
Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis

Published: 04 April 2017

    Abstract

    Hardware-based mechanisms for software isolation are becoming increasingly popular, but implementing these mechanisms correctly has proved difficult, undermining the root of security. This work introduces an effective way to formally verify important properties of such hardware security mechanisms. In our approach, hardware is developed using a lightweight security-typed hardware description language (HDL) that performs static information flow analysis. We show the practicality of our approach by implementing and verifying a simplified but realistic multi-core prototype of the ARM TrustZone architecture. To make the security-typed HDL expressive enough to verify a realistic processor, we develop new type system features. Our experiments suggest that information flow analysis is efficient, and programmer effort is modest. We also show that information flow constraints are an effective way to detect hardware vulnerabilities, including several found in commercial processors.

        Published In

        ACM SIGARCH Computer Architecture News, Volume 45, Issue 1
        ASPLOS '17
        March 2017
        812 pages
        ISSN: 0163-5964
        DOI: 10.1145/3093337

        ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems
        April 2017
        856 pages
        ISBN: 9781450344654
        DOI: 10.1145/3037697

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 04 April 2017
        Published in SIGARCH Volume 45, Issue 1


        Author Tags

        1. hardware security
        2. information flow
        3. trustzone

        Qualifiers

        • Research-article

        Cited By

        • (2022) A Survey of Practical Formal Methods for Security. Formal Aspects of Computing 34:1 (1-39). DOI: 10.1145/3522582. Online publication date: 5-Jul-2022
        • (2022) Digital Early Security Validation. Enhanced Virtual Prototyping for Heterogeneous Systems (123-154). DOI: 10.1007/978-3-031-05574-4_6. Online publication date: 3-May-2022
        • (2021) Interpretable noninterference measurement and its application to processor designs. Proceedings of the ACM on Programming Languages 5:OOPSLA (1-30). DOI: 10.1145/3485518. Online publication date: 15-Oct-2021
        • (2021) Hardware Information Flow Tracking. ACM Computing Surveys 54:4 (1-39). DOI: 10.1145/3447867. Online publication date: 3-May-2021
        • (2021) QFlow: Quantitative Information Flow for Security-Aware Hardware Design in Verilog. 2021 IEEE 39th International Conference on Computer Design (ICCD) (603-607). DOI: 10.1109/ICCD53106.2021.00097. Online publication date: Oct-2021
        • (2019) Formal Verification of Digital Circuits Using Simulator with Mathematical Foundation. Applied Mechanics and Materials 892 (134-142). DOI: 10.4028/www.scientific.net/AMM.892.134. Online publication date: Jun-2019
        • (2018) Shrinkwrap. Proceedings of the VLDB Endowment 12:3 (307-320). DOI: 10.14778/3291264.3291274. Online publication date: 1-Nov-2018
        • (2023) Towards a Formally Verified Security Monitor for VM-based Confidential Computing. Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy (73-81). DOI: 10.1145/3623652.3623668. Online publication date: 29-Oct-2023
        • (2023) SEIF: Augmented Symbolic Execution for Information Flow in Hardware Designs. Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy (1-9). DOI: 10.1145/3623652.3623666. Online publication date: 29-Oct-2023
        • (2023) Security Verification of Low-Trust Architectures. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (945-959). DOI: 10.1145/3576915.3616643. Online publication date: 15-Nov-2023
