Skip to main content
SpringerLink
Log in
Book cover

Hardware IP Security and Trust pp 287–323Cite as

Verifying Security Properties in Modern SoCs Using Instruction-Level Abstractions

  • Chapter
  • First Online:

  • 1538 Accesses

Abstract

This chapter describes a methodology for system-level security verification of modern Systems-on-Chip (SoC) designs. These designs comprise interacting intellectual property (IP) blocks which are often sourced from third-party vendors and contain both hardware accelerators and programmable cores executing firmware. Verifying that SoCs meet their security requirements in this context is especially challenging. These challenges relate to: (1) specifying security properties for verification, and (2) verifying these properties across firmware and hardware.We address the latter by raising the level of abstraction of the hardware modules to be similar to that of instructions in software/firmware. This abstraction, referred to as an instruction-level abstraction (ILA), plays a role similar to the instruction set architecture (ISA) for general purpose processors and enables high-level analysis of SoC firmware. In particular, the ILA can be used instead of the cycle-accurate and bit-precise register transfer level (RTL) implementation for scalable verification of system-level security properties in SoCs.Manual construction of the ILA in the context of third-party IPs can be challenging. Hence, we introduce techniques to semi-automatically synthesize the ILA using a template abstraction and directed simulations of the SoC hardware. We describe techniques to ensure that the ILA is a correct abstraction of the underlying hardware implementation. We then show how the ILA can be used for SoC security verification by designing a specification language for security properties and an algorithm based on symbolic execution to verify these properties. We discuss two case studies which apply ILA-based verification to an example SoC built out of open source components and part of a commercial SoC. The methodology discovered several bugs in the hardware implementation, simulators, and firmware.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD   159.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Note F o (S, W) must contain the instruction opcode. It may also (but is not required to) contain additional data such as the arguments to the instruction.

  2. 2.

    We are writing bitvectors of width 8 (elements of bvec 8) as 0255.

  3. 3.

    This is the meaning of the G linear temporal logic (LTL) operator.

  4. 4.

    We could have used the Verilog implementation itself for simulation. However, we chose to replicate the common scenario where simulators are developed and used for validation before the RTL design is complete.

References

  1. S.V. Adve, K. Gharachorloo, Shared memory consistency models: a tutorial. IEEE Comput. 29 (12), 66–76 (1996)

    Article  Google Scholar 

  2. R. Alur, R. Bodik, G. Juniwal, M.M.K. Martin, M. Raghothaman, S.A. Seshia, R. Singh, A. Solar-Lezama, E. Torlak, A. Udupa, Syntax-guided synthesis, in Formal Methods in Computer-Aided Design (2013)

    Google Scholar 

  3. G.S. Babil, O. Mehani, R. Boreli, M.-A. Kaafar, On the effectiveness of dynamic taint analysis for protecting against private information leaks on Android-based devices, in Security and Cryptography (2013)

    Google Scholar 

  4. O. Bazhaniuk, J. Loucaides, L. Rosenbaum, M.R. Tuttle, V. Zimmer, Symbolic Execution for BIOS Security, in Proceedings of the 9th USENIX Conference on Offensive Technologies (2015)

    Google Scholar 

  5. Berkeley Logic Synthesis and Verification Group, ABC: a system for sequential synthesis and verification (2014). http://www.eecs.berkeley.edu/~alanmi/abc/

  6. D. Beyer, T.A. Henzinger, R. Jhala, R. Majumdar, The software model checker blast. Int. J. Softw. Tools Technol. Transfer 9 (5–6), 505–525 (2007)

    Article  Google Scholar 

  7. M. Bohr, The new era of scaling in an SoC world, in IEEE International Solid-State Circuits Conference-Digest of Technical Papers (IEEE, New York, 2009), pp. 23–28

    Google Scholar 

  8. A.R. Bradley, SAT-based model checking without unrolling, in Verification, Model Checking, and Abstract Interpretation (2011)

    MATH  Google Scholar 

  9. C. Cadar, D. Dunbar, D. Engler, KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs, in Operating Systems Design and Implementation (2008)

    Google Scholar 

  10. V. Chipounov, V. Kuznetsov, G. Candea, S2E: a platform for in-vivo multi-path analysis of software systems, in Architectural Support for Programming Languages and Operating Systems (2011)

    Book  Google Scholar 

  11. E. Clarke, D. Kroening, F. Lerda, A tool for checking ANSI-C programs, in Tools and Algorithms for the Construction and Analysis of Systems (2004)

    MATH  Google Scholar 

  12. J. Cong, M.A. Ghodrat, M. Gill, B. Grigorian, K. Gururaj, G. Reinman, Accelerator-rich architectures: opportunities and progresses, in Proceedings of the 51st Annual Design Automation Conference (ACM, New York, 2014), pp. 1–6

    Google Scholar 

  13. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, P. Barham, Vigilante: end-to-end containment of internet worms, in Symposium on Operating Systems Principles (2005)

    Book  Google Scholar 

  14. J.R. Crandall, F.T. Chong, Minos: control data attack prevention orthogonal to memory model, in IEEE/ACM International Symposium on Microarchitecture (2004)

    Google Scholar 

  15. D. Davidson, B. Moench, S. Jha, T. Ristenpart, FIE on firmware: finding vulnerabilities in embedded systems using symbolic execution, in USENIX Conference on Security (2013)

    Google Scholar 

  16. L. De Moura, N. Bjørner. Z3: an efficient SMT solver, in Tools and Algorithms for the Construction and Analysis of Systems (2008)

    Google Scholar 

  17. R.H. Dennard, V. Rideout, E. Bassous, A. LeBlanc, Design of ion-implanted MOSFET’s with very small physical dimensions. IEEE J. Solid State Circuits 9 (5), 256–268 (1974)

    Article  Google Scholar 

  18. H. Esmaeilzadeh, E. Blem, R.S. Amant, K. Sankaralingam, D. Burger, Dark silicon and the end of multicore scaling, in Proceedings of the International Symposium on Computer Architecture (IEEE, New York, 2011), pp. 365–376

    Google Scholar 

  19. Experimental artifacts and synthesis framework source code (2016).​​ https://bitbucket.org/spramod/ila-synthesis

  20. A. Gascón, A. Tiwari, A synthesized algorithm for interactive consistency, in NASA Formal Methods (2014)

    Google Scholar 

  21. P. Godefroid, N. Klarlund, K. Sen, DART: directed automated random testing, in Programming Language Design and Implementation (2005)

    Book  Google Scholar 

  22. P. Godefroid, A. Taly, Automated synthesis of symbolic instruction encodings from I/O samples, in Programming Language Design and Implementation (2012)

    Google Scholar 

  23. S. Heule, E. Schkufza, R. Sharma, A. Aiken, Stratified synthesis: automatically learning the x86-64 instruction set, in Proceedings of Programming Language Design and Implementation (2016)

    Google Scholar 

  24. A. Horn, M. Tautschnig, C. Val, L. Liang, T. Melham, J. Grundy, D. Kroening, Formal co-validation of low-level hardware/software interfaces, in Formal Methods in Computer-Aided Design (2013)

    Google Scholar 

  25. H. Hsing, http://opencores.org/project,tiny_aes (2014)

  26. S. Jha, S. Gulwani, S.A. Seshia, A. Tiwari, Oracle-guided component-based program synthesis, in International Conference on Software Engineering (2010)

    Google Scholar 

  27. S. Jha, S.A. Seshia, A theory of formal synthesis via inductive learning, in CoRR, abs/1505.03953 (2015)

    Google Scholar 

  28. R. Jhala, K.L. McMillan, Microarchitecture verification by compositional model checking, in Computer-Aided Verification (2001)

    MATH  Google Scholar 

  29. M.G. Kang, S. McCamant, P. Poosankam, D. Song, DTA++: dynamic taint analysis with targeted control-flow propagation, in Network and Distributed System Security Symposium (2011)

    Google Scholar 

  30. S. Krstic, J. Yang, D.W. Palmer, R.B. Osborne, E. Talmor, Security of SoC firmware load protocols, in Hardware-Oriented Security and Trust, pp. 70–75 (2014)

    Google Scholar 

  31. R. Kumar, K.I. Farkas, N.P. Jouppi, P. Ranganathan, D.M. Tullsen. Single-ISA heterogeneous multi-core architectures: the potential for processor power reduction, in Proceedings of International Symposium on Microarchitecture (IEEE, New York, 2003), pp. 81–92

    Google Scholar 

  32. R. Lysecky, T. Givargis, G. Stitt, A. Gordon-Ross, K. Miller, http://www.cs.ucr.edu/~dalton/i8051/i8051sim/ (2001)

  33. S. Malik, P. Subramanyan, Invited: specification and modeling for systems-on-chip security verification, in Proceedings of the Design Automation Conference, DAC ’16, New York, NY (ACM, New York, 2016), pp. 66:1–66:6

    Google Scholar 

  34. J. McLean, A general theory of composition for trace sets closed under selective interleaving functions, in IEEE Computer Society Symposium on Research in Security and Privacy (IEEE, New York, 1994), pp. 79–93

    Google Scholar 

  35. K.L. McMillan, Parameterized verification of the FLASH cache coherence protocol by compositional model checking, in Correct Hardware Design and Verification Methods (Springer, Berlin, 2001)

    MATH  Google Scholar 

  36. A. Mishchenko, N. Een, R. Brayton, J. Baumgartner, H. Mony, P. Nalla, GLA: gate-level abstraction revisited, in Design, Automation and Test in Europe (2013)

    Google Scholar 

  37. A.C. Myers, JFlow: practical mostly-static information flow control, in Principles of Programming Languages (1999)

    Book  Google Scholar 

  38. M.D. Nguyen, M. Wedler, D. Stoffel, W. Kunz, Formal hardware/software co-verification by interval property checking with abstraction, in Design Automation Conference (2011)

    Google Scholar 

  39. A. Sabelfeld, A. Myers, Language-based information-flow security. IEEE Sel. Areas Commun. 21, 5–19 (2003)

    Article  Google Scholar 

  40. A. Sabelfeld, D. Sands, Declassification: dimensions and principles, J. Comput. Secur. 17 (5), 517–548 (2009)

    Article  Google Scholar 

  41. R. Saleh, S. Wilton, S. Mirabbasi, A. Hu, M. Greenstreet, G. Lemieux, P.P. Pande, C. Grecu, A. Ivanov, System-on-chip: reuse and integration. Proc. IEEE 94 (6), 1050–1069 (2006)

    Article  Google Scholar 

  42. E. Schwartz, T. Avgerinos, D. Brumley, All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask), in IEEE Security and Privacy (2010)

    Google Scholar 

  43. S.A. Seshia, Combining induction, deduction, and structure for verification and synthesis. Proc. IEEE 103 (11), 2036–2051 (2015)

    Article  Google Scholar 

  44. R. Sinha, P. Roop, S. Basu, The AMBA SOC platform, in Correct-by-Construction Approaches for SoC Design (Springer, New York, 2014)

    Book  Google Scholar 

  45. A. Solar-Lezama, L. Tancau, R. Bodik, S. Seshia, V. Saraswat. Combinatorial sketching for finite programs, in Architectural Support for Programming Languages and Operating Systems (2006)

    Google Scholar 

  46. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M.G. Kang, Z. Liang, J. Newsome, P. Poosankam, P. Saxena, BitBlaze: a new approach to computer security via binary analysis, in Information Systems Security (2008)

    Google Scholar 

  47. J. Strömbergson, https://github.com/secworks/sha1 (2014)

  48. P. Subramanyan, D. Arora, Formal verification of taint-propagation security properties in a commercial SoC design, in Design, Automation and Test in Europe (2014)

    Google Scholar 

  49. P. Subramanyan, Y. Vizel, S. Ray, S. Malik, Template-based synthesis of instruction-level abstractions for SoC verification, in Formal Methods in Computer-Aided Design (2015)

    Google Scholar 

  50. P. Subramanyan, S. Malik, H. Khattri, A. Maiti, J. Fung, Verifying information flow properties of firmware using symbolic execution, In Design Automation and Test in Europe (2016)

    Google Scholar 

  51. S. Teran, J. Simsic, http://opencores.org/project,8051 (2013)

  52. A. Udupa, A. Raghavan, J.V. Deshmukh, S. Mador-Haim, M.M. Martin, R. Alur, TRANSIT: specifying protocols with concolic snippets, in Programming Language Design and Implementation (2013)

    Book  Google Scholar 

  53. C. Wolf, http://www.clifford.at/yosys/ (2015)

  54. F. Xie, X. Song, H. Chung, N. Ranajoy, Translation-based co-verification, in Formal Methods and Models for Co-Design (2005)

    Google Scholar 

  55. F. Xie, G. Yang, X. Song, Component-based hardware/software co-verification for building trustworthy embedded systems. J. Syst. Softw. 80 (5), 643–654 (2007)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Electrical Engineering, Princeton University, Princeton, NJ, USA

    Pramod Subramanyan & Sharad Malik

Authors
  1. Pramod Subramanyan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sharad Malik
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pramod Subramanyan .

Editor information

Editors and Affiliations

  1. Department of Computer and Information Science and Engineering, University of Florida , Gainesville, Florida, USA

    Prabhat Mishra

  2. Department of Electrical and Computer Engineering, University of Florida , Gainesville, Florida, USA

    Swarup Bhunia

  3. Department of Electrical and Computer Engineering, University of Florida , Gainesville, Florida, USA

    Mark Tehranipoor

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Subramanyan, P., Malik, S. (2017). Verifying Security Properties in Modern SoCs Using Instruction-Level Abstractions. In: Mishra, P., Bhunia, S., Tehranipoor, M. (eds) Hardware IP Security and Trust. Springer, Cham. https://doi.org/10.1007/978-3-319-49025-0_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-49025-0_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49024-3

  • Online ISBN: 978-3-319-49025-0

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation