Formal Security Verification of Concurrent Firmware in SoCs using Instruction-Level Abstraction for Hardware*

Formal security verification of firmware interacting with hardware in modern Systems-on-Chip (SoCs) is a critical research problem. It faces the following challenges: (1) design complexity and heterogeneity, (2) semantic gaps between software and hardware, (3) concurrency between firmware and hardware and between Intellectual Property blocks (IPs), and (4) expensive bit-precise reasoning. In this paper, we present a co-verification methodology that addresses these challenges. We model hardware using the Instruction-Level Abstraction (ILA), which captures firmware-visible behavior at the architecture level. This lets us integrate the hardware behavior and the firmware of each IP into a single thread. Co-verification of multiple firmware programs across IPs is then formulated as a multi-threaded program verification problem, for which we leverage software verification techniques. We also propose an optimization that uses abstraction to avoid expensive bit-precise reasoning. The evaluation of our methodology on an industrial SoC Secure Boot design demonstrates its applicability to SoC security verification.
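The formulation in the abstract (hardware modeled as an ILA, merged with its IP's firmware into one sequential thread; several IPs verified as a multi-threaded program; a security property checked over all interleavings) can be illustrated with a small executable sketch. The following Python is an added example written for this page; it is not the paper's tool, model, or Secure Boot design. Everything in it is constructed and assumed for illustration: a toy "hash engine" whose ILA has two instructions (`hash_start`, `hash_done`), a toy digest (a byte sum standing in for a real hash, which is also where a bit-precise model would be abstracted away), a boot firmware thread on one IP, a DMA-driving firmware thread on a second IP that shares the image buffer, a software `lock` flag, and a context-bounded interleaving explorer in the spirit of the context-bounded analysis the paper builds on. The property checked is the classic time-of-check/time-of-use one for secure boot: if the firmware approves the image, the bytes it then uses are the bytes the engine actually hashed.

```python
from copy import deepcopy

# Constructed sample values for the toy secure-boot scenario (not from the paper).
IMAGE = [0xAA, 0xBB]
EXPECTED_DIGEST = 0x65  # (0xAA + 0xBB) & 0xFF: the "golden" digest of IMAGE


def initial_state():
    """Firmware-visible architectural state shared by both IPs (assumed layout)."""
    return {
        "buf": list(IMAGE),       # shared image buffer
        "lock": 0,                # software ownership flag for buf
        "hash.status": "idle",    # hash engine status register
        "hash.digest": None,      # hash engine result register
        "hashed": None,           # ghost: buf contents the engine actually hashed
        "used": None,             # ghost: buf contents the boot firmware executed
        "boot_ok": None,          # ghost: the firmware's boot decision
    }


def hash_start(st):
    """ILA instruction of the toy hash engine, fired by the firmware's control write."""
    st["hash.status"] = "busy"
    st["hash.digest"] = sum(st["buf"]) & 0xFF  # toy digest, an abstraction of a real hash
    st["hashed"] = list(st["buf"])


def hash_done(st):
    """ILA instruction: the engine finishes and raises its done status."""
    st["hash.status"] = "done"


def verify_and_use(st):
    """Boot firmware compares the digest register and then executes the buffer."""
    st["boot_ok"] = st["hash.digest"] == EXPECTED_DIGEST
    st["used"] = list(st["buf"])


def boot_thread():
    """Boot firmware on IP A merged with the hash engine's ILA into one sequential thread.
    Each step is (guard, action); a step whose guard is false is not enabled."""
    return [
        (lambda st: st["lock"] == 0, lambda st: st.__setitem__("lock", 1)),  # take buffer
        (lambda st: True, hash_start),                                        # write CTRL
        (lambda st: st["hash.status"] == "busy", hash_done),                  # hardware runs
        (lambda st: st["hash.status"] == "done", lambda st: None),            # poll exits
        (lambda st: True, verify_and_use),
    ]


def dma_thread(respect_lock):
    """Firmware on IP B driving a DMA ILA instruction that overwrites buf[0]."""
    write = (lambda st: True, lambda st: st["buf"].__setitem__(0, 0xCC))
    if not respect_lock:
        return [write]
    return [
        (lambda st: st["lock"] == 0, lambda st: st.__setitem__("lock", 1)),
        write,
        (lambda st: True, lambda st: st.__setitem__("lock", 0)),
    ]


def toctou_safe(st):
    """Property: if boot was approved, the image executed is the image that was hashed."""
    return st["boot_ok"] is not True or st["used"] == st["hashed"]


def explore(threads, prop, context_bound):
    """Enumerate all interleavings with at most context_bound context switches.
    Returns the list of traces (thread, step) that reach a state violating prop."""
    violations = []
    stack = [(initial_state(), [0] * len(threads), None, 0, [])]
    while stack:
        st, pcs, cur, switches, trace = stack.pop()
        if not prop(st):
            violations.append(trace)
            continue
        for t, steps in enumerate(threads):
            if pcs[t] >= len(steps) or not steps[pcs[t]][0](st):
                continue  # thread finished or its next step is not enabled
            nsw = switches + (1 if cur is not None and cur != t else 0)
            if nsw > context_bound:
                continue
            ns = deepcopy(st)
            steps[pcs[t]][1](ns)
            npcs = list(pcs)
            npcs[t] += 1
            stack.append((ns, npcs, t, nsw, trace + [(t, pcs[t])]))
    return violations


def check(respect_lock, context_bound=4):
    """Run the two-IP co-verification problem; an empty list means the property holds."""
    return explore([boot_thread(), dma_thread(respect_lock)], toctou_safe, context_bound)


if __name__ == "__main__":
    for flag in (True, False):
        bad = check(flag)
        print(f"DMA respects lock={flag}: {len(bad)} violating interleavings", bad[:1])
```

With the DMA firmware honoring the lock, every interleaving satisfies the property; with the lock ignored, the explorer returns traces in which IP B's write lands between the hash engine's `hash_start` and the firmware's `verify_and_use`, which is exactly the cross-IP interleaving a single-IP, sequential analysis would miss. The ghost fields `hashed` and `used` play the role of auxiliary variables in the verification condition, and the byte-sum digest shows where a bit-precise hash would be replaced by an abstraction.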
