kth.sePublications
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Towards a Trustworthy Stack: Formal Verification of Low-Level Hardware and Software
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS.ORCID iD: 0000-0002-0629-4439
2024 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Computer systems, consisting of hardware and software, have gained significant importance in the digitalised world. These computer systems rely on critical components to provide core functionalities and handle sensitive data. A fundamental requirement for these critical components is functional correctness, which ensures that the components work as their specifications prescribe. For instance, a pipelined processor will execute instructions concurrently in different stages such as fetch, decode and execute, and must produce results as specified in the instruction set architecture (ISA) manual. In addition to functional correctness, security properties such as confidentiality and integrity are important. In particular, confidentiality requires that sensitive data is only accessible to authorised users. To construct a correct and secure computer (i.e., a trustworthy stack), this thesis focuses on the functional correctness and confidentiality of peripherals and pipelined processors using the HOL4 interactive theorem prover.

For functional correctness, we use a refinement-based verification approach where the execution of a target system is constrained by a reference system. We have studied this for two different target systems, a synchronous serial peripheral interface (SPI) device along with its driver, and a 5-stage pipelined processor. Specifically, we formalise an SPI device and its driver, and present an abstract model as the reference system. The abstract model ensures correct communications in the SPI half- and full-duplex modes. The refinement between the abstract and SPI models is established using weak bisimulation. Secondly, we implement and verify a 5-stage in-order pipelined processor Silver-Pi for the RISC ISA Silver. The correctness of Silver-Pi is proved by exhibiting a refinement relation between the traces of the processor and the Silver ISA. Silver-Pi is implemented using the verified HOL4 Verilog library, which ensures the correctness of the processor down to its Verilog implementation. 

For the SPI case study, weak bisimulation ensures that the SPI model has the same information flows as the abstract model, which prevents malicious driver operations e.g., an infinite loop based on a secret value.

In general, to prevent secret leaks caused by phenomena such as instruction pipelining and out-of-order (OoO) execution, the target and reference systems are augmented by observations that extract visible parts of the machine state to attackers. This allows a variety of information channels based on e.g. timing and cache access behaviour to be captured. As a security policy, we use the notion of conditional noninterference (CNI), which guarantees that a target system does not leak more information than what the reference system allows.

In order to analyse the timing channel of Silver-Pi, the observation function extracts the parts of the ISA state that may affect the execution time of a program. With this reference system, we prove that Silver-Pi satisfies CNI.

For OoO execution, we present the formalisation of a machine independent language, MIL, which uses a small set of primitive events to describe both in-order and OoO execution at a microarchitecture-like level. A notion of CNI in MIL rules out trace-driven cache side channels by comparing OoO and in-order execution of a program. We present a semi-automated verification strategy for CNI using the executable semantics and demonstrate this strategy with several examples. The executable semantics computes results and generates observations during the execution of MIL programs.
Abstract [sv]

Datorsystem, bestående av hårdvara och mjukvara, har fått stor betydelse i den digitaliserade världen.Dessa datorsystem är beroende av kritiska komponenter för att tillhandahålla grundläggande funktionalitet och hantera känslig information. Ett grundläggande krav för dessa kritiska komponenter är funktionell korrekthet, vilket säkerställer att komponenterna fungerar som deras specifikationer föreskriver. Till exempel kommer en pipelineprocessor att exekvera instruktioner samtidigt i olika steg, till exempel hämtning, dekodning och utförande, och måste producera resultat som specificeras i instruktionsuppsättning (ISA) manualen. Utöver funktionell korrekthet är säkerhetsegenskaper som konfidentialitet och integritet också viktiga. Särskilt kräver konfidentialitet att känslig information endast är tillgänglig för auktoriserade användare. För att konstruera en korrekt och säker dator (dvs. en pålitlig stack), fokuserar denna avhandling på den funktionella korrektheten och konfidentialiteten hos periferiutrustningar och pipelined-processorer med hjälp av det interaktiva bevisprogrammet HOL4.

För funktionell korrekthet använder vi ett verifieringssätt baserat på för-fining där utförandet av ett målsystem begränsas av ett referenssystem. Vi har studerat detta för två olika målsystem, en synkron seriell peripheral interface (SPI) tillsammans med dess drivrutin, och en 5-stegs pipelined processor. Specifikt formaliserar vi en SPI-anordning och dess drivrutin, och presenterar en abstrakt modell som referenssystemet. Den abstrakta modellen säkerställer korrekt kommunikation i SPI:s halv- och hel-duplexlägen. Förfiningen mellan den abstrakta och SPI-modellerna fastställs med hjälp av svag bisimulering. För det andra implementerar och verifierar vi en 5-stegs in-order pipelined processor Silver-Pi för RISC ISA Silver. Korrektheten hos Silver-Pi bevisas genom att uppvisa ett förfiningsförhållande mellan processorernas exkveringsspår och Silver ISA.Silver-Pi är implementerad med det verifierade HOL4 Verilog-biblioteket, vilket säkerställer processorns korrekthet ner till dess Verilog-implementation.

För SPI-fallstudien säkerställer svag bisimulering att SPI-modellen har samma informationsflöden som den abstrakta modellen, vilket förhindrar skadliga drivrutinsoperationer, t.ex. en oändlig loop baserad på ett hemligt värde.

I allmänhet, för att förhindra läckage av hemligheter orsakade av fenomen som instruktionspipelining och omordnad (OoO) exekvering, kompletteras mål- och referenssystemen med observationer som extraherar synliga delar av maskinens tillstånd för angripare. Detta möjliggör att en mängd informationskanaler baserat på exempelvis tid och cacheåtkomstbeteende kan fångas upp. Som säkerhetspolicy använder vi begreppet konditionell icke-interferens (CNI), vilket garanterar att ett målsystem inte läcker ut mer information än vad referenssystemet tillåter.

För att analysera tidkanalen hos Silver-Pi, extraherar observationsfunktionen delar av ISA-tillståndet som kan påverka exekveringstiden för ett program.Med detta referenssystem bevisar vi att Silver-Pi uppfyller CNI.

För OoO-utförande presenterar vi formaliseringen av ett maskinoberoende språk, MIL, som använder en liten uppsättning primitiva händelser för att beskriva både in-order och OoO-utförande på en mikroarkitekturliknande nivå. Ett begrepp av CNI i MIL utesluter spårdrivna cache-sidokanaler genom att jämföra OoO och in-order utförande av ett program. En verifierad körbar semantik beräknar resultat och genererar observationer av MIL-program. Vi presenterar en semi-automatiserad verifieringsstrategi för CNI med hjälp av den körbara semantiken och demonstrerar denna strategi med flera exempel.
Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2024. , p. 75
Series
TRITA-EECS-AVL ; 2024:3
Keywords [en]
Formal Verification, Information Flow, Refinement, Interactive Theorem Prover, HOL4, Serial Interface, Pipelined Processor, Microarchitecture, Out-of-order Execution
Keywords [sv]
Formell Verifiering, Informationsflöde, Förfining, Interaktiva Bevisprogrammet, HOL4, Seriellt Gränssnitt, Pipelined Processor, Mikroarkitektur, Omordnad Exekvering
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-341484ISBN: 978-91-8040-792-2 (print)OAI: oai:DiVA.org:kth-341484DiVA, id: diva2:1821827
Public defence
2024-02-05, https://kth-se.zoom.us/j/65032245867, F3, Lindstedtsvägen 26, Stockholm, 14:00 (English)
Opponent
Supervisors
Note

QC 20231221

Available from: 2023-12-21 Created: 2023-12-21 Last updated: 2024-01-19Bibliographically approved
List of papers
1. Refinement-Based Verification of Device-to-Device Information Flow
Open this publication in new window or tab >>Refinement-Based Verification of Device-to-Device Information Flow
2021 (English)In: Proceedings of the 21st Conference on Formal Methods in Computer-Aided Design – FMCAD 2021, TU Wien Academic Press , 2021Conference paper, Published paper (Refereed)
Abstract [en]

I/O devices are the critical components that allow a computing system to communicate with the external environment. From the perspective of a device, interactions can be divided into two parts, with the processor (mainly memory operations by the driver) and through the communication medium with external devices. In this paper, we present an abstract model of I/O devices and their drivers to describe the expected results of their execution, where the communication between devices is made explicit and the device-to-device information flow is analyzed. In order to handle general I/O functionalities, both half-duplex (transmission and reception) and full-duplex (sending and receiving simultaneously) data transmissions are considered. We propose a refinement-based approach that concretizes a correct-by-construction abstract model into an actual hardware device and its driver. As an example, we formalize the Serial Peripheral Interface (SPI) with a driver. In the HOL4 interactive theorem prover, we verified the refinement between these models by establishing a weak bisimulation. We show how this result can be used to establish both functional correctness and information flow security for both single devices and when devices are connected in an end-to-end fashion.
Place, publisher, year, edition, pages
TU Wien Academic Press, 2021
Keywords
Formal verification, Refinement, Serial interface, Device driver, Interactive theorem prover, Information flow
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-303933 (URN)10.34727/2021/isbn.978-3-85448-046-4_21 (DOI)2-s2.0-85123738676 (Scopus ID)
Conference
Formal Methods in Computer Aided Design, FMCAD 2021, New Haven, CT, USA, October 19-22, 2021
Projects
CERCES
Note

Part of ISBN 978-3-85448-046-4

QC 20211117

Available from: 2021-10-29 Created: 2021-10-29 Last updated: 2023-12-21Bibliographically approved
2. Formal Verification of Correctness and Information Flow Security for an In-Order Pipelined Processor
Open this publication in new window or tab >>Formal Verification of Correctness and Information Flow Security for an In-Order Pipelined Processor
2023 (English)In: Proceedings of the 23rd Conference on Formal Methods in Computer-Aided Design – FMCAD 2023 / [ed] Alexander Nadel; Kristin Yvonne Rozier, TU Wien Academic Press , 2023Conference paper, Published paper (Refereed)
Abstract [en]

We present an in-order pipelined processor and its verification in the HOL4 interactive theorem prover. The processor implements the RISC ISA Silver and features a general 5-stage pipeline. The correctness of the processor is proved by exhibiting a refinement relation between the traces of the pipelined circuit and the Silver ISA. The processor is constructed by using a HOL4 Verilog library for formally verified hardware, and its correctness is guaranteed down to the Verilog implementation. Additionally, we analyze the information flow properties of the processor by utilizing the refinement relation. The notion of conditional noninterference formulates that a processor should not leak more information via its timing channel than what is expected by a leakage model expressed at the ISA level. We establish the conditional noninterference for our processor and demonstrate the adaptability of the information flow methodology to accommodate various processor designs, attacker models, and environments. Our approach to verify processor implementations and enable information flow analysis at the circuit level is suitable for ISAs beyond Silver.
Place, publisher, year, edition, pages
TU Wien Academic Press, 2023
Keywords
Formal Verification, Information Flow, Pipelined Processor, Interactive Theorem Prover
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-338911 (URN)10.34727/2023/isbn.978-3-85448-060-0_33 (DOI)2-s2.0-85180375645 (Scopus ID)
Conference
Formal Methods in Computer-Aided Design (FMCAD) 2023, 24-27 Oct. 2023
Funder
Swedish Foundation for Strategic Research
Note

QC 20231121

Available from: 2023-11-21 Created: 2023-11-21 Last updated: 2024-01-04Bibliographically approved
3. Information Flow Analysis of a Verified In-Order Pipelined Processor
Open this publication in new window or tab >>Information Flow Analysis of a Verified In-Order Pipelined Processor
(English)Manuscript (preprint) (Other academic)
Abstract [en]

We implement a verified in-order pipelined processor Silver-Pi for the RISC ISA Silver in the HOL4 interactive theorem prover. The correctness of the processor is established by exhibiting a trace relation between the circuit and the Silver ISA. Based on the correctness proof, we prove the conditional noninterference (CNI) of the processor. The CNI formulates that executing programs on the processor does not leak additional information on the timing channel than permitted by a leakage function expressed at the ISA level.
Keywords
Information Flow, Side-channel, Pipelined Processor, Formal Verification
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-339910 (URN)
Note

QC 20240125

Available from: 2023-11-29 Created: 2023-11-29 Last updated: 2024-01-25Bibliographically approved
4. Foundations and Tools in HOL4 for Analysis of Microarchitectural Out-of-Order Execution
Open this publication in new window or tab >>Foundations and Tools in HOL4 for Analysis of Microarchitectural Out-of-Order Execution
Show others...
2022 (English)In: Proceedings of the 22nd Conference on Formal Methods in Computer-Aided Design, FMCAD 2022, Institute of Electrical and Electronics Engineers (IEEE) , 2022, p. 129-138Conference paper, Published paper (Refereed)
Abstract [en]

Program analyses based on Instruction Set Architecture (ISA) abstractions can be circumvented using microarchitectural vulnerabilities, permitting unwanted program information flows even when proven ISA-level properties ostensibly rule them out. However, the low abstraction levels found below ISAs, e.g., in microarchitectures defined in hardware description languages, may obscure information flow and hinder analysis tool development. We present a machine-checked formalization in the HOL4 theorem prover of a language, MIL, that abstractly describes microarchitectural in-order and out-of-order program execution and enables reasoning about low-level program information flows. In particular, MIL programs can exhibit information flow side channels when executed out-of-order, as compared to a reference in-order execution. We prove memory consistency between MIL's out-of-order and in-order dynamic semantics in HOL4, and define a notion of conditional noninterference for MIL programs which rules out trace-driven cache side channels. We then demonstrate how to establish conditional noninterference for programs via a novel semi-automated bisimulation based verification strategy inside HOL4 that we apply to several examples. Based on our results, we believe MIL is suitable as a translation target for ISA code to enable information flow analyses.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2022
Series
Formal Methods in Computer-Aided Design
Keywords
HOL4, information flow, interactive theorem proving, microarchitectures, out-of-order execution
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-330691 (URN)10.34727/2022/isbn.978-3-85448-053-2_19 (DOI)001062691400019 ()2-s2.0-85148099314 (Scopus ID)
Conference
2022 Formal Methods in Computer-Aided Design (FMCAD), 17-21 October 2022, Trento, Italy
Note

Part of ISBN 9783854480532

QC 20230630

Available from: 2023-06-30 Created: 2023-06-30 Last updated: 2023-12-21Bibliographically approved

Open Access in DiVA

kappa(1267 kB)665 downloads
File information
File name FULLTEXT01.pdfFile size 1267 kBChecksum SHA-512
b0dd6b817930d7f94a77538017611941298d96be07bd472f230bdc38980fd796044d94e1a22543dcb9c280bad6ea8200cee775655f3950d66dc410db891c390b
Type fulltextMimetype application/pdf

Authority records

Dong, Ning

Search in DiVA

By author/editor
Dong, Ning
By organisation
Theoretical Computer Science, TCS
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 666 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 2587 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.46.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub