Abstract
Hardware-based mechanisms for software isolation are becoming increasingly popular, but implementing these mechanisms correctly has proved difficult, undermining the root of security. This work introduces an effective way to formally verify important properties of such hardware security mechanisms. In our approach, hardware is developed using a lightweight security-typed hardware description language (HDL) that performs static information flow analysis. We show the practicality of our approach by implementing and verifying a simplified but realistic multi-core prototype of the ARM TrustZone architecture. To make the security-typed HDL expressive enough to verify a realistic processor, we develop new type system features. Our experiments suggest that information flow analysis is efficient, and programmer effort is modest. We also show that information flow constraints are an effective way to detect hardware vulnerabilities, including several found in commercial processors.
Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis
ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems