research-article

Caisson: a hardware description language for secure information flow

Authors:

Jason K. Oberg,

Vineeth Kashyap,

Frederic T. Chong,

Timothy Sherwood,

Ben HardekopfAuthors Info & Claims

PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 109 - 120

https://doi.org/10.1145/1993498.1993512

Published: 04 June 2011 Publication History

Abstract

Information flow is an important security property that must be incorporated from the ground up, including at hardware design time, to provide a formal basis for a system's root of trust. We incorporate insights and techniques from designing information-flow secure programming languages to provide a new perspective on designing secure hardware. We describe a new hardware description language, Caisson, that combines domain-specific abstractions common to hardware design with insights from type-based techniques used in secure programming languages. The proper combination of these elements allows for an expressive, provably-secure HDL that operates at a familiar level of abstraction to the target audience of the language, hardware architects.

We have implemented a compiler for Caisson that translates designs into Verilog and then synthesizes the designs using existing tools. As an example of Caisson's usefulness we have addressed an open problem in secure hardware by creating the first-ever provably information-flow secure processor with micro-architectural features including pipelining and cache. We synthesize the secure processor and empirically compare it in terms of chip area, power consumption, and clock frequency with both a standard (insecure) commercial processor and also a processor augmented at the gate level to dynamically track information flow. Our processor is competitive with the insecure processor and significantly better than dynamic tracking.

References

[1]

90nm generic CMOS library, Synopsys University program, Synopsys Inc.

[2]

Common critera evaluation and validation scheme. http://www.niap-ccevs.org/cc-scheme/cc_docs/.

[3]

Validated FIPS 140-1 and FIPS 140-2 cryptographic modules. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

[4]

What does CC EAL6 mean? http://www.ok-labs.com/blog/entry/what-does-cc-eal6-mean/.

[5]

O. Accigmez, J. pierre Seifert, and C. K. Koc. Predicting secret keys via branch prediction. In The Cryptographers' Track at the RSA Conference, pages 225--242. Springer-Verlag, 2007.

Digital Library

[6]

O. Aciiçmez. Yet another microarchitectural attack: Exploiting i-cache. In CCS Computer Security Architecture Workshop, 2007.

Digital Library

[7]

O. Aciiçmez, J.-P. Seifert, and C. K. Koc. Micro-architectural cryptanalysis. IEEE Security and Privacy, 5:62--64, July 2007.

Digital Library

[8]

J. Agat. Transforming out timing leaks. In Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '00, pages 40--53, New York, NY, USA, 2000. ACM.

Digital Library

[9]

G. Barthe, T. Rezk, and M. Warnier. Preventing Timing Leaks Through Transactional Branching Instructions. Electronic Notes Theoretical Computer Science, 153:33--55, May 2006.

Digital Library

[10]

G. Boudol and I. Castellani. Noninterference for concurrent programs. pages 382--395, 2001.

Digital Library

[11]

E. M. Clarke, O. Grumberg, and D.Peled. Model Checking. MIT Press, 2000.

[12]

J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model. In Micro, pages 221--232, 2004.

Digital Library

[13]

M. Dalton, H. Kannan, and C. Kozyrakis. Raksha: A flexible information flow architecture for software security. In ISCA, pages 482--493, 2007.

Digital Library

[14]

D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504--513, 1977.

Digital Library

[15]

F. A. A. (FAA). Boeing model 787-8 airplane; systems and data networks security-isolation or protection from unauthorized passenger domain systems access. http://cryptome.info/faa010208.htm.

[16]

A. Filinski. Linear continuations. In Proceedings of the 19th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '92, pages 27--38, New York, NY, USA, 1992. ACM.

Digital Library

[17]

C. Fournet and T. Rezk. Cryptographically sound implementations for typed information-flow security. In POPL, pages 323--335, 2008.

Digital Library

[18]

J. A. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, 1982.

[19]

C. Hankin. Program analysis tools. International Journal on Software Tools for Technology Transfer, 2(1), 1998.

[20]

D. Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming 8, 1987.

Digital Library

[21]

D. Hedin and D. Sands. Timing aware information flow security for a javacard-like bytecode. 141(1):163--182, 2005.

Digital Library

[22]

C. Hymans. Checking safety properties of behavioral VHDL descriptions by abstract interpretation. In International Static Analysis Symposium, pages 444--460. Springer, 2002.

Digital Library

[23]

C. Hymans. Design and implementation of an abstract interpreter for VHDL. D.Geist and E.Tronci, editors, CHARME, 2860 of LNCS, 2003.

[24]

G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: formal verification of an OS kernel. In SOSP, pages 207--220, 2009.

Digital Library

[25]

P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, pages 388--397, 1999.

Digital Library

[26]

J. Kong, O. Aciiçmez, J.-P. Seifert, and H. Zhou. Deconstructing new cache designs for thwarting software cache-based side channel attacks. In Proc. of the 2nd ACM workshop on Computer security architectures, pages 25--34, 2008.

Digital Library

[27]

K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. IEEE Symposium on Security and Privacy, pages 447--462, 2010.

Digital Library

[28]

M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. Frans, K. Eddie, and K. R. Morris. Information flow control for standard OS abstractions. In SOSP, 2007.

Digital Library

[29]

L. C. Lam and T.-c. Chiueh. A general dynamic information flow tracking framework for security applications. In Proceedings of the 22nd Annual Computer Security Applications Conference, pages 463--472, 2006.

Digital Library

[30]

P. Li, Y. Mao, and S. Zdancewic. Information integrity policies. In Proceedings of the Workshop on Formal Aspects in Security and Trust, 2003.

[31]

X. Li, M. Tiwari, B. Hardekopf, T. Sherwood, and F. T. Chong. Secure information flow analysis for hardware design: Using the right abstraction for the job. The Fifth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security(PLAS), June 2010.

Digital Library

[32]

O. Mutlu and T. Moscibroda. Stall-time fair memory access scheduling for chip multiprocessors. In Micro, pages 146--160, 2007.

Digital Library

[33]

A. C. Myers, N. Nystrom, L. Zheng, and S. Zdancewic. Jif: Java information flow. Software release. http://www.cs.cornell.edu/jif, July 2001.

[34]

J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.

[35]

C. Percival. Cache missing for fun and profit. In Proc. of BSDCan, 2005.

[36]

F. Qin, C. Wang, Z. Li, H.-s. Kim, Y. Zhou, and Y. Wu. Lift: A low-overhead practical information flow tracking system for detecting security attacks. In Micro, pages 135--148, 2006.

Digital Library

[37]

A. Russo, J. Hughes, D. Naumann, and A. Sabelfeld. Closing internal timing channels by transformation. pages 120--135, 2007.

Digital Library

[38]

O. Ruwase, P. B. Gibbons, T. C. Mowry, V. Ramachandran, S. Chen, M. Kozuch, and M. Ryan. Parallelizing dynamic information flow tracking. In SPAA, pages 35--45, 2008.

Digital Library

[39]

A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1), Jan. 2003.

Digital Library

[40]

M. Schlickling and M. Pister. A framework for static analysis of VHDL code. 7th International Workshop on Worst-Case Execution Time (WCET) Analysis, 2007.

[41]

O. Sibert, P. A. Porras, and R. Lindell. An analysis of the intel 80x86 security architecture and implement ations. IEEE Transactions on Software Engineering, 22(5):283--293, 1996.

Digital Library

[42]

G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. pages 355--364, 1998.

Digital Library

[43]

G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In ASPLOS, pages 85--96, 2004.

Digital Library

[44]

E. Technologies. The Esterel v7 Reference Manual, version v7.30 - initial IEEE standardization proposal edition. 2005.

[45]

M. Tiwari, X. Li, H. Wassel, F. Chong, and T. Sherwood. Execution leases: A hardware-supported mechanism for enforcing strong non-interference. In Micro, 2009.

Digital Library

[46]

M. Tiwari, H. Wassel, B. Mazloom, S. Mysore, F. Chong, and T. Sherwood. Complete information flow tracking from the gates up. In ASPLOS, March 2009.

Digital Library

[47]

T. K. Tolstrup. Language-based Security for VHDL. PhD thesis, Technical University of Denmark, 2006.

[48]

T. K. Tolstrup, F. Nielson, and H. R. Nielson. Information flow analysis for VHDL. volume 3606 of LNCS, 2005.

Digital Library

[49]

N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. A. Reis, M. Vachharajani, and D. I. August. Rifle: An architectural framework for user-centric information-flow security. In Micro, pages 243--254, 2004.

Digital Library

[50]

G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. FlexiTaint: A programmable accelerator for dynamic taint propagation. In HPCA, pages 196--206, 2008.

[51]

D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. J. Comput. Secur., 4:167--187, January 1996.

Digital Library

[52]

D. Volpano and G. Smith. Eliminating covert flows with minimum typings. page 156, 1997.

Digital Library

[53]

D. Volpano and G. Smith. A type-based approach to program security. In In Proceedings of the 7th International Joint Conference on the Theory and Practice of Software Devel-opment, pages 607--621. Springer, 1997.

Digital Library

[54]

Z. Wang and R. B. Lee. New cache designs for thwarting software cache-based side channel attacks. In ISCA, pages 494--505, New York, NY, USA, 2007. ACM.

Digital Library

[55]

S. Zdancewic and A. C. Myers. Secure information flow via linear continuations. 15(2--3):209--234, 2002.

Digital Library

[56]

S. Zdancewic and A. C. Myers. Observational determinism for concurrent program security. pages 29--43, 2003.

[57]

N. Zeldovich, S. Boyd-Wickizer, and D.Mazieres. Security distributed systems with information flow control. In NSDI, pages 293--308, Apr. 2008.

Digital Library

[58]

N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making information flow explicit in HiStar. In OSDI, 2006.

Digital Library

[59]

N. Zeldovich, H. Kannan, M. Dalton, and C. Kozyrakis. Hardware enforcement of application security policies using tagged memory. In OSDI, Dec. 2008.

Digital Library

Cited By

Ryan KGregoire MSturton C(2023)SEIF: Augmented Symbolic Execution for Information Flow in Hardware DesignsProceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy10.1145/3623652.3623666(1-9)Online publication date: 29-Oct-2023
https://dl.acm.org/doi/10.1145/3623652.3623666
Zagieboylo DSherk CMyers ASuh GMeng WJensen CCremers CKirda E(2023)SpecVerilog: Adapting Information Flow Control for Secure SpeculationProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623074(2068-2082)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623074
Feldtkeller JSasdrich PGüneysu T(2023)Challenges and Opportunities of Security-Aware EDAACM Transactions on Embedded Computing Systems10.1145/357619922:3(1-34)Online publication date: 19-Apr-2023
https://dl.acm.org/doi/10.1145/3576199
Show More Cited By

Index Terms

Caisson: a hardware description language for secure information flow
1. Hardware
  1. Electronic design automation
    1. Hardware description languages and compilation

Recommendations

Sapper: a language for hardware-level security policy enforcement
ASPLOS '14: Proceedings of the 19th international conference on Architectural support for programming languages and operating systems

Privacy and integrity are important security concerns. These concerns are addressed by controlling information flow, i.e., restricting how information can flow through a system. Most proposed systems that restrict information flow make the implicit ...
Caisson: a hardware description language for secure information flow
PLDI '11

Information flow is an important security property that must be incorporated from the ground up, including at hardware design time, to provide a formal basis for a system's root of trust. We incorporate insights and techniques from designing information-...
Sapper: a language for hardware-level security policy enforcement
ASPLOS '14

Privacy and integrity are important security concerns. These concerns are addressed by controlling information flow, i.e., restricting how information can flow through a system. Most proposed systems that restrict information flow make the implicit ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation

June 2011

668 pages

ISBN:9781450306638

DOI:10.1145/1993498

General Chair:
Mary Hall
University of Utah
,
Program Chair:
David Padua
University of Illinois at Urbana-Champaign

ACM SIGPLAN Notices Volume 46, Issue 6
PLDI '11
June 2011
652 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1993316
Issue’s Table of Contents

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGPLAN: ACM Special Interest Group on Programming Languages

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 June 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

PLDI '11

Sponsor:

SIGPLAN

PLDI '11: ACM SIGPLAN Conference on Programming Language Design and Implementation

June 4 - 8, 2011

California, San Jose, USA

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

106
Total Citations
View Citations
654
Total Downloads

Downloads (Last 12 months)26
Downloads (Last 6 weeks)4

Reflects downloads up to 27 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ryan KGregoire MSturton C(2023)SEIF: Augmented Symbolic Execution for Information Flow in Hardware DesignsProceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy10.1145/3623652.3623666(1-9)Online publication date: 29-Oct-2023
https://dl.acm.org/doi/10.1145/3623652.3623666
Zagieboylo DSherk CMyers ASuh GMeng WJensen CCremers CKirda E(2023)SpecVerilog: Adapting Information Flow Control for Secure SpeculationProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623074(2068-2082)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623074
Feldtkeller JSasdrich PGüneysu T(2023)Challenges and Opportunities of Security-Aware EDAACM Transactions on Embedded Computing Systems10.1145/357619922:3(1-34)Online publication date: 19-Apr-2023
https://dl.acm.org/doi/10.1145/3576199
Bhamidipati PVemuri R(2023)ASPIRE: An Intermediate Representation for Abstract Security Policies2023 36th International Conference on VLSI Design and 2023 22nd International Conference on Embedded Systems (VLSID)10.1109/VLSID57277.2023.00046(175-180)Online publication date: Jan-2023
https://doi.org/10.1109/VLSID57277.2023.00046
Baty MWilke PHiet GFontaine ATrieu A(2023)A Generic Framework to Develop and Verify Security Mechanisms at the Microarchitectural Level: Application to Control-Flow Integrity2023 IEEE 36th Computer Security Foundations Symposium (CSF)10.1109/CSF57540.2023.00029(372-387)Online publication date: Jul-2023
https://doi.org/10.1109/CSF57540.2023.00029
Liu FProkopec AGrosser TLee K(2022)Implicit state machinesProceedings of the 23rd ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems10.1145/3519941.3535065(13-25)Online publication date: 14-Jun-2022
https://dl.acm.org/doi/10.1145/3519941.3535065
Pundir NAftabjahani SCammarota RTehranipoor MFarahmandi F(2022)Analyzing Security Vulnerabilities Induced by High-level SynthesisACM Journal on Emerging Technologies in Computing Systems10.1145/349234518:3(1-22)Online publication date: 29-Jan-2022
https://dl.acm.org/doi/10.1145/3492345
Zhou XXu ZWang CGao MSalapura VZahran MChong FTang L(2022)PPMLACProceedings of the 49th Annual International Symposium on Computer Architecture10.1145/3470496.3527392(87-101)Online publication date: 18-Jun-2022
https://dl.acm.org/doi/10.1145/3470496.3527392
Guo XHan SHu XJiao XJin YKong FLemmon MPhan LBroman D(2021)Towards scalable, secure, and smart mission-critical IoT systemsProceedings of the 2021 International Conference on Embedded Software10.1145/3477244.3477624(1-10)Online publication date: 30-Sep-2021
https://dl.acm.org/doi/10.1145/3477244.3477624
Hu WArdeshiricham AKastner R(2021)Hardware Information Flow TrackingACM Computing Surveys10.1145/344786754:4(1-39)Online publication date: 3-May-2021
https://dl.acm.org/doi/10.1145/3447867
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents