128-Bit Addressing in RISC-V and Security

128-Bit Addressing in RISC-V 

and Security 

Steve Wallach 

swallach@micron.com

PresentaCon 

• Background/FoundaConal 

NoCons 

– From the 1970’s to today 

• Exascale Issues 

• Proposal (Strawman) 

• ProtecCon structures for 

current address spaces 

• References 

2016 _NOV _RISCV_WORKSHOP 

2

Background 

• Since the late 70’s, mainstream 

processors have increased the 

size of the virtual space by simply 

adding more bits 

– DEC PDP/11 & VAX: 16è 32 

– Data General Eclipse/MV: 16 è 32 

– SPARC & HP RISC: 32 è 64 

– Intel x86; 16è 32 è 64 (48 used) 

• Itanium 64 

– IBM Power: 32 è 64 

– ARM: 32 è 64 

• Memory management and 

protecCon are intermingled 


3

Background 

• Other’s (pioneer’s) did not simply 

add more bits 

– IBM – FS (Ref: [13]) – 1976 

• Tagged 16 byte pointers 

(CapabiliCes) 

• System/38 is the diminuCve of FS 

– Data General - FHP (Ref: [3, 4,17]) - 

1980 

• Ref: 

hgp://people.cs.clemson.edu/ 

~mark/ip.html 

– true object orientaCon with onelevel 

addressing across a network 

(128 bit pointers!) 

– Intel 432 iMAX OS – (Ref: [16]) – 1980 

• 24 bit passive address 

• 80 bit UID (16 bit checksum) 


4

What Happened 

• MulCcs at MIT 

– UNIX is the diminuCve of 

MulCcs 

• Project Genie at UC 

Berkeley 

• Influenced Industry 

– Graduates 

– A new era of compuCng 

– Technology was not ready 


5

ARCHITECTURE OBJECTIVES 

• Programming generality is the ability 

to move a program between 

computer installaCons; the ability to 

maintain a program within changing 

hardware; the ability to use a 

program in the construcCon of 

another - without altering the 

program descripCon in any way. 

[9] Dennis, J., “PROGRAMMING GENERALITY , PARALLELISM and COMPUTER 

ARCHITECTURE”, MAC-M-409, MEMO NO. 32 , MIT. 


6

Going Forward 

• There Time is to only define one mistake a 128 that bit can space be made without in computer the design need that for is 128 difficult address to 

recover arithmeCc from—not having enough address bits for memory addressing and 

memory management.” Bell and Strecker, ISCA-3, 1976. 

– What is “i” in A[i]? 

– A Virtual Address greater than 64 bits 

(v2.1, page 105) 

• Time to correct and incorporate appropriate security and access 

mechanisms 

– Network Wide Security Model 

• Now each node has its own security model (client/server/network/server) 

– Access to the web is assumed and required 

• Private Cloud 

RISC V ISA SPEC ( page 105 – v2.1) 


7

Security & Facts 

• Computer Virtual Address’s (VA) span to local disk only 

– Disk Access is now Global (In pracCce) 

– Remember a VA references DISK explicitly NOT main memory (CS101) 

• Network Addressing (IPv4 & IPv6 span the enCre network) 

– IPv6 created a 128 bit network address space. Unique names 

• MAC and URL’s addresses are unique 

• EMAIL addresses are unique 

• Phone numbers are global; country code, city code, local code 

• Two different (web and local) address structures 

– Two different protecCon and addressing systems 

– Two different authenCcaCon systems 

• Soxware needed to bridge these two domains (too much soxware) 

• What if one unified name structure could be developed? 


8

ProtecCon ObjecCves 

• The original moCvaCon for puyng 

protecCon mechanisms into 

computer systems was to keep one 

user’s (program) malice or error from 

harming other users (program). Harm 

can be inflicted in several ways: 

– a) By destroying or modifying another 

user’s (program) data. 

– b) By reading or copying another user’s 

(program) data without permission. 

– c) By degrading the service another user 

(program) gets, for example, using up all 

the disk space or geyng more than a fair 

share of the processing Cme 

[1] Lampson, ProtecCon. Proc. 5th Princeton Conf. on Informa2on 

Sciences and Systems, Princeton, 1971 

2016 _NOV _RISCV_WORKSHOP 9

Some FoundaConal Basis 

• One should recognize that concentraCon on 

protecCon and authenCcaCon mechanisms 

provides a narrow view of informaCon 

security ,and that a narrow view is 

dangerous .The objecRve of a secure system 

is to prevent all unauthorized use of 

informaRon, a negaRve kind of 

requirement. 

• Every access to every object must be 

checked for authority. This principle, when 

systemaCcally applied, is the primary 

underpinning of the protecCon system 

• Validity/AuthenRcity is a REQUIREMENT 

(Ref D. Clark, personal communicaRons) 

[2] Schroder & Saltzer, “The protecCon of informaCon in computer systems”, 

PROCEEDINGS OF THE IEEE, VOL. 63, NO. 9, SEPTEMBER 1975 


10

Previous Efforts 

• Another soluCon is to address each segment with 

a unique integer which is assigned at the Cme the 

segment is created, never changed, and not 

reused even axer the segment has disappeared 

from the system. Call this the unique integer 

soluCon. ([3,4,5] & [13]Radin’s H – Handle) 

[3] US Patent, 4,525,780, “DATA PROCESSING SYSTEM HAVING A 

MEMORY USING OBJECT- BASED INFORMATION AND A 

PROTECTION SCHEME …” , 1985 

[4] US Patent, 4,821,184,” UNIVERSAL ADDRESSING SYSTEM FOR A 

DIGITAL DATA PROCESSING SYSTEM”, 1989 

[5] Fabry, “ Capability-Based Addressing”, CACM, July 

1974 

[13] Radin, Schneider, “An Architecture for an Extended 

Machine With Protected Addressing”, Radin, Schneider, 

TR 00.2757, IBM May 21, 1976 


OPAL 

• 

Single Address Space for all 

applicaCons 

• 

Persistent Pointers 

• 

“A full 64-bit address space will last 

for 500 years if allocated at the rate 

of one gigabyte per second. We 

believe that 64 bits is enough "for 

all Cme" on a single computer, 

enough for a long Cme on a small 

network, and not enough for very 

long at all on the global network.” 

[14] J. Chase, H. Levy, et. al, “Sharing and protecRon in a single address space operaRng system” “ 

Journal ACM TransacCons on Computer Systems (TOCS) - Special issue on computer architecture, Volume 

12 Issue 4, Nov. 1994, Pages 271-307 


12

Strawman – RV128I 

OBJECT ID 

Byte Offset 

64 64 

• 128 Bits 

• Object ID – Unique IdenCfier 

– a soxware (or hardware) structure that is considered to be worthy of a disCnct name. 

• Indexing is 64 bits – A[i] 

– Program Counter 

– Stack Pointer (CI format - Loads and Stores) 

• ISA independent 

– Like rouCng IP packets (Vendor Independent) 

• Persistent across Cme and space 

• ProtecCon and memory management are independent 


13

Why? 

• We need beger security 

• We need computer virtual 

addressing to reflect the 

contemporary uses 

– Network Wide 

• We do NOT want 128 bit flat 

addressing 

• We need pointer interoperability 

between computer systems 

(maybe) 

• We need a simplified sharing 

mechanism 

• We need a authenCcaCon, 

revocaCon and protecCon again 

malware/virus’s 


14

What is a Object ? 

• A Object is a unique 64 bit number. 

• An Object can specify 

– LocaCon and protecCon mechanisms 

– Language Specific/Architecture agributes 

• E.G., PGAS NODE 

• Data Encrypted 

• Blockchain 

• The creaCon of a Object is via a central name 

server. 

– Just like: IPv6, MAC addresses, ICANN 

• Central NAME server Involvement 

– Just like a DNS server 

– Just like Apple’s iCloud 

– Only manages Object’s, NOT DATA/ 

APPLICATIONS 

• Should an Object be a IPv6 address 

– Use bit 63 of offset to select; IPv6 or Object 

UID? 


15

Access Control/Domains 

• Defines a sphere of protecCon and use 

• Non-Hierarchical 

• Permission bits define what is 

permiged 

– LOCAL (Rd, Wr, Ex) 

– Global Network (Rd, Wr, Ex) 

– Extended privileged 

– Classical Privileged 

– System Calls 

• Explicit 

• Mediated 

– Shadow Stack 

• Domain Crossing and Return 

– Protected Stack (HW maintained) 

– Gate Entry 

– Mediated Number of Gates 

– Stack Switching 


16

AuthenCcaCon 

• The address space is unique over Cme and space. Any computer 

supporCng this address space is addressable by the name server. 

• Accessing an object for the first Cme requires 

– Permission to access (i.e., download A.OUT or .EXE file, entry within an ACL) 

– Access privileges for the object 

• Local and Network read/write/execute 

• Access only thru a protected sub-object 

• ExecuCon Domain 

• Domain of execuCon 

– Level of user (e.g., gold, plaCnum, execuCve plaCnum) 

– Admin (Level 1, 2, or n) 

• In essence we have a global access control list 

– We have that today, but don’t realize it 

– It is distributed (e.g., ADOBE maintains it 2D slice of the matrix) 

– Each Vendor has their own access control list 


17

Example using An ApplicaCon 

Steve Wallach – OBJECT 

Adobe PDF Reader - OBJECT 

• Can Execute in My Domain 

– Can read and write my file system 

• Can execute in different domain 

– Determine level of trust 

– Can read my data, but not write 

– Can’t send data back to ADOBE (network permissions) 

• Adobe FLASH - NO ACCESS 


18

Memory Management 

• Each object can have its OWN 

memory management structure 

– Page Tables 

– Hashed Indices 

– PGAS like 

• There is NO ACCESS bits 

associated with the management 

of storage (e.g., read, write, 

execute, etc..) 

– Management is separate from 

protecRon 

• Each object can choose to have 

object size for constraint access 

checking (bounds check). 


19

64 BIT LINUX 

Machine State Model 

File Object 

Proc_ID (pid_t) 

Process Address 

Space Object 

System Wide 

Resources 

Process 

CommunicaCons 

Process Specific (task_struct) 

-Unique for each process 

-Hashed Proc_ID 


Kernel Maintained 

.Page frame Cache 

.Disk Cache 

.Directory Cache 

.Lower level of 

Network Stack 

20

64 BIT LINUX 

-Memory Management 

Proc_ID 

32 BITS 

VIRTUAL ADDRESS (VA) 

64 BITS 

Hash 

BASE 

Page Table Base 

F(VA) 

LINUX NAME SPACE 

Page Base 

CAT 

Page 

Offset 

Process Object 

Address Space 

Page Table per Proc_ID 

TLB ASSOCIATES ON A 96 BIT NAME SPACE 

.implementaCon dependent 


Physical 

Byte Address 

21

128-BIT VIRTUAL ADDRESSING 

-Memory Management 

OBJECT ID 

64 64 

BYTE OFFSET 

BASE 

HASH 

F(ID) 

CAT 

Address Space 

Object 

TLB ASSOCIATES ON A 128 BIT NAME SPACE 

.implementaCon dependent 


PAGE BASE 

Control 

Local Page Table 

PGAS Local Node 

Object Length 

Lookup (hash/trees) 

CommunicaCons 

Physical 

Byte Address 

22

Exascale Issues 

• Subject to cost and power 

criCcal apps desire 

– One byte per peak flop (DOE 

ASC) 

– As much as you can 

• 2^64_bit words desirable 

(global access) 

• Memcached ConfiguraCons 

[7] 

– FronCng LARGE Disk Farms 

• Big Data and Compute. 

• BTW: An ExaByte requires 60 

bits of address 


Exascale Programming Model 

The machine that is simplest to program WINS. User cycles are more 

Important that cpu cycles 


24

128- BIT VIRTUAL ADDRESSING 

-ProtecCon/Data Reference 

OBJECT ID 

64 

BYTE OFFSET 

64 

Current Domain 

Principal 

FUNCT 

Access Control Lists 

ProtecCon Agributes 

-Read/Write/Execute 

-System Calls 

-External References 

-Protected Sub-Objects 

Cache Last # of Entries 

Validate Reference before Data Reference 


25

ProtecCon - ACL (matrix) – uses OBJECT names 

-maintained by Name Server- 

Target Name | Object 

Permissions 

Object Length 

PSO Pointer 

Source Name | Object (Principal) 


Note: Domain and Process 

Are NOT unique 

26

ACL (Access Control List) - ENTRY 

PERMISSIONS (Local and Global) 

OBJECT LENGTH - BYTES 

PROTECED SUB-OBJECT (PSO) POINTER 

64 

Principal UID is appended to the PSO pointer, essenCal which virtual machine to use 


27

PROTECTION -ACL Entry 

• PSO – Protected Sub-Object 

(Sandbox – [11]) 

– Virtual Machine 

– Requires soxware 

interpretaCon 

• Address of Sandbox 

– Mediated access 

– Part of Object creaCon 

• The meta data of the object 

– … the concept of confining a 

helper applicaCon to a 

restricted environment, within 

which it has free reign 


28

REFERENCE MONITOR 

• It must validate 

enforcement of the security 

policy for every reference to 

informaCon. 

• Second, it must be tamperproof, 

that is, it cannot be 

subverted. 

• Lastly, it must be verifiable, 

so we have high assurance 

it always works correctly. 

[18]Roger Schell,” Privacy and Security Cyber Defense Triad for Where Security 

Magers “ NOVEMBER 2016 | VOL. 59 | NO. 11 | CACM 


Summary 

• Deal with Virtual Address (and 

physical address) ranges from 

2020 and beyond 

• Incorporate Contemporary 

ProtecCon Mechanisms that 

funcCon in: 

– Web and Cloud based 

configuraCons 

– The objecCve of a secure 

system is to prevent all 

unauthorized use of 

informaCon, a negaCve kind of 

requirement. 


30

Summary 

• Compare to CHERI [12] 

– Capability System 

• Good summary of single address space OperaCng Systems: J. Case, 

H. Levy, “ Sharing and ProtecCon in a Single-Address-Space 

OperaCng System” [14] 

• Should Internet addressing be by a UID and NOT IP address. 

– Facilitate protecCon and authenCcaCon (Ref: [ 15]) 

• Named Data Network Proposal 

• What next?? 

– Proposal 

• Build a prototype with FPGA’s/Simulate 


31

References 

• [1] Lampson, ProtecCon. Proc. 5th Princeton Conf. on Informa2on Sciences and Systems, 

Princeton, 1971 

• [2] Schroder & Saltzer, “The protecCon of informaCon in computer systems”, PROCEEDINGS 

OF THE IEEE, VOL. 63, NO. 9, SEPTEMBER 1975 

• [3]US Patent, 4,525,780 ,“DATA PROCESSING SYSTEM HAVING A MEMORY USING OBJECT- 

BASED INFORMATION AND A PROTECTION SCHEME FOR DETERMINING ACCESS RIGHTS TO 

SUCH INFORMATION” 

• [4]US Patent, 4,821,184,” UNIVERSAL ADDRESSING SYSTEM FOR A 

DIGITAL DATA PROCESSING SYSTEM” 

• [5] Fabry, “ Capability-Based Addressing”, CommunicaCons of the ACM, July 1974, Volume 

17, Number 7 

• [6] hgp://en.wikipedia.org/wiki/Domain_Name_System 

• [7] hgp://en.wikipedia.org/wiki/Memcached 

• [8] hgp://en.wikipedia.org/wiki/Heap_feng_shui 

• [9] Dennis, J., “PROGRAMMING GENERALITY , PARALLELISM and COMPUTER 

ARCHITECTURE”, MAC-M-409, MEMO NO. 32 , MIT. 

• hgp://csg.csail.mit.edu/CSGArchives/memos/Memo-32.pdf 

• [10] hgp://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign 

• [11] Ian Goldberg, David Wagner, Randi Thomas, and Eric Brewer (1996). 

"A Secure Environment for Untrusted Helper ApplicaCons (Confining the Wily Hacker)". 

Proceedings of the Sixth USENIX UNIX Security Symposium. 


32

References 

• [12] Robert N.M. Watson, Peter G. Neumann Jonathan Woodruff, Jonathan Anderson, Ross 

Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, 

Michael Roe, and Hassen Saidi. 

CHERI: a research plaorm deconflaCng hardware virtualizaCon and protecCon. Workshop 

paper, RunCme Environments, Systems, Layering and Virtualized Environments (RESoLVE 

2012), March, 2012. 

• [13] Radin, Schneider, “An Architecture for an Extended Machine With Protected 

Addressing”, TR 00.2757, IBM May 21, 1976. 

• [14] J. Chase, H. Levy, et. al, “Sharing and protecRon in a single address space operaRng 

system” “ Journal ACM TransacCons on Computer Systems (TOCS) - Special issue on 

computer architecture, Volume 12 Issue 4, Nov. 1994, Pages 271-307 

• [15]Zhang, Estrin, et. al, “Named Data Networking (NDN) Project, NDN -0001, October, 31, 

2010. 

• [16]F. Pollack, et. al., “ The iMAX-432 object filing system” Proceeding SOSP '81 Proceedings 

of the eighth ACM symposium on OperaCng systems principles Pages 137-147 

• [17] hlp://people.cs.clemson.edu/~mark/op.html 

• [18]Roger Schell,” Privacy and Security Cyber Defense Triad for Where Security Magers “ 

NOVEMBER 2016 | VOL. 59 | NO. 11 | CACM 


33

BACKUP SLIDES 

• The following slides discuss 

– RevocaCons 

– Shadow Stack 

– ETC 


34

RevocaCon 

• Every client has a “KILL 

SWITCH” 

• The central name server is 

accessed and each object has 

a kill capability (only iniCated 

by the owner) 

• What if the unified name 

server is NEVER accessed 

again?? 

– Watch Dog Timer? 

• Compare to a capability based 

system ( [5] Fabry & [12] Watson, 

et. al, CHERI) 


35

Sandbox ParCculars 

• Sys Calls Mediated to Defined Domain Server 

– (Framework of [11]) 

• Dispatch Table Within Domain Server traversed 

to to decide allow or deny the call. 

– If denied – Kill 

• Trusted Apps can bypass the framework 

– Part of ACL entry 

• If no sys calls and only reads/writes to permiged 

data 

– Timer resoluCon or other means 


36

Some Object UID Math 

• 60 seconds in a minute 

• 60 minutes in a hour 

• 24 hour in a day 

• 365 days in a year 

• Yields 31,536 000 seconds 

in a year 

• 30 years of life è 

946,080,000 or 2^30 

• 2^34 clients (16 billion) 


37

What if processors like this win? 

(A number of vendors like this model) 

hgp://www.wired.com/2014/08/datacenter-of-the-future/ 

hgp://www.wired.com/2013/05/google-jason-mars/ 


Courtesy of Steve Poole 

38

ProtecCon in Unified Name Space 

• ACL – access control matrix 

• ProtecCon Domains 

• RevocaCon 


Shadow Stack 

• Independent, somewhat of 

address proposal 

• Solves classical virus/malware 

agacks 

– Heap Overflow 

• Change return address 

– WriCng over Stack 

– Heap Fung Hui Agacks [8] 

• Hardware protected SP, AP, FP 

– Akin to domain crossing 

– Return via shadow stack 


Shadow Stack - Architecture 

Return Block 

Return Block 

FP 

AP 

FP 

AP 

Stack Pointer 

Stack Pointer 

Shadow Stack (Hardware Maintained) 

User Visible Stack 

Different Domain, Same virtual address Can not write/read Shadow Stack 

Return via THIS STACK 2016 _NOV _RISCV_WORKSHOP 41

128-Bit Addressing in RISC-V and Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?