Slides from the first public presentation on lowRISC, a project to produce a fully open-source SoC. This presentation was given at ORConf in Munich on Sat 11th October 2014.
CPU ◦ Initially targeting 40 or 28nm ◦ Released under an open, permissive license ◦ Novel security features ◦ Programmable I/O ◦ AMBA bus ◦ Performance: run Linux ‘well’ • A Community Interest Company (i.e., we are not-for- profit) ◦ Intend to manufacture the SoC in volume and produce low-cost development boards
of Cambridge, co- founder of Raspberry Pi • Gavin Ferris - Dreamworks, Radioscape (co-founder), Aspect Capital (former CIO) • Alex Bradbury - Computer Laboratory, University of Cambridge and Raspberry Pi Technical advisory board: • Krste Asanovic (UC Berkeley) • Julius Baxter (OpenRISC) • Bunnie Huang (Hacker) • Dominic Rizzo (Google ATAP) • Michael Taylor (UCSD)
innovation and semiconductor startups • Research platform • The opportunity for contributors to see their HDL used in a mass produced SoC ◦ Regular tape-outs
initial private donation • Work with collaborators (e.g. Berkeley) • Additional funding (e.g. research councils) • Community • OpenCores IP and tools • Build the core dev team. Just advertised and filled two positions
Next 6 months • Production of a test chip. End of 2015 • Tape out of production silicon. 2016 • Produce low cost development boards. “Raspberry Pi for grown-ups” :)
of Raspberry Pi sales • Hackers, tinkerers, researchers, the OSHW community • Target the embedded, connected world. IoT • Security is essential. We would be negligent to not consider how to improve on security features available in shipping processors ◦ Tagged memory ◦ Traditional features: RNG, crypto accelerator, encrypted off-chip memory, secure boot • Flexible IO. Flexibility of a Zynq-like platform but in software. ◦ Vendors incentivized to make low level peripherals arbitrarily different for lock-in and ‘differentiation’.
the stack, heap, functions • Stack canaries: put a secret value on the stack and detect if it is overwritten • Software sandboxing (e.g. Android, iPhone, browser sandboxes)
this class of attacks control flow hijack attacks • All of these attacks (so far) require violating spatial memory safety, i.e. writing beyond the bounds of an object ◦ More specifically, they require overwriting a code pointer Aim: protect code pointers from overwrites
• Problem: we can protect the vtable pointer for the lifetime of an object, but if the object is used after it was freed, the attacker could control the contents of that memory location. • Solution: Check presence of tag bits. Augment with existing segregated allocator techniques • A good example of the effort attackers are willing to go to: http://blog.exodusintel.com/2013/11/26/browser- weakest-byte/
memory that can be configured for use in a wide range of different scenarios: • Infinite memory watchpoints • Better version of traditional canaries • Garbage collection • Accelerate AddressSanitizer/ThreadSanitizer/MemorySanitizer ◦ If larger tags are required, update shadow memory in the exception handler • Locks on every word • Apply tag bits to instructions to mark valid targets of indirect branches
cache and widening of cache lines • New instructions to manipulate tags • Compiler modifications to protect and check RA and vtable pointers • Modify memory allocator to clear tags upon free, and modify memcpy and memmove to copy tags • Update kernel virtual memory system to persist tag bits when moving a page to secondary storage Compatibility: metadata in binaries can be used to rewrite instructions at load time
new interfaces • Ease to program (vs programmable logic) • Off-load work from main core ◦ Do more work close to I/O ◦ Combine with tagged memory for more complex security policies/checks • Filter I/O to only wake up the main core when needed • Avoid writing HDL for all controllers and interfaces.
would be painful. ◦ Provide a small amount of configurable logic, buffers, timers, and clocks to reduce overheads ◦ Support routing physical pins to different cores • Timing/events ◦ Execute out of scratchpads to help provide bounded execution time ◦ Precise timing (e.g. wait for counter) • Considering multi-threaded operation and low-latency communication with main core (e.g. FIFO links) • Minions are not coherent between themselves, but are coherent with main processors.
IO + memory controller + tagged memory. Reusable research BGA package from UCSD • V1: Complete, secure embedded SoC appropriate for headless applications. • Ultimate ambition is an SoC with a broad set of features including GPU, appropriate for a mobile phone or set-top box. V1 is a stepping stone towards that goal. What is success for a project like lowRISC?