unit. The registration information may include memory ranges or regions in memory where code and data corresponding to the applications is to be monitored. The registration information may include procedures (bit-streams) to utilize to monitor the applications. The registration information may include an action to perform, in response to detecting a threat in the code and data and a recipient of the action. The registration information may include a class of sendee or quality of sendee (QoS) to allocate for monitoring the applications. The quality of sendee operates to establish a limit to a bandwidth of memory used when monitoring the code and data. According to an embodiment of the present disclosure, the registration information may be identified from information provided by a user, an operating system, and/or the applications being monitored themselves.
[0036] At 502, a kernel is generated for each application to be monitored. According to an embodiment of the present disclosure, the kernel is a program that is run on the programmable security unit. The kernel is generated using registration information associated with the application to be monitored.
[0037] At 503, it is determined whether a memory access is requested. According to an embodiment of the present disclosure, the memory access may be requested from one or more of the kernels executing in the programmable security unit. If a memory access is requested, control proceeds to 504. If a memory access is not requested, control returns to 503.
[0038] At 504, it is determined whether the memory access is allowed. According to an embodiment of the present disclosure, a memory range associated with the memory access is compared with a memory range associated with an application that the kernel is monitoring to determine whether the memory access is allowed. The security kernel table may be accessed to look-up the relevant information for comparison. If the memory access is allowed, control proceeds to 505. If the memory access is not allowed, control returns to 503 to determine whether another memory access is requested.
[0039] At 505, it is determined whether sufficient bandwidth has been allocated for the memory access. According to an embodiment of the present disclosure, a bandwidth required for the memory access is compared with a permitted limit of bandwidth of memory allocated for the kernel . The security kernel table may be accessed to look-up the relevant information for comparison. If sufficient bandwidth has not been allocated, control proceeds to 506.
If sufficient bandwidth has been allocated, control proceeds to 507.
[0040] At 506, the memory access is throttled. According to an embodiment of the present disclosure, the memory access may be throttled by partitioning the memory range for the memory access request, and requesting access for the partitioned memory range over a period of time. This would allow the memory access to be performed within the bandwidth allocated for memory use.
[0041] At 507, a read request is generated for the memory access. According to an embodiment of the present disclosure, the read request is made using a non-coherent read command. The non-coherent read command allows data to be fetched from memory without generating any invalidation and without performing snooping.
[0042] At 508, it is determined whether a threat has been detected. According to an embodiment of the present disclosure, a threat may be detected by one or more kernels executing in the programmable security unit. A kernel may detect a threat in response to analyzing code and data received from the memory access. If it is determined that a threat has been detected, control proceeds to 509. If it is determined that a threat has not been detected, control returns to 503.
[0043] At 509, an action is performed upon detection of a threat. According to an embodiment of the present disclosure, the security kernel table may be referenced to identify an appropriate action to perform in response to the detection. The action may include providing a notification to a specified program or component.
[0044] Figures 4 and 5 are flow charts that illustrate embodiments of the present disclosure. The procedures described in these figures may be performed may be performed by software executed on a processor, by hardware components, or a combination of hardware and software. Some of the techniques illustrated may be performed sequentially, in parallel or in an order other than that which is described and that the procedures described may be repeated. It is appreciated that not all of the techniques described are required to be performed, that additional techniques may be added, and that some of the illustrated techniques may be substituted with other techniques.
[0045] Figure 6 is a block diagram of a system security unit 600 according to an exemplary embodiment of the present disclosure. The system security unit 600 may be used to implement the system security unit 21 1 illustrated in Figure 2, Figure 6 illustrates modules implementing an embodiment of the system security unit 600. According to one embodiment, the modules
represent software modules and providing system security may be performed by a processor such as the one illustrated in Figure 1 executing sequences of instructions represented by the modules shown in Figure 6. Execution of the sequences of instructions causes the processor to provide system security. In alternate embodiments, hard-wire circuitry may be used in place of or in combination with software instructions to implement embodiments of present disclosure. Thus, embodiments of present disclosure are not limited to any specific combination of hardware circuitry and software. The system security unit 600 includes a system security unit manager 610. The system security unit manager 610 is connected to and transmits data between the components of the system security unit 600.
[0046] The system security unit 600 includes a registration information identifier unit 620. The registration information identifier unit 620 identifies registration information for an application to be monitored. According to an embodiment of the present disclosure, the registration information may be identified from information provided by a user, an operating system, and/or the application being monitored itself. The registration information may include memory ranges or regions in memory where code and data corresponding to the application is to be monitored. The registration information may include procedures (bit-streams) to utilize to monitor the applications. The registration information may include an action to perform in response to detecting a threat in the code and data and a recipient of the action. The registration information may include a class of sendee or quality of sendee (QoS) to allocate for monitoring the application. The quality of service operates to establish a limit to a bandwidth of memory used when monitoring the code and data.
[0047] The system security unit 600 includes a registration information transmission unit 630. The registration information transmission unit 630 transmits the registration information to a programmable security unit residing on a component external to and separate from the processor. According to an embodiment of the present disclosure, the registration information may be transmitted to the programmable security unit using a dedicated channel.
[0048] The system security unit 600 includes a memory access unit 640. In response to determining that the programmable security unit is requesting a memor ' access a read to the memory is coordinated. According to an embodiment of the present disclosure, a request to access memory from the programmable security unit may be recognized by receiving a noncoherent read command. The read to the memory may be performed using a coherency memory channel . The memory access may be conducted without requiring memory coherency. This allows the programmable security unit to read data from memory without generating invalidations and without performing snooping. As a result, the memory accesses would not impact the availability of the memory to other applications.
[0049] The system security unit 600 includes a notification unit 650. In response to determining that a threat has been detected by the programmable security unit from the memory access, a notification from the programmable security unit would be forwarded to a specified component or program.
[0050] Figure 7 is a block diagram of a security kernel management unit 700 according to an exemplary embodiment of the present disclosure. The security kernel management unit 700 may be used to implement the security kernel management unit 221 illustrated in Figure 2. Figure 7 illustrates modules implementing an embodiment of the security kernel management unit 700. According to one embodiment, the modules represent software modules and managing a security kernel may be performed by a processor executing sequences of instructions represented by the modules shown in Figure 7. Execution of the sequences of instructions causes the processor to manage a security kernel. In alternate embodiments, hard-wire circuitry may be used in place of or in combination with software instructions to implement embodiments of present disclosure. Thus, embodiments of present disclosure are not limited to any specific combination of hardware circuitry and software. The security kernel management unit 700 includes a security kernel manager 710. The security kernel manager 710 is connected to and transmits data between the components of the security kernel management unit 700.
[0051] The security kernel management unit 700 includes a security control unit 720.
According to an embodiment of the present disclosure, the security control unit 720 updates a security kerne! table whenever new registration information is received from a system security unit. The registration information may include memory ranges or regions in memory where code and data corresponding to the applications is to be monitored. The registration mfonnation may include procedures (bit-streams) to utilize to monitor the applications. The registration information may include an action to perform in response to detecting a threat in the code and data and a recipient of the action. The registration information may include a class of service or quality of service (QoS) to allocate for monitoring the applications. The security control unit 720 generates a kernel for each application to be monitored according to the registration information associated with the application. According to an embodiment of the present disclosure, the kernel is a program that is run on the programmable security unit.
[0052] The security kernel management unit 700 includes a quality of sen-ice (QOS) bandwidth control unit 730. According to an embodiment of the present disclosure, upon determining that a memory access is requested, the QOS bandwidth control unit 730 determines whether memory access is allowed for a requesting kernel by comparing a memory range associated with the memory access request with a memory range associated with an application that the kernel is monitoring. The QOS bandwidth control unit 730 may also determine whether sufficient bandwidth has been allocated for the memory access by comparing the bandwidth required for the memory access with a permitted bandwidth of memory set for the kernel. The QOS bandwidth control unit 730 may throttled the memory access by partitioning the memory range for the memory access request, and requesting access for the partitioned memory range over a period of time. This would allow the memory access to conducted within the bandwidth allocated for memory use. According to an embodiment of the present disclosure, the QOS bandwidth control unit 730 generates a read request for the memory access using a non-coherent
read command. The non-cohereni read command allows data to be fetched from memory without generating any invalidation and without performing snooping.
[0053] The security kernel management unit 700 includes an action generation unit 740. In response to the kernel detecting a threat from analyzing content from the memory access, the action generation unit 740 may forward an action specified by the kernel or perform an action specified in the security kernel table. The action may include providing a notification to a specified program or component.
[0054] Figure 8 illustrates an exemplary field programmable gate array (FPGA) that is used to implement a programmable security unit according to an exemplary embodiment of the present disclosure. The FPGA 900 may be used to implement the programmable security unit 220 illustrated in Figure 2. The FPGA 800 includes a plurality of logic-array blocks (LABs).
According to an embodiment of the present disclosure, the FPGA 800 may be implemented on a single integrated circuit. Each LAB may be formed from a plurality of logic blocks, carry chains, LAB control signals, look up table (LUT) chain, and register chain connection lines. A logic block is a small unit of logic providing efficient implementation of user logic functions. A logic block includes one or more combinational cells, where each combinational cell has a single output, and registers. According to one embodiment of the present disclosure, the logic block may operate similarly to a logic element (LE), such as those found in the Stratix or Cy clone devices manufactured by Altera Corporation, now owned by Intel Corporation. LABs are grouped into rows and columns across the device 900. Columns of LABs are shown as 811-816. It should be appreciated that the logic block may include additional or alternate components.
[0055] The FPGA 800 includes memory blocks. The memory blocks may be, for example, dual port random access memory (RAM) blocks that provide dedicated true dual-port, simple dual- port, or single port memory up to various bits wide at up to various frequencies. The memory blocks may be grouped into columns across the device in between selected LABs or located individually or in pairs within the FPGA 800. Columns of memory blocks are shown as 821-824.
|0Θ56] The FPGA 800 includes digital signal processing (DSP) blocks. The DSP blocks rnay be used to implement multipliers of various configurations with add or subtract features. The DSP blocks include shift registers, multipliers, adders, and accumulators. The DSP blocks may be grouped into columns across the FPGA 800 and are shown as 831.
[0057] The FPGA 800 includes a plurality of input output elements (!OEs) 840. Each IOE feeds an 10 pin (not shown) on the FFPGA 800. The !OEs 840 are located at the end of LAB rows and columns around the periphery of the FPGA 800. Each IOE may include a bidirectional 10 buffer and a plurality of registers for registering input, output, and output-enable signals.
[0058] The FPGA 800 may include routing resources such as LAB local interconnect lines, row interconnect lines (Ή-type wires"), and column interconnect lines ("V-type wires") (not shown) to route signals between components on the FPGA 800.
[0059] According to an embodiment of the present disclosure, the FPGA 800 may be programmed to implement a security kernel management unit, security kernel table, and memor - interface. In particular, the FPGA 800 may include an on-chip processor or utilize its programmable resources to implement a soft processor to execute one or more components in the security kernel management unit or kernels generated by the security kernel management unit.
[0060] The following examples pertain to further embodiments. In one embodiment, a computer system includes a memory. The computer system includes a processor. The computer system includes a programmable security unit, residing external to the memory and the processor, that monitors code in the memory executed by the processor and data in the memory accessed by the code.
[0061 ] Tn a further embodiment, the programmable security unit is configurable by a user to specify a procedure to monitor the code and data.
[0062] In a further embodiment, the procedure comprises a machine/deep learning procedure.
[0063] In a further embodiment, the programmable security unit is configurable by a user to specify a memory range in the memor ' to monitor the code and data.
[0064] In a further embodiment, the programmable security unit is configurable by the user to limit a bandwidth of the memory used when monitoring the code and data.
[0065] In a further embodiment, the programmable security unit is configurable by the user to specify an action to perform in response to detecting a threat in the code and data.
[0066] In a further embodiment, the action comprises transmitting a system interrupt to an operating system of the processor.
[0067] In a further embodiment, the action comprises transmitting an interrupt to an application associated with the code and data.
[0068] In a further embodiment, the programmable security unit accesses the memory' via the processor using a tunneled memory access procedure.
[0069] In a further embodiment, the programmable security unit accesses the memory with a non-coherent reads without requiring invalidation or snooping.
[0070] In a further embodiment, the programmable security unit monitors code and data corresponding to a plurality of applications in parallel.
[0071] In a further embodiment, the programmable security unit is configurable to specify for each of the plurality of applications 1) a procedure used to monitor code and data
corresponding to an application, 2) a memory range in the memory- corresponding to the application, 3) a limit for bandwidth of the memory used for monitoring the application, and 4) an action to perform in response to detecting a threat in the code and data.
[0072] In a further embodiment, the programmable security unit is implemented by a field programmable gate array.
[0073] In another embodiment, a non-transitory computer-readable medium having sequences of instructions, the sequences of instructions including instructions which, when executed, cause a processor to perform a method for managing a system security unit that
includes identifying an application to monitor. Registration information associated with the application is identified. The application and the registration information are registered with a programmable security unit residing external to a processor executing the application .
[0074] In a further embodiment, identifying the registration information associated with the application comprises identifying a range in memory that stores code and data corresponding to the application.
[0075] In a further embodiment, identifying the registration information associated with the application comprises identifying a limit to memory access bandwidth for monitoring the application.
[0076] In a further embodiment, identifying the registration information associated with the application comprises identifying a procedure to monitor the application .
[0077] In a further embodiment, the application to monitor and the registration information is specified by one of a user, operating system, and the application.
[0078] In a further embodiment, the method further comprises coordinating an access to memory by the programmable security unit without requiring memory coherency .
[0079] In another embodiment, a programmable security unit includes a processor that executes a kernel that monitors code corresponding to an application executed on an external processor and stored on an external memory, and that monitors data associated with the application and stored on the external memory. The programmable security unit also includes a quality of service bandwidth control unit that controls an amount of bandwidth from the external memory used by the kernel.
[0080] In a further embodiment, the programmable security unit further comprises a security control unit that generates the kernel .
[0081] In a further embodiment, the security control unit updates a security kernel table with memory range information for the code and data, an identity of a procedure for monitoring the
code and data, and action information that specifies an action to perform in response to the kernel detecting a threat in the code and data.
[0082] In a further embodiment, the programmable security unit is implemented by a field programmable logic device.
[0083] Tn another embodiment, a programmable security unit includes a processor means that executes a kernel that monitors code corresponding to an application executed on an external processor and stored on an external memor -, and that monitors data associated with the application and stored on the external memory. The programmable security unit also includes a quality of service bandwidth control means that controls an amount of bandwidth from the external memory used by the kernel.
[0084] Tn a further embodiment, the programmable security unit further comprises a security controi means that generates the kernel.
[0085] In another embodiment, a method for managing a system security unit includes identifying an application to monitor. Registration information associated with the application is identified. The application and the registration information are registered with a programmable security unit residing external to a processor executing the application.
[0086] In a further embodiment, identifying the registration information associated with the application comprises identifying a range in memory that stores code and data corresponding to the application.
[0087] In a further embodiment, identifying the registration information associated with the application comprises identifying a limit to memor}' access bandwidth for monitoring the application.
[0088] In a further embodiment, identifying the registration information associated with the application comprises identifying a procedure to monitor the application.
[0089] In a further embodiment, the application to monitor and the registration information is specified by one of a user, operating system, and the application.
[0090] In a further embodiment, the method further comprises coordinating an access to memory by the programmable security unit without requiring memory coherency,
[0091] In a further embodiment, a non-transitory computer-readable medium having sequences of instructions, the sequences of instructions including instructions which, when executed, causes a processor to perform the method of any one of the previous embodiments.
[0092] Embodiments of the present disclosure may be provided as a computer program product, or software, that may include an article of manufacture on a machine accessible or machine readable medium having instructions. The instructions on the machine accessible or machine readable medium may be used to program a computer system or other electronic device. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs, and magneto -optical disks or other type of raedia/machine-readable medium suitable for storing or transmitting electronic instructions. The techniques described herein are not limited to any particular software configuration. They may find applicability in any computing or processing environment. The terms "machine accessible medium." or "machine readable medium" used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by the machine and that cause the machine to perform any one of the methods described herein. Furthermore, it is common in the art to speak of software, in one form or another (e.g., code, program, procedure, process, application, module, unit, logic, block, and so on) as taking an action or causing a result. Such expressions are merely a shorthand way of stating that the execution of the software by a processing system causes the processor to perform an action to produce a result.
[0093] In the foregoing specification embodiments of the disclosure have been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the embodiments of the disclosure. Furthermore, it should be appreciated that specifics in the examples presented may be used anywhere in one or more of the disclosed embodiments.
Claims
1. A computer system, comprising:
a memory;
a processor; and
a programmable security unit, residing external to the memory and the processor, that monitors code in the memory executed by the processor and data in the memory accessed by the code.
2. The computer system of claim 1, wherein the programmable security unit is configurable by a user to specify a procedure to monitor the code and data.
3. The computer system of claim 2, wherein the procedure comprises a machine/deep learning procedure.
4. The computer system of claim 1, wherein the programmable security unit is configurable by a user to specify a memory range in the memory to monitor the code and data.
5. The computer system of claim 1, wherein the programmable security unit is configurable by the user to limit a bandwidth of the memory used when monitoring the code and data.
6. The computer system of claim 1, wherein the programmable security unit is configurable by the user to specify an action to perform in response to detecting a threat in the code and data.
7. The computer system of claim 6, wherein the action comprises transmitting a system interrupt to an operating system of the processor.
8. The computer system of claim 6, wherein the action comprises transmitting an interrupt to an application associated with the code and data.
9. The computer system of claim 1, wherein the programmable security unit accesses the memory via the processor using a tunneled memory access procedure.
10. The computer system of claim 9, wherein the programmable security unit accesses the memory with a non-coherent reads without requiring invalidation or snooping.
1 1. The computer system of claim. 1 , wherein the programmable security unit monitors code and data corresponding to a plurality of applications in parallel.
12. The computer system of claim 11, wherein the programmable security unit is configurable to specify for each of the plurality of applications 1) a procedure used to monitor code and data corresponding to an application, 2) a memory range in the memory corresponding to the application, 3) a limit for bandwidth of the memory used for monitoring the application, and 4) an action to perform in response to detecting a threat in the code and data.
13. The computer system of claim 1 , wherein the programmable security unit is implemented by a field programmable gate array.
14. A non-transitory computer-readable medium having sequences of instructions, the sequences of instructions including instructions which, when executed, cause a processor to perform a method for managing a system security unit, comprising:
identifying an application to monitor:
identifying registration information associated with the application; and
registering the application and the registration information with a programmable security unit residing external to a processor executing the application.
15. The non-transitory computer-readable medium of claim 14, wherein identifying the registration information associated with the application comprises identifying a range in memory that stores code and data corresponding to the application .
16. The non-transitory computer-readable medium of claim. 14, wherein identifying the registration information associated with the application comprises identifying a limit to memory access bandwidth for monitoring the application.
17. The non-transitory computer-readable medium of claim 14, wherein identifying the registration information associated with the application comprises identifying a procedure to monitor the application.
18. The non-transitory computer-readable medium of claim 14, wherein the application to monitor and the registration information is specified by one of a user, operating system, and the application.
19. The non-transitory computer-readable medium of claim 14 further comprising coordinating an access to memory by the programmable security unit without requiring memory- coherency.
20. A programmable security unit, comprising:
a processor that executes a kernel that monitors code corresponding to an application executed on an external processor and stored on an external memory, and that monitors data associated with the application and stored on the external memory; and
a quality of service bandwidth control unit that controls an amount of bandwidth from the external memory used by the kernel.
21. The programmable security unit of claim 20 further comprising a security control unit that generates the kernel.
22. The programmable security unit of claim 21, wherein the security control unit updates a security kernel table with memory range information for the code and data, an identity of a procedure for monitoring the code and data, and action information that specifies an action to perform in response to the kernel detecting a threat in the code and data.
23. The programmable security unit of claim 20, wherein the programmable security unit is implemented by a field programmable logic device.
24. A programmable security unit, comprising:
processor means that executes a kernel that monitors code corresponding to an application executed on an external processor and stored on an external memory, and that monitors data associated with the application and stored on the external memory; and
quality of service bandwidth control means that controls an amount of bandwidth from the external memory used by the kernel,
25. The programmable security unit of claim 20 further comprising a security control means that generates the kernel.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE112016007258.9T DE112016007258T5 (en) | 2016-09-23 | 2016-09-23 | METHOD AND DEVICE FOR IMPLEMENTING A PROGRAMMABLE SAFETY UNIT FOR A COMPUTER SYSTEM |
PCT/US2016/053349 WO2018056997A1 (en) | 2016-09-23 | 2016-09-23 | Method and apparatus for implementing a programmable security unit for a computer system |
JP2019510275A JP2019530066A (en) | 2016-09-23 | 2016-09-23 | Method, apparatus and program for implementing a programmable security unit for a computer system |
CN201680088681.9A CN109564605A (en) | 2016-09-23 | 2016-09-23 | Method and apparatus for realizing programmable safe unit for computer system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2016/053349 WO2018056997A1 (en) | 2016-09-23 | 2016-09-23 | Method and apparatus for implementing a programmable security unit for a computer system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018056997A1 true WO2018056997A1 (en) | 2018-03-29 |
Family
ID=61689683
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2016/053349 WO2018056997A1 (en) | 2016-09-23 | 2016-09-23 | Method and apparatus for implementing a programmable security unit for a computer system |
Country Status (4)
Country | Link |
---|---|
JP (1) | JP2019530066A (en) |
CN (1) | CN109564605A (en) |
DE (1) | DE112016007258T5 (en) |
WO (1) | WO2018056997A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040210320A1 (en) * | 2002-06-11 | 2004-10-21 | Pandya Ashish A. | Runtime adaptable protocol processor |
US20090307457A1 (en) * | 2008-06-09 | 2009-12-10 | Pafumi James A | Systems and Methods for Entitlement of Virtual Real Memory for Applications |
US20100191961A1 (en) * | 2002-05-13 | 2010-07-29 | Qst Holdings, Inc. | Method and system achieving individualized protected space in an operating system |
WO2015179120A1 (en) * | 2014-05-20 | 2015-11-26 | Ooma, Inc. | Security monitoring and control |
US20160239065A1 (en) * | 2015-02-13 | 2016-08-18 | Victor W. Lee | Performing power management in a multicore processor |
-
2016
- 2016-09-23 DE DE112016007258.9T patent/DE112016007258T5/en not_active Withdrawn
- 2016-09-23 WO PCT/US2016/053349 patent/WO2018056997A1/en active Application Filing
- 2016-09-23 JP JP2019510275A patent/JP2019530066A/en active Pending
- 2016-09-23 CN CN201680088681.9A patent/CN109564605A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100191961A1 (en) * | 2002-05-13 | 2010-07-29 | Qst Holdings, Inc. | Method and system achieving individualized protected space in an operating system |
US20040210320A1 (en) * | 2002-06-11 | 2004-10-21 | Pandya Ashish A. | Runtime adaptable protocol processor |
US20090307457A1 (en) * | 2008-06-09 | 2009-12-10 | Pafumi James A | Systems and Methods for Entitlement of Virtual Real Memory for Applications |
WO2015179120A1 (en) * | 2014-05-20 | 2015-11-26 | Ooma, Inc. | Security monitoring and control |
US20160239065A1 (en) * | 2015-02-13 | 2016-08-18 | Victor W. Lee | Performing power management in a multicore processor |
Also Published As
Publication number | Publication date |
---|---|
DE112016007258T5 (en) | 2019-06-06 |
CN109564605A (en) | 2019-04-02 |
JP2019530066A (en) | 2019-10-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Paccagnella et al. | Lord of the ring (s): Side channel attacks on the {CPU}{On-Chip} ring interconnect are practical | |
US10169574B2 (en) | Using trusted execution environments for security of code and data | |
US9813445B2 (en) | Taint injection and tracking | |
US9443085B2 (en) | Intrusion detection using taint accumulation | |
US9460290B2 (en) | Conditional security response using taint vector monitoring | |
US8955111B2 (en) | Instruction set adapted for security risk monitoring | |
US11184373B2 (en) | Cryptojacking detection | |
US20190108332A1 (en) | Taint injection and tracking | |
EP3311324B1 (en) | Enhanced security of power management communications and protection from side channel attacks | |
US11556646B2 (en) | Identifying and responding to a side-channel security threat | |
US20150128262A1 (en) | Taint vector locations and granularity | |
WO2017112106A1 (en) | Service assurance and security of computing systems using fingerprinting | |
US11194908B2 (en) | Synthesizing sanitization code for applications based upon probabilistic prediction model | |
CN111324891A (en) | System and method for container file integrity monitoring | |
US20230262076A1 (en) | Malicious domain generation algorithm (dga) detection in memory of a data processing unit using machine learning detection models | |
US20220108004A1 (en) | Trusted execution environment (tee) detection of systemic malware in a computing system that hosts the tee | |
WO2018182885A1 (en) | Secure software defined storage | |
Side et al. | Lockeddown: Exploiting contention on host-gpu pcie bus for fun and profit | |
US20230259614A1 (en) | Malicious activity detection in memory of a data processing unit using machine learning detection models | |
US20230259625A1 (en) | Ransomware detection in memory of a data processing unit using machine learning detection models | |
US20230319108A1 (en) | Malicious uniform resource locator (url) detection in memory of a data processing unit using machine learning detection models | |
US11822651B2 (en) | Adversarial resilient malware detector randomization method and devices | |
US20190340366A1 (en) | Cybersecurity by i/o inferred from execution traces | |
WO2018056997A1 (en) | Method and apparatus for implementing a programmable security unit for a computer system | |
US11106788B2 (en) | Security for active data request streams |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16916963 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2019510275 Country of ref document: JP Kind code of ref document: A |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16916963 Country of ref document: EP Kind code of ref document: A1 |