DOI: 10.1145/3576915.3616602
Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Published: 21 November 2023

    Abstract

    Progress has recently been made on specifying instruction set architectures (ISAs) in executable formalisms rather than through prose. However, to date, those formal specifications are limited to the functional aspects of the ISA and do not cover its security guarantees. We present a novel, general method for formally specifying an ISA's security guarantees that (1) balances the needs of ISA implementations (hardware) and clients (software), (2) can be semi-automatically verified to hold for the ISA's operational semantics, producing a high-assurance, mechanically verifiable proof, and (3) supports informal and formal reasoning about security-critical software in the presence of adversarial code. Our method leverages universal contracts: software contracts that express bounds on the authority of arbitrary untrusted code. Universal contracts can be kept agnostic of software abstractions, and strike the right balance between requiring sufficient detail for reasoning about software and preserving implementation freedom for ISA designers and CPU implementers. We semi-automatically verify universal contracts against Sail implementations of ISA semantics using our Katamaran tool, a semi-automatic separation logic verifier for Sail that produces machine-checked proofs for successfully verified contracts. We demonstrate the generality of our method by applying it to two ISAs that offer very different security primitives: (1) MinimalCaps, a custom-built capability machine ISA, and (2) a (somewhat simplified) version of RISC-V with PMP. We verify a femtokernel using the security guarantee we have formalized for RISC-V with PMP.


    Cited By

    • (2024) Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code. Journal of the ACM, 71(1):1-59. DOI 10.1145/3623510. Online publication date: 11 February 2024.


    Published In

    CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
    November 2023
    3722 pages
    ISBN:9798400700507
    DOI:10.1145/3576915
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. capability safety
    2. isa security
    3. risc-v
    4. risc-v pmp
    5. semi-automatic verification
    6. universal contracts

    Qualifiers

    • Research-article

    Conference

    CCS '23

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)146
    • Downloads (Last 6 weeks)11
    Reflects downloads up to 11 Aug 2024
