GARUDA: Designing Energy-Efficient Hardware Monitors From High-Level Policies for Secure Information Flow

Runtime monitors detect vulnerabilities in embedded systems by running alongside untrusted software in order to detect violations of security policies as they occur, ideally with minimal overhead. Prior work has demonstrated language support for largely static security policies implemented using lattices and tag-based monitors. However, compiling high-level policies to modular hardware monitors that can implement a wide variety of security policies with minimal power has not been previously proposed. In this paper, we present a high-level security policy language, GARUDA, together with a compiler from GARUDA to Verilog, that enables the modular construction and composition of security hardware runtime monitors for a variety of security policies, including software fault isolation, secure control flow, and dynamic information flow via taint tracking. Unlike prior approaches in which the hardware monitors check all instructions, our hardware monitors are activated on-demand by the security policies which reduces the energy consumption. We perform experiments on Sniper, a full system multicore simulator, to evaluate the energy and performance tradeoffs of the security policies we have implemented so far. The policies are tested across a range of Splash-2 benchmarks.