Interstellar: Fully Partitioned and Efficient Security Monitoring Hardware Near a Processor Core for Protecting Systems against Attacks on Privileged Software

The existing approaches to instruction trace-based security monitoring hardware are dependent on the privileged software, which presents a significant challenge in defending against attacks on privileged software itself. To address this challenge, we propose Interstellar, which introduces a partitioned hardware near the CPU's main core and leverages the benefit of hardware-level security monitoring. Interstellar is fully partitioned, parallelized, and simultaneously detecting security monitoring hardware. Interstellar's design makes it hard for malicious software to reverse-engineer how Interstellar detects the attacks, and Interstellar efficiently protects the system against the attacks on the privileged software (e.g., Trusted Execution Environment (TEE)). Moreover, Interstellar not only monitors but also blocks various attacks in a timely manner without stalling a CPU core by designing with a finite-state machine. We implemented a prototype of Interstellar in Rocket chip using a hardware description language and evaluated Interstellar with a Linux kernel and a custom TEE-equipped Linux kernel for Rocket chip on two different FPGA boards. The performance overhead of Interstellar is negligible for benchmark applications. The average performance overhead incurred from Interstellar on 50MHz Rocket core for three different benchmarks is 0.102%.