VeriSketch: Synthesizing Secure Hardware Designs with Timing-Sensitive Information Flow Properties

We present VeriSketch, a security-oriented program synthesis framework for developing hardware designs with formal guarantee of functional and security specifications. VeriSketch defines a synthesis language, a code instrumentation framework for specifying and inferring timing-sensitive information flow properties, and uses specialized constraint-based synthesis for generating HDL code that enforces the specifications. We show the power of VeriSketch through security-critical hardware design examples, including cache controllers, thread schedulers, and system-on-chip arbiters, with formal guarantee of security properties such as absence of timing side-channels, confidentiality, and isolation.

[1]  William R. Harris,et al.  DIFC programs by automatic instrumentation , 2010, CCS '10.

[2]  Robert I. Davis,et al.  Mixed Criticality Systems - A Review , 2015 .

[3]  Sharad Malik,et al.  Template-Based Parameterized Synthesis of Uniform Instruction-Level Abstractions for SoC Verification , 2018, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[4]  Frederic T. Chong,et al.  Complete information flow tracking from the gates up , 2009, ASPLOS.

[5]  William R. Harris,et al.  Program synthesis for interactive-security systems , 2017, Formal Methods Syst. Des..

[6]  Babak Falsafi,et al.  Clearing the clouds: a study of emerging scale-out workloads on modern hardware , 2012, ASPLOS XVII.

[7]  Bruno Dutertre,et al.  Yices 2.2 , 2014, CAV.

[8]  Frederic T. Chong,et al.  Caisson: a hardware description language for secure information flow , 2011, PLDI '11.

[9]  Isil Dillig,et al.  Component-based synthesis of table consolidation and transformation tasks from examples , 2016, PLDI.

[10]  Paolo Ienne,et al.  Automated circuit elaboration from incomplete architectural descriptions , 2013, 2013 Asilomar Conference on Signals, Systems and Computers.

[11]  Armin Biere,et al.  Boolector: An Efficient SMT Solver for Bit-Vectors and Arrays , 2009, TACAS.

[12]  Sai Zhang,et al.  Automatically synthesizing SQL queries from input-output examples , 2013, 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[13]  Isil Dillig,et al.  Program synthesis using conflict-driven learning , 2017, PLDI.

[14]  Isil Dillig,et al.  Synthesis of data completion scripts using finite tree automata , 2017, Proc. ACM Program. Lang..

[15]  David Novo,et al.  SKETCHILOG: Sketching combinational circuits , 2014, 2014 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[16]  Aws Albarghouthi,et al.  MapReduce program synthesis , 2016, PLDI.

[17]  Sanjit A. Seshia,et al.  Combinatorial sketching for finite programs , 2006, ASPLOS XII.

[18]  Ryan Kastner,et al.  Leveraging Gate-Level Properties to Identify Hardware Timing Channels , 2014, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[19]  Wei Hu,et al.  Clepsydra: Modeling timing flows in hardware designs , 2017, 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[20]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[21]  Somesh Jha,et al.  Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement , 2012, CAV.

[22]  Jean-Pierre Seifert,et al.  Deconstructing new cache designs for thwarting software cache-based side channel attacks , 2008, CSAW '08.

[23]  Wei Hu,et al.  Register transfer level information flow tracking for provably secure hardware design , 2017, Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.

[24]  NAVID YAGHMAZADEH,et al.  SQLizer: query synthesis from natural language , 2017, Proc. ACM Program. Lang..

[25]  Wei Hu,et al.  Imprecise security: Quality and complexity tradeoffs for hardware information flow tracking , 2016, 2016 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[26]  Armando Solar-Lezama,et al.  Type-Driven Repair for Information Flow Security , 2016, ArXiv.

[27]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[28]  Ruby B. Lee,et al.  New cache designs for thwarting software cache-based side channel attacks , 2007, ISCA '07.

[29]  Igor L. Markov,et al.  Fixing Design Errors with Counterexamples and Resynthesis , 2007, 2007 Asia and South Pacific Design Automation Conference.

[30]  Yuan Xiao,et al.  SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution , 2018, ArXiv.

[31]  Nael B. Abu-Ghazaleh,et al.  BranchScope: A New Side-Channel Attack on Directional Branch Predictor , 2018, ASPLOS.

[32]  David Broman,et al.  FlexPRET: A processor platform for mixed-criticality systems , 2014, 2014 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS).

[33]  Ryan Kastner,et al.  Eliminating Timing Information Flows in a Mix-Trusted System-on-Chip , 2013, IEEE Design & Test.

[34]  Jie-Hong Roland Jiang,et al.  A robust functional ECO engine by SAT proof minimization and interpolation techniques , 2010, 2010 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[35]  Leonid Ryzhyk,et al.  Automatic device driver synthesis with termite , 2009, SOSP '09.

[36]  Sumit Gulwani,et al.  Synthesis of loop-free programs , 2011, PLDI '11.

[37]  Armando Solar-Lezama,et al.  Program sketching , 2012, International Journal on Software Tools for Technology Transfer.

[38]  Isil Dillig,et al.  Synthesizing transformations on hierarchically structured data , 2016, PLDI.

[39]  Igor L. Markov,et al.  Fixing Design Errors with Counterexamples and Resynthesis , 2007 .

[40]  Vitaly Shmatikov,et al.  Fix Me Up: Repairing Access-Control Bugs in Web Applications , 2013, NDSS.

[41]  Somesh Jha,et al.  Retrofitting legacy code for authorization policy enforcement , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[42]  Milica Miti A Survey of Three System-on-Chip Buses : AMBA , CoreConnect and Wishbone , 2006 .

[43]  Sumit Gulwani,et al.  Oracle-guided component-based program synthesis , 2010, 2010 ACM/IEEE 32nd International Conference on Software Engineering.

[44]  Alexander Aiken,et al.  Stratified synthesis: automatically learning the x86-64 instruction set , 2016, PLDI.

[45]  Yao Wang,et al.  A Hardware Design Language for Timing-Sensitive Information-Flow Security , 2015, ASPLOS.

[46]  Leonid Ryzhyk,et al.  User-Guided Device Driver Synthesis , 2014, OSDI.

[47]  Rajeev Alur,et al.  Syntax-guided synthesis , 2013, 2013 Formal Methods in Computer-Aided Design.

[48]  Jordan Dimitrov Operational semantics for Verilog , 2001, Proceedings Eighth Asia-Pacific Software Engineering Conference.

[49]  Niklas Sörensson,et al.  Temporal induction by incremental SAT solving , 2003, BMC@CAV.

[50]  Frederic T. Chong,et al.  Sapper: a language for hardware-level security policy enforcement , 2014, ASPLOS.

[51]  Wei Hu,et al.  Information flow isolation in I2C and USB , 2011, 2011 48th ACM/EDAC/IEEE Design Automation Conference (DAC).

[52]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[53]  Armando Solar-Lezama,et al.  Program synthesis from polymorphic refinement types , 2015, PLDI.