[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:13.64,Default,,0000,0000,0000,,{\i1}34c3 intro{\i0} Dialogue: 0,0:00:13.64,0:00:19.89,Default,,0000,0000,0000,,Herald: The next talk will be about\Nembedded systems security and Pascal, the Dialogue: 0,0:00:19.89,0:00:25.93,Default,,0000,0000,0000,,speaker, will explain how you can hijack\Ndebug components for embedded security in Dialogue: 0,0:00:25.93,0:00:33.17,Default,,0000,0000,0000,,ARM processors. Pascal is not only an\Nembedded software security engineer but Dialogue: 0,0:00:33.17,0:00:39.10,Default,,0000,0000,0000,,also a researcher in his spare time.\NPlease give a very very warm Dialogue: 0,0:00:39.10,0:00:41.91,Default,,0000,0000,0000,,welcoming good morning applause to\NPascal. Dialogue: 0,0:00:41.91,0:00:48.01,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:00:48.01,0:00:54.49,Default,,0000,0000,0000,,Pascal: OK, thanks for the introduction.\NAs it was said, I'm an engineer by day in Dialogue: 0,0:00:54.49,0:00:59.48,Default,,0000,0000,0000,,a French company where I work as an\Nembedded system security engineer. But Dialogue: 0,0:00:59.48,0:01:04.46,Default,,0000,0000,0000,,this talk is mainly about my spare-time\Nactivity which is researcher, hacker or Dialogue: 0,0:01:04.46,0:01:10.66,Default,,0000,0000,0000,,whatever you call it. This is because I\Nwork with a PhD student called Muhammad Dialogue: 0,0:01:10.66,0:01:17.64,Default,,0000,0000,0000,,Abdul Wahab. He's a third year PhD student\Nin a French lab. So, this talk will be Dialogue: 0,0:01:17.64,0:01:23.07,Default,,0000,0000,0000,,mainly a representation on his work about\Nembedded systems security and especially Dialogue: 0,0:01:23.07,0:01:29.99,Default,,0000,0000,0000,,debug components available in ARM\Nprocessors. Don't worry about the link. 
At Dialogue: 0,0:01:29.99,0:01:34.19,Default,,0000,0000,0000,,the end, there will be also the link with\Nall the slides, documentations and Dialogue: 0,0:01:34.19,0:01:42.48,Default,,0000,0000,0000,,everything. So, before the congress, I\Ndidn't know about what kind of background Dialogue: 0,0:01:42.48,0:01:46.78,Default,,0000,0000,0000,,you will need for my talk. So, I\Nput there some links, I mean some Dialogue: 0,0:01:46.78,0:01:51.71,Default,,0000,0000,0000,,references of some talks where you will\Nhave all the vocabulary needed to Dialogue: 0,0:01:51.71,0:01:57.49,Default,,0000,0000,0000,,understand at least some parts of my talk.\NAbout computer architecture and embedded Dialogue: 0,0:01:57.49,0:02:03.08,Default,,0000,0000,0000,,system security, I hope you had attended\Nthe talk by Alastair about the formal Dialogue: 0,0:02:03.08,0:02:09.44,Default,,0000,0000,0000,,verification of software and also the talk\Nby Keegan about Trusted Execution Dialogue: 0,0:02:09.44,0:02:17.61,Default,,0000,0000,0000,,Environments (TEEs such as TrustZone).\NAnd, in this talk, I will also talk about Dialogue: 0,0:02:17.61,0:02:25.88,Default,,0000,0000,0000,,FPGA stuff. About FPGAs, there was a talk\Non day 2 about FPGA reverse engineering. Dialogue: 0,0:02:25.88,0:02:31.18,Default,,0000,0000,0000,,And, if you don't know about FPGAs, I hope\Nthat you had some time to go to the Dialogue: 0,0:02:31.18,0:02:37.89,Default,,0000,0000,0000,,OpenFPGA assembly because these guys are\Ndoing a great job about FPGA open-source Dialogue: 0,0:02:37.89,0:02:46.95,Default,,0000,0000,0000,,tools. When you see this slide, the first\Nquestion is that why I put "TrustZone is Dialogue: 0,0:02:46.95,0:02:53.59,Default,,0000,0000,0000,,not enough"? Just a quick reminder about\Nwhat TrustZone is. TrustZone is about Dialogue: 0,0:02:53.59,0:03:03.60,Default,,0000,0000,0000,,separating a system between a non-secure\Nworld in red and a secure world in green. 
Dialogue: 0,0:03:03.60,0:03:09.29,Default,,0000,0000,0000,,When we want to use the TrustZone\Nframework, we have lots of hardware Dialogue: 0,0:03:09.29,0:03:16.70,Default,,0000,0000,0000,,components, lots of software components\Nallowing us to, let's say, run separately Dialogue: 0,0:03:16.70,0:03:24.75,Default,,0000,0000,0000,,a secure OS and a non-secure OS. In our\Ncase, what we wanted to do is to use the Dialogue: 0,0:03:24.75,0:03:31.45,Default,,0000,0000,0000,,debug components (you can see it on the\Nleft side of the picture) to see if we can Dialogue: 0,0:03:31.45,0:03:39.30,Default,,0000,0000,0000,,make some security with it. Furthermore,\Nwe wanted to use something else than Dialogue: 0,0:03:39.30,0:03:45.46,Default,,0000,0000,0000,,TrustZone because if you have attended the\Ntalk about the security in the Nintendo Dialogue: 0,0:03:45.46,0:03:51.15,Default,,0000,0000,0000,,Switch, you can see that the TrustZone\Nframework can be bypassed under specific Dialogue: 0,0:03:51.15,0:03:58.97,Default,,0000,0000,0000,,cases. Furthermore, this talk is something\Nquite complimentary because we will do Dialogue: 0,0:03:58.97,0:04:07.90,Default,,0000,0000,0000,,something at a lower level, at the\Nprocessor architecture level. I will talk Dialogue: 0,0:04:07.90,0:04:14.73,Default,,0000,0000,0000,,in a later part of my talk about what we\Ncan do between TrustZone and the approach Dialogue: 0,0:04:14.73,0:04:21.25,Default,,0000,0000,0000,,developed in this work. So, basically, the\Npresentation will be a quick introduction. Dialogue: 0,0:04:21.25,0:04:27.32,Default,,0000,0000,0000,,I will talk about some works aiming to use\Ndebug components to make some security. Dialogue: 0,0:04:27.32,0:04:33.57,Default,,0000,0000,0000,,Then, I will talk about ARMHEx which\Nis the name of the system we developed to Dialogue: 0,0:04:33.57,0:04:37.64,Default,,0000,0000,0000,,use the debug components in a hardcore\Nprocessor. 
And, finally, some results and Dialogue: 0,0:04:37.64,0:04:46.18,Default,,0000,0000,0000,,a conclusion. In the context of our\Nproject, we are working with System-on- Dialogue: 0,0:04:46.18,0:04:54.03,Default,,0000,0000,0000,,Chips. So, System-on-Chips are a kind of\Ndevices where we have in the green part a Dialogue: 0,0:04:54.03,0:04:58.78,Default,,0000,0000,0000,,processor. So it can be a single core,\Ndual core or even quad core processor. Dialogue: 0,0:04:58.78,0:05:05.58,Default,,0000,0000,0000,,And another interesting part which is in\Nyellow in the image is the programmable Dialogue: 0,0:05:05.58,0:05:09.53,Default,,0000,0000,0000,,logic. Which is also called an FPGA\Nin this case. And Dialogue: 0,0:05:09.53,0:05:13.87,Default,,0000,0000,0000,,in this kind of System-on-\NChip, you have the hardcore processor, Dialogue: 0,0:05:13.87,0:05:23.79,Default,,0000,0000,0000,,the FPGA and some links between those two\Nunits. You can see here, in the red Dialogue: 0,0:05:23.79,0:05:32.84,Default,,0000,0000,0000,,rectangle, one of the two processors. This\Npicture is an image of a System-on-Chip Dialogue: 0,0:05:32.84,0:05:38.50,Default,,0000,0000,0000,,called Zynq provided by Xilinx which is\Nalso a FPGA provider. In this kind of Dialogue: 0,0:05:38.50,0:05:45.03,Default,,0000,0000,0000,,chip, we usually have 2 Cortex-A9\Nprocessors and some FPGA logic to work Dialogue: 0,0:05:45.03,0:05:53.91,Default,,0000,0000,0000,,with. What we want to do with the debug\Ncomponents is to work about Dynamic Dialogue: 0,0:05:53.91,0:06:00.29,Default,,0000,0000,0000,,Information Flow Tracking. Basically, what\Nis information flow? Information flow is Dialogue: 0,0:06:00.29,0:06:07.04,Default,,0000,0000,0000,,the transfer of information from an\Ninformation container C1 to C2 given a Dialogue: 0,0:06:07.04,0:06:14.41,Default,,0000,0000,0000,,process P. 
In other words, if we take this\Nsimple code over there: if you have 4 Dialogue: 0,0:06:14.41,0:06:24.10,Default,,0000,0000,0000,,variables (for instance, a, b, w and x),\Nthe idea is that if you have some metadata Dialogue: 0,0:06:24.10,0:06:31.99,Default,,0000,0000,0000,,in a, the metadata will be transmitted to\Nw. In other words, what kind of Dialogue: 0,0:06:31.99,0:06:39.56,Default,,0000,0000,0000,,information will we transmit into the\Ncode? Basically, the information I'm Dialogue: 0,0:06:39.56,0:06:48.21,Default,,0000,0000,0000,,talking in the first block is "OK, this\Ndata is private, this data is public" and Dialogue: 0,0:06:48.21,0:06:55.25,Default,,0000,0000,0000,,we should not mix data which are public\Nand private together. Basically we can say Dialogue: 0,0:06:55.25,0:07:00.44,Default,,0000,0000,0000,,that the information can be binary\Ninformation which is "public or private" Dialogue: 0,0:07:00.44,0:07:08.62,Default,,0000,0000,0000,,but of course we'll be able to have\Nseveral levels of information. In the Dialogue: 0,0:07:08.62,0:07:16.45,Default,,0000,0000,0000,,following parts, this information will be\Ncalled taint or even tags and to be a bit Dialogue: 0,0:07:16.45,0:07:22.07,Default,,0000,0000,0000,,more simple we will use some colors to\Nsay "OK, my tag is red or green" just to Dialogue: 0,0:07:22.07,0:07:33.93,Default,,0000,0000,0000,,say if it's private or public data. As I\Nsaid, if the tag contained in a is red, Dialogue: 0,0:07:33.93,0:07:42.24,Default,,0000,0000,0000,,the data contained in w will be red as\Nwell. Same thing for b and x. If we have a Dialogue: 0,0:07:42.24,0:07:48.92,Default,,0000,0000,0000,,quick example over there, if we look at a\Nbuffer overflow. In the upper part of the Dialogue: 0,0:07:48.92,0:07:57.10,Default,,0000,0000,0000,,slide you have the assembly code and on\Nthe lower part, the green columns will be Dialogue: 0,0:07:57.10,0:08:03.60,Default,,0000,0000,0000,,the color of the tags. 
On the right side\Nof these columns you have the status of Dialogue: 0,0:08:03.60,0:08:10.94,Default,,0000,0000,0000,,the different registers. This code is\Nbasically: OK, when my input is red at the Dialogue: 0,0:08:10.94,0:08:19.90,Default,,0000,0000,0000,,beginning, we just use the tainted input\Ninto the index variable. The register 2 Dialogue: 0,0:08:19.90,0:08:28.21,Default,,0000,0000,0000,,which contains the idx variable will be\Nred as well. Then, when we want to access Dialogue: 0,0:08:28.21,0:08:36.98,Default,,0000,0000,0000,,buffer[idx] which is the second line in\Nthe C code at the beginning, the Dialogue: 0,0:08:36.98,0:08:43.57,Default,,0000,0000,0000,,information we have there will be red as\Nwell. And, of course, the result of the Dialogue: 0,0:08:43.57,0:08:50.10,Default,,0000,0000,0000,,operation which is x will be red as well.\NBasically, that means that if there is a Dialogue: 0,0:08:50.10,0:08:57.05,Default,,0000,0000,0000,,tainted input at the beginning, we must\Nbe able to transmit this information until Dialogue: 0,0:08:57.05,0:09:03.39,Default,,0000,0000,0000,,the return address of this code just to\Nsay "OK, if this tainted input is private, Dialogue: 0,0:09:03.39,0:09:12.47,Default,,0000,0000,0000,,the return adress at the end of the code\Nshould be private as well". What can we do Dialogue: 0,0:09:12.47,0:09:17.97,Default,,0000,0000,0000,,with that? There is a simple code over\Nthere. This is a simple code saying if you Dialogue: 0,0:09:17.97,0:09:25.89,Default,,0000,0000,0000,,are a normal user, if in your code, you\Njust have to open the welcome file. Dialogue: 0,0:09:25.89,0:09:33.33,Default,,0000,0000,0000,,Otherwise, if you are a root user, you\Nmust open the password file. So this is to Dialogue: 0,0:09:33.33,0:09:38.68,Default,,0000,0000,0000,,say if we want to open the welcome file,\Nthis is a public information: you can do Dialogue: 0,0:09:38.68,0:09:45.13,Default,,0000,0000,0000,,whatever you want with it. 
Otherwise, if\Nit's a root user, maybe the password will Dialogue: 0,0:09:45.13,0:09:51.92,Default,,0000,0000,0000,,contain for instance a cryptographic key\Nand we should not go to the printf Dialogue: 0,0:09:51.92,0:10:01.97,Default,,0000,0000,0000,,function at the end of this code. The idea\Nbehind that is to check that the fs Dialogue: 0,0:10:01.97,0:10:08.29,Default,,0000,0000,0000,,variable containing the data of the file\Nis private or public. There are mainly Dialogue: 0,0:10:08.29,0:10:13.90,Default,,0000,0000,0000,,three steps for that. First of all, the\Ncompilation will give us the assembly Dialogue: 0,0:10:13.90,0:10:25.29,Default,,0000,0000,0000,,code. Then, we must modify system calls to\Nsend the tags. The tags will be as I said Dialogue: 0,0:10:25.29,0:10:33.72,Default,,0000,0000,0000,,before the private or public information\Nabout my fs variable. I will talk a bit Dialogue: 0,0:10:33.72,0:10:40.70,Default,,0000,0000,0000,,about that later: maybe, in future works,\Nthe idea is to make or at least to compile Dialogue: 0,0:10:40.70,0:10:51.79,Default,,0000,0000,0000,,an Operating System with integrated\Nsupport for DIFT. There were already some Dialogue: 0,0:10:51.79,0:10:58.46,Default,,0000,0000,0000,,works about Dynamic Information Flow\NTracking. So, we should do this kind of Dialogue: 0,0:10:58.46,0:11:04.84,Default,,0000,0000,0000,,information flow tracking in two manners.\NThe first one at the application level Dialogue: 0,0:11:04.84,0:11:14.92,Default,,0000,0000,0000,,working at the Java or Android level. Some\Nworks also propose some solutions at the Dialogue: 0,0:11:14.92,0:11:21.10,Default,,0000,0000,0000,,OS level: for instance, KBlare. 
But what\Nwe wanted to do here is to work at a lower Dialogue: 0,0:11:21.10,0:11:27.73,Default,,0000,0000,0000,,level so this is not at the application or\Nthe OS leve but more at the hardware level Dialogue: 0,0:11:27.73,0:11:34.77,Default,,0000,0000,0000,,or, at least, at the processor\Narchitecture level. If you want to have Dialogue: 0,0:11:34.77,0:11:39.54,Default,,0000,0000,0000,,some information about the OS level\Nimplementations of information flow Dialogue: 0,0:11:39.54,0:11:47.18,Default,,0000,0000,0000,,tracking, you can go to blare-ids.org\Nwhere you have some implementations of an Dialogue: 0,0:11:47.18,0:11:55.75,Default,,0000,0000,0000,,Android port and a Java port of intrusion\Ndetection systems. In the rest of my talk, Dialogue: 0,0:11:55.75,0:12:05.07,Default,,0000,0000,0000,,I will just go through the existing works\Nand see what we can do about that. When we Dialogue: 0,0:12:05.07,0:12:10.71,Default,,0000,0000,0000,,talk about dynamic information flow\Ntracking at a low level, there are mainly Dialogue: 0,0:12:10.71,0:12:22.49,Default,,0000,0000,0000,,three approaches. The first one is the\None in the left-side of this slide. The idea is Dialogue: 0,0:12:22.49,0:12:29.30,Default,,0000,0000,0000,,that in the upper-side of this figure, we\Nhave the normal processor pipeline: Dialogue: 0,0:12:29.30,0:12:38.06,Default,,0000,0000,0000,,basically, decode stage, register file and\NArithmetic & Logic Unit. The basic idea is Dialogue: 0,0:12:38.06,0:12:44.41,Default,,0000,0000,0000,,that when we want to process with tags or\Ntaints, we just duplicate the processor Dialogue: 0,0:12:44.41,0:12:54.13,Default,,0000,0000,0000,,pipeline (the grey pipeline under the\Nnormal one) just to process data. 
And, it Dialogue: 0,0:12:54.13,0:12:58.01,Default,,0000,0000,0000,,implies two things: First of all, we must\Nhave the source code of the processor Dialogue: 0,0:12:58.01,0:13:08.72,Default,,0000,0000,0000,,itself just to duplicate the processor\Npipeline and to make the DIFT pipeline. Dialogue: 0,0:13:08.72,0:13:16.40,Default,,0000,0000,0000,,This is quite inconvenient because we\Nmust have the source code of the processor Dialogue: 0,0:13:16.40,0:13:25.16,Default,,0000,0000,0000,,which is not really easy sometimes.\NOtherwise, the main advantage of this Dialogue: 0,0:13:25.16,0:13:29.93,Default,,0000,0000,0000,,approach is that we can do nearly anything\Nwe want because we have access to all Dialogue: 0,0:13:29.93,0:13:34.84,Default,,0000,0000,0000,,codes. So, we can pull all wires we need\Nfrom the processor just to get the Dialogue: 0,0:13:34.84,0:13:41.47,Default,,0000,0000,0000,,information we need. On the second\Napproach (right side of the picture), Dialogue: 0,0:13:41.47,0:13:47.13,Default,,0000,0000,0000,,there is something a bit more different:\Ninstead of having a single processor Dialogue: 0,0:13:47.13,0:13:52.46,Default,,0000,0000,0000,,aiming to do the normal application flow +\Nthe information flow tracking, we should Dialogue: 0,0:13:52.46,0:13:58.87,Default,,0000,0000,0000,,separate the normal execution and the\Ninformation flow tracking (this is the Dialogue: 0,0:13:58.87,0:14:04.64,Default,,0000,0000,0000,,second approach over there). This approach\Nis not satisfying as well because you will Dialogue: 0,0:14:04.64,0:14:15.02,Default,,0000,0000,0000,,have one core running the normal\Napplication but core #2 will be just able Dialogue: 0,0:14:15.02,0:14:22.36,Default,,0000,0000,0000,,to make DIFT controls. Basically, it's a\Nshame to use a processor just to make DIFT Dialogue: 0,0:14:22.36,0:14:29.83,Default,,0000,0000,0000,,controls. 
The best compromise we can do is\Nto make a dedicated coprocessor just to Dialogue: 0,0:14:29.83,0:14:35.67,Default,,0000,0000,0000,,make the information flow tracking\Nprocessing. Basically, the most Dialogue: 0,0:14:35.67,0:14:42.16,Default,,0000,0000,0000,,interesting work in this topic is to have\Na main core processor aiming to make the Dialogue: 0,0:14:42.16,0:14:47.08,Default,,0000,0000,0000,,normal application and a dedicated\Ncoprocessor to make the IFT controls. You Dialogue: 0,0:14:47.08,0:14:54.38,Default,,0000,0000,0000,,will have some communications between\Nthose two cores. If we want to make a Dialogue: 0,0:14:54.38,0:15:01.04,Default,,0000,0000,0000,,quick comparison between different works.\NIf you want to run the dynamic information Dialogue: 0,0:15:01.04,0:15:09.23,Default,,0000,0000,0000,,flow control in pure software (I will talk\Nabout that in the slide after), this is Dialogue: 0,0:15:09.23,0:15:19.81,Default,,0000,0000,0000,,really painful in terms of time overhead\Nbecause you will see that the time to do Dialogue: 0,0:15:19.81,0:15:25.33,Default,,0000,0000,0000,,information flow tracking in pure software\Nis really unacceptable. Regarding Dialogue: 0,0:15:25.33,0:15:30.63,Default,,0000,0000,0000,,hardware-assisted approaches, the best\Nadvantage in all cases is that we have a Dialogue: 0,0:15:30.63,0:15:38.27,Default,,0000,0000,0000,,low overhead in terms of silicon area: it\Nmeans that, on this slide, the overhead Dialogue: 0,0:15:38.27,0:15:45.80,Default,,0000,0000,0000,,between the main core and the main core +\Nthe coprocessor is not so important. We Dialogue: 0,0:15:45.80,0:16:00.97,Default,,0000,0000,0000,,will see that, in the case of my talk, the\Ndedicated DIFT coprocessor is also easier Dialogue: 0,0:16:00.97,0:16:10.41,Default,,0000,0000,0000,,to get different security policies. 
As I\Nsaid in the pure software solution (the Dialogue: 0,0:16:10.41,0:16:17.50,Default,,0000,0000,0000,,first line of this table), the basic idea\Nbehind that is to use instrumentation. If Dialogue: 0,0:16:17.50,0:16:23.58,Default,,0000,0000,0000,,you were there on day 2, the\Ninstrumentation is the transformation of a Dialogue: 0,0:16:23.58,0:16:30.05,Default,,0000,0000,0000,,program into its own measurement tool. It\Nmeans that we will put some sensors in all Dialogue: 0,0:16:30.05,0:16:36.60,Default,,0000,0000,0000,,parts of my code just to monitor its\Nactivity and gather some information from Dialogue: 0,0:16:36.60,0:16:42.87,Default,,0000,0000,0000,,it. If we want to measure the impact of\Ninstrumentation on the execution time of Dialogue: 0,0:16:42.87,0:16:48.13,Default,,0000,0000,0000,,an application, you can see in this\Ndiagram over there, the normal application Dialogue: 0,0:16:48.13,0:16:53.99,Default,,0000,0000,0000,,level which is normalized to 1. When we\Nwant to use instrumentation with it, the Dialogue: 0,0:16:53.99,0:17:06.13,Default,,0000,0000,0000,,minimal overhead we have is about 75%. The\Ntime with instrumentation will be most of Dialogue: 0,0:17:06.13,0:17:11.89,Default,,0000,0000,0000,,the time twice higher than the normal\Nexecution time. This is completely Dialogue: 0,0:17:11.89,0:17:18.61,Default,,0000,0000,0000,,unacceptable because it will just run\Nslower your application. Basically, as I Dialogue: 0,0:17:18.61,0:17:24.41,Default,,0000,0000,0000,,said, the main concern about my talk is\Nabout reducing the overhead of software Dialogue: 0,0:17:24.41,0:17:29.88,Default,,0000,0000,0000,,instrumentation. I will talk also a bit\Nabout the security of the DIFT coprocessor Dialogue: 0,0:17:29.88,0:17:36.68,Default,,0000,0000,0000,,because we can't include a DIFT\Ncoprocessor without taking care of its Dialogue: 0,0:17:36.68,0:17:45.37,Default,,0000,0000,0000,,security. 
According to my knowledge, this\Nis the first work about DIFT in ARM-based Dialogue: 0,0:17:45.37,0:17:53.38,Default,,0000,0000,0000,,system-on-chips. On the talk about the\Nsecurity of the Nintendo Switch, the Dialogue: 0,0:17:53.38,0:17:59.46,Default,,0000,0000,0000,,speaker said that black-box testing is fun\N... except that it isn't. In our case, we Dialogue: 0,0:17:59.46,0:18:05.38,Default,,0000,0000,0000,,have only a black-box because we can't\Nmodify the structure of the processor, we Dialogue: 0,0:18:05.38,0:18:13.81,Default,,0000,0000,0000,,must make our job without, let's say,\Ndecaping the processor and so on. This is Dialogue: 0,0:18:13.81,0:18:21.91,Default,,0000,0000,0000,,an overall schematic of our architecture.\NOn the left side, in light green, you have Dialogue: 0,0:18:21.91,0:18:27.13,Default,,0000,0000,0000,,the ARM processor. In this case, this is a\Nsimplified version with only one core. Dialogue: 0,0:18:27.13,0:18:32.63,Default,,0000,0000,0000,,And, on the right side, you have the\Nstructure of the coprocessor we Dialogue: 0,0:18:32.63,0:18:40.72,Default,,0000,0000,0000,,implemented in the FPGA. You can notice,\Nfor instance, for the moment sorry, two Dialogue: 0,0:18:40.72,0:18:48.07,Default,,0000,0000,0000,,things. The first is that you have some\Nlinks between the FPGA and the CPU. These Dialogue: 0,0:18:48.07,0:18:54.16,Default,,0000,0000,0000,,links are already existing in the system-\Non-chip. And you can see another thing Dialogue: 0,0:18:54.16,0:19:03.68,Default,,0000,0000,0000,,regarding the memory: you have separate\Nmemory for the processor and the FPGA. And Dialogue: 0,0:19:03.68,0:19:08.62,Default,,0000,0000,0000,,we will see later that we can use\NTrustZone to add a layer of security, just Dialogue: 0,0:19:08.62,0:19:17.47,Default,,0000,0000,0000,,to be sure that we won't mix the memory\Nbetween the CPU and the FPGA. 
Basically, Dialogue: 0,0:19:17.47,0:19:24.24,Default,,0000,0000,0000,,when we want to work with ARM processors,\Nwe must use ARM datasheets, we must read Dialogue: 0,0:19:24.24,0:19:29.66,Default,,0000,0000,0000,,ARM datasheets. First of all, don't be\Nafraid by the length of ARM datasheets Dialogue: 0,0:19:29.66,0:19:36.59,Default,,0000,0000,0000,,because, in my case, I used to work with\Nthe ARM-v7 technical manual which is Dialogue: 0,0:19:36.59,0:19:49.25,Default,,0000,0000,0000,,already 2000 pages. The ARM-v8 manual is\Nabout 6000 pages. Anyway. Of course, what Dialogue: 0,0:19:49.25,0:19:54.69,Default,,0000,0000,0000,,is also difficult is that the information\Nis split between different documents. Dialogue: 0,0:19:54.69,0:20:01.32,Default,,0000,0000,0000,,Anyway, when we want to use debug\Ncomponents in the case of ARM, we just Dialogue: 0,0:20:01.32,0:20:07.74,Default,,0000,0000,0000,,have this register over there which is\Ncalled DBGOSLAR. We can see that, in this Dialogue: 0,0:20:07.74,0:20:15.40,Default,,0000,0000,0000,,register, we can say that writing the key\Nvalue 0xC5A-blabla to this field locks the Dialogue: 0,0:20:15.40,0:20:20.18,Default,,0000,0000,0000,,debug registers. And if your write any\Nother value, it will just unlock those Dialogue: 0,0:20:20.18,0:20:27.60,Default,,0000,0000,0000,,debug registers. So that was basically the\Nfirst step to enable the debug components: Dialogue: 0,0:20:27.60,0:20:38.84,Default,,0000,0000,0000,,Just writing a random value to this register\Njust to unlock my debug components. Here Dialogue: 0,0:20:38.84,0:20:44.87,Default,,0000,0000,0000,,is again a schematic of the overall\Nsystem-on-chip. As you see, you have the Dialogue: 0,0:20:44.87,0:20:50.22,Default,,0000,0000,0000,,two processors and, on the top part, you\Nhave what are called Coresight components. Dialogue: 0,0:20:50.22,0:20:56.12,Default,,0000,0000,0000,,These are the famous debug components I\Nwill talk in the second part of my talk. 
Dialogue: 0,0:20:56.12,0:21:05.68,Default,,0000,0000,0000,,Here is a simplified view of the debug\Ncomponents we have in Zynq SoCs. On the Dialogue: 0,0:21:05.68,0:21:13.46,Default,,0000,0000,0000,,left side, we have the two processors\N(CPU0 and CPU1) and all the Coresight Dialogue: 0,0:21:13.46,0:21:21.21,Default,,0000,0000,0000,,components are: PTM, the one which is in\Nthe red rectangle; and also the ECT which Dialogue: 0,0:21:21.21,0:21:26.46,Default,,0000,0000,0000,,is the Embedded Cross Trigger; and the ITM\Nwhich is the Instrumentation Trace Dialogue: 0,0:21:26.46,0:21:32.94,Default,,0000,0000,0000,,Macrocell. Basically, when we want to\Nextract some data from the Coresight Dialogue: 0,0:21:32.94,0:21:43.56,Default,,0000,0000,0000,,components, the basic path we use is the\NPTM, go through the Funnel and, at this Dialogue: 0,0:21:43.56,0:21:50.75,Default,,0000,0000,0000,,step, we have two choices to store the\Ninformation taken from debug components. Dialogue: 0,0:21:50.75,0:21:55.83,Default,,0000,0000,0000,,The first one is the Embedded Trace Buffer\Nwhich is a small memory embedded in the Dialogue: 0,0:21:55.83,0:22:04.28,Default,,0000,0000,0000,,processor. Unfortunately, this memory is\Nreally small because it's only about Dialogue: 0,0:22:04.28,0:22:10.57,Default,,0000,0000,0000,,4KBytes as far as I remember. But the other\Npossibility is just to export some data to Dialogue: 0,0:22:10.57,0:22:15.80,Default,,0000,0000,0000,,the Trace Packet Output and this is what\Nwe will use just to export some data to Dialogue: 0,0:22:15.80,0:22:26.31,Default,,0000,0000,0000,,the coprocessor implemented in the FPGA.\NBasically, what PTM is able to do? The Dialogue: 0,0:22:26.31,0:22:34.15,Default,,0000,0000,0000,,first thing that PTM can do is to trace\Nwhatever in your memory. For instance, you Dialogue: 0,0:22:34.15,0:22:41.88,Default,,0000,0000,0000,,can trace all your code. Basically, all\Nthe blue sections. 
But, you can also let's Dialogue: 0,0:22:41.88,0:22:47.89,Default,,0000,0000,0000,,say trace specific regions of the code:\NYou can say OK I just want to trace the Dialogue: 0,0:22:47.89,0:22:55.52,Default,,0000,0000,0000,,code in my section 1 or section 2 or\Nsection N. Then the PTM is also able to Dialogue: 0,0:22:55.52,0:23:00.10,Default,,0000,0000,0000,,make some Branch Broadcasting. That is\Nsomething that was not present in the Dialogue: 0,0:23:00.10,0:23:06.92,Default,,0000,0000,0000,,Linux kernel. So, we already submitted a\Npatch that was accepted to manage the Dialogue: 0,0:23:06.92,0:23:14.31,Default,,0000,0000,0000,,Branch Broadcasting into the PTM. And we\Ncan do some timestamping and other things Dialogue: 0,0:23:14.31,0:23:22.25,Default,,0000,0000,0000,,just to be able to store the information\Nin the traces. Basically, what a trace Dialogue: 0,0:23:22.25,0:23:27.34,Default,,0000,0000,0000,,looks like? Here is the most simple\Ncode we could had: it's just a for loop Dialogue: 0,0:23:27.34,0:23:35.57,Default,,0000,0000,0000,,doing nothing. The assembly code over\Nthere. And the trace will look like this. Dialogue: 0,0:23:35.57,0:23:45.07,Default,,0000,0000,0000,,In the first 5 bytes, some kind of start\Npacket which is called the A-sync packet Dialogue: 0,0:23:45.07,0:23:50.39,Default,,0000,0000,0000,,just to say "OK, this is the beginning of\Nthe trace". In the green part, we'll have Dialogue: 0,0:23:50.39,0:23:56.46,Default,,0000,0000,0000,,the address which corresponds to the\Nbeginning of the loop. And, in the orange Dialogue: 0,0:23:56.46,0:24:02.70,Default,,0000,0000,0000,,part, we will have the Branch Address\NPacket. You can see that you have 10 Dialogue: 0,0:24:02.70,0:24:08.30,Default,,0000,0000,0000,,iterations of this Branch Address Packet\Nbecause we have 10 iterations of the for Dialogue: 0,0:24:08.30,0:24:18.68,Default,,0000,0000,0000,,loop. This is just to show what is the\Ngeneral structure of a trace. 
This is just Dialogue: 0,0:24:18.68,0:24:22.72,Default,,0000,0000,0000,,a control flow graph just to say what we\Ncould have about this. Of course, if we Dialogue: 0,0:24:22.72,0:24:27.01,Default,,0000,0000,0000,,have another loop at the end of this\Ncontrol flow graph, we'll just make the Dialogue: 0,0:24:27.01,0:24:31.82,Default,,0000,0000,0000,,trace a bit longer just to have the\Ninformation about the second loop and so Dialogue: 0,0:24:31.82,0:24:40.98,Default,,0000,0000,0000,,on. Once we have all these traces, the\Nnext step is to say I have my tags but how Dialogue: 0,0:24:40.98,0:24:49.22,Default,,0000,0000,0000,,do I define the rules just to transmit my\Ntags. And this is there we will use static Dialogue: 0,0:24:49.22,0:24:55.88,Default,,0000,0000,0000,,analysis for this. Basically, in this\Nexample, if we have the instruction "add Dialogue: 0,0:24:55.88,0:25:05.87,Default,,0000,0000,0000,,register1 + register2 and put the result\Nin register0". For this, we will use Dialogue: 0,0:25:05.87,0:25:12.78,Default,,0000,0000,0000,,static analysis which allows us to say that\Nthe tag associated with register0 will be Dialogue: 0,0:25:12.78,0:25:19.03,Default,,0000,0000,0000,,the tag of register1 or the tag of\Nregister2. Static analysis will be done Dialogue: 0,0:25:19.03,0:25:25.22,Default,,0000,0000,0000,,before running my code just to say I have\Nall the rules for all the lines of my Dialogue: 0,0:25:25.22,0:25:33.59,Default,,0000,0000,0000,,code. Now that we have the trace, we know\Nhow to transmit the tags all over my code, Dialogue: 0,0:25:33.59,0:25:41.53,Default,,0000,0000,0000,,the final step will be just to make the\Nstatic analysis in the LLVM backend. The Dialogue: 0,0:25:41.53,0:25:46.64,Default,,0000,0000,0000,,final step will be about instrumentation.\NAs I said before, we can recover all the Dialogue: 0,0:25:46.64,0:25:51.81,Default,,0000,0000,0000,,memory addresses we need through\Ninstrumentation. 
Otherwise, we can also Dialogue: 0,0:25:51.81,0:26:02.85,Default,,0000,0000,0000,,only get the register-relative memory\Naddresses through instrumentation. In this Dialogue: 0,0:26:02.85,0:26:12.18,Default,,0000,0000,0000,,first case, on this simple code, we can\Ninstrument all the code but the main Dialogue: 0,0:26:12.18,0:26:19.91,Default,,0000,0000,0000,,drawback of this solution is that it will\Ncompletely excess the time of the Dialogue: 0,0:26:19.91,0:26:27.40,Default,,0000,0000,0000,,instruction. Otherwise, what we can do is\Nthat with the store instruction over Dialogue: 0,0:26:27.40,0:26:33.53,Default,,0000,0000,0000,,there, we can get data from the trace:\Nbasically, we will use the Program Counter Dialogue: 0,0:26:33.53,0:26:37.86,Default,,0000,0000,0000,,from the trace. Then, for the Stack\NPointer, we will use static analysis to Dialogue: 0,0:26:37.86,0:26:42.73,Default,,0000,0000,0000,,get information from the Stack Pointer.\NAnd, finally, we can use only one Dialogue: 0,0:26:42.73,0:26:54.59,Default,,0000,0000,0000,,instrumented instruction at the end. If I\Ngo back to this system, the communication Dialogue: 0,0:26:54.59,0:27:03.04,Default,,0000,0000,0000,,overhead will be the main drawback as I\Nsaid before because if we have over there Dialogue: 0,0:27:03.04,0:27:09.34,Default,,0000,0000,0000,,the processor and the FPGA running in\Ndifferent parts, the main problem will be Dialogue: 0,0:27:09.34,0:27:18.09,Default,,0000,0000,0000,,how we can transmit data in real-time or,\Nat least, in the highest speed we can Dialogue: 0,0:27:18.09,0:27:27.46,Default,,0000,0000,0000,,between the processor and the FPGA. This\Nis the time overhead when we enable Dialogue: 0,0:27:27.46,0:27:35.30,Default,,0000,0000,0000,,Coresight components or not. In blue, we\Nhave the basic time overhead when the Dialogue: 0,0:27:35.30,0:27:40.61,Default,,0000,0000,0000,,traces are disabled. 
And we can see that,\Nwhen we enable traces, the time overhead Dialogue: 0,0:27:40.61,0:27:50.62,Default,,0000,0000,0000,,is nearly negligible. Regarding time\Ninstrumentation, we can see that regarding Dialogue: 0,0:27:50.62,0:27:56.78,Default,,0000,0000,0000,,the strategy 2 which is using the\NCoresight components, using the static Dialogue: 0,0:27:56.78,0:28:02.43,Default,,0000,0000,0000,,analysis and the instrumentation, we can\Nlower the instrumentation overhead from Dialogue: 0,0:28:02.43,0:28:11.12,Default,,0000,0000,0000,,53% down to 5%. We still have some\Noverhead due to instrumentation but it's Dialogue: 0,0:28:11.12,0:28:18.22,Default,,0000,0000,0000,,really low compared to the related works\Nwhere all the code was instrumented. This Dialogue: 0,0:28:18.22,0:28:26.19,Default,,0000,0000,0000,,is an overview that shows that in the\Ngrey lines some overhead of related works Dialogue: 0,0:28:26.19,0:28:31.20,Default,,0000,0000,0000,,with full instrumentation and we can see\Nthat, in our approach (with the green Dialogue: 0,0:28:31.20,0:28:43.87,Default,,0000,0000,0000,,lines over there), the time overhead with\Nour code is much much smaller. Basically, Dialogue: 0,0:28:43.87,0:28:49.14,Default,,0000,0000,0000,,how we can use TrustZone with this? This\Nis just an overview of our system. And we Dialogue: 0,0:28:49.14,0:28:55.70,Default,,0000,0000,0000,,can say we can use TrustZone just to\Nseparate the CPU from the FPGA Dialogue: 0,0:28:55.70,0:29:07.21,Default,,0000,0000,0000,,coprocessor. If we make a comparison with\Nrelated works, we can see that compared to Dialogue: 0,0:29:07.21,0:29:14.26,Default,,0000,0000,0000,,the first works, we are able to make some\Ninformation flow control with a hardcore Dialogue: 0,0:29:14.26,0:29:22.29,Default,,0000,0000,0000,,processor which was not the case with the\Nfirst two works in this table. 
It means Dialogue: 0,0:29:22.29,0:29:26.51,Default,,0000,0000,0000,,you can use a basic ARM processor just to\Nmake the information flow tracking instead Dialogue: 0,0:29:26.51,0:29:33.34,Default,,0000,0000,0000,,of having a specific processor. And, of\Ncourse, the area overhead, which is Dialogue: 0,0:29:33.34,0:29:39.09,Default,,0000,0000,0000,,another important topic, is much much\Nsmaller compared to the existing works. Dialogue: 0,0:29:39.09,0:29:44.57,Default,,0000,0000,0000,,It's time for the conclusion. As I\Npresented in this talk, we are able to use Dialogue: 0,0:29:44.57,0:29:50.79,Default,,0000,0000,0000,,the PTM component just to obtain runtime\Ninformation about my application. This is Dialogue: 0,0:29:50.79,0:29:56.94,Default,,0000,0000,0000,,a non-intrusive tracing because we still\Nhave negligible performance overhead. Dialogue: 0,0:29:56.94,0:30:02.15,Default,,0000,0000,0000,,And we also improve the software security\Njust because we were able to make some Dialogue: 0,0:30:02.15,0:30:07.71,Default,,0000,0000,0000,,security on the coprocessor. The future\Nperspective of that work is mainly to work Dialogue: 0,0:30:07.71,0:30:16.02,Default,,0000,0000,0000,,with multicore processors and see if we can\Nuse the same approach for Intel and maybe Dialogue: 0,0:30:16.02,0:30:21.10,Default,,0000,0000,0000,,ST microcontrollers to see if we can also\Ndo information flow tracking in this case. Dialogue: 0,0:30:21.10,0:30:25.52,Default,,0000,0000,0000,,That was my talk. Thanks for listening. Dialogue: 0,0:30:25.52,0:30:33.17,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:30:35.21,0:30:37.87,Default,,0000,0000,0000,,Herald: Thank you very much for this talk. Dialogue: 0,0:30:37.87,0:30:44.58,Default,,0000,0000,0000,,Unfortunately, we don't have time for Q&A,\Nso please, if you leave the room and take Dialogue: 0,0:30:44.58,0:30:48.17,Default,,0000,0000,0000,,your trash with you, that makes the angels\Nhappy. 
Dialogue: 0,0:30:48.17,0:30:54.84,Default,,0000,0000,0000,,Pascal: I was a bit long, sorry.\N Dialogue: 0,0:30:54.84,0:30:57.49,Default,,0000,0000,0000,,Herald: Another round\Nof applause for Pascal. Dialogue: 0,0:30:57.49,0:31:02.72,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:31:02.72,0:31:07.51,Default,,0000,0000,0000,,{\i1}34c3 outro{\i0} Dialogue: 0,0:31:07.51,0:31:24.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!