Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute.

In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice (as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation) and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation.

We do this for CHERI, an architecture with hardware capabilities that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.
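To make concrete what "formalising a key intended security property of the design" means for a capability architecture, here is an added toy model, not the paper's own Sail/Isabelle model: a CHERI-style capability (tag, bounds, permissions) with derivation operations that can only narrow authority, a load-authorisation check, and an executable check of the monotonicity property that the derived capability never exceeds its parent. The field layout and operation names are simplifications assumed for this illustration.

```python
# Added illustration (not the paper's ISA model): a minimal CHERI-style
# capability, monotonic derivation operations, and a property check.
from dataclasses import dataclass, replace

PERM_LOAD, PERM_STORE = 1, 2   # constructed permission bits for the toy model

@dataclass(frozen=True)
class Cap:
    tag: bool      # True = valid capability, False = plain data, authorises nothing
    base: int      # first authorised address
    length: int    # size of the authorised range in bytes
    perms: int     # bitmask of PERM_* values
    cursor: int    # the pointer value carried by the capability

    def top(self):
        return self.base + self.length

def set_bounds(c, new_base, new_length):
    """Derive a capability with narrower bounds; a widening request yields an untagged cap."""
    if (not c.tag or new_length < 0 or new_base < c.base
            or new_base + new_length > c.top()):
        return replace(c, tag=False)
    return replace(c, base=new_base, length=new_length, cursor=new_base)

def and_perms(c, mask):
    """Derive a capability holding a subset of the parent's permissions."""
    return replace(c, perms=c.perms & mask)

def check_load(c, addr, size):
    """Authorisation check a load instruction performs against the capability."""
    return bool(c.tag and (c.perms & PERM_LOAD)
                and c.base <= addr and addr + size <= c.top())

def refines(child, parent):
    """Monotonicity: the child's authority is contained in the parent's."""
    if not child.tag:
        return True                      # an untagged capability authorises nothing
    return bool(parent.tag and parent.base <= child.base
                and child.top() <= parent.top()
                and (child.perms & ~parent.perms) == 0)

def monotonic_under_derivations(root, steps):
    """Apply (operation, args) derivations in order; every step must refine its input."""
    cur = root
    for op, args in steps:
        nxt = op(cur, *args)
        if not refines(nxt, cur):
            return False
        cur = nxt
    return True
```

A real proof covers every instruction of the full ISA model rather than a hand-picked sequence, which is precisely why the paper proves the property over the same model that boots an operating system.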
