Lightweight Verification of Secure Hardware Isolation Through Static Information Flow Analysis (Technical Report)

Hardware-based mechanisms for software isolation are becoming increasingly popular, but implementing these mechanisms correctly has proved difficult, undermining the root of security. This work introduces an effective way to formally verify important properties of such hardware security mechanisms. In our approach, hardware is developed using a lightweight security-typed hardware description language (HDL) that performs static information flow analysis. We show the practicality of our approach by implementing and verifying a simplified but realistic multi-core prototype of the ARM TrustZone architecture. To make the security-typed HDL expressive enough to verify a realistic processor, we develop new type system features. Our experiments suggest that information flow analysis is efficient, and programmer effort is modest. We also show that information flow constraints are an effective way to detect hardware vulnerabilities, including several found in commercial processors.

[1]  Steve Zdancewic,et al.  Run-time principals in information-flow type systems , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[2]  Sanjit A. Seshia,et al.  A design and verification methodology for secure isolated regions , 2016, PLDI.

[3]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[4]  R. Boivie SecureBlue + + : CPU Support for Secure Execution , 2011 .

[5]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[6]  Frederic T. Chong,et al.  Complete information flow tracking from the gates up , 2009, ASPLOS.

[7]  Nael B. Abu-Ghazaleh,et al.  Iso-X: A Flexible Architecture for Hardware-Managed Isolated Execution , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[8]  Ryan Kastner,et al.  A practical testing framework for isolating hardware timing channels , 2013, 2013 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[9]  G. Edward Suh,et al.  A Hardware Design Language for Efficient Control of Timing Channels , 2014 .

[10]  Ruby B. Lee,et al.  Architectural support for hypervisor-secure virtualization , 2012, ASPLOS XVII.

[11]  Jonathan M. Smith,et al.  SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs , 2015, ASPLOS.

[12]  Andrew C. Myers,et al.  Dynamic security labels and static information flow control , 2007, International Journal of Information Security.

[13]  Frederic T. Chong,et al.  Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security , 2011, 2011 38th Annual International Symposium on Computer Architecture (ISCA).

[14]  Peng Li,et al.  Downgrading policies and relaxed noninterference , 2005, POPL '05.

[15]  Sanjit A. Seshia,et al.  Moat: Verifying Confidentiality of Enclave Programs , 2015, CCS.

[16]  Wei Hu,et al.  Theoretical analysis of gate level information flow tracking , 2010, Design Automation Conference.

[17]  G. Edward Suh,et al.  Design and implementation of the AEGIS single-chip secure processor using physical random functions , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[18]  Frederic T. Chong,et al.  Sapper: a language for hardware-level security policy enforcement , 2014, ASPLOS.

[19]  Frederic T. Chong,et al.  Execution leases: A hardware-supported mechanism for enforcing strong non-interference , 2009, 2009 42nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[20]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[21]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[22]  ChongStephen,et al.  Automatic enforcement of expressive security policies using enclaves , 2016 .

[23]  Wei Hu,et al.  Information flow isolation in I2C and USB , 2011, 2011 48th ACM/EDAC/IEEE Design Automation Conference (DAC).

[24]  Frederic T. Chong,et al.  Caisson: a hardware description language for secure information flow , 2011, PLDI '11.

[25]  Sergei Skorobogatov,et al.  Breakthrough Silicon Scanning Discovers Backdoor in Military Chip , 2012, CHES.

[26]  Deepak Garg,et al.  Verification of Information Flow and Access Control Policies with Dependent Types , 2011, 2011 IEEE Symposium on Security and Privacy.

[27]  Jong Kim,et al.  Stealing Webpages Rendered on Your Browser by Exploiting GPU Vulnerabilities , 2014, 2014 IEEE Symposium on Security and Privacy.

[28]  Wei Hu,et al.  Gate-Level Information Flow Tracking for Security Lattices , 2014, TODE.

[29]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[30]  Srinivas Devadas,et al.  Sanctum: Minimal Hardware Extensions for Strong Software Isolation , 2016, USENIX Security Symposium.

[31]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[32]  Rafal Wojtczuk,et al.  Following the White Rabbit : Software attacks against Intel ( R ) VT-d technology , 2011 .

[33]  Yao Wang,et al.  A Hardware Design Language for Timing-Sensitive Information-Flow Security , 2015, ASPLOS.

[34]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[35]  Srinivas Devadas,et al.  A secure processor architecture for encrypted computation on untrusted programs , 2012, STC '12.

[36]  Andrew C. Myers,et al.  A Model for Delimited Information Release , 2003, ISSS.

[37]  Luís Caires,et al.  Dependent Information Flow Types , 2015, POPL.