Contact

David Lie | 李云峰
Sandford Fleming 2001C
10 King’s College Road
Toronto, ON M5S 3G4
Phone: (416) 946-0251
Fax: (416) 978-1145
Admin: Simone Rodrigue, Shania Dela Paz
david.lie@utoronto.ca (PGP key)

Hardware/Software Codesign for Security

We have been exploring how designs at the hardware-software interface can improve overall systems security. Traditionally, security has been the domain of software solutions, but hardware support in the form of trusted computing, Intel SGX and TXT, ARM authenticated pointers and the upcoming CET extensions has meant that hardware acceleration for strong security guarantees is increasingly possible. Hardware support for security has been an area I have been working in for almost 20 years now. I proposed seminal work on XOM, one of the first architectures to provide hardware-enforced trusted execution, a precursor to modern-day Intel TXT, SGX and ARM TrustZone. This also included the design of a matching operating system, and formal verification of the hardware architecture. As hardware support for virtualization (Intel VT and VT-d) became available for x86, we explored security designs using hardware virtualization, building and experimenting with system architectures like Proxos and Patagonix. More recently, we have been exploring the use of Intel MPX to prevent return-oriented programming (ROP) attacks, the most effective way of executing arbitrary code in the face of non-executable pages, in a system we call Light-Weighted Memory Protection (LMP). LMP is able to stop ROP attacks while imposing only a 4% overhead because of its clever use of hardware support.

Recently our group developed In-Fat Pointer, the first hardware-assisted tagged-pointer scheme that achieves subobject-level spatial memory safety while remaining binary-compatible with legacy code. By combining multi-scheme object metadata lookups with compact per-pointer tags, we enable precise bounds checks down to struct fields and array elements at low performance cost. To complement this, MIFP introduces a mixed fat-pointer model that selectively replaces compressed bounds with accurate, uncompressed ones only where needed. Using whole-program static analysis and a novel points-to graph, MIFP preserves CHERI’s performance while ensuring no out-of-bounds access escapes detection.
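To make the difference between object-level and subobject-level bounds concrete, here is an added example (not code from the group or from In-Fat Pointer). It is a plain software model in which `struct bounded_ptr`, `bp_narrow` and `bp_store` are hypothetical names and the `account` struct is constructed sample data; it does not reproduce the hardware tag encoding or metadata lookup.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample object: overflowing `name` lands in `is_admin`. */
struct account { char name[16]; uint32_t is_admin; };

/* Hypothetical software model of a bounded pointer: valid bytes are [base, limit). */
struct bounded_ptr { uintptr_t base, limit; };

/* Narrow bounds to one field of the object; bounds may shrink, never grow. */
static int bp_narrow(struct bounded_ptr *p, size_t off, size_t len) {
    size_t span = p->limit - p->base;
    if (off > span || len > span - off) return -1;
    p->base += off;
    p->limit = p->base + len;
    return 0;
}

/* Checked store: refuse any write that would leave [base, limit). */
static int bp_store(struct bounded_ptr p, size_t idx, const void *src, size_t n) {
    size_t span = p.limit - p.base;
    if (idx > span || n > span - idx) return -1;
    memcpy((void *)(p.base + idx), src, n);
    return 0;
}

/* Writes 20 bytes through a pointer to `name`; returns 1 if is_admin changed. */
int overflow_reaches_flag(int narrow_to_field) {
    struct account a = { "guest", 0 };
    char input[20];
    memset(input, 'A', sizeof input);
    struct bounded_ptr p = { (uintptr_t)&a, (uintptr_t)&a + sizeof a };
    if (narrow_to_field)
        bp_narrow(&p, offsetof(struct account, name), sizeof a.name);
    bp_store(p, 0, input, sizeof input);
    return a.is_admin != 0;
}

int main(void) {
    printf("object-level bounds: flag corrupted = %d\n", overflow_reaches_flag(0));
    printf("subobject bounds:    flag corrupted = %d\n", overflow_reaches_flag(1));
    return 0;
}
```

With whole-object bounds the 20-byte write passes the check because it stays inside the allocation, yet it overwrites the adjacent field; once the bounds are narrowed to `name`, the same write is refused.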

We also demonstrated that all existing SGX software timers are fundamentally insecure by introducing Aion attacks, which manipulate CPU thermal states and cache behavior to distort timer execution by over 200×. These attacks break the assumptions underlying current side-channel defenses, showing that secure timing requires hardware support.