DESIGN AND IMPLEMENTATION OF THE ASCEND SECURE PROCESSOR
This paper presents hardware implementations of the Ascend secure processor, prototyped on an FPGA and taped out in a 32 nm SOI process. Ascend prevents information leakage over a processor’s digital I/O pins — in particular, the processor’s requests to external memory — and certifies the program’s execution by integrity-verifying the external memory. In secure processor design, encrypting main memory is not sufficient for security because where and when memory is accessed reveals secret information. To this end, Ascend is equipped with a hardware Oblivious RAM (ORAM) controller, which obfuscates the address bus by reshuffling memory as it is accessed. To our knowledge, Ascend is the first prototyping of ORAM in custom silicon. Ascend has also been carefully engineered to ensure its timing behaviors are independent of user private data. We describe our open-source FPGA prototype and the different design considerations that were made when optimizing for an FPGA vs. the ASIC. In 32 nm silicon, all security components combined (the ORAM controller, which includes 12 AES rounds and one SHA-3 hash unit) impose a moderate area overhead of 1 mm². Post tape-out, the Ascend chip has been successfully tested at 500 MHz.
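The address-bus obfuscation described in the abstract can be seen in a small software model. This is an added example, not code from the paper or the Ascend project: it uses Path ORAM as a representative position-based ORAM (an assumption; this page does not name the construction), and the names `PathORAM` and `bus_trace` are hypothetical. Encryption, dummy-block padding, integrity verification and timing protection are left out.

```python
import random

class PathORAM:
    """Toy Path ORAM: a binary tree of Z-slot buckets in untrusted memory,
    plus a position map and stash held on-chip."""

    def __init__(self, levels=4, Z=4, rng=None):
        self.L, self.Z = levels, Z
        self.leaves = 1 << levels
        self.rng = rng or random.SystemRandom()
        self.tree = {n: {} for n in range(1, 2 * self.leaves)}  # heap-indexed buckets
        self.pos = {}     # block id -> leaf label (secret, on-chip)
        self.stash = {}   # block id -> data (secret, on-chip)
        self.trace = []   # leaf label of each path touched: all the bus reveals

    def _path(self, leaf):
        node, path = self.leaves + leaf, []
        while node:
            path.append(node)
            node //= 2
        return path  # leaf bucket first, root last

    def access(self, block, new_data=None):
        leaf = self.pos.get(block, self.rng.randrange(self.leaves))
        self.pos[block] = self.rng.randrange(self.leaves)  # remap on every access
        self.trace.append(leaf)
        path = self._path(leaf)
        for node in path:  # read the whole path into the stash
            self.stash.update(self.tree[node])
            self.tree[node] = {}
        if new_data is not None:
            self.stash[block] = new_data
        data = self.stash.get(block)
        for depth, node in zip(range(self.L, -1, -1), path):  # evict, deepest first
            fit = [b for b in self.stash
                   if (self.leaves + self.pos[b]) >> (self.L - depth) == node]
            self.tree[node] = {b: self.stash.pop(b) for b in fit[:self.Z]}
        return data

def bus_trace(addresses, seed=None):
    """Return (values read, leaf labels seen on the bus) for a logical access sequence."""
    oram = PathORAM(rng=random.Random(seed) if seed is not None else None)
    for a in set(addresses):  # constructed sample data: one block per address
        oram.access(a, new_data=f"block-{a}")
    oram.trace.clear()
    return [oram.access(a) for a in addresses], oram.trace
```

Calling `bus_trace([3] * 64)` and `bus_trace(list(range(16)) * 4)` returns the correct data in both cases, while each trace is a sequence of freshly drawn leaf labels, so hammering one address and scanning all of them look alike to an observer of external memory.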
Academic work on single-chip (tamper-resistant) secure processors includes eXecute Only Memory (XOM), Aegis and Bastion. In XOM, applications (both instructions and data) are only decrypted in secure compartments. XOM doesn’t manage transparent spilling of data to a larger storage (e.g., cache misses to an external memory). Aegis, a single-chip secure processor, performs memory integrity verification and encryption on all data written to main memory, but does not provide access pattern or timing protection. Bastion provides the same external memory protection as Aegis, and uses a trusted hypervisor to protect applications when running alongside an untrusted operating system.
In the industry, secure processor extensions include ARM TrustZone, TPM+TXT and (most recently) Intel SGX. TrustZone creates a “secure world” which isolates applications as long as they only require on-chip SRAM memory. TPM+TXT gives the user ownership over an entire machine, but does not provide encryption or other protection to main memory. Intel SGX (similar to Bastion) isolates applications from an untrusted operating system using hardware-supported enclaves, and provides encryption/integrity checks over data written to main memory.
None of the above works include memory access pattern attacks or timing attacks in their threat model. More generally, Ascend is the first full system architecture that prevents untrusted applications (buggy or arbitrarily malicious) from revealing user secrets, even when the adversary has complete control/visibility over external memory.
Related works which consider access pattern attacks are Phantom and HIDE. Phantom, a concurrent hardware ORAM project, is treated as a baseline design in our paper. HIDE only protects certain access patterns, and therefore provides weaker security than ORAM.
Contributions
This paper presents hardware prototypes for the Ascend secure processor. We make three primary contributions:
1) We give an overview of the Ascend execution model to securely run untrusted programs. This part (Section II) has been published in an STC workshop paper.
2) We provide a comprehensive overview of challenges in implementing a hardware Oblivious RAM (ORAM) controller, the core component in the Ascend design. We present new techniques to address these issues. These materials (Section IV, V, VI) have been published in a series of our papers.
3) We implement and evaluate all our techniques on an FPGA prototype, and tape out the Ascend processor in 32 nm silicon. This part (Section VII and VIII) is new for this submission. (We have presented an early/partial version of the prototype in that did not implement defenses against active adversaries.)
This paper has described the Ascend execution model, for running untrusted programs operating safely on sensitive user data, as well as detailed implementation results for an Ascend prototype chip in silicon. This work proves the viability of a single-chip secure processor which can protect the privacy of software intellectual property or user data, as it interacts with an external memory device. The evaluation results are encouraging. The hardware mechanisms needed to support Ascend, when integrated into the 25 core test chip, are roughly the size of a single processor core. Further, average program slowdown considering these mechanisms is estimated to be ~4× — roughly the cost of running a program in an interpreted language.
The Ascend execution model in its current form is somewhat constrained. Ascend does not support multiple tenants sharing the same chip, since on-chip resource sharing can leak private information. Other modules cannot write to Ascend main memory using DMA, and Ascend cannot be used in a multi-socket shared memory architecture. We leave these challenges to future work, and note that there have been efforts in these directions.
Open cores. http://opencores.org/.
T. Alves and D. Felton. Trustzone: Integrated hardware and software security. In Information Quarterly, 2004.
Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for message authentication. In CRYPTO, 1996.
D. Champagne and R. B. Lee. Scalable architectural support for trusted software. In HPCA, 2010.
Victor Costan and Srinivas Devadas. Intel sgx explained. Cryptology ePrint Archive, Report 2016/086, 2016.
Victor Costan, Ilia Lebedev, and Srinivas Devadas. Sanctum: Minimal hardware extensions for strong software isolation. In 25th USENIX Security Symposium, pages 857–874. USENIX Association, 2016.
Christopher Fletcher, Ling Ren, Albert Kwon, Marten van Dijk, and Srinivas Devadas. Freecursive ORAM: [nearly] free recursion and integrity verification for position-based Oblivious RAM. In ASPLOS, 2015.
Christopher Fletcher, Ling Ren, Albert Kwon, Marten Van Dijk, Emil Stefanov, Dimitrios Serpanos, and Srinivas Devadas. A low-latency, low-area hardware Oblivious RAM controller. In FCCM, 2015.
Christopher Fletcher, Ling Ren, Xiangyao Yu, Marten Van Dijk, Omer Khan, and Srinivas Devadas. Suppressing the oblivious ram timing channel while making information leakage and program efficiency tradeoffs. In HPCA, 2014.
Christopher Fletcher, Marten van Dijk, and Srinivas Devadas. Secure processor architecture for encrypted computation on untrusted programs. In STC, 2012.