CPU
◦ Initially targeting 40 or 28nm
◦ Released under an open, permissive license
◦ Novel security features
◦ Programmable I/O
◦ AMBA bus
◦ Performance: run Linux ‘well’
• A Community Interest Company (i.e., we are not-for-profit)
◦ Intend to manufacture the SoC in volume and produce low-cost development boards

of Cambridge, co-founder of Raspberry Pi
• Gavin Ferris - Dreamworks, Radioscape (co-founder), Aspect Capital (former CIO)
• Alex Bradbury - Computer Laboratory, University of Cambridge and Raspberry Pi
Technical advisory board:
• Krste Asanovic (UC Berkeley)
• Julius Baxter (OpenRISC)
• Bunnie Huang (Hacker)
• Dominic Rizzo (Google ATAP)
• Michael Taylor (UCSD)

initial private donation
• Work with collaborators (e.g. Berkeley)
• Additional funding (e.g. research councils)
• Community
• OpenCores IP and tools
• Build the core dev team. Just advertised and filled two positions

of Raspberry Pi sales
• Hackers, tinkerers, researchers, the OSHW community
• Target the embedded, connected world (IoT)
• Security is essential. We would be negligent not to consider how to improve on the security features available in shipping processors
◦ Tagged memory
◦ Traditional features: RNG, crypto accelerator, encrypted off-chip memory, secure boot
• Flexible IO. The flexibility of a Zynq-like platform, but in software.
◦ Vendors are incentivized to make low-level peripherals arbitrarily different for lock-in and ‘differentiation’.
this class of attacks control flow hijack attacks
• All of these attacks (so far) require violating spatial memory safety, i.e. writing beyond the bounds of an object
◦ More specifically, they require overwriting a code pointer
Aim: protect code pointers from overwrites

• Problem: we can protect the vtable pointer for the lifetime of an object, but if the object is used after it was freed, the attacker could control the contents of that memory location.
• Solution: Check presence of tag bits. Augment with existing segregated allocator techniques
• A good example of the effort attackers are willing to go to: http://blog.exodusintel.com/2013/11/26/browser-weakest-byte/

memory that can be configured for use in a wide range of different scenarios:
• Infinite memory watchpoints
• Better version of traditional canaries
• Garbage collection
• Accelerate AddressSanitizer/ThreadSanitizer/MemorySanitizer
◦ If larger tags are required, update shadow memory in the exception handler
• Locks on every word
• Apply tag bits to instructions to mark valid targets of indirect branches

cache and widening of cache lines
• New instructions to manipulate tags
• Compiler modifications to protect and check RA and vtable pointers
• Modify memory allocator to clear tags upon free, and modify memcpy and memmove to copy tags
• Update kernel virtual memory system to persist tag bits when moving a page to secondary storage
Compatibility: metadata in binaries can be used to rewrite instructions at load time
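The protect-and-check steps above (a tag-setting store in prologues and constructors, a checked load before returns and virtual calls, tag clearing on free) as an added software model; this is not lowRISC's design or code, and the tag width, the TAG_CODEPTR encoding and all function names are assumptions for illustration.

```c
/* Added software model of the tagged-memory checks above (not lowRISC code).
 * Assumes one tag per 64-bit word; TAG_CODEPTR marks a protected code pointer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MEM_WORDS 64
enum { TAG_NONE = 0, TAG_CODEPTR = 1 };
typedef struct { uint64_t data[MEM_WORDS]; uint8_t tag[MEM_WORDS]; } tagged_mem_t;
/* Ordinary store: a write to a word tagged as a code pointer raises a tag
 * exception, modelled here as returning 0 and leaving the word untouched. */
int store(tagged_mem_t *m, size_t w, uint64_t v) {
    if (m->tag[w] == TAG_CODEPTR) return 0;
    m->data[w] = v;
    return 1;
}
/* Tag-setting store emitted by the compiler in prologues and constructors. */
void store_codeptr(tagged_mem_t *m, size_t w, uint64_t v) {
    m->data[w] = v; m->tag[w] = TAG_CODEPTR;
}
/* Checked load before a return or virtual call: no tag means the word was
 * overwritten or its object was freed since the pointer was stored. */
int load_codeptr(const tagged_mem_t *m, size_t w, uint64_t *out) {
    if (m->tag[w] != TAG_CODEPTR) return 0;
    *out = m->data[w]; return 1;
}
/* Allocator free(): clear tags so recycled memory carries no stale protection. */
void tagged_free(tagged_mem_t *m, size_t w, size_t n) { memset(&m->tag[w], TAG_NONE, n); }
/* A 4-word stack buffer (words 4..7) overruns into the saved return address
 * at word 8; returns 1 if the overrun was refused and the address survived. */
int overflow_blocked(void) {
    tagged_mem_t m = {{0}, {0}};
    int all_stores_ok = 1;
    store_codeptr(&m, 8, 0x401000);
    for (size_t w = 4; w <= 8; w++)
        all_stores_ok &= store(&m, w, 0x4141414141414141ULL);
    return !all_stores_ok && m.data[8] == 0x401000;
}
/* Use-after-free: the freed object's vtable slot is refilled through a
 * recycled allocation; the virtual call's checked load must then fail. */
int uaf_detected(void) {
    tagged_mem_t m = {{0}, {0}};
    uint64_t vt;
    store_codeptr(&m, 16, 0x402000);   /* constructor writes vtable pointer */
    tagged_free(&m, 16, 2);            /* object freed, tags cleared */
    store(&m, 16, 0xdeadbeef);         /* slot reused by a new allocation */
    return !load_codeptr(&m, 16, &vt); /* dangling virtual call is caught */
}
```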
new interfaces
• Easy to program (vs programmable logic)
• Off-load work from the main core
◦ Do more work close to I/O
◦ Combine with tagged memory for more complex security policies/checks
• Filter I/O to only wake up the main core when needed
• Avoid writing HDL for all controllers and interfaces.

would be painful.
◦ Provide a small amount of configurable logic, buffers, timers, and clocks to reduce overheads
◦ Support routing physical pins to different cores
• Timing/events
◦ Execute out of scratchpads to help provide bounded execution time
◦ Precise timing (e.g. wait for counter)
• Considering multi-threaded operation and low-latency communication with the main core (e.g. FIFO links)
• Minions are not coherent between themselves, but are coherent with the main processors.

IO + memory controller + tagged memory. Reusable research BGA package from UCSD
• V1: Complete, secure embedded SoC appropriate for headless applications.
• Ultimate ambition is an SoC with a broad set of features, including a GPU, appropriate for a mobile phone or set-top box. V1 is a stepping stone towards that goal.
What is success for a project like lowRISC?