
FireGuard: A Generalized Microarchitecture for Fine-Grained Security Analysis on OoO Superscalar Cores

Zhe Jiang, Sam Ainsworth, Timothy Jones

TL;DR

FireGuard delivers a practical microarchitecture for fine-grained instruction analysis on OoO superscalar cores by introducing a buffer-free data-forwarding channel, a superscalar event filter, and a broadcast-free mapper. The system supports end-to-end analysis via guardian kernels running on $\mu$-cores or hardware accelerators and features an ISA/programming model built around FIFO-based interactions on a RISC-V Rocket core. Evaluation across real cores and commercial-like SoCs demonstrates low overheads for common safeguards (e.g., PMC and shadow stack) and competitive detection latencies, with scalable performance as more $\mu$-cores are added. Feasibility analyses indicate FireGuard can be integrated into modern CPUs with less than $1\%$ area overhead per core, suggesting practical deployment potential for dynamic in-core security analysis. Overall, FireGuard shows that comprehensive, fine-grained hardware-assisted security analysis is feasible and scalable in contemporary processor architectures.

Abstract

High-performance security guarantees rely on hardware support. Generic programmable support for fine-grained instruction analysis has gained broad interest in the literature as a fundamental building block for the security of future processors. Yet, implementation in real out-of-order (OoO) superscalar processors presents tough challenges that cannot be explored in highly abstract simulators. We detail the challenges of implementing complex programmable pathways without critical paths or contention. We then introduce FireGuard, the first implementation of fine-grained instruction analysis on a real OoO superscalar processor. We establish an end-to-end system, including microarchitecture, SoC, ISA and programming model. Experiments show that our solution simultaneously ensures both security and performance of the system, with parallel scalability. We examine the feasibility of building FireGuard into modern SoCs: Apple's M1-Pro, Huawei's Kirin-960, and Intel's i7-12700F, where less than 1% silicon area is introduced. FireGuard's source code repository: https://github.com/SEU-ACAL/reproduce-FireGuard-DAC-25.

Paper Structure

This paper contains 16 sections, 11 figures, 3 tables.

Figures (11)

  • Figure 1: Overview of FireGuard (Mini-F: Mini-Filter; GID: Group Index; HA: Hardware Accelerator; SE: Scheduling Engine): (a) a buffer-free data-forwarding channel extracts the main core's execution events; (b) a superscalar filter pre-checks extracted events, identifying relevant instructions and selecting channels for analysis; (c) an allocator associates an SE to each kernel to distribute contents, and (d) a distributed fabric network transmits contents to the $\mu$cores or HAs; (e) kernels running on $\mu$cores or HAs fetch contents and validate their security.
  • Figure 2: Data-forwarding channel, using PRFs as an example (blue lines: data-forwarding paths; red lines: filtering paths; gray lines: control paths; DP_Sel: Data Path Selection): (a) commit paths from the ROB are hooked, forwarding retired instructions to mini-filters and storing the PRF access addresses in temporary registers; (b) mini-filters pre-check the forwarded instructions, sending control signals to PRF controllers when PRF data is selected; (c) the data-forwarding channel preempts the controllers and feeds the addresses temporarily stored; (d) the read data is routed back for in-depth analysis.
  • Figure 3: Microarchitecture of a mini-filter (gray lines: control paths; WR/RD IFC: Write/Read Interface).
  • Figure 4: Reordering with 4-width FIFOs. P[x].y: yth packet in FIFO[x].
  • Figure 5: Allocator microarchitecture. 3 GIDs and 4 SEs allocate contents to 16 engines (gray lines: control paths).
  • ...and 6 more figures
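
An added example, not code from the paper or the FireGuard repository: a small C software model of the filter, FIFO and guardian-kernel flow described in the Figure 1 caption, using the shadow stack named in the TL;DR as the check. The event format, FIFO depth, stack depth and all function names are assumptions made for illustration and do not reflect FireGuard's ISA or packet layout.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed event format for this model; not FireGuard's packet layout or ISA. */
enum ev_kind { EV_CALL, EV_RET, EV_OTHER };
struct event { enum ev_kind kind; uint64_t addr; }; /* CALL: pushed return address; RET: actual target */
#define FIFO_CAP 16u /* power of two, so index wrap-around stays consistent */
struct fifo { struct event buf[FIFO_CAP]; unsigned head, tail; };

static int fifo_push(struct fifo *f, struct event e) {
    if (f->tail - f->head == FIFO_CAP) return 0; /* full: producer must wait */
    f->buf[f->tail++ % FIFO_CAP] = e;
    return 1;
}
static int fifo_pop(struct fifo *f, struct event *e) {
    if (f->tail == f->head) return 0;            /* empty */
    *e = f->buf[f->head++ % FIFO_CAP];
    return 1;
}
/* Filter stage: only call/return events are forwarded; others are dropped. */
static int filter_forward(struct fifo *f, struct event e) { return e.kind == EV_OTHER ? 1 : fifo_push(f, e); }
#define SS_DEPTH 64
struct shadow_stack { uint64_t ret[SS_DEPTH]; size_t top; };
/* Guardian kernel: drain the FIFO, return the number of violations seen. */
static unsigned guardian_drain(struct fifo *f, struct shadow_stack *ss) {
    struct event e;
    unsigned violations = 0;
    while (fifo_pop(f, &e)) {
        if (e.kind == EV_CALL) {
            if (ss->top == SS_DEPTH) violations++;   /* cannot track: flag it */
            else ss->ret[ss->top++] = e.addr;
        } else if (ss->top == 0 || ss->ret[--ss->top] != e.addr) {
            violations++;                            /* RET: underflow or mismatch */
        }
    }
    return violations;
}
/* Replay a trace; when the FIFO is full, drain it and retry (backpressure). */
static unsigned run_trace(const struct event *t, size_t n) {
    struct fifo f = {0};
    struct shadow_stack ss = {0};
    unsigned v = 0;
    for (size_t i = 0; i < n; i++)
        while (!filter_forward(&f, t[i])) v += guardian_drain(&f, &ss);
    return v + guardian_drain(&f, &ss);
}
/* Constructed sample traces (not measurements from the paper). */
static const struct event BENIGN[] = {{EV_CALL, 0x1000}, {EV_CALL, 0x2000}, {EV_OTHER, 0}, {EV_RET, 0x2000}, {EV_RET, 0x1000}};
static const struct event HIJACKED[] = {{EV_CALL, 0x1000}, {EV_OTHER, 0}, {EV_RET, 0x4141}};

int main(void) { return (run_trace(BENIGN, 5) == 0 && run_trace(HIJACKED, 3) == 1) ? 0 : 1; }
```

In this model the filter keeps non-control-flow events out of the FIFO entirely, so the kernel's work scales with calls and returns rather than with every retired instruction.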