Abstract
This chapter describes a methodology for system-level security verification of modern Systems-on-Chip (SoC) designs. These designs comprise interacting intellectual property (IP) blocks which are often sourced from third-party vendors and contain both hardware accelerators and programmable cores executing firmware. Verifying that SoCs meet their security requirements in this context is especially challenging. These challenges relate to: (1) specifying security properties for verification, and (2) verifying these properties across firmware and hardware.

We address the latter by raising the level of abstraction of the hardware modules to be similar to that of instructions in software/firmware. This abstraction, referred to as an instruction-level abstraction (ILA), plays a role similar to the instruction set architecture (ISA) for general purpose processors and enables high-level analysis of SoC firmware. In particular, the ILA can be used instead of the cycle-accurate and bit-precise register transfer level (RTL) implementation for scalable verification of system-level security properties in SoCs.

Manual construction of the ILA in the context of third-party IPs can be challenging. Hence, we introduce techniques to semi-automatically synthesize the ILA using a template abstraction and directed simulations of the SoC hardware. We describe techniques to ensure that the ILA is a correct abstraction of the underlying hardware implementation. We then show how the ILA can be used for SoC security verification by designing a specification language for security properties and an algorithm based on symbolic execution to verify these properties. We discuss two case studies which apply ILA-based verification to an example SoC built out of open source components and to part of a commercial SoC. The methodology discovered several bugs in the hardware implementation, simulators, and firmware.
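As an added illustration (not code from the chapter or its authors), the Python sketch below shows the three ideas the abstract names on a deliberately tiny scale: an ILA whose "instructions" are firmware writes to a memory-mapped accelerator, a directed-simulation check that the ILA agrees with a cycle-level model of the same accelerator, and a check of a security property over the ILA. The accelerator, its register map, the START/LOCK control bits, the XOR "encryption", and every function name are assumptions made for this example; the property check uses bounded exhaustive exploration over a small value domain, which stands in here for the chapter's symbolic-execution-based algorithm.

```python
from dataclasses import dataclass, replace
from itertools import product

# Assumed register map and control bits (constructed for this example).
KEY, DATA, CTRL = 0x00, 0x01, 0x02
START, LOCK = 0x1, 0x2
MASK8 = 0xFF


@dataclass(frozen=True)
class State:
    """Architectural state visible to firmware: what the ILA abstracts."""
    key: int = 0
    data: int = 0
    out: int = 0
    locked: bool = False


def ila_step(s: State, addr: int, val: int) -> State:
    """One ILA 'instruction' is one firmware write (addr, val). Its effect is an
    atomic next-state function, like an ISA instruction; hardware latency is
    abstracted away."""
    val &= MASK8
    if addr == KEY:
        return s if s.locked else replace(s, key=val)  # key frozen once locked
    if addr == DATA:
        return replace(s, data=val)
    if addr == CTRL:
        nxt = replace(s, locked=s.locked or bool(val & LOCK))
        if val & START:  # toy "encryption": data XOR key
            nxt = replace(nxt, out=(nxt.data ^ nxt.key) & MASK8)
        return nxt
    return s  # writes to other addresses are no-ops


class CycleModel:
    """Stand-in for an RTL-level simulator: START takes three cycles and
    produces the result one nibble at a time while a busy flag is set."""
    def __init__(self):
        self.s, self.busy, self.tmp = State(), 0, 0

    def write(self, addr: int, val: int) -> None:
        val &= MASK8
        if addr == KEY:
            if not self.s.locked:
                self.s = replace(self.s, key=val)
        elif addr == DATA:
            self.s = replace(self.s, data=val)
        elif addr == CTRL:
            if val & LOCK:
                self.s = replace(self.s, locked=True)
            if val & START:
                self.busy, self.tmp = 3, 0

    def clock(self) -> None:
        full = (self.s.data ^ self.s.key) & MASK8
        if self.busy == 3:
            self.tmp = full & 0x0F
        elif self.busy == 2:
            self.tmp |= full & 0xF0
        elif self.busy == 1:
            self.s = replace(self.s, out=self.tmp)
        if self.busy:
            self.busy -= 1

    def run_to_quiescence(self) -> None:
        while self.busy:
            self.clock()


def ila_matches_simulation(traces) -> bool:
    """Directed-simulation check: after each instruction, once the hardware is
    quiescent, the ILA state must equal the simulator's architectural state."""
    for trace in traces:
        s, hw = State(), CycleModel()
        for addr, val in trace:
            s = ila_step(s, addr, val)
            hw.write(addr, val)
            hw.run_to_quiescence()
            if s != hw.s:
                return False
    return True


def key_immutable_after_lock(depth: int = 3) -> bool:
    """Security property: once LOCK is set, no instruction sequence changes the
    key. Bounded exhaustive exploration over a small domain (in place of
    symbolic execution over the ILA)."""
    vals = (0x00, 0x01, 0x02, 0x03, 0x5A, 0xFF)  # covers all CTRL bit combinations
    instrs = [(a, v) for a in (KEY, DATA, CTRL) for v in vals]
    for trace in product(instrs, repeat=depth):
        s = State()
        for addr, val in trace:
            nxt = ila_step(s, addr, val)
            if s.locked and nxt.key != s.key:
                return False
            s = nxt
    return True


# Constructed directed tests (not from the chapter).
DIRECTED_TRACES = [
    [(KEY, 0x3C), (DATA, 0xA5), (CTRL, START)],
    [(KEY, 0x3C), (CTRL, LOCK), (KEY, 0x00), (DATA, 0xA5), (CTRL, START)],
    [(DATA, 0x11), (CTRL, START | LOCK), (KEY, 0x22), (CTRL, START)],
]

if __name__ == "__main__":
    print("ILA matches simulator:", ila_matches_simulation(DIRECTED_TRACES))
    print("key immutable after lock:", key_immutable_after_lock())
```

The equality check in `ila_matches_simulation` is what catches the kind of divergence the abstract reports finding (for instance, a simulator or RTL in which the lock fails to gate key writes would disagree with the ILA after the third instruction of the second trace), and `key_immutable_after_lock` is the shape of a property that is far cheaper to check over the ILA than over a cycle-accurate model.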
Notes
1. Note that F_o(S, W) must contain the instruction opcode. It may also (but is not required to) contain additional data such as the arguments to the instruction.
2. We write bitvectors of width 8 (elements of bvec_8) as 0…255.
3. This is the meaning of the G ("globally") linear temporal logic (LTL) operator.
4. We could have used the Verilog implementation itself for simulation. However, we chose to replicate the common scenario where simulators are developed and used for validation before the RTL design is complete.
© 2017 Springer International Publishing AG
Cite this chapter
Subramanyan, P., Malik, S. (2017). Verifying Security Properties in Modern SoCs Using Instruction-Level Abstractions. In: Mishra, P., Bhunia, S., Tehranipoor, M. (eds) Hardware IP Security and Trust. Springer, Cham. https://doi.org/10.1007/978-3-319-49025-0_13
DOI: https://doi.org/10.1007/978-3-319-49025-0_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49024-3
Online ISBN: 978-3-319-49025-0
eBook Packages: Engineering, Engineering (R0)