Language-based Security for VHDL by Tolstrup, Terkel Kristian
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
General rights 
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners 
and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. 
 
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. 
• You may not further distribute the material or use it for any profit-making activity or commercial gain 
• You may freely distribute the URL identifying the publication in the public portal  
 
If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately 
and investigate your claim. 
   
 
Downloaded from orbit.dtu.dk on: Dec 17, 2017
Language-based Security for VHDL
Tolstrup, Terkel Kristian; Nielson, Hanne Riis; Nielson, Flemming
Publication date:
2007
Document Version
Publisher's PDF, also known as Version of record
Link back to DTU Orbit
Citation (APA):
Tolstrup, T. K., Nielson, H. R., & Nielson, F. (2007). Language-based Security for VHDL.  (IMM-PHD; No. 174).
Language-based Security for VHDL
Terkel K. Tolstrup
Kongens Lyngby 2006
IMM-PHD-2006-174
Technical University of Denmark
Informatics and Mathematical Modelling
Building 321, DK-2800 Kongens Lyngby, Denmark
Phone +45 45253351, Fax +45 45882673
reception@imm.dtu.dk
www.imm.dtu.dk
IMM-PHD: ISSN 0909-3192
Summary
The need for reliable performance of computerised systems is well-known, yet
the security veriﬁcation of hardware systems is often none-existing or applied
in an ad-hoc manner. To overcome this issue, standards such as the Common
Criteria has been successful in listing points of attention for a thorough inves-
tigation of a system. Hence in this thesis it is investigated how language-based
security techniques can be adapted and applied to hardware speciﬁcations. The
focus of the investigation is on the information ﬂow security that is required by
the standard. Information ﬂow security provides a strong notion of end-to-end
security in computing systems. However sometimes the policies for information
ﬂow security are limited in their expressive power, and this complicates the
matter of specifying policies even for simple systems. These limitations often
become apparent in contexts where conﬁdential information is released under
speciﬁc conditions.
This thesis presents a novel policy language for expressing permissible infor-
mation ﬂow using expressive constraints on the execution traces for programs.
Based on the policy language a security property is proposed and shown to be a
generalised intransitive non-interference condition. The security property is de-
ﬁned on a fragment of the hardware description language VHDL that is suitable
for implementing the Advanced Encryption Standard algorithm.
The means to verify the property is provided in the terms of a static information
ﬂow analysis. The goal of the analysis is to identify the entire information ﬂow
through the VHDL program. The result of the analysis is presented as a non-
transitive directed graph that connects those nodes (representing either variables
or signals) where an information ﬂow might occur. The approach is compared
to traditional approaches and shown to allow for a greater precision.
Practical implementations of embedded systems are vulnerable to side channel
attacks. In particular timing channels have had a great impact on the security
ii
veriﬁcation of algorithms for cryptography. In order to address this another
security property stating the absence of timing channels is presented. Again,
veriﬁcation is provided by a static analysis, that identiﬁes the timing behaviour
of a program. This analysis consists of a type system that identiﬁes the delay
between when a value enters the system and when it leaves it again. Programs
accepted by our analysis are shown to have no timing channels.
Resume´
Vigtigheden af p˚alidelig opførsel i computersystemer er velkendt, men stadigvæk
bliver sikkerhedsveriﬁkation af hardware-systemer ofte ikke udført, eller veriﬁka-
tionen bliver udført p˚a en ustruktureret facon. For at overkomme dette prob-
lem, har standarder som Common Criteria været succesfulde ved at fremhæve
vigtige punkter for en fuldstændig undersøgelse af et system. Derfor vil denne
afhandling undersøge, hvorledes teknikker inden for sprog-baseret sikkerhed kan
tilpasses og anvendes p˚a hardware speciﬁkationer. Fokus i denne undersøgelse
vil være p˚a information ﬂow sikkerhed som det kræves af standarden. Infor-
mation ﬂow sikkerhed giver en stærk opfattelse af ende-til-ende sikkerhed i et
computersystem. Imidlertid sker det, at politiker for information ﬂow sikker-
hed kan være for begrænsede i deres udtrykskraft, og derfor kan de komplicere
opgaven omkring at angive en politik for endda simple systemer. Disse begræn-
sninger bliver ofte fremhævet af systemer, hvor hemmelige oplysninger bliver
frigivet ved opfyldelse af klare krav.
Denne afhandling præsenterer et nyt sprog for politiker, der muliggør at udtrykke
information ﬂow, der bliver tilladt under angivne krav til eksekveringssekvensen
ved afvikling af programmet. Baseret p˚a sproget for politikerne foresl˚as en
sikkerhedsegenskab, som vises at generaliserer intransitiv non-interference egen-
skaben. Sikkerhedsegenskaben deﬁneres p˚a et fragment af hardware beskrivelses
sproget VHDL, der er tilstrækkeligt til at implementere en Advanced Encryption
Standard algoritme.
En information ﬂow analyse deﬁneres efterfølgende. Ma˚let med analysen er
at identiﬁcere, hvorledes information ﬂyder gennem hele VHDL programmet.
Resultatet af analysen er en intransitiv orienteret graf, der forbinder de knuder
(repræsenterende enten variable eller signaler), hvor informationen eventuelt
kan ﬂyde. Denne tilgang sammenlignes med traditionelle metoder og vises at
muliggøre en analyse med større præcision.
iv
Virkelige implementationer af indlejrede systemer er s˚arbare over for angreb gen-
nem side channels. Specielt har side channels stor indﬂydelse p˚a sikkerhedsver-
iﬁkationen af kryptograﬁskealgoritmer. Derfor foresl˚as en sikkerhedsegenskab,
der angiver, hvorn˚ar et system er fri for timing channels. En statisk analyse til
at identiﬁcere den tidsmæssige opførsel af et program bliver ogs˚a præsenteret.
Analysen best˚ar af et type system, der identiﬁcerer forsinkelser, mellem at en
værdi kommer ind i systemet, og indtil den forlader systemer igen. Det bevises
at programmer, der accepteres af analysen, ikke indeholder timing channels.
Preface
Whether you take the doughnut hole as a blank space
or as an entity unto itself is a purely metaphysical question
and does not aﬀect the taste of the doughnut one bit
— Haruki Murakami
This thesis was prepared at the department for Informatics and Mathematical
Modelling, Technical University of Denmark in partial fulﬁllment of the require-
ments for acquiring the Ph.D. degree in engineering. The Ph.D. study has been
carried out under the supervision of Professor Hanne Riis Nielson and Professor
Flemming Nielson.
Acknowledgements
I would like to thank my supervisors Hanne Riis Nielson and Flemming Nielson
for continous support and guidance. Furthermore I would like to thank them
as well as the rest of the LBT Group, Han Gao, Christoﬀer Rosenkilde Nielsen,
Henrik Pilegaard, Christian W. Probst and Ye Zhang for providing an inspiring
and motivating working environment. Further gratitude must go to Henrik Pi-
legaard for enduring countless discussions, arguments and three years of sharing
an oﬃce with me. I would to thank Rene´ Rydhof Hansen for numerous discus-
sions and working together with me on [TNH06], likewise thanks go to Sebatian
Nanz for comments and suggestions.
For my visit at the Universita¨t des Saarlandes, Saarbru¨cken, Germany, I would
like to thank Reinhard Wilhelm for providing me with everything I needed
during the three month I visited, and for always discussing, commenting and
motivating my work on timing channels. Thanks go to Stephan Thesing for
vi
discussions and suggestions and to Jo¨rg Bauer for comments, proof reading and
never allowing me a boring weekend.
I would like to thank Andrei Sabelfeld for allowing me to visit him at Chalmers
during September 2005, for helping me with numerous issues - work related and
otherwise - and for being a inspiration, even after my return to Lyngby. Thanks
also go to David Sands, Aslan Askarov and Daniel Hedin for welcoming me to
the ProSec group, and for having daily discussions that have helped me shape
an understanding and intuition for bisimulations as security properties.
Finally I would like to thank my family, friends and in particular my wife for
unlimited patience, support and love, without which I could not have ﬁnished
this thesis.
Lyngby, October 2006
Terkel K. Tolstrup
vii
viii
Contents
Summary i
Resume´ iii
Preface v
1 Introduction 1
1.1 Main thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 VHDL 7
2.1 CoreVHDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 Properties of the Semantics . . . . . . . . . . . . . . . . . . . . . 20
2.4 Example: Advanced Encryption Standard . . . . . . . . . . . . . 21
x CONTENTS
2.5 Discussion and Related Work . . . . . . . . . . . . . . . . . . . . 23
3 Security Policies 29
3.1 Locality-based security policies . . . . . . . . . . . . . . . . . . . 31
3.2 History-based Release . . . . . . . . . . . . . . . . . . . . . . . . 36
3.3 Transitive Security Policies . . . . . . . . . . . . . . . . . . . . . 41
3.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4 Information Flow Analysis 49
4.1 Local dependencies in CoreVHDL . . . . . . . . . . . . . . . . . 50
4.2 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3 History-based Release . . . . . . . . . . . . . . . . . . . . . . . . 62
4.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
5 Reaching Deﬁnitions Analysis 73
5.1 Analysing CoreVHDL . . . . . . . . . . . . . . . . . . . . . . . 74
5.2 Global dependencies . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.3 Analysing Advanced Encryption Standard . . . . . . . . . . . . . 86
5.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
6 Timing Leaks 89
6.1 CoreVHDL with Timing Behaviours . . . . . . . . . . . . . . . 91
6.2 Absence of Timing Leaks . . . . . . . . . . . . . . . . . . . . . . 97
6.3 Execution Path Analysis . . . . . . . . . . . . . . . . . . . . . . . 102
CONTENTS xi
6.4 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.5 Analysing Advanced Encryption Standard . . . . . . . . . . . . . 124
6.6 Discussion of practical issues . . . . . . . . . . . . . . . . . . . . 125
6.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
7 Conclusion 131
7.1 Final remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
xii CONTENTS
C h a p t e r 1
Introduction
There is something to be learned from a rainstorm. When meeting with a
sudden shower, you try not to get wet and run quickly along the road. But
doing such things as passing under the eaves of houses, you still get wet. When
you are resolved from the beginning, you will not be perplexed, though you still
get the same soaking. This understanding extends to everything.
— Yamamoto Tsunetomo
Every individual comes into contact with over a hundred embedded computer
systems every day [Mat04]. Many exist in our homes and many more operate
the commonplace items in the world around us. They are now common in house-
holds through cameras, televisions, video players, refrigerators, lawn sprinkler
systems, and many other items. They are in the world around us controlling
our street lighting, door openers, intruder alert systems, product theft security,
speed cameras, and much more. Furthermore several embedded systems per-
form safety critical operations where malfunction might cause the loss of human
lives, for example in pacemakers, steering aid for cars and ﬂy-by-wire systems
for airplanes.
Every day additional functionality are added to existing systems and new sys-
tems are integrated into more devices. In fact the growth in the complexity of
embedded systems is said to be exponential, commonly referred to as Moore’s
law, that state that the number of transistors in a integrated circuit is doubled
every 18 months. At the same time the size and price of the circuit is halved.
According to [MED04] the electronics industry totalled a $800 billion market in
2003. The main threat identiﬁed in [SEM03] to the growth of this market is the
2 Introduction
cost connected to the design of systems. The fact that about 60% to 70% of the
total development time of a circuit is spent on simulation [MED02] makes it of
great concern.
The concept of security for these systems is traditionally very low because the
designer has always been able to depend on the physical security of an enclosed
box. However, as more of the ”boxes” are connected together networks come
into being and opportunities for access and malfunction, whether through poor
design, unforeseen circumstances, or foul play, become possible. Their security
is at risk in many cases, much of it due to ”security through obscurity”. The
simulation phase of the development cycle is rarely concerned with verifying se-
curity properties. Instead the focus is on validating the behaviour of the system
on “standard” well-formed input, to make sure that the required functionality is
implemented. However the security of systems is often compromised because of
non-standard input, that might be the result of unforeseen usage of the system
or hostile behaviour.
The need for reliable performance of computerised systems is well-known, yet
the ad-hoc design of systems that become increasingly complex makes docu-
menting and verifying security properties hard. Therefore to document the
veriﬁcation of a number of well-known security properties (e.g. authenticity,
conﬁdentiality and integrity) standards and frameworks have been proposed.
In this thesis the focus will be on the Common Criteria [CC98] standard pro-
posed and maintained by the International Standard Organization (ISO). The
Common Criteria supersedes the Trusted Computer System Evaluation Criteria
(TCSEC) [DOD85], the Information Technology Security Evaluation Criteria
(ITSEC) [ITS91] and the Canadian Trusted Computer Product Evaluation Cri-
teria (CTCPEC). The Common Criteria standard greatly beneﬁts from being
an internationally accepted standard, e.g. the United Nations have chosen the
standard for the documentation of the security of systems used by the military
of member countries.
The Common Criteria standard is a collection of objectives describing security
properties for all kinds of systems, descriptions of assurances to match each
objective and assurance levels that deﬁne the kind of methods used to provide
the assurances. When documenting a system’s security the designer needs to
identify a set of reasonable objectives with respect to the setting and usage of
the system. Based on these objectives assurances need to be given and docu-
mented. Each assurance is given within a level specifying the manner of the
veriﬁcation. Assurances given in the lower levels need to document details on
the requirements for the system and the tests performed (for example by simu-
lation) to ensure that the system behaves accordingly. Assurances in the higher
levels require that formal methods are applied to verify the system.
3In contrast to simulation, formal methods can be exhaustive, even for complex
systems with inﬁnitely many states, as they deal with proving the correctness
of a system. One could prove the correctness of a system in the same fashion
as theorems are proved. This would demand much time and eﬀort. Hence
assistance from automated theorem provers could aid the designers or evaluators.
Still, the amount of expertise and knowledge required often result in only core
functions of real-life systems being veriﬁed.
Another option is to validate the behaviour of the system by performing an
exhaustive search on all possible input, model checking does so. However this
approach might suﬀer from the complexity of systems, commonly referred to
as the state explosion problem. Therefore many approaches based on model
checking rely on techniques for reducing the state space, heuristics and ran-
domisation. These techniques have shown to be powerful in ﬁnding ﬂaws, but
in general they are not suitable for proving the absence of ﬂaws. However this
would be a main goal for assuring a Common Criteria objective.
Therefore important properties of the formal methods assisting in the veriﬁca-
tion of Common Criteria assurances would have to be
Automatic: Demands a minimum of eﬀort from the designer
Correctness: Guarantees that veriﬁcation implies assurance
Eﬃcient: Handles the complexity of realistic systems
Exhaustiveness: Must cover all executions on all input
To fulﬁll these properties we use static program analysis [NNH99]. Static pro-
gram analysis beneﬁts from being developed within well-founded frameworks
with clear guidelines for their implementation, resulting in tools that are auto-
matic and exhaustive. The limitation of static program analysis is that one is
forced to sacriﬁce precision in return for eﬃciency. Precision is lost due to using
abstractions of the analysed system. Still analyses can be designed to perform
well on real-life systems, being both eﬃcient and suﬃciently precise. To achieve
the correctness of the method it is therefore important that all abstractions in-
troduced in the analysis still allow us to verify programs that fulﬁll the desired
objectives.
4 Introduction
1.1 Main thesis
The main thesis of this report is therefore to show that static program analy-
ses can be designed and implemented, such that they result in tools that can
automatically and eﬃciently verify speciﬁcations of integrated circuits and give
exhaustive and correct assurances of Common Criteria objectives.
For this purpose we consider the objectives Information ﬂow control policy
(FDP IFC) and Information ﬂow control functions (FDP IFF) from the Com-
mon Criteria standard, that deal with the conﬁdentiality of information manip-
ulated by the system. In this thesis the ﬂow of information through a system
is viewed as a directed graph and the deﬁnition of information ﬂow policies is
based on this view. This is contrary to much of the literature available in the
ﬁeld on information ﬂow security (see [SM03a] for references). The traditional
view is that information can be divided into hierarchical levels. This matches
the intuition of military systems where information is labelled with security
annotations such as Top Secret, Conﬁdential and Unclassiﬁed. In the more
general setting of multiple systems participating in collaborative transactions
(e.g. online shopping, tax auditing and service oriented computing) a natural
underlying hierarchical order is not always apparent. Hence in this thesis we
will investigate the usage of graph-based policies for information ﬂow security.
The ﬂow of information is veriﬁed by a set of analyses dealing with diﬀerent
facets; ﬁrst an analysis verifying the ﬂow of information due to control- and
data-ﬂow during execution of the program and second an analysis that deals
with covert channels introduced by diﬀerences in the timing behaviour of the
system. Together, these analyses will give a large part of the assurance for a
system needed when making the Common Criteria evaluation document.
Another main goal is that the designed analyses validate speciﬁcations of in-
tegrated circuits directly, rather than analysing on a process calculi, thereby
forcing the developers to translate the system, and possibly introducing ﬂaws in
the process. The presented analyses are all speciﬁed on a fragment of VHSIC1
Hardware Description Language (VHDL). The fragment will be referred to as
CoreVHDL and is expressive enough to deal with speciﬁcations of integrated
circuits not designed for veriﬁcation purposes.
1Very High Speed Integrated Circuit
1.2 Overview 5
1.2 Overview
In the following chapters the investigation of information ﬂow security in the
hardware setting is investigated. First the semantical model for CoreVHDL
is deﬁned in Chapter 2, which allows us to formalise the semantical meaning
of the Locality-based security policies in Chapter 3. Chapter 3 also proposes a
generalised non-interference property, named History-based Release, that per-
mits information ﬂows based on the execution history of the involved principals.
Chapter 4 presents an Information Flow analysis that allows for the automatic
veriﬁcation of hardware speciﬁcations. The analysis is extended in Chapter 5 by
a Reaching Deﬁnitions analysis, which tracks the control ﬂow in the program. In
Chapter 6 timing leaks in integrated circuits are investigated. A security prop-
erty for the absence of timing leaks in a CoreVHDL speciﬁcation is proposed
and an automated analysis for verifying programs is presented.
During the investigations presented is this thesis much of the work has been
inspired by a real communications system sought to be veriﬁed within the Com-
mon Criteria. The communications system was developed by the Danish com-
pany Maersk Data Defence, as a contractor for the military sector. The pre-
sented analyses were successful in verifying the available parts of the system that
were previously veriﬁed by a paper-and-pencil approach. Unfortunately due to
contractual obligations the system can not be discussed in this thesis. Instead
we will continuously consider a reference implementation of the Advanced En-
cryption Standard (AES) [WBRF00]. This implementation will be a running
example aiding in illustrating the techniques presented in the chapters.
1.3 Contributions
The main contributions of this thesis are:
Chapter 2 presents a detailed semantical model of VHDL. In particular, prac-
tical issues of the semantics for VHDL is treated formally in accordance
with state-or-the-art simulators. These issues are previously neglected or
formalised in an incorrect manner, i.e. with respect to the VHDL stan-
dard [IEE01]. Parts of this contribution has previously been published in
[TNN05] and [TN06].
Chapter 3 investigates the usage of graph based security policies for infor-
mation ﬂow security. Furthermore the policies are extended with a no-
tion of localities and execution history that results in a generalised non-
6 Introduction
interference property, History-based Release. Parts of the graph based
policies for information ﬂow was originally published in [TNN05], while
parts of the locality-based policies and the history-based release property
for the process calculi Klaim [BBN+03] was published in [TNH06].
Chapter 4 presents the automated analysis of a VHDL subset for information
ﬂow security. Especially the treatment of synchronisation in VHDL leads
to novel results. Furthermore the automated analysis for programs that
comply with the History-based Release property. Parts of these contribu-
tions have previously been published in [TNN05, TNH06].
Chapter 5 motivates the need for control ﬂow sensitive analyses for informa-
tion ﬂow security. The chapter presents a Reaching Deﬁnitions analy-
sis, and discusses previously published approaches to static analysers for
VHDL. The Reaching Deﬁnitions analysis was ﬁrst published in [TNN05].
Chapter 6 considers timing leaks in hardware speciﬁcations. A novel property
for the absence of timing leaks is presented together with an automated
analysis for veriﬁcation of systems. The property is the ﬁrst of its kind
that supports the composition with generalised non-interference proper-
ties. Parts of the work was ﬁrst published in [TN06].
Furthermore nontrivial extensions and additions have been necessary to com-
plete the work presented in this thesis. In particular the work presented in
this thesis removes several simpliﬁcations made on the hardware setting in the
published papers.
C h a p t e r 2
VHDL
The diﬀerence between virtuality and life is very
simple. In a construct you know everything is being
run by an all-powerful machine. Reality doesn’t oﬀer
this assurance, so it’s very easy to develop the mistaken
impression that you’re in control.
— Richard K. Morgan
Very High Speed Integrated Circuit Hardware Description Language, commonly
referred to as VHSIC Hardware Description Language or VHDL, is one of the
most widely used hardware description languages. Development was initiated in
1981 under a research programme initiated by the US Department of Defense to
accommodate the rising need for documenting integrated circuits. Hence early
on VHDL focussed on describing the behaviour of hardware in a manner that
allowed speciﬁcations to be decomposed hierarchically while providing a well-
deﬁned interface for composing elements. With the details available in a VHDL
description the possibility of simulating speciﬁcations became apparent. This
possibility of simulating hardware descriptions before synthesising the circuit
had great impact, as it severely cut the development cost and time, and therefore
participated in shaping a new hardware design methodology. Finally, tools for
automatic synthesis of descriptions were developed. During the mid-1980s all
rights to the language deﬁnition were given to IEEE, who standardised the
language as IEEE standard 1076-1987 [IEE87].
A problem not solved in the original standard was that of an electrical signal’s
driving strength. This is a result of not only having the pure boolean values
8 VHDL
true and false in digital hardware design, but also having the possibility of
e.g. turning oﬀ a signal in the synthesised circuit. The IEEE standard 1164-
1993 [IEE93a] introduced the multi-valued logic std logic, not only including
values for driving strengths but also an unknown value (primarily for simulation
purposes). The VHDL standard was revised accordingly [IEE93b] while taking
other issues into account as well, such as making the syntax more consistent
and introducing more logical operators. Like all other IEEE standards the
VHDL standard is revised every ﬁve years to ensure an ongoing relevance to the
industry. The most recent revision is IEEE standard 1164-2001 [IEE01].
In this thesis we will focus on a subset of the latest revision. The subset is
identiﬁed around the main concepts in register transfer level (RTL) VHDL, the
interpretation of which common language simulators and synthesisers should
agree on [IEC05]. The subset will be referred to asCoreVHDL and is presented
in Section 2.1. Furthermore we will discuss some of the language constructs left
out, and their pre-compilation into the CoreVHDL subset.
In order to reason about VHDL descriptions we ﬁrst need to deﬁne their se-
mantics. The semantics will be a cornerstone in the techniques presented later.
Hence deﬁning the semantics is the main goal of this chapter. The rest of the
chapter will be structured as follows; the semantics is presented in Section 2.2.
Section 2.4 presents the running example to be used throughout the thesis, which
is based on an implementation of the Advanced Encryption Standard. Finally
we discuss related work in Section 2.5.
2.1 CoreVHDL
Prior to the introduction of VHDL most hardware was documented in an ad-
hoc manner. Hence with the introduction of VHDL it was important to have a
description language with a well-deﬁned syntax and semantics. The original syn-
tax of VHDL was essentially a subset of the Ada programming language, where
special constructs were added to handle the parallelism inherent in hardware
design. A central issue in hardware design is the behaviour of the underlying
circuit, which the hardware description should document with enough precision
to allow simulation and automatic synthesis. However, since VHDL is primar-
ily developed for documenting hardware, only a subset of the language can be
simulated and synthesised automatically. While many simulators often support
larger subsets their simulations are only required to agree on the Register Trans-
fer Level subset [IEC05]. Thus our investigation is limited to a subset of RTL
VHDL to give some assurance of compliance with tools for synthesis.
2.1 CoreVHDL 9
10
Past Now Delta Future
Present
Signals Signals
Active
Figure 2.1: The representation of abstract time in the signal store.
A VHDL description may contain a mixture of behavioural and structural spec-
iﬁcations. A behavioural speciﬁcation describes the functionality in much the
same way as a program in a traditional programming language. A structural
speciﬁcation describes how structures are connected into a more complex archi-
tecture. For a speciﬁcation to be synthesizable the behaviour of the program
must be completely speciﬁed, i.e. all parts of the VHDL speciﬁcation must be
given by a behavioural speciﬁcation or the speciﬁcations used in the structural
speciﬁcation are all present either as library structures or constructed of smaller
behavioural speciﬁcations.
CoreVHDL is a fragment of RTL VHDL that concentrates on the behavioural
speciﬁcation of models. A program in CoreVHDL consists of entities and
architectures, uniquely identiﬁed by indices ie, ia ∈ Id. An entity describes
a component’s interface to the environment. An architecture comprises the
behavioural or structural speciﬁcation of an entity.
An entity speciﬁes a set of signals referred to as ports (prt ∈ Prt), each port is
represented by a signal (s ∈ Sig) used for reference in the speciﬁcation of the
architecture; furthermore a notion of the intended usage of the signal is speciﬁed
by the keywords in and out determining if the signals value can be altered or
read by the environment, and the type of the signal’s value.
An architecture model is speciﬁed by a family of concurrent statements (css ∈
Css) running in parallel; mainly processes, here the index ip ∈ Id is a unique
identiﬁer in a ﬁnite set of process identiﬁers (Ip ⊆ﬁn Id). Each process has a
statement (ss ∈ Stmt) as body and may use logical values (m ∈ LV al), local
variables (x ∈ V ar) as well as signals (s ∈ Sig, S ⊆ﬁn Sig). When accessing
variables and signals we always refer to their present value and when we assign
to variables it is always the present value that is modiﬁed. However, when
assigning to a signal its present value is not modiﬁed, rather its so-called active
value is modiﬁed; this representation of signal’s values, as illustrated in Figure
2.1, is used to take care of the physical aspect of propagating an electrical
current through a system, the time consumed by the propagation is usually
called a delta-delay. The wait statements are synchronisation points, where the
active values of signals are used to determine the new present values that will
10 VHDL
pgm ∈ Pgm programs
pgm ::= ent | arch | pgm1 pgm2
ent ∈ Ent entities
ent ::= entity ie is port(prt); end ie;
prt ∈ Prt ports
prt ::= s : in type | s : out type | prt1; prt2
type ∈ Type types
type ::= std logic
arch ∈ Arch architectures
arch ::= architecture ia of ie is begin css; end ia;
css ∈ Css concurrent statements
css ::= ip : process decl; begin ss; end process ip
| ib : block decl; begin css; end block ib
| css1 ‖ css2
decl ∈ Decl declarations
decl ::= variable x : type := e
| signal s : type := e
| decl1; decl2
ss ∈ Stmt statements
ss ::= null | ss1; ss2 | if e then ss1 else ss2
| x := e | s <= e
| wait on S until e
e ∈ Exp expressions
e ::= m | opu e | e1 opb e2 | x | s
Figure 2.2: The subset CoreVHDL of VHDL.
be common to all processes. This will be further discussed in Section 2.2.
Concurrent statements could also be block statements that allow local signal
declarations for the use of internal communication between processes declared
within the block. The index ib ∈ Id is a unique identiﬁer in a ﬁnite set of
block identiﬁers (Ib ⊆fin Id). The scope of the local signals declared by a block
deﬁnition is the concurrent statements speciﬁed inside the block.
2.1 CoreVHDL 11
Since VHDL describe digital hardware we are concerned with the details of
electrical signals, and it is therefore necessary to include types to represent
digitally encoded values. We consider logical values (LV al) of the standard
logic type std logic, that includes traditional boolean values as well as values for
electrical properties.
The formal syntax is given in Figure 2.2. In VHDL it is allowed to omit com-
ponents of wait statements. Writing FS(e) for the free signals in e, the eﬀect of
’on FS(e)’ may be obtained by omitting the ’on S’ component, and the eﬀect
of ’until true’ may be obtained by omitting the ’until e’ component. (In
other words, the default values of S and e are FS(e) and true, respectively.)
Semantically, S is the set of signals waited on, i.e. at least one of the signals of
S must have a new active value, and e is a condition on the resulting present
values that must be fulﬁlled, in order to leave the wait statement.
The syntax does not include any loops. In general the loops in VHDL can not
be synthesised, as the synthesising tool needs to produce timing guarantees on
ﬁnishing the loop. Instead, looping behaviour is obtained using processes and
iterator signals. However, loops aid in making high-level speciﬁcations succinct.
Hence in Section 2.1.1 we discuss the unrolling of loops during pre-compilation.
In CoreVHDL the notion of signals is simpliﬁed with respect to full VHDL and
does not allow references further ahead in time than the following delta-cycle.
This correspond to the choice made in RTL VHDL and not only simpliﬁes
the analysis but also simpliﬁes the deﬁnition of the semantics: Of the many
accounts to be found in the literature [Goo95, TE01] we have found the one of
[TE01] to best correspond to our practical experiments, based on test programs
simulated with the ModelSim SE 5.7d VHDL simulator [Men03]. Even with
this restriction CoreVHDL is suﬃciently expressive to deal with the programs
of the AES implementation.
2.1.1 Pre-compiling RTL VHDL to CoreVHDL
The CoreVHDL subset of RTL VHDL is restricted in its expressiveness. Here
we discuss some commonly used syntactical constructs and their pre-compilation
to CoreVHDL. The following operations are performed right after a RTL
VHDL speciﬁcation has been parsed.
Hierarchy ﬂattening The VHDL standard [IEE01] describe how the hierar-
chical structure of a speciﬁcation can be ﬂattened. The pre-compiler instantiates
12 VHDL
all the modules and in-line functions. This enables us to handle structural spec-
iﬁcations by ﬂattening them to elaborate behavioural speciﬁcations.
Concurrent Assignment Signal assignment can be performed as a concur-
rent statement, this corresponds to a process that is sensitive to the free sig-
nals in the right-hand side expression and that has the same assignment inside
[Ash02].
Loop unrolling Loops are also allowed at the level of concurrent statements,
these are commonly used to produce a multitude of processes with similar be-
haviour. Furthermore loops can be applied within processes, with semantics
similar to that of imperative languages, see e.g. [NN92]. If the speciﬁcation is
synthesizable all loops need to result in a ﬁnite execution [IEC05]. Hence when
considering synthesizable speciﬁcations loops are unrolled.
Scalarisation of vectors Following the approach presented in [SV00] vectors
are scalarized and replace the new signals named like the vector and postﬁxed
with the index, this is possible as only statically deﬁned vectors are available in
RTL VHDL [IEC05].
2.2 Semantics
Before we can deﬁne the semantics for CoreVHDL we need to understand how
integrated circuits work. Most tools for synthesising circuits from VHDL de-
scriptions support the conﬁguration of Field Programmable Gate Arrays (FPGA).
A FPGA consist of Logical Blocks (LB) and Input/Output Blocks (IOB), the
structure is illustrated in Figure 2.3. The blocks are connected by wires, that in
switch points can be interconnected or not. The synthesising step of the hard-
ware design methodology is to decide the conﬁguration of the switch points,
thus giving the paths between LBs and IOBs. IOBs are the interface to the
environment. The IOBs can also connect an outgoing wire to an incoming wire.
One important aspect of the synthesis step is that signals are mapped down to
the wires connecting LBs and IOBs. It is also important to observe that the
FPGA does not execute the VHDL speciﬁcation, but instead provides a layout
of the switches. The value of each signal will therefore be carried to and from
the LB on diﬀerent wires. In VHDL this is captured by dividing the values of
signals into an active value and an present value, these match the from and to
2.2 Semantics 13
Figure 2.3: The structure of a FPGA.
wire, respectively. The time spent on stabilising and propagating the electrical
current over the gates is called a delta-delay.
Another important aspect is that the integrated circuit does not stop working
or otherwise end, in fact whenever the input is modiﬁed the new currents are
propagated through the FPGA until it has stabilised again. To capture this
behaviour when simulating hardware speciﬁcations we consider a simulation
cycle as consisting of two phases:
• the signal update phase, and
• the process execution phase
In the signal update phase, simulation time is advanced to the time of the next
scheduled active value, then all active values are applied to the correspond-
ing signals. This may cause events to occur. In the process execution phase,
all processes that wait on these events are resumed and executed until again
suspended at wait statements. The simulation cycle is then repeated.
The main idea when deﬁning the semantics for CoreVHDL programs is there-
fore to execute each process by itself until a synchronisation point is reached (i.e.
a wait statement). When all processes of the program have reached a synchro-
nisation point synchronisation is handled, while taking care of the resolution of
signals in case a signal has been assigned diﬀerent values by the processes. This
14 VHDL
synchronisation will leave the processes in a state where they are ready either
to continue execution by themselves or wait for the next synchronisation.
Basic semantic domains The syntax of programs in CoreVHDL is limited
to statements operating on a state of logical values. These logical values are
deﬁned as v ∈ LV al = {’U’, ’X’, ’0’, ’1’, ’Z’, ’W’, ’L’, ’H’, ’-’} where the values
indicate the properties
’U’ Uninitialised ’X’ Forcing Unknown ’0’ Forcing zero
’1’ Forcing one ’Z’ High Impedance ’W’ Weak Unknown
’L’ Weak zero ’H’ Weak one ’-’ Don’t care
these logical values capture the behaviour of an electrical system better than
traditional boolean values. Hence they have been included in the VHDL stan-
dard from the second revision [IEE93b], see [Ash02] for further details. We
have a function mapping logicals in the syntax to logical values in the semantics
L : LV al → V alue.
Constructed semantic domains CoreVHDL includes local variables and
signals. The values of the local variables are stored in a local state, which is a
mapping from variable names to logical values.
σ ∈ State = (V ar → V alue)
The idea is that we have a local state for each process, keeping track of assign-
ments to local variables encountered in the execution of the process so far.
For communication between the processes we have signals, the values of which
are stored in local states. The processes communicate by synchronising the
signals of their local signal state with other processes.
ϕ ∈ Signals = (Sig → ({0, 1} ↪→ V alue))
The value assigned to a signal is available after the following synchronisation,
therefore we keep the present value of a signal s in ϕ s 0. In ϕ s 1 we store the
assigned value, meaning that it is available in the following delta-cycle. Each
signal state has a time line for each signal. Values in the past are not used and
therefore forgotten by the semantics; in CoreVHDL it is not possible to assign
values to signals further into the future than one delta-cycle.
2.2 Semantics 15
E [[m]]〈σ, ϕ〉 = L[[m]]
E [[x]]〈σ, ϕ〉 = σ x
E [[s]]〈σ, ϕ〉 = ϕ s 0
E [[opu e]]〈σ, ϕ〉 = opu v where E [[e]]〈σ, ϕ〉 = v
and opu v deﬁned
E [[e1 opb e2]]〈σ, ϕ〉 = v1 opb v2 where E [[e1]]〈σ, ϕ〉 = v1
and E [[e2]]〈σ, ϕ〉 = v2
and v1 opb v2 deﬁned
Table 2.1: Semantics of Expressions
All signals have a present value, so ϕ s 0 is deﬁned for all s. Not all signals need
to be active meaning they have a new value waiting in the following delta-cycle,
i.e. ϕ s 1 need not be deﬁned. Hence we use {0, 1} ↪→ V alue in the deﬁnition
of the signal state to indicate that it is a partial function.
The semantics handles expressions following the ideas of [NN92]. For expressions
E : Exp → (State× Signals ↪→ V alue)
evaluates the expression. The function is deﬁned in Table 2.1. Note that for
signals we use the current value of the signal, i.e. ϕ s 0.
2.2.1 Statements
The semantics of statements and concurrent statements are speciﬁed by tran-
sition systems, more precisely by structural operational semantics [Plo04]. For
statements we shall use conﬁgurations of the form:
〈ss′, σ, ϕ〉 ∈ Stmt′ × State× Signals
Here Stmt′ refers to the statements from the syntactical category Stmt with
an additional statement (final) indicating that a ﬁnal conﬁguration has been
reached. Therefore the transition relation for statements has the form:
〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
which speciﬁes one step of computation. The transition relation is speciﬁed in
Table 2.2 and brieﬂy commented upon below.
16 VHDL
[Local Variable Assignment] :
〈x := e, σ, ϕ〉 ⇒ 〈final, σ[x → v], ϕ〉
where E [[e]]〈σ, ϕ〉 = v
[Signal Assignment] :
〈s <= e, σ, ϕ〉 ⇒ 〈final, σ, ϕ[1][s → v]〉
where E [[e]]〈σ, ϕ〉 = v
[Skip] :
〈null, σ, ϕ〉 ⇒ 〈final, σ, ϕ〉
[Composition] :
〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′, ϕ′〉
where ss′1 ∈ Stmt
〈ss1, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss2, σ′, ϕ′〉
[Conditional] :
〈if e then ss1 else ss2, ϕ〉 ⇒ 〈ss1, σ, ϕ〉
if E [[e]]〈σ, ϕ〉 = ’1’
〈if e then ss1 else ss2, ϕ〉 ⇒ 〈ss2, σ, ϕ〉
if E [[e]]〈σ, ϕ〉 = ’0’
Table 2.2: Statements
An assignment to a signal is deﬁned as an update to the value at the delta-time,
i.e. ϕ s 1. We use the notation ϕ[i][s → v] to mean ϕ[s → ϕ(s)[i → v]].
Because the wait statement is in fact a synchronisation point of the processes it
is handled in Section 2.2.2, along with the handling of the concurrent processes.
2.2.2 Concurrent Statements
The semantics of concurrent statements handles the concurrent processes and
the synchronisations of a CoreVHDL program. The transition system for
concurrent statements has conﬁgurations of the form:
‖i∈I 〈css′i, σi, ϕi〉
2.2 Semantics 17
for I ⊆ﬁn Id and css′i ∈ Css′, σi ∈ State, ϕi ∈ Signals for all i ∈ Id. Thus
each process has a local variable and signal state. Here Css′ refers to the
concurrent statements from the syntactical category Css with the additional
option of statement from the category Stmt preceding a concurrent statement.
This allows for a succinct semantics for process statements.
The initial conﬁguration of a CoreVHDL program is:
‖i∈I 〈i : process decli; begin ssi; end process i, σ0i , ϕ0i 〉
The ith process uses an initial state for signals deﬁned by the semantics for
declarations of signals. If no initial value is speciﬁed the following are used:
σ0i x = ’U’ and ϕ
0
i s 0 = ’U’ for all signals used in the process ssi. ϕ
0
i s 1 is
undef for all signals used in the process ssi.
The transition relation for concurrent statements has the form:
‖i∈I 〈css′i, σi, ϕi〉 =⇒‖i∈I 〈cssi′′, σ′i, ϕ′i〉
which speciﬁes one step of computation.
The transition relation is speciﬁed in Table 2.3 and explained below.
As mentioned, the idea when deﬁning the semantics of programs in CoreVHDL
is that we execute processes locally until they have all arrived at a wait state-
ment; this is reﬂected in the rule [Handle non-waiting processes (H)].
When all processes are ready to execute a wait statement we perform a syn-
chronisation covered by the rule [Active signals (A)]. If a signal waited for is
active, the processes waiting for that signal may proceed; this is expressed using
the predicate active(ϕ) deﬁned by
active(ϕ) ≡ ∃s∃v : ϕ s 1 = v
The delta-delayed values of signals will be synchronised for all processes and in
order to do this we use a resolution function fs of the form:
fs : multiset(V alue)→ V alue
Thus fs combines the multi-set of values assigned to a signal into one value that
then will be the new (unique) value of the signal. VHDL allow a resolution
function to be speciﬁed in a syntax much like that of a process. We assume that
18 VHDL
[Handle non-waiting processes (H)] :
〈ssj , σj , ϕj〉 ⇒ 〈ss′j , σ′j , ϕ′j〉
‖i∈I∪{j} 〈ssi; cssi, σi, ϕi〉 =⇒‖i∈I∪{j} 〈ss′i; cssi, σ′i, ϕ′i〉
where ss′i = ssi ∧ σ′i = σi ∧ ϕ′i = ϕi for all i = j.
〈ssj , σj , ϕj〉 ⇒ 〈final, σ′j , ϕ′j〉
‖i∈I∪{j} 〈ssi; cssi, σi, ϕi〉 =⇒‖i∈I∪{j} 〈css′i, σ′i, ϕ′i〉
where css′i = cssi for all i = j and
css′i = ssi; cssi ∧ σ′i = σi ∧ ϕ′i = ϕi for all i = j.
[Active signals (A)] :
‖i∈I 〈wait on Si until ei; cssi, σi, ϕi〉 =⇒‖i∈I 〈css′i, σi, ϕ′i〉
if ∃i ∈ I. active(ϕi)
where
ϕ′i s 0 =
{
fs{{U(ϕk, s) | k ∈ I}} if ∃j ∈ I. ϕj s 1 is deﬁned
v otherwise, ϕi s 0 = v
ϕ′i s 1 = undef
css′i =
⎧⎨
⎩
cssi if ((∃s ∈ Si. ϕi s 0 = ϕ′i s 0)
∧ E [[ei]]〈σi, ϕ′i〉 =′ 1′)
wait on Si until bi; cssi otherwise
[Processes (P)] :
‖i∈I 〈i : process decli; begin ssi; end process i, σi, ϕi〉 =⇒
‖i∈I 〈ssi; i : process decli; begin ssi; end process i, σi, ϕi〉
Table 2.3: Concurrent statements
all signals handled in resolution functions are in the argument of the function.
The resolution function is applied to the active values of a signal, however if a
signal is not active in a local signal state of a process the present value is used
instead. We introduce the function
U(ϕi, s) =
{
v if ϕi s 1 = v
v otherwise, ϕi s 0 = v
to determine whether the active value or the present value is used.
The VHDL standard [IEE01] deﬁnes a resolution function for the type std logic
called resolve. The function is applied on a list of values for the signal. If the
function is passed an empty list, it returns the value ′Z ′. If there is only one
driving value, the function returns that value unchanged. Otherwise, the func-
2.2 Semantics 19
′U ′ ′X ′ ′0′ ′1′ ′Z ′ ′W ′ ′L′ ′H ′ ′−′
′U ′ ′U ′ ′U ′ ′U ′ ′U ′ ′U ′ ′U ′ ′U ′ ′U ′ ′U ′
′X ′ ′U ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′
′0′ ′U ′ ′X ′ ′0′ ′X ′ ′0′ ′0′ ′0′ ′0′ ′X ′
′1′ ′U ′ ′X ′ ′X ′ ′1′ ′1′ ′1′ ′1′ ′1′ ′X ′
′Z ′ ′U ′ ′X ′ ′0′ ′1′ ′Z ′ ′W ′ ′L′ ′H ′ ′X ′
′W ′ ′U ′ ′X ′ ′0′ ′1′ ′W ′ ′W ′ ′W ′ ′W ′ ′X ′
′L′ ′U ′ ′X ′ ′0′ ′1′ ′L′ ′W ′ ′L′ ′W ′ ′X ′
′H ′ ′U ′ ′X ′ ′0′ ′1′ ′H ′ ′W ′ ′W ′ ′H ′ ′X ′
′−′ ′U ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′ ′X ′
Table 2.4: Resolution table rt
tion uses a resolution table to resolve driving values
resolve{{s1, s2, . . . , sn}} = rt(s1, rt(s2, rt(. . . , sn) · · · )))
where the resolution table rt is deﬁned in Table 2.4.
Notice that even though a signal, which a wait statement is waiting for becomes
active, it is not enough to guarantee that it proceeds with its execution. This is
because we have the side condition ’until e’. This is reﬂected in the deﬁnition
of the statement css′i of the next conﬁguration. Notice that the state of local
variables is unchanged.
Recall that it is the intention to repeat the statement ssi indeﬁnitely in a process
declaration i: process decli; begin ssi; end process i , this is reﬂected
in the rule [Processes (P)].
In the following chapters we will investigate security policies and mechanisms
that dynamically change due to constraints on the history of execution. There-
fore we will now deﬁne an execution trace. The point of interest is that speciﬁc
executions take place prior to releasing speciﬁc information. Hence the seman-
tics are annotated with the identiﬁer of the process that gets to evaluate part
of its body. Thus we write
‖i∈I 〈ssi; cssi, σi, ϕi〉 i=⇒‖i∈I 〈ss′i; cssi, σ′i, ϕ′i〉
when an evaluation step with the rule [Handle non-waiting processes (H)]
evaluated one step of process i. As a result an execution trace is then deﬁned
as the transitive reﬂexive closure of the semantics, and we write
‖i∈I 〈ssi; cssi, σi, ϕi〉 ω=⇒∗ ‖i∈I 〈ss′i; cssi, σ′i, ϕ′i〉
20 VHDL
where ω is a string of identiﬁers.
2.2.3 Architectures
The Semantics for architectures basically initialises the local variable and signal
stores for each process. As no actual evaluation is taking place when handling
the architectures, we merely consider speciﬁcations where the variable and signal
declarations are stripped. Hence no further formal deﬁnitions are considered.
2.3 Properties of the Semantics
In this section we will state properties of the Semantics that will aid us in es-
tablishing correctness results of the analyses presented in later Chapters. One
property of the Semantics is that the execution of a statement ss1 is not inﬂu-
enced by the statement following.
Lemma 2.1 If 〈ss1, σ, ϕ〉 ⇒k 〈final, σ′, ϕ′〉 then 〈ss1; ss2, σ, ϕ〉 ⇒k 〈ss2, σ′, ϕ′〉.
Proof. The proof proceeds by induction in the length of the derivation sequence.
If k = 0 the result holds vacuously. For the induction step we assume that the
lemma holds for k ≤ k0 and we shall prove it for k0 + 1. So assume that
〈ss1, σ, ϕ〉 ⇒k0+1 〈final, σ′, ϕ′〉
hence the derivation sequence can be written
〈ss1, σ, ϕ〉 ⇒ γ ⇒k0 〈final, σ′, ϕ′〉
for some conﬁguration γ. Now we know that the rule [Composition] was used
to obtain
〈ss1, σ, ϕ〉 ⇒ γ
Hence we consider the two cases, ﬁrst the case where statement ss1 evaluates
to ss′1 in one step
〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′′, ϕ′′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′′, ϕ′′〉
2.4 Example: Advanced Encryption Standard 21
and get
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′′, ϕ′′〉 ⇒k0 〈ss2, σ′, ϕ′〉
and we can apply the induction hypothesis on the derivation sequence
〈ss′1; ss2, σ′′, ϕ′′〉 ⇒k0 〈ss2, σ′, ϕ′〉
The second case is when ss1 ﬁnish evaluation in one step
〈ss1, σ, ϕ〉 ⇒ 〈final, σ′′, ϕ′′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss2, σ′′, ϕ′′〉
where the result follows immediately. 
2.4 Example: Advanced Encryption Standard
The techniques presented in this thesis will be applied to the standard imple-
mentation of the Advanced Encryption Standard [WBRF00]. We shall consider
the pipelined 128 bit version of the NSA Advanced Encryption Standard imple-
mentation of the algorithm. As the speciﬁcation is rather substantial, and large
parts are merely concerned with control signals and registers, we will present
two subprograms, which will be used to illustrate the presented analyses.
The 128 bit version of the algorithm works on blocks of 128 bit, that are en-
crypted through 10 rounds. Each round consists of 4 stages that substitute,
shift, mix and add a round key to the block, respectively. Decryption is done
by reversing the order of the inverse stages in each round.
The ﬁrst subprogram is the shift function that is part of an encryption or de-
cryption round.
-- iteration no. 1
temp(0) := a(1)(1);
temp(1) := a(1)(2);
temp(2) := a(1)(3);
temp(3) := a(1)(0);
a(1)(0) := temp(0);
22 VHDL
a(1)(1) := temp(1);
a(1)(2) := temp(2);
a(1)(3) := temp(3);
-- iteration no. 2
temp(0) := a(2)(2);
temp(1) := a(2)(3);
temp(2) := a(2)(0);
temp(3) := a(2)(1);
a(2)(0) := temp(0);
a(2)(1) := temp(1);
a(2)(2) := temp(2);
a(2)(3) := temp(3);
-- iteration no. 3
temp(0) := a(3)(3);
temp(1) := a(3)(0);
temp(2) := a(3)(1);
temp(3) := a(3)(2);
a(3)(0) := temp(0);
a(3)(1) := temp(1);
a(3)(2) := temp(2);
a(3)(3) := temp(3);
The second subprogram is the process that determines the control ﬂow of round
blocks, and decides whether the key is added before or after the 10 rounds. This
is the diﬀerence between the encryption and the decryption algorithms. The
implementation considered performs either encryption or decryption depending
on the value of the incoming signal ALG ENC. For encryption this is done before
the ﬁrst round instead.
POST_ADD_KEY <= ALG_KEY_10;
POST_ADD: process begin
b(0)(0) := FINAL_OUT_REG(0)(0) xor POST_ADD_KEY(0)(0);
b(0)(1) := FINAL_OUT_REG(0)(1) xor POST_ADD_KEY(0)(1);
b(0)(2) := FINAL_OUT_REG(0)(2) xor POST_ADD_KEY(0)(2);
b(0)(3) := FINAL_OUT_REG(0)(3) xor POST_ADD_KEY(0)(3);
b(1)(0) := FINAL_OUT_REG(1)(0) xor POST_ADD_KEY(1)(0);
2.5 Discussion and Related Work 23
b(1)(1) := FINAL_OUT_REG(1)(1) xor POST_ADD_KEY(1)(1);
b(1)(2) := FINAL_OUT_REG(1)(2) xor POST_ADD_KEY(1)(2);
b(1)(3) := FINAL_OUT_REG(1)(3) xor POST_ADD_KEY(1)(3);
b(2)(0) := FINAL_OUT_REG(2)(0) xor POST_ADD_KEY(2)(0);
b(2)(1) := FINAL_OUT_REG(2)(1) xor POST_ADD_KEY(2)(1);
b(2)(2) := FINAL_OUT_REG(2)(2) xor POST_ADD_KEY(2)(2);
b(2)(3) := FINAL_OUT_REG(2)(3) xor POST_ADD_KEY(2)(3);
b(3)(0) := FINAL_OUT_REG(3)(0) xor POST_ADD_KEY(3)(0);
b(3)(1) := FINAL_OUT_REG(3)(1) xor POST_ADD_KEY(3)(1);
b(3)(2) := FINAL_OUT_REG(3)(2) xor POST_ADD_KEY(3)(2);
b(3)(3) := FINAL_OUT_REG(3)(3) xor POST_ADD_KEY(3)(3);
POST_OUT_INT <= b;
end process POST_ADD;
ALG_DATA_LAST <= POST_OUT_INT when ALG_ENC = ’0’ else
FINAL_OUT;
2.5 Discussion and Related Work
In this thesis focus will be on VHDL. However, other hardware description lan-
guages exists. The most predominant alternative to VHDL is the Verilog Hard-
ware Description Language [IEE95]. The choice of VHDL was made because
of the wide acceptance and support of the language in the industry. Still the
common foundation of hardware description languages should allow for a fairly
straightforward adaption of the techniques presented in the following chapters
to other languages.
Another alternative might be the system description language SystemC [IEE05].
The SystemC language provides a greater freedom of expressiveness as it consists
of libraries and macros for C++, hence allowing the C++ language facilities to
be used in hardware descriptions. However, when synthesising designs, the
procedure is normally to compile the SystemC descriptions to VHDL, where
further development might be necessary. Therefore the analyses presented in
this thesis can be applied at the VHDL level, to achieve similar results for
SystemC speciﬁcations.
24 VHDL
2.5.1 Semantics for VHDL
There exists alternative deﬁnitions of semantics for VHDL. In the following we
will discuss these and argue for some of the choices, that make our semantics
diﬀer from others. The reason for these diﬀerences is primarily the ambiguity
and complexity of the IEEE standard [IEE01], which allows for varying inter-
pretations. To validate the choices made we therefore focus on the speciﬁcation
of synthesising RTL VHDL [IEC05] and the ModelSim SE 5.7d VHDL simulator
[Men03].
The semantics presented in this chapter is based on the structural operational
semantics presented by Goossens [Goo95], which aims to formalise the simula-
tion algorithm described in the original VHDL standard [IEE87]. Thirunarayan
and Ewing [TE01] extended this semantics to comply with the 1993 standard.
The presented semantics is very close to these approaches, but still there are two
issues that we address diﬀerently. First the progression of time at synchronisa-
tion points that update the present values of signals was erroneously formalised.
Thirunarayan and Ewing points out the problem in their paper [TE01], however
they correction does not solve the issue, but instead introduces a copying of the
active value of signals whenever no processes can continue past their synchro-
nisation points. Thereafter a process might mistakenly observe the signal as
being active twice. Thirunarayan has acknowledged this issue and agreed to the
solution presented in this thesis [Thi03].
The second issue has to do with the resolution of signals. In [Goo95, TE01] the
resolution function is applied only on the active values of signals. However there
is no distinction between the active and the present value in hardware and hence
the resolution function should in fact be applied on both. This observation is
supported by [Ash02] and ModelSim simulations of test speciﬁcations.
There are other alternatives. Many leave out important issues in the hardware
model, such as
“For simplicity, delta-delayed signal assignments are not treated.” [BFK94],
which allows Breuer et al. to deﬁne a clean semantics of VHDL. Van Tassel
[vT93] makes similar simpliﬁcation to the considered subset of VHDL. These
semantics do not match the understanding of hardware design investigated in
this thesis.
Van Tassel [vT93] embeds the semantics of a VHDL subset in HOL, in this
manner allowing for proof assistance. In the same line of research Russinoﬀ
[Rus95] deﬁnes the semantics of a simple hardware description language, which
is similar to a subset of VHDL, in Boyer-Moore logic. Another approach that
deﬁnes the semantics of VHDL in a logical language (i.e. ACL) is [RBG00].
2.5 Discussion and Related Work 25
These embeddings into proof assistants aid the formal veriﬁcation of VHDL
speciﬁcations.
Several hardware description languages are focused completely on ﬁnite state
machines, such as Esterel [Est05]. In fact most VHDL speciﬁcation were focused
on describing globally synchronous speciﬁcations, that can be mapped to ﬁnite
state machines. This is still one of its primary usages. Hence much work has
been done on compiling VHDL descriptions into ﬁnite state machines, see e.g.
[BLPV94, DB93, DB95].
Hymans [Hym02] deﬁnes a semantics that is based on Goossens’ [Goo95] ap-
proach. The considered subset of VHDL is very close to the one at hand. The
main diﬀerences is that Hymans introduces functions for random number gener-
ation to the language. These are not present in VHDL and are not synthesizable.
Hymans’ reason for introducing them is to accommodate veriﬁcation of systems.
Hence only a test bench process would use the functions. The semantics, how-
ever, has been modiﬁed to not include resolution of active signals. Instead
Hymans utilises a global state that allows signal assignments to overwrite each
other. This forces Hymans to assume that each signal is only assigned to in one
process.
To verify that the presented deﬁnition of the semantics is accurate several test
speciﬁcations were made that support or reject design choices in the semantics.
The test speciﬁcations were simulated with the ModelSim simulator [Men03].
Although this does not provide any formal guarantee, it does allow us to debug
the formal speciﬁcations. Below we report on two of the example speciﬁcations
and the results of simulation them.
Waiting on signals In the semantics of programs the condition for allowing
a process to continue execution after waiting for a signal is limited to signals
that have actually changed value. I.e. using the deﬁnition of active signals is not
suﬃcient to determine if processes continue execution in the rule [Active sig-
nals (A)]. We see from the below described program that we need the condition
∃s ∈ Si. ϕi s 0 = ϕ′i s 0.
To illustrate this decision in the semantics we present a program, consisting of
two processes. One process will continue to set the value of a signal to a constant
value. The second process will wait on the signal set by the ﬁrst process, and
when allowed to continue execution it will alter another signal. This allows us
to detect that the process is not halted while waiting on the signal. The signal
CLK is a clock signal set by the simulator. It is inverted with a frequency of 500
ns.
26 VHDL
Figure 2.4: Result of simulating the program.
The result of simulating the program with the ModelSim SE 5.7d VHDL sim-
ulator is presented in Figure 2.4. Since the value of the signal B only changes
once, namely after 500 ns and not again after 1000 ns or 1500 ns, we observe
that the second process can not continue execution at the wait statement even
though the ﬁrst process sets an active value for the signal A.
library IEEE;
use IEEE.STD_LOGIC_1164.all;
entity test is
signal CLK : in STD_LOGIC;
end test;
architecture model of test is
signal A : STD_LOGIC := ’0’;
signal B : STD_LOGIC := ’0’;
begin
process begin
wait on CLK;
A <= ’1’;
end process;
process begin
wait on A;
B <= not B;
end process;
end test;
Resolution oﬀ signals In the semantics of programs it is speciﬁed how sig-
nals are resolved with a resolution function. Diﬀerent test programs have been
2.5 Discussion and Related Work 27
Figure 2.5: Result of simulating the program.
simulated and the behaviour corresponds to the resolution function speciﬁed in
[Ash02].
The simulated programs are of a form similar to the program presented below.
The program consists of two processes running in parallel, each of them setting
the value of the signal A. When the processes synchronise at the wait statements
the resolution of the signal is performed. By altering the values assigned to A
each entry in the resolution table can be tested. As above the signal CLK is a
clock signal set by the simulator. It is inverted with a frequency of 500 ns.
The result of simulating the test program is presented in Figure 2.5.
library IEEE;
use IEEE.STD_LOGIC_1164.all;
entity test is
signal CLK : in STD_LOGIC;
end test;
architecture model of test is
signal A : STD_LOGIC := ’0’;
begin
process begin
wait on CLK;
A <= ’1’;
end process;
process begin
wait on CLK;
A <= ’0’;
end process;
end model;
28 VHDL
C h a p t e r 3
Security Policies
The only thing necessary for the triumph of evil
is for good men to do nothing.
— Edmund Burke
Security veriﬁcation of a system is divided into two parts; a security policy and
a security mechanism. The security policy is a high-level speciﬁcation of the
security properties that the given system should possess; typically it consists
of statements describing goals of the security veriﬁcation. These goals should
be driven by our understanding of threats rather than how the system is im-
plemented. Hence a policy might express goals regarding the access to objects
or how information ﬂows through the system. On the other hand the security
mechanism enforces the security properties on the given system. In this chap-
ter we investigate security policies for information ﬂow. Security mechanisms
matching the security policies are investigated in Chapter 4 and 5.
The concept of security policies came from the military sector. The ﬁrst security
policy model, Bell-LaPadula [BL73], was developed in 1973 to formalise the U.S.
Department of Defense multilevel security policy. The model describes a set of
access control rules through security labels on resources and clearances for users.
Informally said, the model protects the conﬁdentiality of information through a
hierarchy of security levels. A user can not read information from levels higher
than the users own, no read up, and the user can not write information to
lower levels, no write down. This model became the standard military approach
when evaluating systems, according to the U.S. Department of Defense “Orange
30 Security Policies
Book” [DOD85]. However for general usage the model has proved to be too
restrictive, in particular due to it relying on dynamic security mechanisms that
have problems with enforcing the policy in the presence of implicit ﬂows. Here
we make the distinction between explicit and implicit information ﬂows; where
explicit information ﬂows are statements that directly aﬀects one resource by
reading another resource, e.g.
x := y
where the value of y is copied to x. An implicit ﬂow occurs in connection
with statements that alter the control ﬂow of the program based on reading a
resource, e.g.
y := 0; if x then y := 1 else null
where the value of x will determine which branch will be taken and ﬁnally the
value of y. Observe that the implicit ﬂow occur even when x = true as the
attacker may observe that the value of y is 0.
Due to these issues investigation began on policies and mechanisms for preserv-
ing conﬁdentiality in a system. On one hand Denning and Denning [Den76,
DD77] developed static mechanisms for verifying the security of a system, while
on the other hand Lampson [Lam73] and later Cohen [Coh77, Coh78] inves-
tigated notions for the conﬁnement problem and strong secrecy. Goguen and
Meseguer [GM82, GM84] introduced the security property, non-interference,
that has later become the most inﬂuential property of information ﬂow policies.
Informally, non-interference means that an attacker of the system, who can view
low conﬁdentiality information, is not permitted to observe any diﬀerences after
two executions of a program that only diﬀer on its conﬁdential inputs. An-
other weaker property, non-deducibility, was proposed by Sutherland [Sut86].
It was the ﬁrst nondeterministic version of non-interference. It is weaker than
non-interference as it allows the two executions of the program to modify the
observable part of the resources as long as no connection between conﬁden-
tial information and resulting low conﬁdentiality information can be made with
complete certainty. The non-deducibility property has no practical usage, since
a guarantee that allows the attacker to determine a secret with 99% probability
is no better than no guarantee.
At about the same time Kemmerer [Kem82, Kem02] presented the shared re-
source matrix methodology aimed at identifying covert channels in real systems.
The method is centred around the notion of a resource matrix, which is a ma-
trix where the rows represent the resources available in the considered system
and the columns represent the actions (referred to as primitives). Each ﬁeld in
the matrix state the access right for the action on the resource. In this model
there are two access rights, read and modify. The resource matrix model allows
3.1 Locality-based security policies 31
the security analyst to abstract on the resources and actions, and hence include
resources such as the process scheduler and the system clock, while grouping
actions into processes and programs. The strength of the shared resource matrix
approach is verifying real systems, which has been illustrated in several cases
(e.g. [HKMY86, KT96]). One drawback of the approach is that it does not
formalise a security property, instead it aims at identifying information ﬂows
(and more generally covert channels). Thus if no leaks occur we are left without
any guarantees.
In this chapter we aim to combine the expressive power of the security policies
in the shared resource matrix approach with the strong end-to-end guaran-
tee of non-interference. Arguments regarding the inapplicability of noninter-
ference in the setting of many real systems have been raised [RMMG01]. One
approach that has been relatively successful in dealing with this issue is in-
troducing trusted components that are allowed to break the security policies,
often referred to as intransitive noninterference [HY86, Rus92, RG99]. The pro-
posed policies and security property incorporate a notion of intransitive nonin-
terference and extend it with constraints on the execution history of the pro-
gram. Previously security policies for access control based on execution history
[AF03, BN04, BDF05] have been investigated and shown to provide a natural
approach to specifying security policies. Furthermore the proposed policies and
security property must be placed within the setting of hardware descriptions.
For this purpose we build on the semantics presented in Chapter 2.
3.1 Locality-based security policies
To protect conﬁdentiality within a system, it is important to control how in-
formation ﬂows so that secret information is prevented from being released on
unintended channels. The allowed ﬂow of information in a system is speciﬁed in
a security policy. In this section we present a policy language based on graphs.
Here vertices represent security domains, describing the resources available in
the program. A security domain is related to sets of resources available in the
considered system.
This model allows for the granularity of the mapping from resources to security
domains to be very ﬁne-grained. For example we can introduce a security do-
main for each resource. For improved precision we could partition the usage of
a resource into lifetime periods and introduce a domain for each, hence having
more than one security domain for each resource used in the program. This
would allow us to abstract from e.g. reuse of limited resources in the implemen-
tation, instead of introducing new gates for each lifetime period of a signal, and
32 Security Policies
thereby potentially increasing the size of the gate layout quadratically [HS06].
In our setting the variables and signals are our resources, hence they are related
to security domains. This allows us to reason about groups of resources together,
as well as singling out speciﬁc resources and isolate these in their own security
domains. The security policies therefore focus on the information ﬂow between
intended domains of resources. Consequently we assume that variables and
signals can be uniquely mapped to security domains.
Deﬁnition 3.1 (Security Domains) For a given program we have a mapping
from variables and signals V ar ∪ Sig to security domains V
· : V ar ∪ Sig → V
We write x and s for the security domain of the variable x and signal s,
respectively.
As stated above the security policies are based on graphs. Therefore the edges
specify permitted ﬂows of information. Information ﬂow between resources can
be restricted subject to fulﬁlment of constraints with respect to certain events
taking place prior to the ﬂow. Formally we propose the following deﬁnition of
security polices.
Deﬁnition 3.2 (Locality-based security policies) A security policy is a labelled
graph G = (V, λ), consisting of a set of vertices V representing security domains
and a total function λ mapping pairs of vertices to labels λ : V × V → ∆. We
deﬁne G to be the set of policies. The structure, ∆, of labels is deﬁned below.
In a ﬂow graph the set of vertices V represent security domains. A security
domain indicates the usage of a resource in the system. The edges in the ﬂow
graph describe the allowed information ﬂow between resources. Hence an edge
from the vertex for security domain v1 to the vertex for security domain v2
indicates that information is allowed to ﬂow between the resources in these
domains subject to the label attached to the edge.
The edges are labelled with constraints that the program must fulﬁll in order
for the ﬂow of information to be permitted. These constraints will include
restrictions with respect to localities in the program. Hence we will consider
local ﬂows permitted in speciﬁc processes or blocks. Each process and block is
uniquely referenced by identiﬁers Id that we map to security localities.
Deﬁnition 3.3 (Security Localities) For a given program we have a mapping
3.1 Locality-based security policies 33
from identiﬁers Id to security localities L
· : Id → L
A policy that restrict a information ﬂow to a security location l should permit
information ﬂows when the execution resulting in the ﬂow takes place in a
process ip or block ib that is in the location, i.e. ip = l or ib = l, respectively.
We lift the mapping of identiﬁers to security localities such that we write ω
when the mapping is in fact applied to each identiﬁer in a execution trace, thus
resulting in a string of locations.
The edges in the ﬂow graph are described by the function λ : V × V → ∆.
We write v1
δ
 v2 for an edge from vertex v1 to v2 constrained by δ ∈ ∆, i.e.
λ(v1, v2) = δ. Information ﬂow might be constrained by certain obligations
that the system must fulﬁll before the ﬂow can take place. Here we describe
a novel constraint language that allows the security policy to be speciﬁc about
intransitive information ﬂows in the ﬂow graph. Constraints are speciﬁed in the
following syntax δ ∈ ∆:
δ ::= true | false | l | δ1 · δ2 | δ1 ∧ δ2 | δ1 ∨ δ2 | δ ∗
A constraint may be trivially true or false. The constraint l enforces that ﬂows
occur at speciﬁc locations, thus that the ﬂow is only permitted at locations
that is part of the security location l (i.e. i = l). The constraint δ1 · δ2
enforces that the ﬂow is only allowed to occur if events described in δ1 precedes
events described in δ2. Common logical operators ∧ and ∨ are available to
compose constraints. Finally Kleene’s star ∗ allows the policies to express cyclic
behaviour.
We might omit the constraint, writing v1  v2 for v1
true
 v2. Similarly we
might omit an edge in a ﬂow graph indicating that the constraint can never be
fulﬁlled, i.e. v1
false
 v2.
Example 3.1 To illustrate the usage of ﬂow graphs as security policies we here
discuss the three examples given in Figure 3.1. The ﬁrst ﬂow graph (a) allows a
ﬂow from v1 to v2 and v2 to v3 but not from v1 to v3. That is neither directly nor
through v2! In this manner the intransitive and temporal nature of the policies
allow us to have constraints on the order of information ﬂows and the further
propagation of information.
The second ﬂow graph (b) allows the ﬂow from v1 to v2, v2 to v3 and from
v1 to v3 as well. The ﬂow can be directly from v1 to v3 or through v2. If we
34 Security Policies
v1 v3
v2
v1 v3
v2
v1
i
i · i′
v3
v2
i′
(a) (b) (c)
Figure 3.1: Examples of ﬂow graphs
wish to restrict the ﬂow to go through v2 it could be done as in ﬂow graph (c).
We assume that i and i′ map to security locations that no other processes or
blocks are mapped to. Hence the last ﬂow graph (c) restricts the ﬂows between
the security domains to certain locations. This ensures that for information to
ﬂow from v1 to v3 both locations need to participate.
To give intuition to the above example policies we relate them to a personal
ﬁnance scenario. In the following we let v1, v2, and v3 denote the resources of
the user, the user’s ﬁnancial advisor, and the tax authorities respectively. The
ﬁrst policy (Figure 3.1(a)) states that the user’s ﬁnancial information may be
accessed by the ﬁnancial advisor but not by the tax authorities while still allow-
ing the ﬁnancial advisor to send (other) information to the tax authorities. The
second policy (Figure 3.1(b)) then states that the user’s ﬁnancial information
may be accessed both by the ﬁnancial advisor and by the tax authorities; this
may be necessary during a tax audit. Finally the policy shown in (Figure 3.1(c))
deﬁnes a situation where the user’s ﬁnancial information may be accessed by
both the ﬁnancial advisor and the tax authorities but only through the ﬁnan-
cial advisor; this security policy ensures that the ﬁnancial advisor can review
all relevant information from the user before the tax authorities gain access
to it. These examples match the principle of separation of duty presented by
Clark and Wilson [CW87], as one of the fundamental principles in the Clark-
Wilson model. The principle states that in order to maintain integrity in a
commercial system the concerns of each principal must be separated, and hence
collaboration between principals becomes necessary to achieve the goals of the
individuals, while malicious principals must not be allowed to circumvent the
rights of the well-behaved principals.
A system is given by a program ‖i∈I cssi and a security policy G together with
a domain mapping · and a location mapping · and might be written ‖i∈I cssi
subject to (G, · , · ). However, as the G, · and · components are clear from
context we choose not to incorporate the policies in the syntax of CoreVHDL.
3.1 Locality-based security policies 35
3.1.1 Semantics of constraints
In this subsection we present the semantics of our security policy language. The
semantics is given as a translation to regular expressions over execution traces.
The intuition is that if an execution trace is in the language of the regular
expression derived by the semantics, then the constraint is fulﬁlled.
The main idea behind the locality-based security policies is that they specify
constraints that must be fulﬁlled rather than the total behaviour of the system.
This result in succinct policies. Therefore the semantics of constraints is based
on an understanding of fulﬁlment of a constraint whenever an execution trace
produces the locations speciﬁed. Hence if a trace that fulﬁls a constraint is
preceded or succeeded by other traces the constraint remains fulﬁlled.
The true constraint is always fulﬁlled and hence is translated to the regular
expression L ∗ accepting all execution traces. Similarly the constraint false
cannot be fulﬁlled for any trace, and hence the generated language is ∅. The
constraint l gives the language L ∗ · {l} · L ∗ as we wish to allow the ﬂow only
for executions taking place at l. The constraint δ1 · δ2 indicates that the trace
ω can be split into ω1 and ω2 , where ω1 must be in the language of δ1, and
respectively ω2 must be in the language of δ2. The constraints for δ1 ∧ δ2 and
δ1 ∨ δ2 are straightforward. One obvious deﬁnition of [[δ ∗]] is [[δ]] ∗; however this
choice would invalidate Lemma 3.4 below. Consequently, it is natural to deﬁne
[[δ ∗]] = L ∗ · [[δ]] ∗ · L ∗ as then Lemma 3.4 continues to hold.
The semantics of the security policy language is given in Figure 3.2.
Lemma 3.4 The semantical interpretation of constraint δ does not change by
preceding or succeeding it by other traces ∀δ : [[δ]] = L ∗ · [[δ]] · L ∗
We deﬁne an ordering of constraints as the relation ≤∆⊆ ∆ × ∆, i.e. we say
that δ is a restriction of δ′ if (δ, δ′) ∈≤∆, normally we write δ ≤∆ δ′.
Deﬁnition 3.5 We say that a constraint δ is a restriction of δ′, written δ ≤∆ δ′
if we have [[δ]] ⊆ [[δ′]].
Similarly we deﬁne a restriction relation between ﬂow graphs.
Deﬁnition 3.6 We say that a ﬂow graph G = (V, λ) is a restriction of G′ =
(V ′, λ′), written G ≤ G′ if we have that
V = V ′ ∧ ∀v1, v2 : λ(v1, v2) ≤∆ λ′(v1, v2)
36 Security Policies
[[true]] = L ∗
[[false]] = ∅
[[l]] = L ∗ · {l} · L ∗
[[δ1 · δ2]] = [[δ1]] · [[δ2]]
[[δ1 ∧ δ2]] = [[δ1]] ∩ [[δ2]]
[[δ1 ∨ δ2]] = [[δ1]] ∪ [[δ2]]
[[δ ∗]] = L ∗ · [[δ]] ∗ · L ∗
Figure 3.2: Semantics of constraints
3.2 History-based Release
To determine whether a program is secure or not, we need some condition for
security. In this section we therefore present our deﬁnition of secure programs.
The intuition is similar to that of non-interference, however we aim to generalise
the traditional non-interference condition to permit release of conﬁdential infor-
mation, based on constraints on the history of the execution and it’s present
location. We call this condition History-based Release.
3.2.1 Security Condition
Before we formalise the main security condition we need to formalise what an
attacker can observe. Consider an attacker that has access to a subset V of the
variables and signals that are available in the program under consideration. We
formalise the observable part of the resources by assuming that the attacker has
knowledge of all the processes that exist in the program, and hence it is feasible
to assume that two variable or signal states can be compared on all variables
or signals, respectively. Thus for two programs ‖i∈I cssi1 and ‖i∈I cssi2 an
attacker that observes at security domain V can compare the observable parts
of the variable states as σ1 ∼V σ2.
Deﬁnition 3.7 (V-observable equivalence) Two variable states σ1 and σ2 are
for the resources in domain V observably equivalent σ1 ∼V σ2 iﬀ
∀x : x = V ⇒ σ1 x = σ2 x
We deﬁne the observable parts of signal states in the same manner.
Deﬁnition 3.8 (V-observable equivalence) Two signal states ϕ1 and ϕ2 are for
the resources in domain V observably equivalent ϕ1 ∼V ϕ2 iﬀ
∀s : ∀j ∈ {0, 1} : s = V ⇒ ϕ1 s j = ϕ2 s j
3.2 History-based Release 37
Where we overload the observational equivalence to consider both variable and
signal states.
We deﬁne the function ∇ : P(V ) × G × Ω → P(V ) for extending a set of
security domains with the domains that are permitted to interfere with the
observed domains due to the fulﬁlment of constraints by the execution trace ω.
The resulting set of security domains describe the permitted information ﬂows
during the execution.
Deﬁnition 3.9 (V Observable) For a security policy G and a execution trace
ω an observer at V can observe the localities
∇(V , G, ω) = V ∪ {v1 | v2 ∈ V ∧ ω ∈ [[λ(v1, v2)]]}
If the considered policy is changed to a less restrictive policy, ∇ will never reduce
the observable part of the variables and signals. This allows us to establish the
following fact.
Fact 1. If G ≤ G′ then ∇(V , G, ω) ⊆ ∇(V , G′, ω).
We consider a program secure if in no execution trace, neither a single step nor
a series of steps, will an attacker observing the system at the level of a set of
security domains V be able to observe a diﬀerence on any resource, when all
resources permitted to interfere with the resource are observably equivalent be-
fore the evaluation. We formalise the condition as a bisimulation over execution
traces on programs.
Deﬁnition 3.10 (Bisimulation) A (G,V)-bisimulation is a symmetric relation
R on programs whenever
‖i∈I 〈css′i1, σi1, ϕi1〉 ω=⇒∗ ‖i∈I 〈cssi1′′, σ′i1, ϕ′i1〉 ∧
‖i∈I css′i1 R ‖i∈I css′i2 ∧
σi1 ∼∇(V,G,ω) σi2 ∧
ϕi1 ∼∇(V,G,ω) ϕi2
then there exists ‖i∈I css′′i2, σ′i2, ϕ′i2 and ω′ such that
‖i∈I 〈css′i2, σi2, ϕi2〉 ω
′
=⇒∗ ‖i∈I 〈cssi2′′, σ′i2, ϕ′i2〉 ∧
‖i∈I css′′i1 R ‖i∈I css′′i2 ∧
σ′i1 ∼V σ′i2 ∧
ϕ′i1 ∼V ϕ′i2
38 Security Policies
The bisimulation follows the approach of Sabelfeld and Sands [SS00] in utilising
a resetting of the state between subtraces. This follows from modelling the at-
tacker’s ability to modify signals concurrently with the execution. Furthermore
it accommodates the dynamically changing nature of the security policies due
to the fulﬁlment of constraints, as seen in [MS04]. The deﬁnition is transitive
but not reﬂexive. That the deﬁnition is not reﬂexive follows from observing that
the program
p : process begin
l := h;
end process p
is not self-similar whenever information is not permitted to ﬂow from h to l.
Fact 2. If G ≤ G′ and R is a (G,V)-bisimulation then R is also a (G′,V)-
bisimulation.
Deﬁnition 3.11 A G-bisimulation is a relation R such that for all V , R is a
(G,V)-bisimulation. Denote the largest G-bisimulation ≈G.
Now we can deﬁne the security condition as a program being bisimilar to itself.
Deﬁnition 3.12 (History-based Release) A program ‖i∈I cssi is secure wrt.
the security policy G if and only if we have ‖i∈I cssi ≈G ‖i∈I cssi.
Example 3.2 In the following we will consider a number of example programs
that illustrate the strength of History-based Release. First consider the program
p : process begin
y <= x;
end process p
which reads the signal x and modiﬁes y. With the policy x
p
y , the
program is secure, while changing the policy to x
p′
y makes the program
insecure. The reason that the program is insecure with the second policy is
because the bisimulation forces us to consider all possible traces, so even if the
above program was modiﬁed to execute a process named p′ concurrently with the
considered one, p, the result would be the same. This corresponds to intransitive
non-interference [MB05] (or lexically scoped ﬂows according to [BS06]).
3.2 History-based Release 39
Example 3.3 History-based Release goes beyond lexically scoped ﬂows as the
policy might constrain the history of a process. This is illustrated by the following
example. Consider the security policy in Fig. 3.1(c) and assume that x = v1,
y = v2 and z = v3, for which the program
i : process begin
y <= x;
end process i
i’ : process begin
z <= y;
end process i’
is secure. On the other hand the program
i : process begin
y <= x;
end process i
i’ : process begin
z <= x;
end process i’
is insecure because the process i′ might evaluate prior to the process i.
Example 3.4 Another concern is the handling of indirect ﬂows. Consider the
program
p : process begin
if x then y <= not y else null
end process p
and an attacker observing whether the signal y is modiﬁed or not. Based on
this the attacker will know when the the signal x carries the value ’1’. Therefore
History-based Release allows the program for the policy x
p
y , but not for
x
false y .
Example 3.5 Finally we wish to look at an example program that is insecure
in the traditional setting where lattices are used as security policies. Consider
the program
40 Security Policies
p : process begin
y := ’0’;
z := y;
y := x;
end process p
which is secure for the policy in Fig. 3.1(a) when x = v1, y = v2 and z = v3.
This is because evaluating the program does not result in information ﬂowing
from x to z.
3.2.2 Consistency of History-based Release
In this subsection we argue the consistency of the deﬁnition of History-based
Release. In particular we will discuss two of the principles presented by Sabelfeld
and Sands in [SS05]. In the following we consider declassiﬁcation to refer to
constraints that are not trivially evaluated to true or false.
Conservativity: Security for programs with no declassiﬁcation is equivalent
to non-interference.
Limiting all constraints on edges in the ﬂow graphs to only being of the simple
form true, false or l gives us intransitive non-interference. Removing all non-
trivial constraints (i.e. only having the constraints true and false) results in
traditional non-interference.
Monotonicity of release: Adding further declassiﬁcations to a secure pro-
gram cannot render it insecure.
Adding declassiﬁcations to a program corresponds to making our security poli-
cies less restrictive. Hence we aim to show that a program will be secure for
any policy at least as restrictive as the original policy, for which it can be shown
secure.
Lemma 3.13 (Monotonicity) If G ≤ G′ then
‖i∈I cssi1 ≈G ‖i∈I cssi2
implies
‖i∈I cssi1 ≈G′ ‖i∈I cssi2.
3.3 Transitive Security Policies 41
Proof. It follows from Fact 1 that
∀i ∈ I : (σi1 ∼∇(V,G′,ω) σi2) ⇒ (σi1 ∼∇(V,G,ω) σi2)
and
∀i ∈ I : (ϕi1 ∼∇(V,G′,ω) ϕi2) ⇒ (ϕi1 ∼∇(V,G,ω) ϕi2).
The Lemma follows from Fact 2 and observing that to show ‖i∈I cssi1 ≈G′‖i∈I
cssi2 we have either ∀i : σi1 ∼∇(V,G′,ω) σi2 and ∀i : ϕi1 ∼∇(V,G,ω) ϕi2, in which
case we can reuse the proof for ‖i∈I cssi1 ≈G‖i∈I cssi2, and otherwise the result
holds trivially. 
3.3 Transitive Security Policies
In this section we shall investigate a limited version of the locality-based security
policies. The investigation will focus on transitively closed policies and compare
them to the previously presented policies. The goal of the transitively closed
policies is to ﬁnd a subset of the locality-based policies that allows for a more
direct approach to automatic analysis and veriﬁcation of program security. The
transitively closed policies will be utilised in the correctness result for the type
based approach to veriﬁcation of CoreVHDL programs presented in Chapter
4.
First let us deﬁne what a transitively closed Locality-based security policy is.
The intuition is that if information is allowed to ﬂow from one node to a second
node and from the second node to a third node then information should also be
allowed to ﬂow from the ﬁrst node to the third node. Formally this is deﬁned
in the following deﬁnition.
Deﬁnition 3.14 (Transitively Closed Locality-based Security Policies) A secu-
rity policy G is transitively closed whenever
∀ n0 δ1 n1 δ2 n2 δ3 . . . δk nk ∈ G
implies
n0
δ nk ∈ G ∧
[[δ1 · δ2 · · · δk]] ⊆ [[δ]]
42 Security Policies
Observe that this goes against our previous comments on information ﬂows
between principals, who are not allowed to forward each others information
without explicit permission from the originating principal.
The transitively closed policies merely propose a restriction on the policies,
and hence all previously presented results still hold. In particular we will apply
Lemma 3.13 to give guarantees for policies that are not transitively closed when-
ever our analysed system can be veriﬁed to conform to History-based Release
for a more restrictive transitively closed policy.
The goal of the transitively closed policies was to accommodate a simpliﬁed and
more direct approach to analysing the considered programs. Hence we propose a
simpliﬁed security condition, which match the intuition of the restricted policies.
Furthermore for transitive closed policies, the condition will provide a guarantee
that is equally strong to History-based Release. The condition will be centred
around the following bisimulation.
Deﬁnition 3.15 (Transitive Bisimulation) A (G,V)-bisimulation is a symmet-
ric relation R on programs whenever
‖i∈I 〈css′i1, σi1, ϕi1〉 ω=⇒ ‖i∈I 〈cssi1′′, σ′i1, ϕ′i1〉 ∧
‖i∈I css′i1 R ‖i∈I css′i2 ∧
σi1 ∼∇(V,G,ω) σi2 ∧
ϕi1 ∼∇(V,G,ω) ϕi2
then there exists ‖i∈I css′′i2, σ′i2, ϕ′i2 and ω′ such that
‖i∈I 〈css′i2, σi2, ϕi2〉 ω
′
=⇒∗ ‖i∈I 〈cssi2′′, σ′i2, ϕ′i2〉 ∧
‖i∈I css′′i1 R ‖i∈I css′′i2 ∧
σ′i1 ∼V σ′i2 ∧
ϕ′i1 ∼V ϕ′i2
Here we have limited the bisimulation game to one step evaluations of the ﬁrst
program. This will simplify the proof burden on programs under veriﬁcation
and aid us in establishing the correctness result of the static analyses presented
in the following chapters.
Again the bisimulation follows the approach of Sabelfeld and Sands [SS00] in
utilising a resetting of the state between subtraces. This follows from modelling
the attacker’s ability to modify signals concurrently with the execution. The
deﬁnition is transitive but not reﬂexive.
3.3 Transitive Security Policies 43
Deﬁnition 3.16 A transitive G-bisimulation is a relationR such that for all V ,
R is a transitive (G,V)-bisimulation. Denote the largest transitiveG-bisimulation
≈+G.
Now we can deﬁne the transitive security condition as a program being bisimilar
to itself.
Deﬁnition 3.17 (Transitive History-based Release) A program ‖i∈I cssi is se-
cure wrt. the security policy G if and only if we have ‖i∈I cssi ≈+G ‖i∈I cssi.
One should observe that the temporal properties of having information ﬂows
that are due to collaboration of several principals are lost. This is due to the
resetting of the state between execution steps. Hence the Transitive History-
based Release condition is a weakened condition compared to History-based
Release. We also observe that for a transitively closed security policies the
two conditions coincide and are equally strong. We investigate this further in
the following two lemmas. The ﬁrst lemma states that History-based Release
and Transitive History-based Release are equally strong for a transitively closed
policy.
Lemma 3.18 If a program conforms with Transitive History-based Release for
a Transitively Closed Policy G then the program also conforms with History-
based Release for G.
Proof. The proof proceeds by induction in the length of the evaluation sequence
of the program ‖i∈I 〈css′i1, σi1, ϕi1〉. Consider the evaluation sequence
‖i∈I 〈css′i1, σi1, ϕi1〉 ω=⇒k ‖i∈I 〈cssi1′′, σ′i1, ϕ′i1〉
If k = 0 the result follows vacuously. For the induction step we assume that the
result holds for k ≤ k0 and we shall prove it for k0 + 1. Divide the evaluation
sequence into the ﬁrst step and the rest. Applying Deﬁnition 3.15 gives us that
the program conforms with Transitive History-based Release after evaluating
one step. The remaining evaluation sequence is shorter, hence we apply the
induction hypothesis and get that the last steps conform with History-based
Release. The evaluation sequence has the form
‖i∈I 〈css′i1, σi1, ϕi1〉 ω
′
=⇒ ‖i∈I 〈cssi1′′′, σ′′i1, ϕ′′i1〉 ω
′′
=⇒k0 ‖i∈I 〈cssi1′′, σ′i1, ϕ′i1〉
Thus we need to consider the changes of the states. If a variable or signal has
changed its value in the ﬁnal state, one of the following cases must hold; ﬁrst if
44 Security Policies
the variable or signal is unobservable, the result follows. Second if the variable
or signal is observable then we know that any diﬀerences between the resulting
states are due to the ﬁrst step modifying the states used in the rest of the
evaluation. Now as the policy is a Transitively Closed Policy we have that there
exists an edge annotated with a constraint δ such that ω′ · ω′′ ∈ [[δ]] and hence
there can be no diﬀerence in the states that are observable. 
The second lemma state that there exist programs that are secure by Transitive
History-based Release and insecure by History-based Release with respect to a
(non-transitive) policy.
Lemma 3.19 If a program conforms with Transitive History-based Release for
a policy G that is not transitively closed then the program might not conform
with History-based Release for G.
Proof. The proof proceeds by counter example. The ﬁrst program presented
in Example 3.3 conforms with Transitive History-based Release for the policy
given in Figure 3.1(a). However it does not conform with History-based Release
for the same policy. 
3.4 Discussion
Traditionally, policies for information ﬂow security have been of the form of
security lattices [BL73, Den76] where an underlying hierarchical structure on
the principals in the system is assumed and reﬂected in the security lattice.
Hence the principals are tied to security levels and an ordering of security levels
indicate what information is observable to a principal. Security lattices have
found a widespread usage in language-based approaches to information ﬂow
security, see e.g. [VSI96, SM03a].
The security policies presented in this chapter are base on labelled graphs, i.e.
without assigning an underlying ordering. Due to the lack of underlying or-
dering the expressiveness of the policies is increased, allowing for simpliﬁed
speciﬁcations of security policies for systems. One example is systems that let a
principal act on resources in diﬀerent security domains without causing a ﬂow
of information in between. The expressiveness gained is due to the lack of the
transitive nature of the ordering in a lattice. These policies relate back to re-
source matrices applied for e.g. covert channel identiﬁcation [Kem82, McH95].
3.4 Discussion 45
A comparison [HKMY86] on the veriﬁcation of a real systems, the Honeywell
Secure Ada Target (SAT), using the non-interference approach [GM82] and the
shared resource matrix approach [Kem82] highlighted issues with the transi-
tivity of the non-interference property. Further investigation illustrated that
information ﬂow policies are in general not transitive [HY86, Rus92].
Clearly the translation of a policy speciﬁed as a lattice to a labelled graph is
straightforward. For each security level a security domain is introduced. Edges
(labelled true) are added between security domains according to the ordering
of the corresponding security levels.
The Decentralized Label Model by Myers and Liskov [ML97, Mye99a] is a frame-
work for security policies that allows owners of information to specify who is
permitted to read that information. The basis model is still a lattice and does
not provide expressiveness similar to what is presented in this chapter.
3.4.1 Semantical security conditions
The goal of specifying whether a system complies with an information ﬂow pol-
icy has been formally stated as non-interference [Coh77, GM82]. Informally
non-interference states that for all input to a system, that varies only on in-
formation not observable to the attacker, the resulting output will only vary
on information not observable to the attacker. Since the original formalisation
several generalised non-interference properties have been published. In Section
3.2.2 we showed that History-based Release generalises non-interference, so in
this Section other properties will be discussed and compared to History-based
Release.
Non-Disclosure by Matos and Boudol [MB05] proposes extending the syntax
of a ML-like calculus with speciﬁc constructs for loosening the security policy.
These constructs have the form
flow A ≺ B in M
where M is an expression and A and B are security levels. The construct
extends the security relation to permit information to ﬂow from A to B in M
and thereby permits disclosure of conﬁdential information in lexically scoped
parts of programs. The policies presented in this chapter allow for ﬂows to
be scoped within speciﬁed locations, i.e. locations associated with a security
domain. Clearly, by introducing a security domain tied to a fresh location for
each ﬂow construct and constraining the information ﬂow to only happen in
46 Security Policies
execution traces containing the security location we get scoped ﬂows. Finally
due to the transitive nature of underlying lattice structure in [MB05], we need
to perform a transitive closure on the resulting graph to achieve the same eﬀect
in our policies. In this manner the Non-Disclosure property can be seen as
a specialisation of the History-based Release property. Obviously the Non-
Disclosure property does not have the expressiveness to handle constraints on
execution traces.
Intransitive non-interference. Goguen and Meseguer [GM84] generalised
non-interference to intransitive non-interference while observing that informa-
tion ﬂows might be permitted when properly ﬁltered at speciﬁed security lev-
els. The property was further investigated in [HY86, Rus92] and adapted to a
language-based setting by Mantel and Sands [MS04]. Mantel and Sands [MS04]
formalise intransitive non-interference so that two goals are achieved. First, the
place in the program where information ﬂow is limited through a syntactical
extension of the language. Second the security level where information ﬂows
through is speciﬁed through an extension of the security lattice by an intransi-
tive component.
History-based Release incorporates these concerns. The place in the program
where information ﬂow is guaranteed in the same way as described above for
the non-disclosure property. Furthermore the locality-based security policies are
intransitive due to being based on graphs rather than lattices.
Non-interference until by Chong and Myers [CM04] propose adding condi-
tions to security policies based on lattices. This is done by introducing a special
annotated ﬂow of the form 0
c1 · · · ck k into the security policies, which
states that information can be gradually downgraded along with the fulﬁlment
of the conditions c1, . . . , ck. It is straightforward to represent the downgrading
condition with History-based Release.
However, observe that once the conditions are fulﬁlled, information can ﬂow di-
rectly from 0 to any of the security levels 1, . . . , k. Therefore non-interference
until does not provide the intransitive guarantees of History-based Release. An-
other point is the temporal constraints that History-based Release enforce on
execution traces. Non-interference until provides simple temporal guarantees,
namely that conditions are fulﬁlled prior to downgrading. However neither the
order of the fulﬁlment nor the conditions allow for temporal constraints.
Chong and Myers [CM05] extend the policies to consider erasure. This extension
go beyond the scope of this chapter. Yet, one can consider the erasure policies
3.4 Discussion 47
to be lifetime partitionings of variables and signals, where the program must
guarantee that the variable or signal that is to be erased is overwritten along
with the fulﬁlment of the constraints in the security policy. Chapter 5 present
further investigation and discussion of of partitioning of security domains.
Flow Locks. Recently Broberg and Sands [BS06] introduced the novel con-
cept of ﬂow locks as a framework for dynamic information ﬂow policies. The
policies are speciﬁed in syntactical constructs introduced in an ML-like calculus.
The constructs are utilised in the opening and closing of ﬂow locks, these locks
are used in constraining the information ﬂows in the policies. The policies have
the form {σ1 ⇒ A1; . . . ;σn ⇒ An} and are used to annotate declarations of vari-
ables in the programs. These policies correspond to ours, where a policy needs
to specify where information might ﬂow globally during execution and is hence
not transitively closed. The major diﬀerence is that our policies can include
temporal constraints which cannot be expressed in the ﬂow locks policies.
Another major diﬀerence between [BS06] and the present work is the intuition
behind the security condition. In the ﬂow lock setting information can ﬂow to
security levels as speciﬁed in the policies, as long as necessary locks are opened
beforehand. This diﬀers from our deﬁnition in not being tied to the actual ﬂow
of information. E.g. once a lock is open information can ﬂow from several levels
and several times. Furthermore ﬂow locks have no way of observing if a lock has
been closed and opened again between two ﬂows. In our setting the constraints
on the execution trace must be fulﬁlled for every single ﬂow, hence it is not
suﬃcient that another process is executed at the right location, just before or
after considered ﬂow.
48 Security Policies
C h a p t e r 4
Information Flow Analysis
It’s impossible to move, to live, to operate at any level
without leaving traces, bits, seemingly meaningless fragments
of personal information
— William Gibson
A main concern in computer security is conﬁdentiality, the assurance that in-
formation is only available to authorised principals. The ﬁrst approaches to en-
forcing conﬁdentiality were access control mechanisms granting access to infor-
mation only to authorised principals. Often discretionary access control mech-
anisms will not track the usage of information after access clearance is granted,
and hence trusts the principal (or process acting for the principal) to prop-
agate the information in a conﬁdentiality preserving manner [Lam73]. This
has lead to an increased attention on mechanisms for mandatory access control
[BL73] and information ﬂow analysis [Den76]. While dynamic approaches en-
forcing information ﬂow control has been proposed [DOD85] their approaches
to determining dependencies, including implicit ones, often make them overly
restrictive and impractical [Mye99b]. Thus much investigation of static analysis
for information ﬂow control has been done. Volpano et al. [VSI96] developed
an automatic static analysis and showed the coupling to the security property
of non-interference. This resulted in numerous investigations of static informa-
tion ﬂow analysis for real programming languages, e.g. [Mye99a] and [HR98],
concurrency, e.g. [SV98] and [SS01], covert channels, e.g. [Aga00], and declas-
siﬁcation, e.g. [ML97], [ZM01] and [SM03b] — for a thorough overview see
[SM03a].
50 Information Flow Analysis
This chapter develops a static information ﬂow analysis for CoreVHDL. The
approach taken is that of Kemmerer [Kem82, Kem02], where the identiﬁcation of
local dependencies and the end-to-end dependencies are separated and computed
in two steps. This is diﬀerent from the approach taken in [VSI96, Mye99a] (and
others [SM03a]) where the transitivity of the underlying lattice-based security
policies makes checking of local dependencies suﬃcient. Taking this view we
develop the analysis and prove that it enforces the security properties presented
in Chapter 3. Hence the analysis presented in this chapter is ﬂow insensitive
meaning that the execution order is not taken into account by the analysis
[NNH99]. In Chapter 5 we will investigate a ﬂow sensitive analysis in order
to strengthen the information ﬂow analysis by guiding the transitive closure
through the removal of spurious control ﬂows.
4.1 Local dependencies in CoreVHDL
The Information Flow analysis is performed in two steps. First we identify the
ﬂow of information to a variable or signal locally at each assignment; this is
speciﬁed in this section. However instead of performing a transitive closure of
this information, as speciﬁed by Kemmerer [Kem82], we base our correctness
result on the transitively closed security policies and the matching property,
transitive History-based Release.
The result of the Information Flow analysis is given in the form of a directed
graph. The graph has a node for each variable or signal used in the program,
and an edge from the node n1 to the node n2 if information might ﬂow from n1
to n2 in the program.
The analysis is based on an understanding of which statements cause information
to ﬂow between signals. It is clear that an assignment of a variable to another
variable will cause a ﬂow of information. As an example,
a := b
causes a ﬂow of information from b to a. We also need to consider implicit ﬂows
due to conditional statements. As an example,
if c then a := b else null
has an implicit ﬂow from c to a because an observer could use the resulting value
of a to gain information about the value of c. Observe that the presented security
4.1 Local dependencies in CoreVHDL 51
properties does not capture information leaking through covert channels. Thus
we here ignore issues regarding e.g. termination and timing of the statements.
These issues will be discussed in detail in Chapter 5.
In the presented analyses we are going to use a labelling scheme. The labelling
scheme is deﬁned so that each block has a label which is initially unique for the
program. During execution the labels might not be unique within the processes,
but the same label is not found in two diﬀerent processes. Hence, we shall
sometimes implicitly use that to each label (l ∈ Lab) there is a unique process
identiﬁer (i ∈ Id) in which it occurs. In fact we shall freely use labels instead
of process identiﬁers. The syntax of statements with labelled blocks
ss ::= [null]l | ss1; ss2 | if [e]l then ss1 else ss2
| [x := e]l | [s <= e]l | [wait on S until e]l
Often we will annotate the evaluation with the structural operational semantics
of a statement by the label of the block that has been evaluated. Hence we write
〈ss, σ, ϕ〉 l⇒ 〈ss′, σ′, ϕ′〉
when the block labelled l is evaluated.
Analysing a CoreVHDL program is done by checking that neither explicit nor
implicit ﬂow are present. In this fashion we must consider all the statements of
CoreVHDL and determine how information might ﬂow. For a CoreVHDL
program we deﬁne a set of structural rules that deﬁne the set of dependencies
between local variables and signals. The analysis is deﬁned using judgements of
the form
B  ss : RM
where B ⊆ (Var∪Sig), ss ∈ Stmt andRM ⊆ ((Var∪Sig)×Lab×{M0,M1, R0,
R1}). Here ss is the statement analysed under the assumption that it is only
reachable when values of variables and signals in B have certain values. The
result is the set RM containing entries (n, l,Mj) if the variable or signal n might
be modiﬁed at label l in ss; we use M0 for variables and present values of signals
and M1 for active values of signals. Similarly, RM contains entries (n, l, Rj) if
the variable or signal n might be read at label l in ss; we use R0 for variables
and present values of signals and R1 for the synchronisation of active values of
signals.
The local dependency analysis of the ﬂow between variables and signals is speci-
ﬁed in Table 4.1 and is explained below. Assignments to variables result in local
52 Information Flow Analysis
[Local Variable Assignment] :
B  [x := e]l : {(x, l,M0)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪B}
[Signal Assignment] :
B  [s <= e]l : {(s, l,M1)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪B}
[Skip] :
B  [null]l : ∅
[Composition] :
B  ss1 : RM1 B  ss2 : RM2
B  ss1; ss2 : RM1 ∪RM2
[Conditional] :
B′  ss1 : RM1 B′  ss2 : RM2
B  if [e]l then ss1 else ss2 : RM1 ∪RM2
where B′ = B ∪ FV (e) ∪ FS(e)
[Synchronization] :
B  [wait on S until e]l : {(s, l, R1) | s ∈ FS(ssi)}∪
{(n, l, R0) | n ∈ B ∪ S ∪ FV (e) ∪ FS(e)}
where ssi is the body of process i in which l resides
Table 4.1: Structural rules for constructing a Resource Matrix for the process
i : process decli begin ssi; end process i
dependencies, there are no other statements that causes information to ﬂow into
variables.
Observe that for the active signals in a program information can only ﬂow to the
signal through signal assignment. Hence only the signal assignment contributes
dependencies to the resulting set. Notice that the information ﬂowing to active
signals (M1) might come from both local variables and the present value of
signals, but never from the active value of signals.
The variables and signals used in the evaluation of conditions within if state-
ments are collected in the block-set B as they might implicitly ﬂow into assigned
variables or signals in the branches. This is taken care of in rule [Conditional].
Again notice that this rule does not handle timing channels that might occur,
timing channels will be discussed in Chapter 6.
The synchronisation statement (i.e. wait) causes information about the active
signals to ﬂow to the present value of the same signals. Hence we will update
4.2 Soundness 53
(writing R1) all signals present in the process considered.
4.2 Soundness
Before showing that the analysis provides the necessary static guarantee for the
security properties presented in Chapter 3 the typical soundness result of subject
reduction [NNH99] is shown. This result give some insight in the technical details
of semantical soundness for CoreVHDL as well as serving as a sanity check on
the speciﬁcation of the type system. When stating a subject reduction result it
is imperative to determine a relation between typing environments before and
after a semantical evaluation of a considered speciﬁcation. In this matter the
issues of the block component B for tracking implicit ﬂows in the static analysis
is seen to be neither covariant nor contravariant. This is seen by observing that
when analysing a conditional statement the block component is extended with
the variables and signals branched on. However, when leaving a branch the
block components is reduced accordingly. To overcome this issue the semantics
is instrumented with a similar component for tracking the branching context.
The instrumented semantics is deﬁned on conﬁgurations of the form
B  〈ssB, σ, ϕ〉 ∈ (V ar ∪ Sig)× StmtB × State× Signals
where StmtB is an extension of the syntactical category for statements including
the special construct [B]ssB that impose a lexically scoped block component on
the statement ssB. The Stmt′ category is extended in the same manner to
StmtB ′.
The instrumented semantics for CoreVHDL is presented in Table 4.2 where
we include the locality labels and the context in the notation of the statements.
The instrumented semantics introduce two new rules, [Branch] for evaluating
statements within a context. Notice that the instrumented semantics is limited
to evaluate speciﬁcations that do not contain wait statements nested within
conditionals.
Observe that the block component in the instrumented semantics collect precise
information, opposite to the block component in the type system. Furthermore
the block component has no inﬂuence on the evaluation of the statement.
Lemma 4.1 If ss = ssBB and ss′ = ssB ′B then
〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉 iﬀ. B  〈ssB, σ, ϕ〉 ⇒ 〈ssB ′, σ′, ϕ′〉
54 Information Flow Analysis
[Local Variable Assignment] :
B  〈[x := e]l, σ, ϕ〉 ⇒ 〈final, σ[x → v], ϕ〉 where E [[e]]〈σ, ϕ〉 = v
[Signal Assignment] :
B  〈[s <= e]l, σ, ϕ〉 ⇒ 〈final, σ, 1[s][v →〉] where E [[e]]〈σ, ϕ〉 = v
[Skip] :
B  〈[null]l, σ, ϕ〉 ⇒ 〈final, σ, ϕ〉
[Composition] :
B  〈ssB1 , σ, ϕ〉 ⇒ 〈ssB1 ′, σ′, ϕ′〉
B  〈ssB1 ; ssB2 , σ, ϕ〉 ⇒ 〈ssB1 ′; ssB2 , σ′, ϕ′〉
where ssB1
′ ∈ StmtB
B  〈ssB1 , σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
B  〈ssB1 ; ssB2 , σ, ϕ〉 ⇒ 〈ssB2 , σ′, ϕ′〉
[Conditional] :
B  〈if [e]l then ssB1 else ssB2 , ϕ〉 ⇒ 〈[FV (e) ∪ FS(e)]ssB1 , σ, ϕ〉
if E [[e]]〈σ, ϕ〉 = ’1’
B  〈if [e]l then ssB1 else ssB2 , ϕ〉 ⇒ 〈[FV (e) ∪ FS(e)]ssB2 , σ, ϕ〉
if E [[e]]〈σ, ϕ〉 = ’0’
[Branch] :
B ∪ B˜  〈ssB, σ, ϕ〉 ⇒ 〈ssB ′, σ′, ϕ′〉
B  〈[B˜]ssB, σ, ϕ〉 ⇒ 〈[B˜]ssB ′, σ′, ϕ′〉
B ∪ B˜  〈ssB, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
B  〈[B˜]ssB, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
Table 4.2: Statements
The function ·B removes locally scoped block components.
Proof. The proof proceeds by a two way induction in the shape of the derivation
tree and follows by simply inspecting the semantical rules and applying the
induction hypothesis. 
To handle the new syntactical construct introduced above we add the following
4.2 Soundness 55
two rules to the Local Dependencies Analysis for CoreVHDL
B  final : ∅ B ∪ B˜  ss
B : RM
B  [B˜]ssB : RM
The instrumented semantics allows us to keep the block component invariant
during evaluation of speciﬁcations. Therefore we are now ready to show the
subject reduction result.
Lemma 4.2 For every statement ssB of CoreVHDL, where the Semantics
changes the state in one step as B  〈ssB, σ, ϕ〉 ⇒ 〈ssB ′, σ′, ϕ′〉, we have
B  ssB : RM ⇒
⎧⎪⎪⎨
⎪⎪⎩
∃B′ : ∃RM ′ :
B′  ssB ′ : RM ′
∧ RM ′ ⊆ RM
∧ B′ = B
Proof. The proof proceeds by induction on the shape of the derivation tree for
the Local Dependencies analysis on statement ssB.
Case [x := e]l: For assignment the Semantics evaluate the statement as
B  〈[x := e]l, σ, ϕ〉 ⇒ 〈final, σ[x → v], ϕ〉 where E [[e]]〈σ, ϕ〉 = v
and the Local Dependencies analysis gives
B  [x := e]l : RM
where RM = {(x, l,M0)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪ B} according to
Table 4.1. Now choose B = B′. Then applying the analysis to the statement
after evaluating one step of the Semantics
B′  final : RM ′ = ∅
Now it follows
RM ′ ⊆ RM
56 Information Flow Analysis
Case [s <= e]l: Straightforward as above.
Case [null]l: Evaluating a null statement in the Semantics gives
B  〈[null]l, σ, ϕ〉 ⇒ 〈final, σ, ϕ〉
and the result of the analysis is
B  [null]l : RM
where RM = ∅. Again we choose B = B′, for which applying the analysis gives
B′  final : RM ′ = ∅
From which it follows that
RM ′ ⊆ RM
Case ssB1 ; ss
B
2 : There are two possibilities for the Semantics, we consider them
separately. First we consider the case where ssB1 is not evaluated in a single step
B  〈ssB1 , σ, ϕ〉 ⇒ 〈ssB1 ′, σ′, ϕ′〉
B  〈ssB1 ; ssB2 , σ, ϕ〉 ⇒ 〈ssB1 ′; ssB2 , σ′, ϕ′〉
where ssB1
′ ∈ StmtB
So the result of the analysis when applied to the original statement
B  ssB1 : RM1 B  ssB2 : RM2
B  ssB1 ; ssB2 : RM1 ∪RM2
we apply the induction hypothesis on B  〈ssB1 , σ, ϕ〉 ⇒ 〈ssB1 ′, σ′, ϕ′〉 which
gives
4.2 Soundness 57
B  ssB1 : RM1 ⇒
⎧⎪⎪⎨
⎪⎪⎩
∃B′1 : ∃RM ′1 :
B′1  ssB1 ′ : RM ′1
∧ RM ′1 ⊆ RM1
∧ B′1 = B
Now choose B′ = B′1. The result of applying the analysis after evaluating one
step of the Semantics is
B′  ssB1 ′ : RM ′1 B′  ssB2 : RM2
B′  ssB1 ′; ssB2 : RM ′1 ∪RM2
and it follows
RM ′1 ∪RM2 ⊆ RM1 ∪RM2
Secondly we consider the case where ssB1 is completely evaluated in a single step
B  〈ssB1 , σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
B  〈ssB1 ; ssB2 , σ, ϕ〉 ⇒ 〈ssB2 , σ′, ϕ′〉
and for the original statement the analysis gives
B  ssB1 : RM1 B  ssB2 : RM2
B  ssB1 ; ssB2 : RM1 ∪RM2
Choose B = B′. Then applying the analysis gives
B′  ssB2 : RM ′
where RM ′ = RM2. Therefore it follows
RM ′ ⊆ RM1 ∪RM2
58 Information Flow Analysis
Case if [e]l then ssB1 else ssB2 : For a given σ and ϕ we consider the cases
where e evaluates to ’1’ and ’0’.
If E [[e]]〈σ, ϕ〉 = ’1’: One step of the Semantics give
B  〈if e then ssB1 else ssB2 , σ, ϕ〉 ⇒ 〈[FV (e) ∪ FS(e)]ssB1 , σ, ϕ〉
Applying the analysis gives
B′′  ssB1 : RM1 B′′  ssB2 : RM2
B  if [e]l then ssB1 else ssB2 : RM1 ∪RM2
where B′′ = B ∪ FV (e) ∪ FS(e). We choose B′ = B and apply the analysis
B′ ∪ FV (e) ∪ FS(e)  ssB1 : RM ′
B′  [FV (e) ∪ FS(e)]ssB1 : RM ′
where RM ′ = RM1, it follows that
RM ′ ⊆ RM1 ∪RM2
If E [[e]]〈σ, ϕ〉 = ’0’: One step of the Semantics give
B  〈if e then ssB1 else ssB2 , σ, ϕ〉 ⇒ 〈ssB2 , σ, ϕ〉
Applying the analysis gives
B′′  ssB1 : RM1 B′′  ssB2 : RM2
B  if [e]l then ssB1 else ssB2 : RM1 ∪RM2
where B′′ = B ∪ FV (e) ∪ FS(e). We choose B′ = B and apply the analysis
4.2 Soundness 59
B′ ∪ FV (e) ∪ FS(e)  ssB2 : RM ′
B′  [FV (e) ∪ FS(e)]ssB2 : RM ′
where RM ′ = RM2 therefore
RM ′ ⊆ RM1 ∪RM2
Case [B˜]ssB: There are two cases for evaluating the statement in the Seman-
tics. First assume that the Semantics give
B ∪ B˜  〈ssB, σ, ϕ〉 ⇒ 〈ssB ′, σ′, ϕ′〉
B  〈[B˜]ssB, σ, ϕ〉 ⇒ 〈[B˜]ssB ′, σ′, ϕ′〉
applying the analysis on the statement before taking one step in the Semantics
gives us
B ∪ B˜  ssB : RM
B  [B˜]ssB : RM
now we choose B′ = B, then applying the analysis on the statement after the
step in the Semantics gives us
B′ ∪ B˜  ssB ′ : RM ′
B′  [B˜]ssB ′ : RM ′
if we apply the Induction Hypothesis on B ∪ B˜  〈ssB, σ, ϕ〉 ⇒ 〈ssB ′, σ′, ϕ′〉 we
get
B ∪ B˜  ssB : RM ⇒
⎧⎪⎪⎨
⎪⎪⎩
∃B′′ : ∃RM ′ :
B′′  ssB ′ : RM ′
∧ RM ′ ⊆ RM
∧ B′′ = B ∪ B˜
and therefore
60 Information Flow Analysis
RM ′ ⊆ RM
Now assume that the Semantics give
B ∪ B˜  〈ssB , σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
B  〈[B˜]ssB, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
applying the analysis on the statement before taking one step in the Semantics
gives us
B ∪ B˜  ssB : RM
B  [B˜]ssB : RM
no we choose B′ = B, then applying the analysis on the statement after the
step in the Semantics gives us
B′  final : ∅
clearly
∅ ⊆ RM
This proves the Lemma. 
Similarly we wish to prove the following Lemma for the correctness ofCoreVHDL
programs.
Lemma 4.3 For every set of concurrent statements css of CoreVHDL, where
the Semantics changes the state in one step as ‖i∈I 〈ssBi , σi, ϕi〉 =⇒‖i∈I 〈ssBi ′, σ′i, ϕ′i〉,
we have
Bi  ssBi : RMi ⇒
⎧⎪⎪⎨
⎪⎪⎩
∃B′1, . . . , B′n : ∃RM ′1, . . . , RM ′n :
B′i  ssBi ′ : RM ′i
∧ RM ′i ⊆ RMi
∧ B′i = Bi
Proof. The proof proceeds by inspection of the two cases in the Semantics of
Concurrent statements.
4.2 Soundness 61
Case Handle non-waiting processes (H): If none of the processes are
waiting the Semantics evaluates one step as
∅  〈ssBj , σj , ϕj〉 ⇒ 〈ssBj ′, σ′j , ϕ′j〉
‖i∈I∪{j} 〈ssBi ; cssi, σi, ϕi〉 =⇒‖i∈I∪{j} 〈ssBi ′; cssi, σ′i, ϕ′i〉
where ssBi
′ = ssBi , σ
′
i = σi and ϕ
′
i = ϕi for all i = j. For the jth statement the
result follows from Lemma 4.2. For the ith statement, i.e. i = j, ssBi = ssBi ′, so
assume
Bi  ssBi : RMi
now choose B′i = Bi, then the analysis of ss
B
i
′ gives
B′i  ssBi ′ : RM ′i
it follows that RM ′i ⊆ RMi.
Case Active signals (A): If all processes are waiting the Semantics considers
the active signals
‖i∈I 〈wait on Si until ei; ssBi , σi, ϕi〉 =⇒‖i∈I 〈ssBi ′, σi, ϕ′i〉
where ssBi
′ is deﬁned depending on
ssBi
′ =
⎧⎪⎪⎨
⎪⎪⎩
ssBi if
((∃s ∈ Si. ϕi s 0 = ϕ′i s 0)∧
E [[ei]]〈σ′i, ϕ′i〉 =′ 1′)
wait on Si until bi; ssBi otherwise
We consider the two cases in turn.
62 Information Flow Analysis
If ((∃s ∈ Si. ϕi s 0 = ϕ′i s 0) ∧ E [[ei]]〈σ′i, ϕ′i〉 =′ 1′): The Semantics continues
execution, i.e. ssBi
′ = ssBi . Assume that the analyses of the process before
evaluating the wait statement is
Bi  [wait on S until e]l : RMi1 Bi  ssBi : RMi2
Bi  [wait on S until e]l; ssBi : RMi1 ∪RMi2
where RMi1 = {(s, l, R1) | s ∈ FS(ssBi ′′)}∪{(n, l, R0) | n ∈ B∪FV (e)∪FS(e)}
and ssBi
′′ is the body of process i in which l resides. Choose B′i = Bi then
B′i  ssBi : RM ′i
where RM ′i = RMi2. Now it follows
RM ′i ⊆ RMi1 ∪RMi2
Otherwise: Trivial as ssBi
′ = wait on Si until ei; ssBi .
Case Processes (P): Holds vacuously. 
4.3 History-based Release
The main result in this chapter is to show that the developed information ﬂow
analysis provides static guarantees for the security property History-based Re-
lease for a considered Locality-based security policy. In the formal results we
make the assumption that the security policies are transitively closed. This re-
striction and how to lift it will be discussed in detail in Chapter 5. Hence we
aim to show that analysing a program with the above presented analysis result
in a static guarantee that match the transitive History-based release property
presented in Section 3.3. Thus it follows from Lemma 3.18 that for a transitively
closed security policy the analysis guarantee History-based Release.
First we state when the result of the Information Flow Analysis of a program is
secure wrt. a security policy. We need to do this because the analysis will not
4.3 History-based Release 63
reject insecure programs (as it is often done by other information ﬂow analyses,
e.g. [VSI96, SM03a]), instead we choose to analyse the ﬂow of information in
a program, and afterwards compare the result with the security policy. This is
merely a technicality as the related analyses could most often be modiﬁed to
infer the security types.
Deﬁnition 4.4 (Secure Analysis Result) A CoreVHDL program ‖i∈I ssi has
a secure analysis result wrt. to a security policy (V, λ) if the result of the
Information Flow analysis RMlo satisﬁes
∀n, n′, l, i : {(n, l,Mi), (n′, l, R0)} ⊆ RMlo ⇒ l ≤∆ λ(n′ , n )
and
∀n, n′, l : {(n, l, R1), (n′, l, R0)} ⊆ RMlo ⇒ l ≤∆ λ(n′ , n )
When verifying a program we sometimes need to consider conditionals that de-
pend on variables and signals which are not observable to an attacker, in this
case it is imperative that branches do not give away information about the
result of evaluating the condition, thus resulting in an implicit ﬂow of informa-
tion. Therefore we consider the class of statements that have the property of
never modifying the observable part of the states. We shall classify this class of
statements as being operationally unobservable.
Deﬁnition 4.5 (Operationally unobservable statement) A statement ss is said
to be operationally unobservable for an observer V if
〈ss, σ, ϕ〉 ⇒∗ 〈ss′, σ′, ϕ′〉
implies
σ ∼V σ′ and ϕ ∼V ϕ′
Observe that this deﬁnition allows the statement to contain assignments to
observable variables and signals, as long as they are either never evaluated or
guaranteed to result in the same states (e.g. x := x).
In the resource matrix used when analysing a statement we can gain information
that allows us to determine whether the statement might modify the observable
part of the states. Hence we say that a statement is syntactically unobservable
when the resource matrix used by the analysis of the statement does not contain
any modiﬁcations (M0 or M1) of an observable variable or signal.
64 Information Flow Analysis
Deﬁnition 4.6 (Syntactically unobservable statement) A statement ss is said
to be syntactically unobservable for an observer V if
B  ss : RM
implies
{(n, l,Mi) | n ∈ V ∧ l ∈ Lab(ss) ∧ i ∈ {0, 1}} ∩RM = ∅
Now we can show that syntactically unobservable statements are also opera-
tionally unobservable. First we show that evaluating one step of the statement
is not observable.
Lemma 4.7 If a statement ss is syntactically unobservable for V then we have
〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
implies
σ ∼V σ′ and ϕ ∼V ϕ′
Proof. The proof proceeds by induction in the shape of the analysis.
Case [x := e]l: Analysing the statement gives
B  [x := e]l : RM
where RM = {(x, l,M0)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪B}. Applying the
semantics on the assignment gives
〈[x := e]l, σ, ϕ〉 ⇒ 〈final, σ[x → v], ϕ〉
where E [[e]]〈σ1, ϕ1〉 = v. Because the statement is syntactically unobservable it
follows from Deﬁnition 4.6 that x ∈ V . Hence we have that σ ∼V σ′ and ϕ ∼V ϕ′
holds vacuously.
Case [s <= e]l: Straightforward as above.
Case [null]l: Holds trivially.
4.3 History-based Release 65
Case ss; ss′′: The analysis of the statement gives
B  ss1 : RM1 B  ss2 : RM2
B  ss1; ss2 : RM1 ∪RM2
Now RM1 is a valid resource matrix for ss1. Hence from Deﬁnition 4.6 and by
observing that RM1 ⊆ RM1 ∪ RM2 we can conclude that ss1 is syntactically
unobservable for V . Now assume that applying the semantics on the statement
ss1 gives
〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
hence applying the induction hypothesis gives σ ∼V σ′ and ϕ ∼V ϕ′. We need
to consider two cases. First if ss1 = final we can apply the rule
〈ss1, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss2, σ′, ϕ′〉
and the case follows. Similar if ss1 = final we can apply the rule
〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′, ϕ′〉
which concludes the proof of this case.
Case if [e]l then ss1 else ss2: Holds trivially as evaluating one step in the
semantics does not modify the states. 
We can now show that evaluating any number of steps does not result in the
attacker gaining information.
Lemma 4.8 . If a statement ss is syntactically unobservable for V then it is
also operationally unobservable for V .
Proof. The Lemma follows from the transitive reﬂexive closure of Lemma 4.7.

To show the main result we can build a symmetric relation between statements.
The binary relation is deﬁned such that two statement when evaluated will
66 Information Flow Analysis
modify the same observable variables and signals. The relation is called TG,V ,
and state that two statements can either be equal or have preﬁxes that are
syntactically unobservable.
Deﬁnition 4.9 (TG,V) Deﬁne TG,V as a relation on statement where we have
that ss1 TG,V ss2 if one of the following holds
• ss1 = ss2, or
• ss1 = ss1; ss′1 and ss2 = ss2; ss′2 where ss1 and ss2 are operationally
unobservable for V and ss′1 TG,V ss′2, or
• ss1 and ss2 are operationally unobservable for V .
Now we are ready to show that two statements, which are related by TG,V and
are secure by Deﬁnition 4.4, will also be related during each step of computation.
Lemma 4.10 If two CoreVHDL statements ss1 and ss2 are secure wrt. G
and V , when analysed in context B and we have that
〈ss1, σ1, ϕ1〉 l⇒ 〈ss′1, σ′1, ϕ′1〉 ∧
ss1 TG,V ss2 ∧
σ1 ∼∇(V,G,l) σ2 ∧
ϕ1 ∼∇(V,G,l) ϕ2
then there exists ss′2, σ′2 and ϕ′2 such that
〈ss2, σ2, ϕ2〉 l
′⇒ 〈ss′2, σ′2, ϕ′2〉 ∧
ss′1 TG,V ss′2 ∧
σ′1 ∼V σ′2 ∧
ϕ′1 ∼V ϕ′2
Proof. We need to consider each of the cases following from the clauses of De-
ﬁnition 4.9. First consider the case where ss1 = ss1; ss and ss1 is operationally
unobservable for V . Assume that semantics evaluate ss1 as
〈ss1, σ1, ϕ1〉 ⇒ 〈final, σ′1, ϕ′1〉
Applying the semantical rule [Composition] gives us
〈ss1, σ1, ϕ1〉 ⇒ 〈final, σ′1, ϕ′1〉
〈ss1; ss, σ1, ϕ1〉 ⇒ 〈ss, σ′1, ϕ′1〉
4.3 History-based Release 67
We know from Deﬁnition 4.9 that ss2 = ss2; ss, Now choose the evaluation
sequence
〈ss2, σ2, ϕ2〉 ⇒k 〈final, σ′2, ϕ′2〉
and from Lemma 2.1 we get that
〈ss2; ss, σ2, ϕ2〉 ⇒k 〈ss, σ′2, ϕ′2〉
and the result follows from Deﬁnition 4.5.
Now, assume that the semantics did not evaluate ss1 completely in one step
then we choose not to evaluate ss2. Hence Deﬁnition 4.5 and observing that the
relation between the resulting statements are preserved gives the result.
If ss1 is operationally unobservable for V , we execute one step as
〈ss1, σ1, ϕ1〉 ⇒ 〈ss′1, σ′1, ϕ′1〉
now if ss′1 = final then we evaluate ss2 completely and the result follows from
Deﬁnition 4.5, otherwise we do not apply the semantics on ss2 and the result
follows.
Finally we need to show the result when ss1 = ss2. The proof proceeds by
induction in the shape of the derivation tree for the Structural Operational
Semantics on the statement ss1.
Case [x := e]l: There are two subcases. First if x ∈ V , we have that the
semantics evaluate one step as
〈[x := e]l, σ1, ϕ1〉 ⇒ 〈[final, σ1[x → v], ϕ1〉
where E [[e]]〈σ1, ϕ1〉 = v. Applying the analysis gives us
B  [x := e]l : RM
where RM = {(x, l,M0)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪ B}. Because the
statement is secure and following from Deﬁnition 3.9 and Fact 1 we know that
E [[e]]〈σ1, ϕ1〉 = E [[e]]〈σ2, ϕ2〉
68 Information Flow Analysis
Therefore we get σ1 ∼V σ2, while ϕ1 ∼V ϕ2 and final TG,V final follows
vacuously.
If x ∈ V the case follow immediately by observing that evaluating one step in
the semantics on both ss1 and ss2 in respective states fulﬁls the requirement
directly.
Case [s <= e]l: Straightforward as above.
Case [null]l: Holds trivially.
Case ss; ss′′: Evaluating one step in the semantics results in two cases ﬁrst
assume that the evaluation has the form
〈ss, σ1, ϕ1〉 ⇒ 〈ss′1, σ′1, ϕ′1〉
〈ss; ss′′, σ1, ϕ1〉 ⇒ 〈ss′1; ss′′, σ′1, ϕ′1〉
Now it follows from applying the induction hypothesis that there exists ss′2, σ
′
2
and ϕ′2 such that
〈ss, σ2, ϕ2〉 ⇒∗ 〈ss′2, σ′2, ϕ′2〉 ∧
ss′1 TG,V ss′2 ∧
σ′1 ∼V σ′2 ∧
ϕ′1 ∼V σ′2
The case follows from observing that ss′1; ss
′′ TG,V ss′2; ss′′.
Now assume that the semantics evaluate one step as
〈ss, σ1, ϕ1〉 ⇒ 〈final, σ′1, ϕ′1〉
〈ss; ss′′, σ1, ϕ1〉 ⇒ 〈ss′′, σ′1, ϕ′1〉
Hence it follows from applying the induction hypothesis that there exists ss′2,
σ′2 and ϕ
′
2 such that
〈ss, σ2, ϕ2〉 ⇒∗ 〈ss′2, σ′2, ϕ′2〉 ∧
final TG,V ss′2 ∧
σ′1 ∼V σ′2 ∧
ϕ′1 ∼V σ′2
4.3 History-based Release 69
Deﬁnition 4.9 gives us that ss′2 = final or ss′2 is operationally unobservable for
V . In the second case we apply the semantics as
〈ss′2, σ′2, ϕ′2〉 ⇒∗ 〈final, σ′′2 , ϕ′′2 〉
Where we have that σ′2 ∼V σ′′2 and ϕ′2 ∼V ϕ′′2 . Now we know the ss′′ TG,V ss′′
and the case follows.
Case if [e]l then ss else ss′: We apply the semantics as
〈if [e]l then ss else ss′, σ1, ϕ1〉 ⇒ 〈ss′1, σ1, ϕ1〉
We need to consider two cases. First if
∀n : n ∈ FV (e) ∪ FS(e) ⇒ n ∈ ∇(V , G, l)
then we know that
E [[e]]〈σ1, ϕ1〉 = E [[e]]〈σ2, ϕ2〉
and hence we can choose to apply the semantics as
〈if [e]l then ss else ss′, σ2, ϕ2〉 ⇒ 〈ss′1, σ2, ϕ2〉
and the result follows immediately.
However, if
∃n : n ∈ FV (e) ∪ FS(e) ∧ n ∈ ∇(V , G, l)
we know from Deﬁnition 4.4 and Lemma 4.8 that ss and ss′ are operationally
unobservable for V and hence ss TG,V ss′ so no matter which branch we choose
by applying the semantics the result holds. 
Finally we can show the main result. To do so we lift the relation TG,V to
CoreVHDL programs.
Deﬁnition 4.11 (UG,V) Deﬁne UG,V as a relation on programs where we have
that ‖i∈I cssi1 UG,V ‖i∈I cssi2 if for all i ∈ I one of the following holds
70 Information Flow Analysis
• cssi1 = cssi2, or
• cssi1 = ss1; css′1i and cssi2 = ss2; css′i2 where ss1 TU,V ss2 and
css′i1 UU,V css′i2.
Now, when two programs are analysed and considered secure, and each state-
ment in the body of the processes can be related by UG,V , we have that the
statements and states resulting of evaluating one step by the semantical rela-
tion preserves the secrecy of unobservable information.
Theorem 4.12 If two CoreVHDL programs ‖i∈I cssi1 and ‖i∈I cssi2 are
secure wrt. G and V , when analysed in context B and we have that
‖i∈I 〈css′i1, σi1, ϕi1〉 i=⇒ ‖i∈I 〈cssi1′′, σ′i1, ϕ′i1〉 ∧
‖i∈I cssi1 UG,V ‖i∈I cssi2 ∧
σi1 ∼∇(V,G,l) σi2 ∧
ϕi1 ∼∇(V,G,l) ϕi2
then there exists ss′i2, σ
′
i2 and ϕ
′
i2 such that
‖i∈I 〈css′i2, σi2, ϕi2〉 i
′
=⇒ ‖i∈I 〈cssi2′′, σ′i2, ϕ′i2〉 ∧
‖i∈I css′i1 UG,V ‖i∈I css′i2 ∧
σ′i1 ∼V σ′i2 ∧
ϕ′i1 ∼V ϕ′i2
Proof. The proof proceeds by induction in the shape of the derivation tree for
the Structural Operational Semantics on the concurrent statement cssi1.
Case Handle non-waiting processes (H): This case follows from Lemma
4.10.
Case Active signals (A): The states are modiﬁed by clearing the active val-
ues, while moving the active values to the present values. Finally the condition
on the synchronisation point (until e) must evaluate to the same because the
analysis result for the program is secure.
Case Processes (P): This case holds vacuously. 
4.4 Discussion 71
a
1
c
b
2
a
1
1·2 c
b
2
(a) (b)
Figure 4.1: Result of the Information Flow Analysis for programs (a) and (b).
A result of Theorem 4.12 is that UG,V is a bisimulation of satisfying Deﬁnition
3.15 for programs that can be analysed as secure. Furthermore UG,V can be
seen as satisfying Deﬁnition 3.10 for transitively closed security policies.
4.4 Discussion
In this chapter transitively closed security policies have been investigated. How-
ever, a security policy is given in the form of a directed graph. This graph will
in general be non-transitive. To illustrate this point consider the following pro-
grams:
(a): [c := b]1; [b := a]2 (b) : [b := a]1; [c := b]2
In program (a) there is a ﬂow from b to c and a ﬂow from a to b and therefore
the security policy shown in Figure 4.1(a) has an edge from node b to node
c and an edge from node a to node b. There is no ﬂow from a to c and
indeed there is no edge from a to c . In program (b) on the other hand there
is a ﬂow from a to c and the security policy shown in Figure 4.1(b) indeed has
an edge from a to c . Analysing the two program (a) and (b) result in the
same ﬂow graph (i.e. Figure 4.1(b)), hence not allowing us to verify program
(a) with respect to the security policy given in Figure 4.1(a). This is due to
the ﬂow insensitivity in the presented information ﬂow analysis. Keeping this
in mind we observe most investigations of information ﬂow analyses are ﬂow-
insensitive e.g. [Den76, VSI96, Mye99a] and many more, see [SM03a] for an
overview. In comparison the ﬂow-sensitivity approaches are far more limited in
numbers: [CHH02, AB04, HS06]. However all except for [AB04] rely on lattice-
based (and hence transitively closed) security policies. This seems surprising as
one can not express a transitively closed policy for program (a) without having
to transform the program. Therefore we will continue the investigation of the
information ﬂow analysis in the following chapter, and discuss a ﬂow sensitive
extension and the beneﬁt in expressing policies with it.
72 Information Flow Analysis
C h a p t e r 5
Reaching Definitions Analysis
Reviling a locust tree when pointing at a mulberry tree.
— Chinese proverb
The previous chapter presented an ﬂow insensitive analysis, that provided static
guarantees suﬃcient for verifying systems when their security policies were tran-
sitively closed. This approach follows the tradition of information ﬂow analy-
sis [VSI96, ML97, Mye99a, Mye99b, SS00, SS01, SM03a]. Yet, investigations
by Kemmerer [Kem82] have consider the information ﬂows found by these ap-
proaches to be only the ﬁrst step in the analysis of information ﬂow. Indeed
Kemmerer divides the analysis into two phases; ﬁrst the local dependencies are
identiﬁed, and second the global dependencies are calculated. In the previous
chapter we proved that the analysis of local dependencies are suﬃcient to verify
a program compliance with a transitively closed policy. Which match the results
for the earlier presented analyses, due to their lattice based policies. However for
our graph based policies this limitation seems to hinder the full expressiveness.
In fact, previous investigations have shown the need for control ﬂow sensitive
mechanisms in information ﬂow analyses [McH83]. Hence we aim to lift this
constraint by extending the analysis by a ﬂow sensitive component.
The approach taken will not be to modify the existing analysis, instead we
choose to develop an analysis tracking the data ﬂow in the program, and use it
to remove the unwanted edges introduced in the security policy by restricting it
to be transitively closed. The investigation will focus on the classical data ﬂow
analysis Reaching Deﬁnitions. In the following we will adapt a Reaching Deﬁn-
itions analysis to the setting of hardware descriptions. Some of the main issues
74 Reaching Definitions Analysis
concerning the synchronisation and timing in hardware speciﬁcations make this
to be a nontrivial task.
5.1 Analysing CoreVHDL
The main purpose of the Reaching Deﬁnitions analysis is to gather information
about which assignments may have been made and not overwritten, when the
execution reaches each point in the program.
The semantics divides signal states into two parts, namely the present value of a
signal and the active value of a signal. Following this the analysis is divided into
two parts as well, one for the active value of a signal and one for local variables
and the present value of a signal. The two parts are connected since the active
values of a signal inﬂuence the present value of the signal after the following
synchronisation. Therefore we will ﬁrst deﬁne the analysis of active signals in
Section 5.1.2, and then, that of the local variables and present values of signals
in Section 5.1.3.
The analysis for active signals is concerned only with a single process, and thus
has no information about the other processes. It collects information about
which signals might be active in order to gather all the inﬂuences on the present
value; this information is gathered for the process i by an over-approximation
analysis of the active signals RD∪ iϕ . It also collects information about which
signals must be active so that the overwritten signals can be removed from
the analysis result; this information is gathered for the process i by an under-
approximation analysis of the active signals RD∩ iϕ .
The analysis of the local variables and present values of signals will be an over-
approximation. It is concerned with the entire program and thus collects infor-
mation for all processes at the same time.
5.1.1 Common analysis domains
The analyses use a labelling scheme, a block deﬁnition and a ﬂow relation,
similar to the ones described in [NNH99], the only diﬀerence being the wait
statements which are given labels and treated as blocks. For each process i in
a program
‖i∈I i : process decli; begin ssi; end process i
5.1 Analysing CoreVHDL 75
the set of blocks is denoted blocks(ssi) and the ﬂow relation is denoted flow(ssi).
Similarly we use init(ssi) to denote the label of the initial block when executing
the process i.
Data ﬂow analyses are deﬁned by pairs of functions that map labels to the
appropriate sets; one function in each pair speciﬁes information that is true
on the entry to block, the second speciﬁes information that is true at the exit.
To aid us in deﬁning these functions we will ﬁrst deﬁne a number of simple
operations on programs and labels. These are all simple adaptations of the
operations speciﬁed in the classical data ﬂow analyses [NNH99].
First we deﬁne a operation that returns the initial label of a statement
init : Stmt→ Lab
init([x := e]l) = l
init([s <= e]l) = l
init([null]l) = l
init(ss1; ss2) = init(ss1)
init(if [e]l then ss1 else ss2) = l
init([wait on S until e]l) = l
We also need to deﬁne a operation which returns the set of ﬁnal labels in a
statement; contrary to the fact that a sequence of statements has an isolated
initial label, it may have multiple ﬁnal labels, this is due to the conditionals.
final : Stmt→ P(Lab)
final([x := e]l) = {l}
final([s <= e]l) = {l}
final([null]l) = {l}
final(ss1; ss2) = final(ss2)
final(if [e]l then ss1 else ss2) = final(ss1) ∪ final(ss2)
final([wait on S until e]l) = {l}
The Blocks in a program or statement is the labelled elements, e.g. [x := e]l] or
[e]l. Therefore to access the Blocks, i.e. the statements, tests or synchronisation
76 Reaching Definitions Analysis
points associated with a label, in a program we deﬁne the operation
blocks : Stmt → P(Blocks)
blocks([x := e]l) = {[x := e]l}
blocks([s <= e]l) = {[s <= e]l}
blocks([null]l) = {[null]l}
blocks(ss1; ss2) = blocks(ss1) ∪ blocks(ss2)
blocks(if [e]l then ss1 else ss2) = {[e]l} ∪ blocks(ss1) ∪ blocks(ss2)
blocks([wait on S until e]l) = {[wait on S until e]l}
Finally we deﬁne an operation on the ﬂow between labels in a statement
flow : Stmt→ P(Lab× Lab)
flow([x := e]l) = ∅
flow([s <= e]l) = ∅
flow([null]l) = ∅
flow(ss1; ss2) = flow(ss1) ∪ flow(ss2)
∪{(l, init(ss2)) | l ∈ final(ss1)}
flow(if [e]l then ss1 else ss2) = flow(ss1) ∪ flow(ss2)
∪{(l, init(ss1)), (l, init(ss2))}
flow([wait on S until e]l) = ∅
We deﬁne the cross ﬂow relation cf for a program as the set of all possible
synchronisations, i.e. cf is the Cartesian product of the set of labels of wait
statements in each process.
The analyses are presented in a simpliﬁed way, following the tradition of the
literature (see [NNH99]), where all programs considered are assumed to have
so-called isolated entries (meaning that the entry nodes cannot be reentered
once left). This is reasonable as each process in CoreVHDL can be considered
as a skip statement followed by a loop with an always true condition around
the statement deﬁning the process. We shall write FV (ss) for the set of free
variables of the statement ss and similarly FS(ss) for the set of free signals.
5.1.2 Analysis of active signals
The Reaching Deﬁnitions analysis takes the form of a Monotone Framework
as given in [NNH99]. It is a forward Data Flow analysis, with both an over-
5.1 Analysing CoreVHDL 77
(RD∪ iϕ ) and an under- (RD∩ iϕ ) approximation part; it operates over a complete
lattice P(Sig × Lab) where Sig is the set of signals and Lab is the set of
labels present in the program.
In both cases we shall introduce functions recording the required information at
the entry and at the exit of the program points. So for the over-approximation
we have
RD∪ iϕentry, RD
∪ i
ϕexit : Lab → P(Sig × Lab)
and similarly for the under-approximation
RD∩ iϕentry, RD
∩ i
ϕexit : Lab → P(Sig × Lab)
To deﬁne the analysis we deﬁne in Table 5.1 a function
killiRDϕ : Blocks → P(Sig × Lab)
which produces a set of pairs of signals and labels corresponding to the assign-
ments that are killed by the block. A signal assignment can be killed for two
reasons: Another block in the same process assigns a new value to the already
active signal, or a wait statement in the same process will synchronise all active
signals, and therefore kill all signal assignments.
In Table 5.1 we also deﬁne the function
geniRDϕ : Blocks → P(Sig × Lab)
that produces a set of pairs of signals and labels corresponding to the assign-
ments generated by the block.
The over-approximation part of the analysis is deﬁned in terms of the infor-
mation that may be available at the entry of the statement. Therefore the
over-approximation part considers a union of the information available at the
exit of all statements that have a ﬂow directly to the statement considered. In
terms of the scenario of Figure 5.1(a) we have:
RD∪ iϕentry(l) = RD
∪ i
ϕexit(l1) ∪RD∪ iϕexit(l2)
The under-approximation part of the analysis is deﬁned in terms of the infor-
mation that must be available at the entry of the statement. Therefore the
under-approximation part considers an intersection of the information available
78 Reaching Definitions Analysis
[...]l
[...]l1 [...]l2
RD∪ iϕexit(l2)
RD∪ iϕentry(l)
RD∪ iϕexit(l1)
[...]l
[...]l1 [...]l2
RD∩ iϕexit(l2)RD
∩ i
ϕexit(l1)
RD∩ iϕentry(l)
(a) (b)
Figure 5.1: Relation between RD∪ iϕentry(l) and RD
∪ i
ϕexit(l) (a), and RD
∩ i
ϕentry(l)
and RD∩ iϕexit(l) (b) for a process pi
at the exit of all statements that have a ﬂow directly to the statement considered.
In terms of the scenario of Figure 5.1(b) we have:
RD∩ iϕentry(l) = RD
∩ i
ϕexit(l1) ∩RD∩ iϕexit(l2)
The full details are presented in Table 5.1.
For the under-approximation analysis we deﬁne a special intersection operator;⋂˙∅ = ∅, and ⋂˙X = ⋂X for X = ∅, to guarantee that RD∩ iϕentry ⊆ RD∪ iϕentry,
will hold for the smallest solution to the equation systems.
5.1.3 Analysis of local variables and present values of sig-
nals
The Reaching Deﬁnitions analysis for the local variables corresponds to the
Reaching Deﬁnitions analysis given in [NNH99]. For the present value of signals
it will use the result of the Reaching Deﬁnitions analysis for active signals. The
idea is that if a signal has an active value when execution of the program arrives
at a synchronisation point, then the active value of the signal will become the
present value of the signal after the synchronisation.
The result of the Reaching Deﬁnitions analysis for active signals can be com-
puted before we perform the Reaching Deﬁnitions analysis for local variables
and signals. Hence the result can be considered a static set, and therefore the
Reaching Deﬁnitions analysis for local variables and signals remains an instance
of a Monotone Framework.
5.1 Analysing CoreVHDL 79
kill and gen functions for the process
i : process decli; begin ssi; end process i
killiRDϕ([s <= e]
l) = {(s, l′)|Bl′ assigns to s in process i}
killiRDϕ([wait on S until e]
l) = {(s, l′)|Bl′ assigns to s in process i}
killiRDϕ([. . . ]
l) = ∅ otherwise
geniRDϕ([s <= e]
l) = {(s, l)}
geniRDϕ([. . . ]
l) = ∅ otherwise
data ﬂow equations: RDϕ for the process
i : process decli; begin ssi; end process i
RD∪ iϕentry(l) =
{ ∅ if l = init(ssi)⋃{RD∪ iϕexit(l′)|(l′, l) ∈ flow(ssi)} otherwise
RD∪ iϕexit(l) = (RD
∪ i
ϕentry(l)\killiRDϕ(Bl)) ∪ geniRDϕ(Bl)
RD∩ iϕentry(l) =
{ ∅ if l = init(ssi)⋂˙{RD∩ iϕexit(l′)|(l′, l) ∈ flow(ssi)} otherwise
RD∩ iϕexit(l) = (RD
∩ i
ϕentry(l)\killiRDϕ(Bl)) ∪ geniRDϕ(Bl)
Table 5.1: Reaching Deﬁnitions Analysis for active signals; labels l are implicitly
assumed to occur in process i : process decli; begin ssi; end process i
The Reaching Deﬁnitions analysis for present values of signals operates over the
complete lattice P(Sig×Lab) and is a forward data ﬂow analysis. It yields an
over-approximation of the assignments that might have inﬂuenced the present
value of the signal. Its goal is to deﬁne two functions holding the information
at the entry and exit of a given label in the program:
RDcfentry, RD
cf
exit : Lab → P((V ar ∪ Sig)× Lab)
The Reaching Deﬁnitions analysis for local variables and signals is given in Table
5.2 and makes use of two auxiliary functions. One is
killcfRD : Blocks → P((V ar ∪ Sig)× Lab)
80 Reaching Definitions Analysis
kill and gen functions
killcfRD([x := e]
l) = {(x, ?)}∪
{(x, l′)|Bl′ assigns to x in process i}
killcfRD([wait on S until e]
l) =
⋂˙
(l1,...,ln)∈cf,s.t. li=l⋃n
j=1 fst(RD
∩ i
ϕentry(lj))× wS(ssi)
killcfRD([. . . ]
l) = ∅ otherwise
gencfRD([x := e]
l) = {(x, l)}
gencfRD([wait on S until e]
l) =
⋃
(l1,...,ln)∈cf,s.t. li=l⋃n
j=1 fst(RD
∪ i
ϕentry(lj))× {l}
gencfRD([. . . ]
l) = ∅ otherwise
data ﬂow equations: RD
RDcfentry(l) ={ {(x, ?) | x ∈ FV (ssi)} ∪ {(s, ?) | s ∈ FS(ssi)} if l = init(ssi)⋃{RDcfexit(l′)|(l′, l) ∈ flow(ssi)} otherwise
where B and i is uniquely given by Bl ∈ blocks(ssi)
RDcfexit(l) = RD
cf
entry(l)\killcfRD(Bl) ∪ gencfRD(Bl)
Table 5.2: Reaching Deﬁnitions Analysis for the local variables and
present value of signals, for all labels l in the program ‖i∈I i :
process decli; begin ssi; end process i.
that produces a set of pairs of variables or signals and labels corresponding to
assignments that are overwritten by the block. An assignment to a local variable
will overwrite all previous assignments on the execution path. A signal value can
only be overwritten by a wait statement where at least one of the synchronising
processes has an active value for the signal. To guarantee that an active value
for a signal is available, the under-approximation analysis (RD∩ iϕ ) described
above in Section 5.1.2 is used.
Since the active signal has to be present in all possible processes the considered
wait statement could synchronise with, an intersection over the set cf of cross
ﬂow information is needed.
5.2 Global dependencies 81
The other auxiliary function is
gencfRD : Blocks → P((V ar ∪ Sig)× Lab)
that produces a set of pairs of variables or signals, and labels corresponding to
the assignments generated by the block. Only assignments to local variables
generate deﬁnitions of a variable. Only wait statements are capable of changing
a signal’s value at present time. This means that in our analysis signals will get
their present value at wait statements in the processes. The result of the over-
approximation analysis (RD∪ iϕ ) contains all the signals that might be active and
thus deﬁnes the present value after the synchronisation. Therefore we perform
a union over all the signals that might be active in any process, that might be
synchronised with.
Finally, all signals are considered to have an initial value in CoreVHDL hence
a special label (?) is introduced to indicate that the initial value might be the
one deﬁning a signal at present time. The operator fst is deﬁned by fst(D) =
{s | (s, l) ∈ D} and extracts the ﬁrst components of pairs.
5.2 Global dependencies
Using the local dependencies deﬁned above we can construct a Resource Matrix
specifying for each point in the program which resources (i.e. a variable or sig-
nal) was modiﬁed and which resources were read meanwhile [McH95]. First we
apply the local dependency analysis on each process in the considered program
the result is collected in RMlo =
⋃
i RMi where ∅  ssi : RMi. Then we need
to compute the global dependencies; one way to do this is to take the transitive
closure of the local dependencies; this method is attributed to Kemmerer and
is described in [McH95] in case of traditional programming languages.
Let us evaluate the traditional method for constructing the Resource Matrix.
For this we consider the program (a) presented in Section 4.4. The result of
the transitive closure will correspond to the graph presented in Figure 4.1(b),
but not to the true behaviour of the program as depicted in the graph in Figure
4.1(a). This is due to the ﬂow-insensitivity of the transitive closure method:
The imprecision is a result of the method failing to consider information about
the ﬂow between labels in the programs.
82 Reaching Definitions Analysis
[RD for active signals]
(s, li, R1) ∈ RMlo (s, l) ∈ RD∪ iϕentry(li)
(s, l) ∈ RD†ϕ(li)
if ∃−→l ∈ cf : li occurs in −→l
[RD for present signals and local variables]
(n, l′, R0) ∈ RMlo (n, l) ∈ RDcfentry(l′)
(n, l) ∈ RD†(l′)
Table 5.3: Specialisation of RD∪ iϕentry and RD
cf
entry
[Initialisation]
(n, l, A) ∈ RMlo
(n, l, A, [[l]]) ∈ RMgl where A ∈ {R0, R1,M0,M1}
[Present values and local variables]
(n′, l, R0, δ′′) ∈ RMgl (n′, l′) ∈ RD†(l)
(n, l′, R0, δ′) ∈ RMgl δ′ · δ′′ ⊆ δ
(n, l, R0, δ) ∈ RMgl
[Synchronised values]
(s′, li) ∈ RD†(l) (s′, l′′) ∈ RD†ϕ(lj)
(s, l′′, R0, δ′) ∈ RMgl δ′ ⊆ δ
(s, l, R0, δ) ∈ RMgl
if ∃−→l ∈ cf : li and lj occur in −→l
Table 5.4: Transitive closure of Resource Matrix, based on RD† and RD†ϕ
5.2.1 Closure based on Reaching Definitions.
This motivates modifying the closure condition to make use of Reaching Deﬁ-
nitions information. Indeed the Reaching Deﬁnitions analysis speciﬁed in this
Chapter supplies us with the needed information to exclude some of the “spu-
rious ﬂows” when performing the transitive closure.
Before doing so we specialise in Table 5.3 the result of the Reaching Deﬁnitions
analysis to allow a better precision in the closure of the Resource Matrix. The
specialisation ensures that deﬁnitions are only considered to reach a labelled
construct if they are actually used in the labelled construct. This is done by
5.2 Global dependencies 83
c◦
c•
c
a
c
b b
a
(b)
a◦
a• b◦
b•
(a)
Figure 5.2: Result of the Information Flow Analysis for program (b).
considering the result of the local dependency analysis; notice the usage of the
cross ﬂow relation in rule [RD for active signals] which determines if the
signal might in fact be synchronised.
We can now update the speciﬁcation of the transitive closure using the result
of the Reaching Deﬁnitions analysis, as is done in Table 5.4. We specify a rule
for initialising the Global Resource Matrix [Initialisation]. Observe that we
add an extra element in the resource matrix. This element is a regular language
over execution traces (where we take the freedom of expressing them by their
program labels rather than process identiﬁers). The regular language deﬁne the
execution traces that might lead to a ﬂow of information.
The closure is done by rule [Present values and local variables] considering
the result of the Reaching Deﬁnitions analyses for the program. For the present
value of a signal and for local variables we consider each entry in the Resource
Matrix, if the present value of a variable or signal is read (R0) we can use the
information of the Reaching Deﬁnitions analysis to ﬁnd the label where the
variable or signal was deﬁned. Therefore we copy all the entries about variables
and signals read at this label in the Resource Matrix. This rule also handles the
case where information ﬂows from the variables and signals in a condition on a
synchronisation point.
The rule [Synchronised values] uses the result of the Reaching Deﬁnitions
analysis to determine which signals were read in the Resource Matrix and follow
them to their deﬁnition. When synchronising signals the matter is complicated
as the signal is deﬁned at a synchronisation point, therefore the rule needs to
consider all the information about signals ﬂowing into the synchronisation points
that might be synchronised with. Which synchronisation points the deﬁnition
point synchronises with is gathered in the cf predicate, hence we apply the
Reaching Deﬁnitions analysis for active signals on all the synchronisation points
and copy all the entries indicating variables and signals being read from the
84 Reaching Definitions Analysis
point the signal could be deﬁned.
5.2.2 Improvement of the Information Flow Analysis
For the example program (b) (i.e. [b := a]1; [c := b]2) we previously described
how the Information Flow Analysis would yield the result presented in Figure
5.2(a). In fact the resulting graph indicates that the resulting value of the
variable b can be read from the resulting value of the variable c, which is entirely
correct. However, the initial value of the variable b cannot be read from the
variable c; to see this consider a scenario where b initially contained a value,
this value would never ﬂow to c, as the ﬁrst assignment would overwrite the
variable.
The Information Flow Analysis based on the Reaching Deﬁnitions Analysis can
be improved to handle the initial and outgoing values of signals with greater
accuracy. The idea is to add a node to the graph for each incoming signal,
annotating the incoming node of a variable with a ◦, and for each outgoing
signal, annotating the outgoing node with a •. Using this scheme a more precise
result for program (b) can be constructed as shown in Figure 5.2(b), where we
consider the last statement to be outcoming and therefore update the Resource
Matrix in the same fashion as for wait statements.
The extension of the analysis is based on adding special variables and signals
for incoming and outgoing values. The rules for improving the information ﬂow
analysis are presented in Table 5.5 and explained below.
In a traditional sequential programming language the improvement could be
handled by adding assignments of the form x := x◦ for each variable read in
front of the program, and similarly adding assignments x• := x in the end for
handling the outgoing values. Having this in mind we introduce the rule [Initial
values] that uses the special symbol (?) from the Reaching Deﬁnitions analysis
to propagate the initial value of a variable or locally deﬁned signal.
CoreVHDL consists of processes running as inﬁnite loops in parallel with other
processes and under the inﬂuence of the environment. Therefore signals might
carry incoming values at any synchronisation point, similarly a process might
communicate values out of the system at any synchronisation point. We intro-
duce a new process π to illustrate how the incoming and outgoing signals are
handled. The process has the form
π : process begin [sin1 <= s◦1]; . . . [wait on Sπ]; [s•1 <= sout1 ]
ls•1 ; . . .
end process π
5.3 Analysing Advanced Encryption Standard 85
[Initial values]
(n, ?) ∈ RD†(l)
(n◦, l, R0, [[true]]) ∈ RMgl
[Incoming values]
(n, l′) ∈ RD†(l) l′ ∈ WS
(n◦, l, R0, [[true]]) ∈ RMgl
[Outgoing values]
n ∈ Sigout
(n•, ln• ,M1, [[true]]) ∈ RMgl
[Outcoming values]
l ∈ WS (n, l′) ∈ RD†ϕ(l) (n′, l′, R0, δ′) ∈ RMgl δ′ ⊆ δ
(n′, ln• , R0, δ) ∈ RMgl
Table 5.5: Rules for the improved Information Flow Analysis
where sin1 , s
in
2 , . . . are the incoming signals, s
out
1 , s
out
2 , . . . are the outgoing signals
and Sπ is the set of all incoming and outgoing signals, as speciﬁed in the entity
declaration of the program.
The assignments prior to the synchronisation point in process π can be syn-
chronised into the system at each wait statement and this is handled by rule
[Incoming values] where WS =
⋃
i WS(ssi) are all the wait statements in the
program.
We add two rules for the outgoing values to the closure method. The ﬁrst rule
[Outgoing values] speciﬁes a special label for each signal (i.e. the label of the
assignment to n• in process π) used on the left-hand side in an assignment, at
which the signal is set to be modiﬁed in the Resource Matrix. The second rule
[Outcoming values] handles the right-hand side of the outgoing assignments
in process π by considering all active signals coming into a wait statement,
the values read when these active signals where modiﬁed are the signals that
inﬂuence the outgoing value. Sigout is the set of signals that are declared as
outgoing (i.e. with the keyword out in the entity declaration).
86 Reaching Definitions Analysis
a(1)(1)
a(3)(2)
a(1)(2)
a(1)(3)
a(1)(0)
a(2)(2)
a(2)(3)
a(2)(0)
a(2)(1)
a(3)(3)
a(3)(0)
a(3)(1)
(a)
a(3)(1)
a(3)(2)
a(3)(3)
a(3)(0)
a(2)(3)
a(2)(1)
a(2)(2)
a(2)(0)
a(1)(1)
a(1)(0)
a(1)(3)
a(1)(2)
(b)
Figure 5.3: Result of the Information Flow Analysis; by Kemmerer’s method
(a) and by the presented method (b).
5.3 Analysing Advanced Encryption Standard
For comparison between Kemmeres method and the one presented in this pa-
per we consider part of the NSA Advanced Encryption Standard test imple-
mentation of the 128 bit version of the encryption algorithm Rijndael (i.e.
rijndael pkg.vhdl) [WBRF00]. In particular we consider the part of the en-
cryption algorithm performing the shift of a state. It is implemented using a
number of temporary local variables. These are overwritten several times and
therefore Kemmeres method mixes all the values up as shown in ﬁgure 5.3(a).
Our implementation of the presented method computes the precise result as
shown in ﬁgure 5.3(b).
The NSA Advanced Encryption Standard test implementation use temporary
5.4 Discussion 87
local variables in many parts of the program, therefore the correct handling of
overwritten signals presented in our analysis is needed to analyse the implemen-
tation precise enough.
5.4 Discussion
Modern technical equipment often depends on the reliable performance of em-
bedded systems. The veriﬁcation of these systems have often relied on adapting
existing techniques developed for software in to the setting of hardware speci-
ﬁcations. The following three papers are some examples where static program
analyses have been adapted for hardware, Hsieh and Levitan use data ﬂow
analyses for semantical extraction [HL98], Clarke et al. adapt a program slicing
tool for veriﬁcation of VHDL descriptions [CFR+99], and Hymans present an
abstract interpretation for veriﬁcation of safety properties [Hym02].
The paper by Hsieh and Levitan [HL98] considers a similar fragment of VHDL
and is concerned with optimising the synthesis process by avoiding the genera-
tion of circuits needed to store values of signals. One component of the required
analyses is a Reaching Deﬁnitions analysis with a similar scope to ours although
speciﬁed in a rather diﬀerent manner. Comparing the precision of their approach
(to the extent actually explained in the paper) with the present one, it is clear
that the present analysis is more precise in that it allows also to kill signals be-
ing set in other processes than where they are used. Furthermore the presented
analysis is only correct for processes with one synchronisation point, because
deﬁnition sets are only inﬂuenced by deﬁnitions in other processes at the end
(or beginning) of a process. Therefore deﬁnitions are lost if they are present at
a synchronisation point within the process but overwritten before the end of the
process.
The paper by Clarke et al. [CFR+99] adapt the program slicing tool for ver-
iﬁcation of VHDL descriptions. The approach taken is mapping the language
constructs to constructs in a traditional programming language. This approach
allows the authors to consider an almost complete subset of the VHDL lan-
guage, and provides professional user interfaces on the developed tool. However
the mapping seems to disregard certain important aspects of the VHDL ex-
ecution model, ignoring e.g. the subtleties regarding the timing behaviour of
signals.
The paper by Hymans [Hym02] uses abstract interpretation to give an over-
approximation of the set of reachable conﬁgurations for a fragment of VHDL
not unlike ours. However there are some issues with the presented semantics
as mentioned in Section 2.5. The presented analyses suﬃces for checking safety
88 Reaching Definitions Analysis
properties: if the safety property is true on all states in the over-approximation
it will be true for all executions of the VHDL program. Hence when synthesising
the VHDL speciﬁcation one does not need to generate circuits for enforcing the
reference monitor (called an observer in [Hym02]).
The presented approach is based around adapting a Reaching Deﬁnitions analy-
sis (along the lines of [NNH99]) to the setting of CoreVHDL. A novel feature
of the analysis is that it has two components for tracking the ﬂow of values
of active signals: one is the traditional over-approximation whereas the other
is an under-approximation. Finally, a Reaching Deﬁnitions analysis tracks the
ﬂow of variables and present values of signals. This combination of analyses en-
ables us to deal with the special semantics found in VHDL and other hardware
description languages due to the underlying timing model of the synthesised
circuits.
The author is unaware of any other approach that using static analyses investi-
gate Kemmerer’s approach, including the method of identifying local and global
dependencies. Previous investigations have considered using theorem provers
for identifying information ﬂow and covert channels, see e.g. [McH95] for an
overview.
Furthermore extending the approach to include execution traces has not been
presented before. The constraints on execution traces found in the security
policy can be used in the closure condition. However, the constraints can be
automatically inferred using the textbook approach for transforming a ﬁnite au-
tomaton in to a regular expression. The approach, commonly referred to as the
Pigeon Hole Principle [HMU01], is applied to each set of nodes in the resource
matrix, and the resulting regular expression is the constraint on the resulting
edge between the two nodes. In a similar fashion the prototype implementation
of the system uses a textbook algorithm for determining the inclusion of con-
straints in the resource matrix and the related constraints used in the security
policy.
C h a p t e r 6
Timing Leaks
Defer no time, delays have dangerous ends
— William Shakespeare
A security issue closely related to information ﬂow and noninterference is sepa-
rability [Lam73], originally dating back before noninterference. Separability is a
very strong conﬁdentiality property, that deal not only with the information ﬂow
through overt channels but also with information ﬂow through covert channels.
A covert channel is a channel that in the systems speciﬁcation is meant included
for a given purpose but can be exploited to leak information contrary to the se-
curity policy for the system. Traditionally two kinds of covert channels were
identiﬁed; i.e. timing channels and storage channels. In this chapter we will
investigate the ﬁrst kind in the hardware setting. In cryptographic algorithms
these channels are often referred to as side channels. Side channels focus only
on how information ﬂow occur outside the semantical speciﬁcation of a system,
rather than covert channels that focus on the information ﬂows that occurs in
the semantical model as well. Since the ﬂows that occur in the semantical model
have already been investigated in the previous chapter, this investigation will
be focused on the side channels.
Practical implementations of embedded systems and synthesised circuits are
vulnerable to side channel attacks. Side channels are often introduced at time
of implementation, where information ﬂow is added that was not originally de-
scribed in the speciﬁcation of the system. A key component is the security
of the cryptographic algorithms often used in embedded systems. Much work
90 Timing Leaks
has been done to verify the security of such algorithms at speciﬁcation level.
However, Kocher [Koc96] showed that by observing physical aspects of imple-
mentations, like input-dependent diﬀerences in the execution time of a program,
one could determine information that was considered secure in the speciﬁcations
of cryptographic algorithms.
Several other side-channel attacks have been presented and shown to leak enough
information to break commonly used cryptographic algorithms: power consump-
tion [KJJ99], fault-based [KWMK01] and electro magnetic [QS01] channels.
Timing channels have gotten most attention as they have been shown to be
relevant in many practical settings, e.g. in smart cards [DKL+98].
This chapter presents a method for automatically verifying whether speciﬁca-
tions in CoreVHDL  contain timing leaks. We consider a subset of VHDL
allowing synthesizable synchronous speciﬁcations. Meaning that the speciﬁca-
tion will have a global synchronisation signal, or a clock signal. The subset is
similar to CoreVHDL except for the restriction on the synchronisation points.
This restriction is motivated by observing that most VHDL speciﬁcations are
of this kind, including our test speciﬁcation of the AES algorithm. We present
a structural operational semantics for the considered subset of VHDL in Sec-
tion 6.1. The semantics diﬀers from the previously presented semantics for
CoreVHDL by a novel component for recording timing delays.
The problem of eliminating timing leaks has already been addressed in the lit-
erature. Several informal methods and guidelines for implementing algorithms
without timing leaks have been presented, but here we focus on the ones pre-
senting an automatic method for identifying the timing leaks.
Volpano and Smith [VS99] adapt a notion of protected branches of conditionals
with atomic execution time. To do so, the programs considered are not allowed
to include loops in conditionals depending on secret values. This approach
guarantees the removal of timing channels leaking internally in the program;
however Volpano and Smith note that for an external observer timing leaks
might still occur.
Agat [Aga00] presents a method that transform programs so that both branches
of a conditional depending on secret values will have the same execution time.
This is based on a ﬁller-statement that has the same timing properties as the
corresponding statement, but that has no eﬀect on the state of the system.
The programs are transformed such that in each branch, the original branch
and a ﬁller-statement corresponding to the other branch is executed. Sabelfeld
and Sands [SS00, Sab01] extend the method for a concurrent language with
synchronisation points by running the statement and ﬁller-statement in parallel
6.1 CoreVHDL with Timing Behaviours 91
and synchronising them in the end.
Guaranteeing the absence of timing leaks in hardware introduces diﬀerent issues.
The diﬀerences between timing leaks in software and hardware systems are
discussed in Section 6.2 where we propose a security condition for the absence
of timing leaks in hardware speciﬁcations. In Section 6.3 we present a type
based static analysis, that computes the diﬀerent paths from input to output,
allowing us to determine the absence of timing leaks in a VHDL speciﬁcation.
In Section 6.5 we report on our experience from using the method on the Ad-
vanced Encryption Standard (AES).
6.1 CoreVHDL with Timing Behaviours
CoreVHDL  is a fragment of VHDL that concentrates on synthesizable spec-
iﬁcations only. Hence all processes synchronise on the global clock.
The syntax is similar to that of CoreVHDL where a program is speciﬁed by
an indexed family of processes or concurrent statements (css ∈ Css) running
in parallel; here the index i ∈ Id is a unique identiﬁer in a ﬁnite set of process
identiﬁers (I ⊆fin Id). Each process has a statement (ss ∈ Stmt) as body and
may use logical values (m ∈ LV al), local variables (x ∈ V ar) as well as signals
(s ∈ Sig). The main diﬀerence from CoreVHDL is that in CoreVHDL  all
synchronisation points are at the end of processes and synchronisation is with
respect to the clock edge (clk).
Observe that VHDL processes, although seeming sequential in their speciﬁca-
tion, are concurrent in their execution. Because of the delay from a signal
assignment to the new value taking eﬀect (i.e. the delta-cycle), one can in fact
freely exchange the order of execution of the signal assignments within a process,
as long as they are not dependent on variables assigned in the process. For sig-
nals the value to be used is held in memory cells, which are updated along with
the clock edge. Hence signal assignments are not dependent on the other signal
assignments in the process, but rather the signal assignments executed in the
previous cycle of the process.
The synthesising tools guarantee that processes will be ready for synchronisation
with the clock edge. In reality the clock frequency is determined by measuring
the worst case stabilising time of the electrical current through the gates syn-
thesised from the VHDL speciﬁcation. This worst case time can be measured
by tools like SPICE [Tui92], IRSIM [SH89] and VSIM [VSI93]. Since the future
92 Timing Leaks
css ∈ Css concurrent statements
css ::= i : process (clk) begin ss; end process i
| (css1 ‖ css2)
ss ∈ Stmt statements
ss ::= null | x := e | s <= e | ss1; ss2
| if e then ss1 else ss2 | [t]ss
e ∈ Exp expressions
e ::= m | x | s | not e | e1 and e2
| e1 or e2 | e1 xor e2
Table 6.1: The subset CoreVHDL  of VHDL.
values are stored in memory cells not accessible before the synchronisation we
can measure the delay from a value enters the system until a certain point by
counting the synchronisation points on its execution path.
The syntax of CoreVHDL  is given in Table 6.1 where we omit the structural
part of the syntax as it is the same as for CoreVHDL.
6.1.1 Semantics of CoreVHDL 
We adapt the approach used in Chapter 2 when deﬁning the structural opera-
tional semantics for CoreVHDL  where we add a notion of timing of signals
to the semantics; this will prove crucial for developing our analysis.
The main idea is to execute each process by itself until a synchronisation point
is reached. When all processes of the program have reached a synchronisation
point we perform the system-wide synchronisation, while taking care of the res-
olution of signals in case a signal has been assigned diﬀerent values by diﬀerent
processes.
Basic semantic domains. The syntax of speciﬁcations in CoreVHDL 
operate on a state of logical values:
v ∈ LV al = {’U’, ’X’, ’0’, ’1’, ’Z’, ’W’, ’L’, ’H’, ’-’}
We assume the existence of a function mapping logicals in the syntax to logical
6.1 CoreVHDL with Timing Behaviours 93
values in the semantics L : LV al → V alue.
One goal of the semantics is to capture the timing delays of the evaluated
systems, to do so we introduce a notion of time. Timing delays are speciﬁed
relative to incoming signals (in the set SigIN) and the time measured as delays
(in integers Z) they have ﬂowed through the system
t ∈ T ime = P(SigIN ×Z)
If a timing delay t includes the pair (s, z) then t indicates that there is a depen-
dency on the incoming signal s with a delay of |z| clock cycles (where z ≤ 1).
Constructed semantic domains. CoreVHDL  includes local variables
and signals. The values and the timing delays of the local variables are stored
in a local state. The local state is a mapping from variable names to logical
values and timing delays.
σ ∈ State = (V ar → V alue× T ime)
Signals are used for communication between processes and their values and
timing delays are stored in local states.
ϕ ∈ Store = (Sig → ({0, 1} ↪→ V alue× T ime))
The value assigned to a signal is available after the following synchronisation,
therefore we keep the present value and timing delay of a signal s in ϕ s 0.
In ϕ s 1 we store the assigned value and its timing delay, meaning that it is
available after a delta-cycle.
All signals have a present value, so ϕ s 0 is deﬁned for all s. Not all signals need
to be active meaning they have a new value waiting in the following delta-cycle,
thus ϕ s 1 need not be deﬁned; hence we use {0, 1} ↪→ V alue × T ime in the
deﬁnition of the signal state to indicate that it is a partial function.
The semantics handles expressions following the ideas of [NN92]. For expressions
E : Expr → (State× Signals→ V alue× T ime)
evaluates the expression. The function is deﬁned in Table 6.2. Note that for
signals we use the current value and timing delay of the signal, i.e. ϕ s 0.
94 Timing Leaks
E [[m]]〈σ, ϕ〉 = (L[[m]], ∅)
E [[x]]〈σ, ϕ〉 = σ x
E [[s]]〈σ, ϕ〉 = ϕ s 0
E [[not e]]〈σ, ϕ〉 = (not v, t) where E [[e]]〈σ, ϕ〉 = (v, t)
E [[e1 and e2]]〈σ, ϕ〉 = (v1 and v2, t1 ∪ t2) where E [[e1]]〈σ, ϕ〉 = (v1, t1)
and E [[e2]]〈σ, ϕ〉 = (v2, t2)
E [[e1 or e2]]〈σ, ϕ〉 = (v1 or v2, t1 ∪ t2) where E [[e1]]〈σ, ϕ〉 = (v1, t1)
and E [[e2]]〈σ, ϕ〉 = (v2, t2)
E [[e1 xor e2]]〈σ, ϕ〉 = (v1 xor v2, t1 ∪ t2) where E [[e1]]〈σ, ϕ〉 = (v1, t1)
and E [[e2]]〈σ, ϕ〉 = (v2, t2)
Table 6.2: Semantics of Expressions
6.1.2 Statements
The semantics of statements and concurrent statements is given as a structural
operational semantics. For statements we shall use conﬁgurations of the form
t  〈ss′, σ, ϕ〉 ∈ T ime× Stmt′ × State× Signals
Here Stmt′ refers to the statements from the syntactical category Stmt with
an additional statement (final) indicating that a ﬁnal conﬁguration has been
reached. Therefore the transition relation for statements has the form
t  〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
which speciﬁes one step of computation. Here t is the context that might in-
ﬂuence the timing delay of evaluated statements. The transition relation is
speciﬁed in Table 6.3 and brieﬂy commented upon below.
An assignment to a signal is deﬁned as an update to the value and timing
delay at the delta-time, i.e. ϕ s 1. We use the notation ϕ[i][s → (v, t)] to
mean ϕ[s → ϕ(s)[i → (v, t)]]. Conditionals inﬂuence the timing delay of signals
assigned in the branches, therefore we use [t] in front of a statement to indicate
that the execution of the statement depends on the timing delay t.
6.1.3 Concurrent Statements
The semantics for concurrent statements handles the concurrent processes and
their synchronisations of a CoreVHDL  program. The transition system for
6.1 CoreVHDL with Timing Behaviours 95
concurrent statements has conﬁgurations of the form
‖i∈I 〈css′i, σi, ϕi〉
for I ⊆fin Id and css′i ∈ {ss′; css | ss′ ∈ Stmt′ ∧ css ∈ Css} ∪ Css, σi ∈ State,
ϕi ∈ Signals for all i ∈ Id. Thus each process has a local variable and signal
state. The transition relation for concurrent statements has the form
‖i∈I 〈css′i, σi, ϕi〉 =⇒‖i∈I 〈cssi′′, σ′i, ϕ′i〉
which speciﬁes one step of computation. The transition relation is speciﬁed in
Table 6.4 and explained below.
As mentioned before we execute processes locally until they have all arrived
at a synchronisation point; this is reﬂected in the rule [Handle non-waiting
processes (H)]. The body of a process is executed in an empty timing context,
as the execution does not depend on the timing delay of any signal.
When all processes ﬁnish execution we perform a synchronisation covered by
the rule [Active signals (A)]. Applications of this rule indicate the coming
clock edge. This rule is explained in the sequel.
The delta-time values and timing delays of signals will be synchronised for all
processes and in order to do this we use a resolution function fs of the form:
fs : multiset(V alue× T ime)→ V alue× T ime
Thus fs combines the multi-set of values assigned to a signal and their timing
delays into one value and timing delay that then will be the new (unique) value
and timing delay of the signal. VHDL allow a resolution function to be spec-
iﬁed in a syntax much like that of a process. We assume that all signals (and
their timing delays) handled in resolution functions are in the argument of the
function
fs(Rs) = (v, t) ∧ t =
⋃
(v′,t′)∈Rs
t′
where Rs is the multi-set of values and timing delays used to perform the reso-
lution of the new present value for s. The resolution function is applied to the
active values of a signal, however if a signal is not active in a local signal state
of a process the present value is used instead. We introduce the function
U(ϕi, s) =
{
(v, t) if ϕi s 1 = (v, t)
(v, t) otherwise, ϕi s 0 = (v, t)
96 Timing Leaks
[Local Variable Assignment] :
t  〈x := e, σ, ϕ〉 ⇒ 〈final, σ[x → (v, t ∪ t′)], ϕ〉
where E [[e]]〈σ, ϕ〉 = (v, t′)
[Signal Assignment] :
t  〈s <= e, σ, ϕ〉 ⇒ 〈final, σ, ϕ[1][s → (v, t ∪ t′)]〉
where E [[e]]〈σ, ϕ〉 = (v, t′)
[Skip] :
t  〈null, σ, ϕ〉 ⇒ 〈final, σ, ϕ〉
[Composition] :
t  〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
t  〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′, ϕ′〉
where ss′1 ∈ Stmt
t  〈ss1, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
t  〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss2, σ′, ϕ′〉
[Conditional] :
t  〈if e then ss1 else ss2, σ, ϕ〉 ⇒ 〈[t′]ss1, σ, ϕ〉
if E [[e]]〈σ, ϕ〉 = (’1’, t′)
t  〈if e then ss1 else ss2, σ, ϕ〉 ⇒ 〈[t′]ss2, σ, ϕ〉
if E [[e]]〈σ, ϕ〉 = (’0’, t′)
[Branch] :
t ∪ t′  〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
t  〈[t′]ss, σ, ϕ〉 ⇒ 〈[t′]ss′, σ′, ϕ′〉
t ∪ t′  〈ss, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
t  〈[t′]ss, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
Table 6.3: Semantics of Statements
to determine whether the active value or the present value is used.
Incoming signals interact with the processes at synchronisation points. The
incoming values can be modelled as a signal state of the environment which has
the timing delay {(sin, 1)} for all active values of incoming signals sin because
after synchronisation we then obtain the desired timing delay {(sin, 0)} for the
incoming signals.
6.2 Absence of Timing Leaks 97
[Handle non-waiting processes (H)] :
∅  〈ssj , σj , ϕj〉 ⇒ 〈ss′j , σ′j , ϕ′j〉
‖i∈I∪{j} 〈ssi; cssi, σi, ϕi〉 =⇒‖i∈I∪{j} 〈ss′i; cssi, σ′i, ϕ′i〉
where ss′i = ssi ∧ σ′i = σi ∧ ϕ′i = ϕi for all i = j.
∅  〈ssj , σj , ϕj〉 ⇒ 〈final, σ′j , ϕ′j〉
‖i∈I∪{j} 〈ssi; cssi, σi, ϕi〉 =⇒‖i∈I∪{j} 〈css′i, σ′i, ϕ′i〉
where css′i = cssi for all i = j and css
′
i = ssi; cssi ∧ σ′i = σi ∧ ϕ′i = ϕi
for all i = j.
[Active signals (A)] :
‖i∈I 〈i : process (clk) begin ssi; end process i, σi, ϕi〉
=⇒‖i∈I 〈css′i, σi, ϕ′i〉
where
ϕ′i s 0 =
⎧⎨
⎩
fs{{(v, t−−) | U(ϕk, s) = (v, t) ∧ k ∈ I}}
if ∃j ∈ I. ϕj s 1 is deﬁned
(v, t−−) otherwise, ϕi s 0 = (v, t)
ϕ′i s 1 = undef
css′i = ssi; i : process (clk) begin ssi; end process i
Table 6.4: Semantics of Concurrent statements
Synchronisation of signals will modify the time-line in the signal states, therefore
we need to change the timing delays accordingly. Thus if a timing delay includes
(s, z) at the time of synchronisation then the signal s is also synchronised moving
the referred value to (s, z − 1). Therefore we introduce the function −−
t−− = {(s, z − 1) | (s, z) ∈ t}
Notice that the state of local variables is unchanged.
6.2 Absence of Timing Leaks
To argue whether a program is secure or not, we need some condition for secu-
rity. Many of the related methods for handling timing leaks base their security
condition on a kind of non-interference. This deals with all kinds of informa-
tion ﬂow including side channels but its view is usually limited to considering
98 Timing Leaks
only the input and output of programs. Timing channels are often exhibited by
cryptographic algorithms, for which non-interference between the secret plain
text and the public cipher text is hard to establish. Here we focus on timing
channels, and therefore we concentrate on formulating our security condition for
this problem. Before we can deﬁne the security condition let us consider some
requirements for programs.
Timing channels are deﬁned as diﬀerences in the timing delay introduced by
handling of secret information. In software programming languages an example
of such a channel could be
if h = 1 then sleep 100 (∗)
where h is a secret variable. The timing channel allows an observer to gain
information about the value of h, by measuring the execution time of the pro-
gram.
In hardware the setting is diﬀerent. Any statement is encapsulated in a process
synchronised with time. Therefore if a statement as (∗) is placed within a
process, the synthesis of the speciﬁcation must guarantee that the process is
ready for synchronisation at the time of the clock edge. Since the memory
cells hold the previous value for each signal, the value will always be present at
exactly the same time. Furthermore processes loop inﬁnitely, so measuring the
overall execution time of a VHDL speciﬁcation makes no sense.
In our setting we consider an external observer that can measure the time (mea-
sured in clock cycles) between modiﬁcations of ingoing and outgoing signals. By
doing this the observer might gain secret information. As an example, consider
a network of sensors where the sensors communicate with each other by en-
crypted messages. The timing delay of the encryption scheme depends on the
value of the plain text as well as the secret key. Messages will be routed through
other sensors to allow communication between all sensors. Now assume that one
sensor is hostile, and wishes to gain information about the messages passed be-
tween other sensors. The hostile sensor takes the following actions: it sends a
message to another sensor, that it shares a key with, then it measures the time
spent by the receiving sensor on decrypting the message and encrypting it again
and passing it on to yet another sensor. Since the hostile sensor knows the key
with which the messages were originally encrypted it could also calculate the
time spent on the decryption, and hence get some idea of the time spent on the
encryption. By continuously sending messages that vary only on single bits the
hostile sensor can use the timing channel to learn the key shared by the other
two sensors.
6.2 Absence of Timing Leaks 99
buffer: process (clk) begin
b <= a;
end process;
selector: process (clk) begin
if sel then
o <= a;
else
o <= b;
end process;
buffer
selector
o
a
sel
Figure 6.1: The example program selector with process dependencies
Example 6.1 (Selector) Consider a program that selects between the newest
and the previous value of the incoming signal a, based on the incoming signal
sel. The speciﬁcation consists of two processes, i.e. buffer and selector;
the ﬁrst is a buﬀer setting the previous incoming signal on the internal signal
b. The second process branches on the incoming signal sel and assigns either
the incoming signal a or the internal signal b to the outgoing signal o. The
CoreVHDL  speciﬁcation is given in Figure 6.1.
Now the timing delay of o depends on sel. If sel is true then the value of a
ﬂows to o after one clock cycle, and we write o → {(a,−1)}, however if sel
is false then a is delayed two clock cycles before ﬂowing to o, and we write
o → {(a,−2)}. Since only one branch is executed the timing delay of o can be
used to determine the value of sel. Therefore the speciﬁcation is considered to
have a timing leak.
The timing delays can also be found by considering dependency diagrams, like
the one in Figure 6.1 for the selector program. Here the ovals containing signal
names are the incoming and outgoing signals (i.e. a, sel and o). However
b is not drawn in a oval, as it is an internal signal and therefore does not
appear in the timing delays. Instead the arrow between the boxes buffer and
selector represent b. The processes in the speciﬁcation are illustrated as boxes
(i.e. buffer and selector). Finding the timing delay of the outgoing signal o
can be done by ﬁnding the paths through the diagram, increasing the delay (i.e.
decreasing the timing delay) whenever passing a process box. The speciﬁcation
has a timing leak because there are paths of diﬀerent length from the incoming
signal a to the outgoing signal o. One is through both buffer and selector,
and the other is only through selector.
100 Timing Leaks
Unfortunately ﬁnding paths of diﬀerent length in a dependency diagram is not
enough. Modify the selector to perform the computation o <= a xor b xor
sel. The dependency graph is the same, but no timing leak is present. The
diﬀerence between the two speciﬁcations is that in the unmodiﬁed speciﬁcation the
signal o can depend on only one of the paths, while in the modiﬁed speciﬁcation
o depends on both paths.
We say a program is timing secure if on no input should an observer be able to
diﬀerentiate between two executions of the program, by considering the number
of clock cycles elapsed until the outgoing signals change their values. We for-
malise this condition by using the timing delay computed in the semantics for
CoreVHDL . Therefore the program is timing secure if two executions of a
program in diﬀerent states always have the same timing delay for all signals.
In the deﬁnition of a timing secure program we write =⇒∗H as the transitive
reﬂexive closure of applying rule [Handle non-waiting processes (H)] and
we write =⇒A for applying rule [Active signals (A)]. The projection on the
time component |Time is deﬁned as (v, t)|Time = t. Later we will similarly write
|V alue for the projection on the value component (v, t)|V alue = v.
Deﬁnition 6.1 (Timing secure program) A CoreVHDL  program ‖i∈I cssi
is timing secure if
‖i∈I 〈cssi, σ1i, ϕ1i〉 =⇒∗H=⇒A‖i∈I 〈css′i, σ′1i, ϕ′1i〉 ∧
‖i∈I 〈cssi, σ2i, ϕ2i〉 =⇒∗H=⇒A‖i∈I 〈css′i, σ′2i, ϕ′2i〉 ∧
∀i, x : σ1i x|Time = σ2i x|Time ∧
∀i, j, s : ϕ1i s j|Time = ϕ2i s j|Time
where for each index i the two branches produce the same statement css′i implies
∀i, j, s : ϕ′1i s j|Time = ϕ′2i s j|Time
Observation. The deﬁnition of timing secure programs follows from the ob-
servation that processes execute their body and then wait for synchronisation.
Therefore for a program to be timing secure all execution traces of a process’
body must change the timing delay of the aﬀected signals uniformly. Notice
that the timing delay of a variable or signal is changed even when the value is
unmodiﬁed, see [Local Variable Assignment] and [Signal Assignment].
In Example 6.1 we presented a program and showed how an observer could gain
knowledge from observing the timing delays of assignments to a signal. Now
6.2 Absence of Timing Leaks 101
we introduce a notion of security thresholds, that allow us to argue whether an
observer can gain information outside some threshold L : Sig → P(Sig) from
timing delays, where L(s) ⊆ SigIN for all s ∈ Sig. This corresponds to the
observer knowing the values of the signals in the threshold. Hence the above
given program will be timing secure for observers that hold the signal sel in
their threshold.
This leads to considering a program secure for an observer of signal s with
threshold L(s) if the observer cannot observe diﬀerent values of the signal
when no signal within the threshold diﬀer on their incoming value by observing
the timing delays.
Deﬁnition 6.2 ((L, s)-Timing secure program) ACoreVHDL  program ‖i∈I
cssi is (L, s)-timing secure if
‖i∈I 〈cssi, σ1i, ϕ1i〉 =⇒∗H=⇒A‖i∈I 〈css′i, σ′1i, ϕ′1i〉 ∧
‖i∈I 〈cssi, σ2i, ϕ2i〉 =⇒∗H=⇒A‖i∈I 〈css′i, σ′2i, ϕ′2i〉 ∧
∀i, x : σ1i x|Time = σ2i x|Time ∧
∀i, j, s : ϕ1i s j|Time = ϕ2i s j|Time ∧
∀i′, j′, s′ : s′ ∈ L(s) ⇒ ϕ1i′ s′ j′|V alue = ϕ2i′ s′ j′|V alue
where for each index i the two branches produce the same statement css′i implies
∀i, j : ϕ′1i s j|Time = ϕ′2i s j|Time
A speciﬁcation is timing secure if it is secure for observation on all signals.
Hence the security property of a timing secure speciﬁcation with respect to the
threshold L is deﬁned as follows.
Deﬁnition 6.3 (L-Timing secure program) A CoreVHDL  program ‖i∈I
cssi is L-timing secure if it is (L, s)-timing secure for all s ∈ Sig.
The deﬁnition presented resembles that of [SS00] as we apply a kind of mutation
or reseting of the states after each synchronisation point for longer execution
sequence (i.e. between each clock cycle). This allows us to focus on the ob-
servable values without dealing with the values that ﬂow directly from higher
to lower security classes. It follows that we permit controlled declassiﬁcation
without making more information observable through timing channels.
102 Timing Leaks
6.3 Execution Path Analysis
This section presents an automatic type-based analysis for certifying secure
programs. The analysis is an over-approximation, where a type describing the
timing delay of variables and signals manipulated can only be inferred for pro-
grams that can be guaranteed to comply with the security condition presented
in Section 6.2. We prove the correctness of the analysis in Section 6.4.
The aim of the analysis is to determine the diﬀerent paths along which an input
signal can ﬂow through a system until it reaches an outgoing signal. With this
knowledge one can decide if all the paths have the same length with respect
to timing delays. For each point in the program the analysis checks that all
information ﬂows introduced have the same timing delay. As said, the timing
of diﬀerent execution paths in a CoreVHDL  program is determined by the
number of synchronisation points passed. The analysis developed here is limited
to handling programs where all paths are of ﬁnite length, i.e. no process depends
on its own output. This limitation follow the tradition of [VS99, Aga00, SS00,
Sab01].
The analysis of an expressions e has the form
Γ  e : δ
where Γ is an environment that holds the timing eﬀect of variables and signals
(Γ : (Sig ∪ V ar) ↪→ P(T ime)). The timing eﬀect δ (δ ∈ P(T ime)) is the
set of timing delays of the evaluated expression. The analysis of expressions is
presented in Table 6.5.
For the environment Γ it holds that
∀s ∈ SigIN : Γ(s) = {{(s, 0)}}
indicating that for all in-coming signals, the delay from their entry to the system
and to the point where used is always zero clock cycles. This matches the notion
of time presented in the semantics, where the incoming signals are introduced
as active values in the environment, and then become present values when syn-
chronised. Notice that a program is not allowed to write to an in-coming signal
in VHDL [IEE87].
For combining paths we introduce the operator ⊗ as
δ ⊗ δ′ = {t ∪ t′ | t ∈ δ ∧ t′ ∈ δ′}
6.3 Execution Path Analysis 103
Γ  m : ∅ Γ  x : Γ(x) Γ  s : Γ(s)
Γ  e : δ
Γ  not e : δ
Γ  e1 : δ1 Γ  e2 : δ2
Γ  e1 and e2 : δ1 ⊗ δ2
Γ  e1 : δ1 Γ  e2 : δ2
Γ  e1 or e2 : δ1 ⊗ δ2
Γ  e1 : δ1 Γ  e2 : δ2
Γ  e1 xor e2 : δ1 ⊗ δ2
Table 6.5: Typing rules for expressions
The analysis of a statement ss has the form
Γ, δ  ss : τ
where Γ is the environment that holds the timing eﬀect of variables and signals,
identical to the one used for analysing expressions. The timing eﬀect δ (δ ∈
P(T ime)) might aﬀect the manipulated signals’ timing delays due to control
ﬂow in the program. The timing behaviour τ is a map of variables and signals
manipulated by ss, and their timing eﬀect (τ : (V ar ∪ Sig) ↪→ P(T ime))).
When analysing assignments to variables and signals we need to take into ac-
count the timing delays of variables and signals that determine the control ﬂow
of the process. Hence we collect these timing delays in the δ component. The
types of variables and signals therefore need to include this component, and
we check that the Cartesian product of the paths are equal to the type (i.e.
δ⊗ δ′ = Γ(x) for the variable x). Furthermore we need to handle the delay from
assignment of a signal to the value becomes the present value of the signal. The
modiﬁcation of a signal cannot be observed before the following clock edge, so
in the rule for signal assignment the type is modiﬁed accordingly. This is done
by overloading the function −− to apply on all timing delays in a timing eﬀect.
For the composition of statements and concurrent statements we introduce the
operator  on two timing behaviours by
(τ1  τ2)(n) =
{
τ2(n) if n ∈ dom(τ2)
τ1(n) otherwise
104 Timing Leaks
[Local Variable Assignment] :
Γ  e : δ′ δ ⊗ δ′ = Γ(x)
Γ, δ  x := e : [x → δ ⊗ δ′]
[Signal Assignment] :
Γ  e : δ′ (δ ⊗ δ′)−− = Γ(s)
Γ, δ  s <= e : [s → (δ ⊗ δ′)−−]
[Skip] :
Γ, δ  null :⊥
[Final] :
Γ, δ  final :⊥
[Composition] :
Γ, δ  ss1 : τ1 Γ, δ  ss2 : τ2
Γ, δ  ss1; ss2 : τ1  τ2
[Low Conditional] :
FV (e) ∪ FS(e) ⊆ L Γ  e : δ′
Γ, δ ⊗ δ′  ss1 : τ1 Γ, δ ⊗ δ′  ss2 : τ2
Γ, δ  if e then ss1 else ss2 : τ1 uniondbl τ2
[High Conditional] :
FV (e) ∪ FS(e) ⊆ L Γ  e : δ′
Γ, δ ⊗ δ′  ss1 : τ Γ, δ ⊗ δ′  ss2 : τ
Γ, δ  if e then ss1 else ss2 : τ
where ∀n : n ∈ dom(τ) ∧ |τ n| ≤ 1
[Branch] :
Γ, δ ⊗ {t′}  ss : τ
Γ, δ  [t′]ss : τ
where dom(τ1) ∩ dom(τ2) = ∅
[Process] :
Γ, ∅  ss1 : τ
Γ c i : process S begin ss1; end process i : τ
[Concurrency] :
Γ c css1 : τ1 Γ c css2 : τ2
Γ c css1 ‖ css2 : τ1  τ2
where dom(τ1) ∩ dom(τ2) = ∅
Table 6.6: Typing rules for statements and concurrent statements
6.4 Soundness 105
Conditionals might introduce diﬀerences in the timing eﬀect of signals, therefore
if the condition contains signals outside the security threshold L, the analysis
veriﬁes that both branches modify signals based on the same timing behav-
iours. We add to constraint ∀n : n ∈ dom(τ) ∧ |τ n| ≤ 1 to make sure nested
conditionals do not mask timing channels through statements that is unreach-
able. If the condition does not contain any signals above the observers threshold
(FV (e) ∪ FS(e) ⊆ L, where FV and FS are the free variables and signals in
the expression e, respectively) we know that information does not become ob-
servable. Thus we can allow both paths even when they are diﬀerent. We unite
the paths by the operator uniondbl deﬁned as
(τ1 uniondbl τ2) n = (τ1 n) ∪ (τ2 n)
The analysis of concurrent statements has the form
Γ c css : τ
using the same elements as the analysis of statements, except for the timing
eﬀects introduced by conditionals. The analysis veriﬁes the body of each process.
The analysis of statements and concurrent statements is presented in Table 6.6.
6.4 Soundness
We prove the soundness of the analysis with respect to the semantics presented
in Section 6.1. The analysis checks that the points in time where a signal (or
variable) is modiﬁed matches the timing eﬀect, so we prove that for any program
evaluated in the semantics, and if a type eﬀect can be veriﬁed with the analysis
then the variable and signal states hold the same timing behaviour as the type
for all variables and signals.
First, we deﬁne an ordering  over the types as
τ  τ ′ ≡ ∀ : n ∈ dom(τ ′) ⇒ τ n ⊇ τ ′ n
The ﬁrst result we aim to show is that expressions evaluated in states, that have
well-formed timing behaviours for all variables and signals, also have resulting
timing behaviours that match the result of the analysis.
Lemma 6.4 (Secure Expressions) For every expression e where the semantics
evaluates the expression in the states σ1 and ϕ1 as E [[e]]〈σ1, ϕ1〉 = (v1, t1), and
106 Timing Leaks
in the states σ2 and ϕ2 as E [[e]]〈σ2, ϕ2〉 = (v2, t2) we have
Γ  e : δ ∧
σ1 x|Time ∈ Γ x ∧ σ2 x|Time ∈ Γ x ∧ (6.4.1)
ϕ1 s 0|Time ∈ Γ s ∧ ϕ2 s 0|Time ∈ Γ s (6.4.2)
⎫⎬
⎭⇒ t1 ∈ δ ∧ t2 ∈ δ
Proof. The proof proceeds by induction on the shape of the derivation sequence.
Case m : The semantics evaluates the expression as
E [[m]]〈σ1, ϕ1〉 = (L[[m]], ∅)
and
E [[m]]〈σ2, ϕ2〉 = (L[[m]], ∅)
The analysis gives
Γ  m : ∅
and the case follows.
Case x : The semantics evaluates the expression as
E [[x]]〈σ1, ϕ1〉 = σ1 x
and
E [[x]]〈σ2, ϕ2〉 = σ2 x
The analysis gives
Γ  x : Γ(x)
and the case follows from condition (6.4.1).
Case s : The semantics evaluates the expression as
E [[s]]〈σ1, ϕ1〉 = ϕ1 s 0
6.4 Soundness 107
and
E [[s]]〈σ2, ϕ2〉 = ϕ2 s 0
The analysis gives
Γ  s : Γ(s)
and the case follows from condition (6.4.2).
Case not e : The semantics evaluates the expression as
E [[not e]]〈σ1, ϕ1〉 = (not v1, t1)
where E [[e]]〈σ1, ϕ1〉 = (v1, t1), and
E [[not e]]〈σ2, ϕ2〉 = (not v2, t2)
where E [[e]]〈σ2, ϕ2〉 = (v2, t2). The analysis gives
Γ  e : δ
Γ  not e : δ
the case follows from the induction hypothesis.
Case e1 and e2 : The semantics evaluates the expression as
E [[e1 and e2]]〈σ1, ϕ1〉 = (v1 and v′1, t1 ∪ t′1)
where E [[e1]]〈σ1, ϕ1〉 = (v1, t1) and E [[e2]]〈σ1, ϕ1〉 = (v′1, t′1), and
E [[e1 and e2]]〈σ2, ϕ2〉 = (v2 and v′2, t2 ∪ t′2)
where E [[e1]]〈σ2, ϕ2〉 = (v2, t2) and E [[e2]]〈σ2, ϕ2〉 = (v′2, t′2). The analysis gives
Γ  e1 : δ Γ  e2 : δ′
Γ  e1 and e2 : δ ⊗ δ′
We have t1 ∈ δ, t2 ∈ δ, t′1 ∈ δ′ and t′2 ∈ δ′ from the induction hypothesis. Hence
t1 ∪ t′1 ∈ δ ⊗ δ′ and t2 ∪ t′2 ∈ δ ⊗ δ′.
108 Timing Leaks
Case e1 or e2 : The semantics evaluates the expression as
E [[e1 or e2]]〈σ1, ϕ1〉 = (v1 or v′1, t1 ∪ t′1)
where E [[e1]]〈σ1, ϕ1〉 = (v1, t1) and E [[e2]]〈σ1, ϕ1〉 = (v′1, t′1), and
E [[e1 or e2]]〈σ2, ϕ2〉 = (v2 or v′2, t2 ∪ t′2)
where E [[e1]]〈σ2, ϕ2〉 = (v2, t2) and E [[e2]]〈σ2, ϕ2〉 = (v′2, t′2). The analysis gives
Γ  e1 : δ Γ  e2 : δ′
Γ  e1 or e2 : δ ⊗ δ′
We have t1 ∈ δ, t2 ∈ δ, t′1 ∈ δ′ and t′2 ∈ δ′ from the induction hypothesis. Hence
t1 ∪ t′1 ∈ δ ⊗ δ′ and t2 ∪ t′2 ∈ δ ⊗ δ′.
Case e1 xor e2 : The semantics evaluates the expression as
E [[e1 xor e2]]〈σ1, ϕ1〉 = (v1 xor v′1, t1 ∪ t′1)
where E [[e1]]〈σ1, ϕ1〉 = (v1, t1) and E [[e2]]〈σ1, ϕ1〉 = (v′1, t′1), and
E [[e1 xor e2]]〈σ2, ϕ2〉 = (v2 xor v′2, t2 ∪ t′2)
where E [[e1]]〈σ2, ϕ2〉 = (v2, t2) and E [[e2]]〈σ2, ϕ2〉 = (v′2, t′2). The analysis gives
Γ  e1 : δ Γ  e2 : δ′
Γ  e1 xor e2 : δ ⊗ δ′
We have t1 ∈ δ, t2 ∈ δ, t′1 ∈ δ′ and t′2 ∈ δ′ from the induction hypothesis. Hence
t1 ∪ t′1 ∈ δ ⊗ δ′ and t2 ∪ t′2 = δ ⊗ δ′. 
The correctness of the analysis for statements is stated in the following subject
reduction result.
Lemma 6.5 (Subject Reduction) For a statement ss that is evaluated by the
semantics in the states σ and ϕ as t  〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉 we have
Γ, δ  ss : τ ∧ t ∈ δ ∧
∀x : σ x|Time ∈ Γ x ∧
∀s : ϕ s 0|Time ∈ Γ s
⎫⎬
⎭⇒
{ ∃τ ′ : Γ, δ  ss′ : τ ′ ∧
τ  τ ′
Proof. The proof proceeds by induction on the shape of the execution tree.
6.4 Soundness 109
Case Local Variable Assignment: The semantics evaluates the statement
as
t  〈x := e, σ, ϕ〉 ⇒ 〈final, σ′, ϕ〉
where E [[e]]〈σ, ϕ〉 = (v, t′) and σ′ = σ[x → (v, t ∪ t′)]. The analysis gives
Γ  e : δ′ δ ⊗ δ′ ⊆ Γ(x)
Γ, δ  x := e : [x → δ ⊗ δ′]
and
Γ, δ  final :⊥
now τ = [x → δ ⊗ δ′] and τ ′ =⊥, hence τ  τ ′.
Case Signal Assignment: The semantics evaluates the statement as
t  〈s <= e, σ, ϕ〉 ⇒ 〈final, σ, ϕ′〉
where E [[e]]〈σ, ϕ〉 = (v, t′) and ϕ′ = ϕ[1][s → (v, t ∪ t′)]. The analysis gives
Γ  e : δ′ δ ⊗ δ′ ⊆ Γ(s)
Γ, δ  s <= e : [s → δ ⊗ δ′]
and
Γ, δ  final :⊥
now τ = [s → δ ⊗ δ′] and τ ′ =⊥, hence τ  τ ′.
Case Skip: The semantics evaluates the statement as
t  〈null, σ, ϕ〉 ⇒ 〈final, σ, ϕ〉
The analysis gives
Γ, δ  null :⊥
and
Γ, δ  final :⊥
now τ =⊥ and τ ′ =⊥, and the case follows as τ = τ ′.
110 Timing Leaks
Case Composition: In one rule the semantics evaluates the statement as
t  〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
t  〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′, ϕ′〉
where ss′1 ∈ Stmt. The analysis gives
Γ, δ  ss1 : τ1 Γ, δ  ss2 : τ2
Γ, δ  ss1; ss2 : τ1  τ2
and the analysis of ss′1 gives Γ, δ  ss′1 : τ ′1. Now applying the rule for compo-
sition we can derive
Γ, δ  ss′1 : τ ′1 Γ, δ  ss2 : τ2
Γ, δ  ss′1; ss2 : τ ′1  τ2
now it follows from the induction hypothesis for t  〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
and Γ, δ  ss1 : τ1 that we can choose τ ′1 such that Γ, δ  ss′1 : τ ′1 and τ1  τ ′1,
and clearly τ1τ2  τ ′1τ2 which proves the rule. In the other rule the semantics
evaluates the statement as
t  〈ss1, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
t  〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss2, σ′, ϕ′〉
The analysis gives
Γ, δ  ss1 : τ1 Γ, δ  ss2 : τ2
Γ, δ  ss1; ss2 : τ1  τ2
and
Γ, δ  ss2 : τ2
now τ1  τ2  τ2.
Case Low Conditional: The semantics evaluates the statement as
t  〈if e then ss1 else ss2, σ, ϕ〉 ⇒ 〈[t ∪ te]ss′, σ, ϕ〉, where ss′ = ss1 when
E[[e]]〈σ, ϕ〉 = (′1′, te) and ss′ = ss2 when E[[e]]〈σ, ϕ〉 = (′0′, te). The analysis
gives
FV (e) ∪ FS(e) ⊆ L Γ  e : δe Γ, δ ⊗ δe  ss1 : τ1 Γ, δ ⊗ δe  ss2 : τ2
Γ, δ  if e then ss1 else ss2 : τ1 uniondbl τ2
6.4 Soundness 111
and
Γ, δ ⊗ {te}  ss′ : τ ′
Γ, δ  [te]ss′ : τ ′
from Lemma 6.4 we get that te ∈ δe. Thus δ ⊗ {te} ⊆ δ ⊗ δe and we get that
either τ1  τ ′ or τ2  τ ′. Now it follows that τ1 uniondbl τ2  τ ′.
Case High Conditional: The semantics evaluates the statement as
t  〈if e then ss1 else ss2, σ, ϕ〉 ⇒ 〈[t ∪ te]ss′, σ, ϕ〉, where ss′ = ss1 when
E[[e]]〈σ, ϕ〉 = (′1′, te) and ss′ = ss2 when E[[e]]〈σ, ϕ〉 = (′0′, te). The analysis
gives
FV (e) ∪ FS(e) ⊆ L Γ  e : δ′ Γ, δ ⊗ δ′  ss1 : τ Γ, δ ⊗ δ′  ss2 : τ
Γ, δ  if e then ss1 else ss2 : τ
where ∀n : n ∈ dom(τ) ∧ |τ n| ≤ 1. Now from Lemma 6.4 we get that te ∈ δe
and
Γ, δ ⊗ {te}  ss′ : τ ′
Γ, δ  [te]ss′ : τ ′
it follows that τ  τ ′.
Case Branch: In one rule the semantics evaluates the statement as
t ∪ te  〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
t  〈[te]ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
where ss′ ∈ Stmt. The analysis gives
Γ, δ ⊗ {te}  ss : τ
Γ, δ  [te]ss : τ
and
Γ, δ ⊗ {te}  ss′ : τ ′
Γ, δ  [te]ss′ : τ ′
and the case follows from applying the induction hypothesis. In the other rule
the semantics evaluates the statement as
t ∪ te  〈ss, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
t  〈[te]ss, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
112 Timing Leaks
again the analysis gives
Γ, δ ⊗ {te}  ss : τ
Γ, δ  [te]ss : τ
and
Γ, δ  final :⊥
and the case follows because τ ′ =⊥, hence τ  τ ′. 
Now we stated that the result of the analysis of a program contain all possible
modiﬁcations of timing behaviours in the associated states. First it is shown
for semantical evaluations in one step. Below we generalise for executions of
arbitrary length.
Lemma 6.6 (One step semantic correctness of time delays) For a statement
ss that is evaluated by the semantics in the states σ and ϕ as t  〈ss, σ, ϕ〉 ⇒
〈ss′, σ′, ϕ′〉 we have
Γ, δ  ss : τ ∧
Γ, δ  ss′ : τ ′ ∧
t ∈ δ ∧
σ x|Time ∈ Γ x ∧
ϕ s 0|Time ∈ Γ s
⎫⎪⎪⎪⎪⎬
⎪⎪⎪⎭
⇒
⎧⎪⎪⎪⎪⎨
⎪⎪⎪⎩
σ′ x|Time ∈ Γ x ∧ ϕ′ s 1|−−Time ∈ Γ s ∧
∀x′ : x′ ∈ dom(τ)\dom(τ ′) ⇒ σ x′ = σ′ x′ ∧
∀x′′ : x′′ ∈ dom(τ)\dom(τ ′) ⇒ σ′ x′′|Time ∈ τ x′′ ∧
∀s′ : s′ ∈ dom(τ)\dom(τ ′) ⇒ ϕ s′ 1 = ϕ′ s′ 1 ∧
∀s′′ : s′′ ∈ dom(τ)\dom(τ ′) ⇒ ϕ′ s′′ 1|−−Time ∈ τ s′′
Proof. By induction on the shape of the derivation tree.
Case Local Variable Assignment: The semantics evaluates the statement
as
t  〈x := e, σ, ϕ〉 ⇒ 〈final, σ′, ϕ〉
where E [[e]]〈σ, ϕ〉 = (v, t′) and σ′ = σ[x → (v, t ∪ t′)], while the analysis gives
Γ  e : δ′ δ ∪ δ′ ⊆ Γ(x)
Γ, δ  x := e : τ
and
Γ, δ  final : τ ′
where τ = [x → δ⊗ δ′] and τ ′ =⊥. From Lemma 6.4 it follows that t′ ∈ δ′. Now
σ′ x|Time ∈ Γ x = τ x, dom(τ) = {x}, dom(τ ′) = ∅ and dom(τ)\dom(τ ′) = {x}.
6.4 Soundness 113
Case Signal Assignment: The semantics evaluates the statement as
t  〈s <= e, σ, ϕ〉 ⇒ 〈final, σ, ϕ′〉
where E [[e]]〈σ, ϕ〉 = (v, t′) and ϕ′ = ϕ[1][s → (v, t ∪ t′)], while the analysis gives
Γ  e : δ′ (δ ⊗ δ′)−− ⊆ Γ(s)
Γ, δ  s <= e : τ
and
Γ, δ  final : τ ′
where τ = [s → (δ ⊗ δ′)−− and τ ′ =⊥. From Lemma 6.4 it follows that t′ ∈ δ′.
Now ϕ′ s 1|−−TimeδΓ s = τ s, dom(τ) = {s}, dom(τ ′) = ∅ and dom(τ)\dom(τ ′) =
{s}.
Case Skip: The semantics evaluates the statement as
t  〈null, σ, ϕ〉 ⇒ 〈final, σ, ϕ〉
while the analysis gives
Γ, δ  null :⊥
and
Γ, δ  final :⊥
so that the case follows.
Case Composition: There are two subcases. One is where the semantics
evaluates the statement as
t  〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
t  〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′, ϕ′〉
where ss′1 ∈ Stmt, while the analysis give
Γ, δ  ss1 : τ1 Γ, δ  ss2 : τ2
Γ, δ  ss1; ss2 : τ1  τ2
114 Timing Leaks
Now assuming that Γ, δ  ss′1 : τ ′1 we can apply rule [Composition] with the
same derivation tree as above for ss2 and get
Γ, δ  ss′1 : τ ′1 Γ, δ  ss2 : τ2
Γ, δ  ss′1; ss2 : τ ′1  τ2
Applying the induction hypothesis on t  〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉 we get
σ′ x|Time ∈ Γ x ∧ ϕ′ s 1|−−Time ∈ Γ s ∧
∀x : x ∈ dom(τ1)\dom(τ ′1) ⇒ σ x = σ′ x ∧
∀x : x ∈ dom(τ1)\dom(τ ′1) ⇒ σ′ x|Time ∈ τ1 x ∧
∀s : s ∈ dom(τ1)\dom(τ ′1) ⇒ ϕ s 1 = ϕ′ s 1 ∧
∀s : s ∈ dom(τ1)\dom(τ ′1) ⇒ ϕ′ s 1|−−Time ∈ τ1 s
and since dom(τ1  τ2)\dom(τ ′1  τ2) = dom(τ1)\dom(τ ′1) the case follows. The
other subcase is where the ﬁrst step in the derivation sequence was evaluated as
t  〈ss1, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
t  〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss2, σ′, ϕ′〉
and again the analysis gives
Γ, δ  ss1 : τ1 Γ, δ  ss2 : τ2
Γ, δ  ss1; ss2 : τ1  τ2
and
Γ, δ  ss2 : τ2
Applying the induction hypothesis on t  〈ss1, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉 we get
σ′ x|Time ∈ Γ x ∧ ϕ′ s 1|−−Time ∈ Γ s ∧
∀x : x ∈ dom(τ1)\dom(τ ′1) ⇒ σ x = σ′ x ∧
∀x : x ∈ dom(τ1)\dom(τ ′1) ⇒ σ′ x|Time ∈ τ1 x ∧
∀s : s ∈ dom(τ1)\dom(τ ′1) ⇒ ϕ s 1 = ϕ′ s 1 ∧
∀s : s ∈ dom(τ1)\dom(τ ′1) ⇒ ϕ′ s 1|−−Time ∈ τ1 s
where τ ′1 =⊥ because Γ, δ  final :⊥. Since dom(τ1  τ2)\dom(τ2) = dom(τ1)
the case follows.
6.4 Soundness 115
Case Low Conditional: The semantics evaluates the statement as
t  〈if e then ss1 else ss2, σ, ϕ〉 ⇒ 〈[t ∪ te]ss′, σ, ϕ〉, where ss′ = ss1 when
E[[e]]〈σ, ϕ〉 = (′1′, te) and ss′ = ss2 when E[[e]]〈σ, ϕ〉 = (′0′, te). The analysis
gives
FV (e) ∪ FS(e) ⊆ L Γ  e : δ′ Γ, δ ⊗ δ′  ss1 : τ1 Γ, δ ⊗ δ′  ss2 : τ2
Γ, δ  if e then ss1 else ss2 : τ1 uniondbl τ2
now as the states are unchanged and the case follows.
Case High Conditional: The semantics evaluates the statement as
t  〈if e then ss1 else ss2, σ, ϕ〉 ⇒ 〈[t ∪ te]ss′, σ, ϕ〉, where ss′ = ss1 when
E[[e]]〈σ, ϕ〉 = (′1′, te) and ss′ = ss2 when E[[e]]〈σ, ϕ〉 = (′0′, te). The analysis
gives
FV (e) ∪ FS(e) ⊆ L Γ  e : δ′ Γ, δ ⊗ δ′  ss1 : τ Γ, δ ⊗ δ′  ss2 : τ
Γ, δ  if e then ss1 else ss2 : τ
where ∀n : n ∈ dom(τ) ∧ |τ n| ≤ 1. Now as the states are unchanged and the
case follows.
Case Branch: There are two subcases. One is where the semantics evaluates
the statement
t ∪ t′  〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
t  〈[t′]ss, σ, ϕ〉 ⇒ 〈[t′]ss′, σ′, ϕ′〉
while the analysis gives
Γ, δ ⊗ {t′}  ss : τ
Γ, δ  [t′]ss : τ
and
Γ, δ ⊗ {t′}  ss′ : τ ′
Γ, δ  [t′]ss′ : τ ′
The desired result then follows from applying the induction hypothesis. In the
other subcase the semantics evaluates the statement as
t ∪ t′  〈ss, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
t  〈[t′]ss, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
116 Timing Leaks
and again the analysis
Γ, δ ⊗ {t′}  ss : τ
Γ, δ  [t′]ss : τ
and
Γ, δ  final :⊥
The desired result follows from applying the induction hypothesis on t ∪ t′ 
〈ss, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉. Where the analysis for t ∪ t′  〈final, σ′, ϕ′〉 gives
Γ, δ ⊗ {t′}  final :⊥. This completes the proof of Lemma 6.6. 
We generalise the result above by showing that the result of the analysis of a
program contain all modiﬁcations of timing behaviours in executions of arbitrary
length.
Lemma 6.7 (Semantic correctness of time delays) For a statement ss that
is evaluated by the semantics in the states σ and ϕ as t  〈ss, σ, ϕ〉 ⇒∗
〈final, σ′, ϕ′〉 we have
Γ, δ  ss : τ ∧ t ∈ δ ∧
σ x|Time ∈ Γ x ∧
ϕ s 0|Time ∈ Γ s
⎫⎬
⎭⇒
⎧⎪⎪⎨
⎪⎪⎩
∀x′ : x′ ∈ dom(τ) ⇒ σ x′ = σ′ x′ ∧
∀x′′ : x′′ ∈ dom(τ) ⇒ σ′ x′′|Time ∈ τ x′′ ∧
∀s′ : s′ ∈ dom(τ) ⇒ ϕ s′ 1 = ϕ′ s′ 1 ∧
∀s′′ : s′′ ∈ dom(τ) ⇒ ϕ′ s′′ 1|−−Time ∈ τ s′′
Proof. The Lemma follows from the transitive closure of Lemma 6.6. 
In the below results of secure statements we need to consider the ﬁrst coming
statement in the evaluation. This is deﬁned in the following deﬁnition.
Deﬁnition 6.8 (First statement) The function first on a statements is deﬁned
as
firstt(x := e) = x := e
firstt(s <= e) = s <= e
firstt(null) = null
firstt(ss1; ss2) = firstt(ss1)
firstt(if e then ss1 else ss2) = [t]if e then ss1 else ss2
firstt([t′]ss) = firstt∪t′(ss)
Now we stated that the successful analysis of a program provides the guarantees
stated in the absence of timing leaks property. First it is shown for semantical
evaluations in one step. Below we generalise for executions of arbitrary length.
6.4 Soundness 117
Lemma 6.9 (One step Secure Statements) For every statement ss where
firstt(ss) = [t′]if e then ss1 else ss2 or FV (e) ∪ FS(e) ⊆ L then if the
semantics evaluates the statement in the states σ1 and ϕ1 as t  〈ss, σ1, ϕ1〉 ⇒
〈ss′1, σ′1, ϕ′1〉 and in states σ2 and ϕ2 as t  〈ss, σ2, ϕ2〉 ⇒ 〈ss′2, σ′2, ϕ′2〉 we have
Γ, δ  ss : τ ∧ t ∈ δ ∧
σ1 x|Time = σ2 x|Time ∈ Γ x ∧ (6.9.1)
ϕ1 s 0|Time = ϕ2 s 0|Time ∈ Γ s ∧ (6.9.2)
∀s : s ∈ L ⇒ ϕ1 s 0 = ϕ2 s 0 (6.9.3)
implies
ss′1 = ss′2 ∧ (6.9.4)
σ′1 x|Time = σ′2 x|Time ∧ (6.9.5)
ϕ′1 s 1|Time = ϕ′2 s 1|Time (6.9.6)
otherwise if firstt(ss) = [t′]if e then ss1 else ss2 and FV (e) ∪ FS(e) ⊆ L
then if the semantics evaluates the statement in the states σ1 and ϕ1 as t′ 
〈if e then ss1 else ss2, σ1, ϕ1〉 ⇒∗ 〈final, σ′1, ϕ′1〉 and in states σ2 and ϕ2
as t′  〈if e then ss1 else ss2, σ2, ϕ2〉 ⇒∗ 〈final, σ′2, ϕ′2〉 we have
Γ, δ  ss : τ ∧ t ∈ δ ∧
σ1 x|Time = σ2 x|Time ∈ Γ x ∧ (6.9.7)
ϕ1 s 0|Time = ϕ2 s 0|Time ∈ Γ s ∧ (6.9.8)
∀s : s ∈ L ⇒ ϕ1 s 0 = ϕ2 s 0 (6.9.9)
implies
σ′1 x|Time = σ′2 x|Time ∧ (6.9.10)
ϕ′1 s 1|Time = ϕ′2 s 1|Time (6.9.11)
Proof. The proof proceeds by induction on the shape of the derivation sequence.
Case Local Variable Assignment: The semantics evaluates the statement
as
t  〈x := e, σ1, ϕ1〉 ⇒ 〈final, σ1[x → (v1, t ∪ t1)], ϕ1〉
where E [[e]]〈σ1, ϕ1〉 = (v1, t1), and
t  〈x := e, σ2, ϕ2〉 ⇒ 〈final, σ2[x → (v2, t ∪ t2)], ϕ2〉
118 Timing Leaks
where E [[e]]〈σ2, ϕ2〉 = (v2, t2). The analysis gives
Γ  e : δ′ δ ⊗ δ′ ⊆ Γ(x)
Γ, δ  x := e : [x → δ ⊗ δ′]
and from Lemma 6.4 we get t1 = t2 ∈ δ′ and t ∪ t1 = t ∪ t2 ∈ δ ⊗ δ′. Hence
σ′1 x|Time = σ′2 x|Time which proves (6.9.5). Finally, (6.9.4) and (6.9.6) follow
directly from the evaluation and the analysis.
Case Signal Assignment: The semantics evaluates the statement as
t  〈s <= e, σ1, ϕ1〉 ⇒ 〈final, σ1, ϕ[1]1 [s → (v1, t ∪ t1)]〉
where E [[e]]〈σ1, ϕ1〉 = (v1, t1), and
t  〈s <= e, σ2, ϕ2〉 ⇒ 〈final, σ2, ϕ[1]2 [s → (v2, t ∪ t2)]〉
where E [[e]]〈σ2, ϕ2〉 = (v2, t2). The analysis gives
Γ  e : δ′ (δ ⊗ δ′)−− ⊆ Γ(s)
Γ, δ  s <= e : [s → (δ ⊗ δ′)−−]
and from Lemma 6.4 we get t1 = t2 ∈ δ′, and t ∪ t1 = t ∪ t2 ∈ δ ⊗ δ′. Hence
ϕ′1 s 1|Time = ϕ′2 s 1|Time which proves (6.9.6). Finally, (6.9.4) and (6.9.5)
follow directly from the evaluation and the analysis.
Case Skip: The semantics evaluates the statement as
t  〈null, σ1, ϕ1〉 ⇒ 〈final, σ1, ϕ1〉
and
t  〈null, σ2, ϕ2〉 ⇒ 〈final, σ2, ϕ2〉
The analysis gives
Γ, δ  null :⊥
and the case follows.
6.4 Soundness 119
Case Composition: There are two subcases. One is where the semantics
evaluates the statement as
t  〈ss1, σ1, ϕ1〉 ⇒ 〈ss′1, σ′1, ϕ′1〉
t  〈ss1; ss2, σ1, ϕ1〉 ⇒ 〈ss′1; ss2, σ′1, ϕ′1〉
and
t  〈ss1, σ2, ϕ2〉 ⇒ 〈ss′2, σ′2, ϕ′2〉
t  〈ss1; ss2, σ2, ϕ2〉 ⇒ 〈ss′2; ss2, σ′2, ϕ′2〉
where ss′1 ∈ Stmt. The analysis gives
Γ, δ  ss1 : τ1 Γ, δ  ss2 : τ2
Γ, δ  ss1; ss2 : τ1  τ2
and the case follows from applying the induction hypothesis. In the other sub-
case the semantics evaluates the statement as
t  〈ss1, σ1, ϕ1〉 ⇒ 〈final, σ′1, ϕ′1〉
t  〈ss1; ss2, σ1, ϕ1〉 ⇒ 〈ss2, σ′1, ϕ′1〉
and
t  〈ss1, σ2, ϕ2〉 ⇒ 〈final, σ′2, ϕ′2〉
t  〈ss1; ss2, σ2, ϕ2〉 ⇒ 〈ss2, σ′2, ϕ′2〉
again the analysis gives
Γ, δ  ss1 : τ1 Γ, δ  ss2 : τ2
Γ, δ  ss1; ss2 : τ1  τ2
and the case follows from applying the induction hypothesis.
Case Low Conditional: The semantics evaluates the statement as
t  〈if e then ss1 else ss2, σ1, ϕ1〉 ⇒ 〈[te]ss′, σ′1, ϕ′1〉
and
t  〈if e then ss1 else ss2, σ2, ϕ2〉 ⇒ 〈[t′e]ss′′, σ′2, ϕ′2〉
The analysis gives
FV (e) ∪ FS(e) ⊆ L Γ  e : δ′ Γ, δ ⊗ δ′  ss1 : τ1 Γ, δ ⊗ δ′  ss2 : τ2
Γ, δ  if e then ss1 else ss2 : τ1 uniondbl τ2
120 Timing Leaks
now it follow from FV (e)∪FS(e) ⊆ L and (6.9.3) that E [[e]]〈σ1, ϕ1〉 = E [[e]]〈σ2, ϕ2〉.
Therefore we have te = t′e and ss′ = ss′′. Because the states are unchanged the
case follows.
Case High Conditional: The semantics evaluates the statement as
t  〈if e then ss1 else ss2, σ1, ϕ1〉 ⇒∗ 〈final, σ′1, ϕ′1〉
and
t  〈if e then ss1 else ss2, σ2, ϕ2〉 ⇒∗ 〈final, σ′2, ϕ′2〉
The analysis gives
FV (e) ∪ FS(e) ⊆ L Γ  e : δ′ Γ, δ ⊗ δ′  ss1 : τ Γ, δ ⊗ δ′  ss2 : τ
Γ, δ  if e then ss1 else ss2 : τ
where ∀n : n ∈ dom(τ) ∧ |τ n| ≤ 1 and from Lemma 6.7 we get
(i) x′ ∈ dom(τ) ⇒ σ1 x′ = σ′1 x′ ∧
(ii) x ∈ dom(τ) ⇒ σ′1 x|Time ∈ τ x ∧
(iii) s′ ∈ dom(τ) ⇒ ϕ1 s′ 1 = ϕ′1 s′ 1 ∧
(iv) s ∈ dom(τ) ⇒ ϕ′1 s 1|−−Time ∈ τ s
and
(v) x′ ∈ dom(τ) ⇒ σ2 x′ = σ′2 x′ ∧
(vi) x ∈ dom(τ) ⇒ σ′2 x|Time ∈ τ x ∧
(vii) s′ ∈ dom(τ) ⇒ ϕ2 s′ 1 = ϕ′2 s′ 1 ∧
(viii) s ∈ dom(τ) ⇒ ϕ′2 s 1|−−Time ∈ τ s
Since the timing behaviour for each branch is identical τ , each timing eﬀect
has a unique timing delay for all variables and signals (due to the condition
∀n : n ∈ dom(τ) ∧ |τ n| ≤ 1), and the states projected on to the timing delays
are equivalent σ1 x|Time = σ2 x|Time, we can combine (i) and (v) to obtain
∀x′ : x′ ∈ dom(τ) ⇒ σ′1 x′|Time = σ′2 x′|Time
and similarly (ii) and (vi) to obtain
∀x : x ∈ dom(τ) ⇒ {σ′1 x|Time} = τ x = {σ′2 x|Time}
6.4 Soundness 121
combining these we get
∀x : σ′1 x|Time = σ′2 x|Time
In a similar way one can combine (iii), (iv), (vii) and (viii) to get
∀s : ϕ′1 s 1|Time = ϕ′2 s 1|Time
Hence the case follows.
Case Branch: There are two subcases. One is where the semantics evaluates
the statement as
t ∪ t′  〈ss, σ1, ϕ1〉 ⇒ 〈ss′1, σ′1, ϕ′1〉
t  〈[t′]ss, σ1, ϕ1〉 ⇒ 〈ss′1, σ′1, ϕ′1〉
and
t ∪ t′  〈ss, σ2, ϕ2〉 ⇒ 〈ss′2, σ′2, ϕ′2〉
t  〈[t′]ss, σ2, ϕ2〉 ⇒ 〈ss′2, σ′2, ϕ′2〉
The analysis gives
Γ, δ ⊗ {t′}  ss : τ
Γ, δ  [t′]ss : τ
and the case follows from applying the induction hypothesis. In the other sub-
case the semantics evaluates the statement as
t ∪ t′  〈ss, σ1, ϕ1〉 ⇒ 〈final, σ′1, ϕ′1〉
t  〈[t′]ss, σ1, ϕ1〉 ⇒ 〈final, σ′1, ϕ′1〉
and
t ∪ t′  〈ss, σ2, ϕ2〉 ⇒ 〈final, σ′2, ϕ′2〉
t  〈[t′]ss, σ2, ϕ2〉 ⇒ 〈final, σ′2, ϕ′2〉
and again the analysis gives
Γ, δ ⊗ {t′}  ss : τ
Γ, δ  [t′]ss : τ
now the case follows from applying the induction hypothesis. 
122 Timing Leaks
We generalise the static security guarantee of the analysis of statements for
executions of arbitrary length.
Lemma 6.10 (Secure Statements) For every statement ss that is evaluated by
the semantics in the states σ1 and ϕ1 as t  〈ss, σ1, ϕ1〉 ⇒∗ 〈final, σ′1, ϕ′1〉 and
in the states σ2 and ϕ2 as t  〈ss, σ2, ϕ2〉 ⇒∗ 〈final, σ′2, ϕ′2〉 we have
Γ, δ  ss : τ ∧ t ∈ δ ∧
σ1 x|Time = σ2 x|Time ∈ Γ x ∧ (6.10.1)
ϕ1 s 0|Time = ϕ2 s 0|Time ∈ Γ s (6.10.2)
implies
σ′1 x|Time = σ′2 x|Time ∧ (6.10.3)
ϕ′1 s 1|Time = ϕ′2 s 1|Time (6.10.4)
Proof. The proof proceeds by induction on the length of the derivation sequence
Case Local Variable Assignment, Signal Assignment, Skip and Con-
ditional follow from Lemma 6.9.
Case Composition: From Lemma 6.6 we have for the ﬁrst evaluation step
for both semantical rules for composition that σ′1 x|Time = σ′2 x|Time ∈ Γ x.
As the semantics for statements does not modify the present value of signals we
have ϕ′1 s 0|Time = ϕ′2 s 0|Time ∈ Γ s. Both subcases follows from the induction
hypothesis to the remaining part of the derivation sequence, which is obviously
shorter.
Case Branch: There are two cases. The case where the semantics evaluated
the statement in one step the case follows from Lemma 6.9. The case where
the branch statement is not evaluated in one step the we have that σ′1 x|Time =
σ′2 x|Time ∈ Γ x from Lemma 6.6. As the semantics for statements does not
modify the present value of signals we have ϕ′1 s 0|Time = ϕ′2 s 0|Time ∈ Γ s.
The case follows from the induction hypothesis to the remaining part of the
derivation sequence, which is obviously shorter. 
Finally, we show the main result for processes.
Theorem 6.11 (Secure Process) For every concurrent statement css where the
semantics evaluates each process i in the states σ1i and ϕ1i as ‖i∈I 〈cssi, σ1i, ϕ1i〉
6.4 Soundness 123
=⇒∗H=⇒A‖i∈I 〈css′1i, σ′1i, ϕ′1i〉 and in the states σ2i and ϕ2i as ‖i∈I 〈cssi, σ2i, ϕ2i〉
=⇒∗H=⇒A‖i∈I 〈css′2i, σ′2i, ϕ′2i〉 implies
Γ c css : τ ∧
σ1i x|Time = σ2i x|Time ∈ Γ x ∧
ϕ1i s 0|Time = ϕ2i s 0|Time ∈ Γ s ∧
ϕ′1i s 1|Time = ϕ′2i s 1|Time ∧
∀s : s ∈ L ⇒ ϕ1 s 0 = ϕ2 s 0
implies
css′1i = css
′
2i ∧
σ′1i x|Time = σ′2i x|Time ∈ Γ x ∧
ϕ′1i s 0|Time = ϕ′2i s 0|Time ∈ Γ s ∧
ϕ′1i s 1|Time = ϕ′2i s 1|Time = undef
Proof. We introduce a conﬁguration on the evaluation sequences, such that
‖i∈I 〈cssi, σ1i, ϕ1i〉 =⇒∗H‖i∈I 〈css′′1i, σ′′1i, ϕ′′1i〉 =⇒A‖i∈I 〈css′1i, σ′1i, ϕ′1i〉
and
‖i∈I 〈cssi, σ2i, ϕ2i〉 =⇒∗H‖i∈I 〈css′′2i, σ′′2i, ϕ′′2i〉 =⇒A‖i∈I 〈css′2i, σ′2i, ϕ′2i〉
For the evaluation sequences ‖i∈I 〈cssi, σ1i, ϕ1i〉 =⇒∗H‖i∈I 〈css′′1i, σ′′1i, ϕ′′1i〉 and
‖i∈I 〈cssi, σ2i, ϕ2i〉 =⇒∗H‖i∈I 〈css′′2i, σ′′2i, ϕ′′2i〉 applying Lemma 6.10 give
σ′′1i x|Time = σ′′2i x|Time ∧ (6.10.3)
ϕ′′1i s 1|Time = ϕ′′2i s 1|Time (6.10.4)
furthermore it follows that css′′1i = css
′′
2i. Now from Lemma 6.6 we have
σ′′1i x|Time = Γ x ∧ ϕ′′1i s 1|−−Time = Γ s
and because evaluating the conﬁguration with the rule [Active signals (A)]
give
‖i∈I 〈i : process (clk) begin ssi; end process i, σi, ϕi〉 =⇒‖i∈I 〈ss′i, σi, ϕ′i〉
where
ϕ′i s 0 =
⎧⎨
⎩
fs{{(v, t−−) | U(ϕk, s) = (v, t) ∧ k ∈ I}}
if ∃j ∈ I. ϕj s 1 is deﬁned
(v, t−−) otherwise, ϕi s 0 = (v, t)
ϕ′i s 1 = undef
ss′i = ssi; i : process (clk) begin ssi; end process i
124 Timing Leaks
Now css′1i = css
′
2i, σ
′
1i x|Time = σ′2i x|Time ∈ Γ x and ϕ′1i s 1|Time = ϕ′2i s 1|Time
= undef follow directly from the rule. Finally, ϕ′1i s 0|Time = ϕ′2i s 0|Time ∈ Γ s
follow from the two cases; ﬁrst when ∃j ∈ I. ϕj s 1 is deﬁned we have the result
of the analysis ϕ′′1i s 1|−−Time = ϕ′′2i s 1|−−Time ∈ Γ s, and since the rule modify
the signal stores as ϕ′i s 0 = fs{{(v, t−−) | U(ϕk, s) = (v, t) ∧ k ∈ I}} we get
the result for all active signals. The other case is when the signal is not active.
From Lemma 6.7 we observe that if a signal is not active in one execution it
will never be in any execution that can be typed with the same behaviour, τ .
Hence no execution path will modify the signals timing delay, therefore it will
be ∅, and the case follows. 
6.5 Analysing Advanced Encryption Standard
In this Section we brieﬂy summarise the application of our prototype imple-
mentation of the analysis to verify the AES standard pipelined implementation
[WBRF00]. The 128 bit version of the algorithm works on blocks of 128 bit,
that are encrypted through 10 rounds. Each round consists of 4 stages that sub-
stitute, shift, mix and add a round key to the block, respectively. Decryption is
done by reversing the order of the inverse stages in each round. The implemen-
tation considered performs either encryption or decryption depending on the
value of the incoming signal ALG ENC. The implementation uses the concurrent
statement
ALG DATA LAST <= POST OUT INT when ALG ENC = ’0’ else FINAL OUT;
to transfer the result of either encryption or decryption from an internal signal
to the ﬁnal register before the outgoing signal is set. Observe that only one of
the signals POST OUT INT and FINAL OUT inﬂuences the signal ALG DATA LAST,
depending on the value of the signal ALG ENC. In the case of decryption the
algorithm speciﬁes that the key should be added to the ﬁnal state. For encryp-
tion this is done before the ﬁrst round instead. Figure 6.2 shows the ﬂow of
information from the process performing the last round in the AES algorithm
to the ALG DATA LAST signal is set.
The implementation of the analysis starts by pre-processing VHDL programs to
CoreVHDL . For the statement considered it is rewritten into a conditional
using the rule presented in [Ash02]. It turns out that our analysis does not
accept the program because the process ARRAY REG128 will spend one clock
cycle to stabilise the signal for the adder (POST ADD) that then add the ﬁnal
6.6 Discussion of practical issues 125
STATE(ROUND-1)
FINAL_ROUND_BLOCK
FINAL_ROUND_KEY
ARRAY_REG128
ASGN_to_ALG_DATA_LAST
POST_ADD
POST_ADD_KEY
Figure 6.2: Process dependencies of part of AES
key to the block. This diﬀerence might cause a timing leak, as it could leak the
value of ALG ENC.
Observing the signal ALG ENC tells whether the system is performing encryption
or decryption, and hence carry no secret information. Therefore to verify the
implementation we added the signal to the threshold of our observer (L =
{ALG ENC}). This allow us to verify that the system is timing secure, as an
observer can learn no additional information by observing the timing delays of
the outcoming signals.
6.6 Discussion of practical issues
The presented semantics for CoreVHDL extended with timing behaviours cap-
ture the delays introduced by executions paths found in the speciﬁcation. Al-
ternative execution paths have been illustrated to have the capability to result
in timing channels, yet a couple of practical issues remain to be investigated.
Hence in this section two practical issues that could result in timing channels
are discussed. Observe that they have no impact on the analysis of the AES
example, and thus our results for the example program remain valid.
126 Timing Leaks
6.6.1 Stabilising signals
The VHDL Standard [IEE01] speciﬁes that all signals should carry stable values
before the next synchronisation. Therefore for synchronous speciﬁcations it is
safe to assume that all signals will have a stable value no later than the rising
clock edge. But all signals are not assigned a value at exactly the time of the
clock, rather all signals are assigned their value in the interval between two clock
edges. In our model of systems an observer can measure this interval, and with
speciﬁc knowledges about the layout at gate level the observer might use the
stabilising time to diﬀerentiate between secret input values.
Example 6.2 For a VHDL speciﬁcation the synthesiser tool will generate the
electrical circuit. Consider the program
d <= a or (b and c)
assume that d is an outgoing signal and that the synthesiser tool would generate
a circuit corresponding to the gates illustrated in Figure 6.3(a). For the input
[a = 1, b = 0, c = 1]
the circuit will stabilise its value at the time tor, since the or gate stabilises
because of the value of a, without waiting for the and gate to stabilise. However
if the input was
[a = 0, b = 1, c = 1]
then the value of d would not stabilise before the time of the or gate and the and
gate (i.e. tor + tand). The times are illustrated in the graph in Figure 6.3(b),
where the time tclock is the clock the system synchronises on.
To handle this possible diﬀerence in stabilising speeds we transform the VHDL
speciﬁcation in such a manner that all secret outgoing signals go through a
buﬀer. Technically this is done by rewriting the program so that all assignments
to an outgoing signal are altered to assignment to our buﬀer signal. Then we
introduce a process of the form
6.6 Discussion of practical issues 127
and
or
a b c
d
0 1
1
tor tand
time
tclock
(a) (b)
Figure 6.3: Stabilising times for a small circuit; (a) the considered circuit, (b)
timing of signals changes
bufs : process (clk) begin s <= sbuf ; end process;
where s is the outgoing signal, sbuf is an internal signal speciﬁed within the
block, and clk is the signal carrying the global clock. The buﬀer process will
delay the signal one clock cycle, and then uniformly transfer the value from the
memory cell to the outgoing wire.
While this buﬀering method handles the potential diﬀerences in time intervals of
stabilising signals, it is not suﬃcient for eliminating timing channels completely.
Timing channels caused by diﬀerent paths through a program are considered in
the following Section.
6.6.2 Shortest circuit evaluation
In this Section we introduce an alternative semantics for the logical operators
and and or. This extension is based on the observation that when applying
the operators, one side of the expression might be disregarded as the value of
the other side might dominate the value of evaluating the expression. This
observation has previously been exploited in e.g. short circuit evaluation of
boolean expression in compilers [WM95].
The semantics are extended with a set of specialised rules that apply to the cases
128 Timing Leaks
where a shorter circuit is available instead of evaluating the whole expression.
E [[e1 or e2]]〈σ, ϕ〉 =
⎧⎪⎨
⎪⎪⎩
(′1′, t1) where E [[e1]]〈σ, ϕ〉 = (′1′, t1)
(′1′, t2) where E [[e2]]〈σ, ϕ〉 = (′1′, t2)
(v1 or v2, t1 ∪ t2) where E [[e1]]〈σ, ϕ〉 = (v1, t1)
and E [[e2]]〈σ, ϕ〉 = (v2, t2)
E [[e1 and e2]]〈σ, ϕ〉 =
⎧⎪⎪⎨
⎪⎪⎩
(′0′, t1) where E [[e1]]〈σ, ϕ〉 = (′0′, t1)
(′0′, t2) where E [[e2]]〈σ, ϕ〉 = (′0′, t2)
(v1 and v2, t1 ∪ t2) where E [[e1]]〈σ, ϕ〉 = (v1, t1)
and E [[e2]]〈σ, ϕ〉 = (v2, t2)
The analysis can be modiﬁed to accommodate the alternative semantics. The
rules for and and or can be modiﬁed as
Γ  e1 : t1 Γ  e2 : t2 t1  t2
Γ  e1 and e2 : t1 ∪ t2
Γ  e1 : t1 Γ  e2 : t2 t1  t2
Γ  e1 or e2 : t1 ∪ t2
We introduce the binary operator  for comparing the types of two expression
t1  t2 ⇔ {(n, z1) | ∃z2 : (n, z1) ∈ t1 ∧ (n, z2) ∈ t2} =
{(n′, z2) | ∃z1 : (n′, z1) ∈ t1 ∧ (n′, z2) ∈ t2}
which is used to make sure that if the evaluation of an expression might depend
on only part of the values manipulated, then the timing delay of each part
is the same. As an example for the operators and and or the evaluation of
the ﬁrst operand might determine the value of the whole expression, thereby
rendering the other operand without inﬂuence of the result and the timing delay
of dependent signals. Notice that the evaluation of xor always need to evaluate
both operands to determine the resulting value, therefore we don’t need to
restrict the operands timing delay.
6.7 Summary
A semantics for a synchronous synthesizable subset of VHDL has been presented,
with a novel component for describing the timing delay of programs. It was
argued that when considering speciﬁcations of hardware a new model for the
absence of timing leaks is needed. This is needed because for hardware systems
an outgoing signal has a value at all times, and an observer therefore might
6.7 Summary 129
observe modiﬁcations rather than termination or diﬀerence in execution time.
A model was proposed and formalised with respect to the semantics.
To verify the absence of timing leaks in a speciﬁcation of a system an automatic
type based analysis have been presented. A novel point of the analysis is that
it focuses on the problem of timing leaks. This allows us to argue the absence
of timing channels in such systems as cryptographic algorithms, even when
information ﬂow analyses would not permit it. Furthermore the result of the
analysis can be composed with the information ﬂow analyses for CoreVHDL to
achieve a timing sensitive bisimulation-based conﬁdentiality property. Finally
the analysis was used it to verify the AES standard implementation.
130 Timing Leaks
C h a p t e r 7
Conclusion
In the Kamigata area they have a sort of tiered lunchbox
they use for a single day when ﬂower viewing.
Upon returning, they throw them away, trampling them underfoot.
The end is important in all things.
— Yamamoto Tsunetomo
In this thesis the semantical model of VHDL has been investigated and for-
malised. As a result we have been able to present formal security properties for
VHDL programs that guarantee them to preserve the conﬁdentiality of secret
information by not allowing channels observable to diﬀerent principals to in-
terfere. In fact, the investigated security properties generalise noninterference,
yet in a controlled fashion, allowing systems, through the execution of speciﬁed
parts of the program, to dynamically release sensitive information. Our security
properties are supported by static analyses, that allow for automatic veriﬁcation
of systems.
Previously the need for static mechanisms has been argued [Vol99], and the
analyses proposed here fulﬁll the requirements stated in Chapter 1:
Automatic: The analyses are speciﬁed so that the process of validating a se-
curity policy for a given program is fully automated. Furthermore the
prototype implementation of the analyses provide automated inference al-
gorithms.
132 Conclusion
Correctness: The semantic correctness of the analyses, shown in Chapter 4
and 6, demonstrates how the analyses are tied to the semantics of VHDL
and the security properties. The extensions presented in Chapter 5 are
based on existing analysis approaches and hence the correctness is believed
to be adaptable from the similar results presented in [NNH99].
Eﬃcient: The analyses for verifying the ﬂow of information are divided into
several components, and the correctness results are stated such that the
local dependencies are suﬃcient for verifying most systems. Hence the
global dependency analysis is a means to trade in eﬃciency for precision.
Exhaustiveness: By their nature the analyses clearly provide an exhaustive
approach to verifying programs, as we do not rely on the extraction of
a model of the essential part of the program, program transformations,
or similar abstractions. Instead the analyses are applied directly to the
veriﬁcation target.
Another main achievement is the veriﬁcation of the reference implementation
of the Advanced Encryption Standard. This allows us to conclude that the pri-
mary goal of this thesis, namely to accommodate the veriﬁcation of hardware
speciﬁcations, has been achieved. The prototype implementation has also been
successful in analysing the systems provided by Maersk Data Defence. Although
the full Common Criteria report considers aspects of the system that has not
been discussed in this thesis, the objectives regarding the identiﬁcation of infor-
mation ﬂow and covert channels stated in the Chapter 13.1 Objective: Covert
Channel Analysis (AVA CCA), have been achieved.
7.1 Final remarks
Throughout the thesis we have investigated the reference implementation of
the Advanced Encryption Standard. Verifying a cryptographic algorithm in
the information ﬂow setting is not straightforward, and we have assumed that
the inreversibility of the cipher text is indeed provided by the implementation.
History-based Release has merely allowed us to guarantee that all rounds are
applied, and that each round gradually lowers the conﬁdentiality level of texts.
The correctness of the implementation has previously been argued by the de-
velopers in [WBRF00] and related publications. Their correctness result relies
on mathematical observations and testing through a test-bench, following the
Monte Carlo approach where the output is fed back into the program for the
next round. This approach clearly does not provide an exhaustive correctness
result.
7.1 Final remarks 133
Other approaches include the correctness guarantees of the algorithm in the
information ﬂow analysis. Laud [Lau03] presents an information ﬂow analysis
that considers the computations and by doing this can verify systems that pro-
tect the secrecy of the input with a given complexity of the reversibility of the
outputs. Recently, Askarov et al. [AS05, AHS06] have investigated the informa-
tion ﬂow in systems where cryptographic functions are available. However the
cryptographic functions are considered as black boxes that correctly implement
the cryptographic algorithms and hence provide the necessary guarantees.
The issue of timing channels have been investigated by several researchers [VS99,
Aga00, SS00, Sab01, KM05, KB06], yet the security properties proposed are all
strong noninterference properties. In this thesis we have specialised the absence
of timing leaks to deal with timing channels. Hence the property becomes
orthogonal to the generalised noninterference properties that we might choose
to use for verifying the ﬂow of information through the system. This ﬂexibility
also allows us to specify that information is allowed to ﬂow on a channel, yet
not being observable by observations on the timing behaviour of this channel.
This is of utmost importance when considering cryptographic systems, as timing
channels have often been exploited in order to reduce the search space of secret
key or plain text attacks.
The analyses presented throughout this thesis have been implemented using
the Succinct Solver v. 1.0 [NNS02, NNS+04], which has made it possible to
verify the AES implementation and the Maersk Data Defence program. The
prototype implementation has shown very good running times on the discussed
programs, taking only a few minutes. However, for the analysis of large-scale,
complex systems Mantel [Man01, Man02] have argued in favour of composi-
tional properties and analyses. In this thesis we have taken an approach that
allows for a great deal of compositionallity. First, the local dependencies are
analysed at process level, without regard for the rest of the system. Second, the
global dependencies are derived from the local dependencies and strengthened
by the Reaching Deﬁnitions analysis. This means that during a development
process where the system goes through several stages, the analysis result for
each unmodiﬁed process can be reused when verifying the complete system.
Future investigations might consider the possibility of deciding the need for
applying the Reaching Deﬁnitions analysis automatically, by a pre-analysis of
the security policy. This would also allow for a ﬁne-grained trade oﬀ between
precision and eﬃciency, where necessary.
134 Conclusion
Bibliography
[AB04] Torben Amtoft and Anindya Banerjee. Information ﬂow analysis in
logical form. In Proc. Symposium on Static Analysis, volume 3148
of Lecture Notes in Computer Science, pages 100–115. Springer-
Verlag, 2004.
[AF03] Mart´ın Abadi and Ce´dric Fournet. Access control based on execu-
tion history. In Proceedings of the Network and Distributed System
Security Symposium. The Internet Society, 2003.
[Aga00] Johan Agat. Transforming out timing leaks. In Proc. ACM Sympo-
sium on Principles of Programming Languages, pages 40–53. ACM
Press, January 2000.
[AHS06] Aslan Askarov, Daniel Hedin, and Andrei Sabelfeld.
Cryptographically-masked ﬂows. In Proc. Symposium on Static
Analysis, volume 4134 of Lecture Notes in Computer Science,
pages 353–369. Springer-Verlag, 2006.
[AS05] Aslan Askarov and Andrei Sabelfeld. Security-typed languages
for implementation of cryptographic protocols: A case study. In
Proc. European Symposium on Research in Computer Security, vol-
ume 3679 of Lecture Notes in Computer Science, pages 197–221.
Springer-Verlag, 2005.
[Ash02] Peter J. Ashenden. The Designer’s Guide To VHDL. Morgan
Kaufmann, 2nd edition, 2002.
[BBN+03] Lorenzo Bettini, Viviana Bono, Rocco De Nicola, Gian Luigi
Ferrari, Daniele Gorla, Michele Loreti, Eugenio Moggi, Rosario
136 BIBLIOGRAPHY
Pugliese, Emilio Tuosto, and Betti Venneri. The klaim project:
Theory and practice. In Global Computing, volume 2874 of Lecture
Notes in Computer Science, pages 88–150. Springer-Verlag, 2003.
[BDF05] Massimo Bartoletti, Pierpaolo Degano, and Gian Luigi Ferrari.
History-based access control with local policies. In Proc. Founda-
tions of Software Science and Computation Structure, volume 3441
of Lecture Notes in Computer Science, pages 316–332. Springer-
Verlag, 2005.
[BFK94] Peter T. Breuer, Luis Sa´nchez Ferna´ndez, and Carlos Delgado
Kloos. Clean formal semantics for vhdl. In EDAC-ETC-
EUROASIC, pages 641–647, 1994.
[BL73] David E. Bell and Len J. LaPadula. Secure computer systems:
Mathematical foundations. Technical Report MTR-2547, Vol. 1,
MITRE Corp., Bedford, MA, 1973.
[BLPV94] Jo¨rg Bormann, Jo¨rg Lohse, Michael Payer, and Gerd Venzl. Vhdl
translation for bdd-based formal veriﬁcation. Technical report,
Siemens, 1994.
[BN04] Anindya Banerjee and David A. Naumann. History-based access
control and secure information ﬂow. In Construction and Analy-
sis of Safe, Secure, and Interoperable Smart Devices, International
Workshop, volume 3362 of Lecture Notes in Computer Science,
pages 27–48. Springer-Verlag, March 2004.
[BS06] Niklas Broberg and David Sands. Flow locks: Towards a core
calculus for dynamic ﬂow policies. In Proc. European Symposium on
Programming, volume 3924 of Lecture Notes in Computer Science,
pages 180–196. Springer-Verlag, 2006.
[CC98] International Standards Organisation. Common Criteria for infor-
mation technology security (CC), ISO/IS 15408 Final Committee
Draft, version 2.0., 1998.
[CFR+99] Edmund M. Clarke, Masahiro Fujita, Sreeranga P. Rajan,
Thomas W. Reps, Subash Shankar, and Tim Teitelbaum. Program
slicing of hardware description languages. In Proc. Conference on
Correct Hardware Design and Veriﬁcation Methods, volume 1703
of Lecture Notes in Computer Science, pages 298–312. Springer-
Verlag, 1999.
[CHH02] David Clark, Chris Hankin, and Sebastian Hunt. Information ﬂow
for algol-like languages. Comput. Lang., 28(1):3–28, 2002.
BIBLIOGRAPHY 137
[CM04] Stephen Chong and Andrew C. Myers. Security policies for down-
grading. In CCS ’04: Proceedings of the 11th ACM conference on
Computer and communications security, pages 198–209, New York,
NY, USA, 2004. ACM Press.
[CM05] Stephen Chong and Andrew C. Myers. Language-based information
erasure. In Proc. IEEE Computer Security Foundations Workshop,
pages 241–254. IEEE Computer Society Press, 2005.
[Coh77] Ellis S. Cohen. Information transmission in computational systems.
ACM SIGOPS Operating Systems Review, 11(5):133–139, 1977.
[Coh78] Ellis S. Cohen. Information transmission in sequential programs.
In R. A. DeMillo, D. P. Dobkin, A. K. Jones, and R. J. Lipton,
editors, Foundations of Secure Computation, pages 297–335. Aca-
demic Press, 1978.
[CW87] David D. Clark and David R. Wilson. A comparison of commercial
and military computer security policies. In Proc. IEEE Symposium
on Security and Privacy, pages 184–194. IEEE Computer Society
Press, 1987.
[DB93] David De´harbe and Dominique Borrione. A qualitative ﬁnite subset
of vhdl and semantics. Technical Report RR943, IMAG Institute,
1993.
[DB95] David De´harbe and Dominique Borrione. Semantics of a
veriﬁcation-oriented subset of vhdl. In Proc. Conference on Correct
Hardware Design and Veriﬁcation Methods, volume 987 of Lecture
Notes in Computer Science, pages 293–310. Springer-Verlag, 1995.
[DD77] D. E. Denning and P. J. Denning. Certiﬁcation of programs for
secure information ﬂow. Comm. of the ACM, 20(7):504–513, July
1977.
[Den76] Dorothy E. Denning. A lattice model of secure information ﬂow.
Comm. of the ACM, 19(5):236–243, May 1976.
[DKL+98] Jean-Franc¸ois Dhem, Franc¸ois Koeune, Philippe-Alexandre Ler-
oux, Patrick Mestre´, Jean-Jacques Quisquater, and Jean-Louis
Willems. A Practical Implementation of the Timing Attack. In
Proc. of CARDIS’98, volume 1820 of Lecture Notes in Computer
Science, pages 167–182. Springer-Verlag, 1998.
[DOD85] Department of Defense. Department of Defense Trusted Computer
System Evaluation Criteria, dod 5200.28-std (the orange book) edi-
tion, December 1985.
138 BIBLIOGRAPHY
[Est05] Esterel Technologies. The Esterel v7 Reference Manual, version
v7 30 - initial IEEE standardization proposal edition, 2005.
[GM82] Joseph A. Goguen and Jose´ Meseguer. Security policies and security
models. In Proc. IEEE Symposium on Security and Privacy, pages
11–20. IEEE Computer Society Press, April 1982.
[GM84] Joseph A. Goguen and Jose´ Meseguer. Unwinding and inference
control. In Proc. IEEE Symposium on Security and Privacy, pages
75–87. IEEE Computer Society Press, 1984.
[Goo95] Kees G. W. Goossens. Reasoning About VHDL Using Operational
and Observational Semantics. In Proc. Conference on Correct
Hardware Design and Veriﬁcation Methods, volume 987 of Lecture
Notes in Computer Science, pages 311–327. Springer-Verlag, 1995.
[HKMY86] J. Thomas Haigh, Richard A. Kemmerer, John McHugh, and
William D. Young. An experience using two covert channel analysis
techniques on a real system design. In Proc. IEEE Symposium on
Security and Privacy, pages 14–24. IEEE Computer Society Press,
1986.
[HL98] Yee-Wing Hsieh and Steven P. Levitan. Control / data-ﬂow analysis
for vhdl semantic extraction. Journal of Information Science and
Engineering, 14(3):547–565, 1998.
[HMU01] John E. Hopcroft, Rajeev Motwani, and Jeﬀrey D. Ullman. In-
troduction to automata theory, languages, and computation, 2nd
edition. Addison-Wesley, 2001.
[HR98] Nevin Heintze and Jon G. Riecke. The slam calculus: Programming
with secrecy and integrity. In Proc. ACM Symposium on Principles
of Programming Languages, pages 365–377. ACM Press, 1998.
[HS06] Sebastian Hunt and David Sands. On ﬂow-sensitive security types.
In Proc. ACM Symposium on Principles of Programming Lan-
guages. ACM Press, January 2006.
[HY86] J. Thomas Haigh and William D. Young. Extending the Non-
Interference Version of MLS for SAT. In Proc. IEEE Symposium
on Security and Privacy, pages 232–239. IEEE Computer Society
Press, 1986.
[Hym02] Charles Hymans. Checking Safety Properties of Behavioral VHDL
Descriptions by Abstract Interpretation. In Proc. Symposium on
Static Analysis, volume 2477 of Lecture Notes in Computer Science,
pages 444–460. Springer-Verlag, 2002.
BIBLIOGRAPHY 139
[IEC05] IEC and IEEE inc. International Standard VHDL Register Transfer
Level (RTL) synthesis, IEC 62050, IEEE Std 1076.6-2004, 2005.
Revision of IEEE Std 1076.6-1999.
[IEE87] IEEE inc. IEEE Standard VHDL Language Reference Manual,
IEEE Std 1076-1987, 1987.
[IEE93a] IEEE inc. IEEE Standard Multivalue Logic System for VHDL
Model Interoperability (Std logic 1164), IEEE Std 1164-1993, 1993.
[IEE93b] IEEE inc. IEEE Standard VHDL Language Reference Manual,
IEEE Std 1076-1993, 1993. Revision of IEEE Std 1076-1987
[IEE87].
[IEE95] IEEE inc. IEEE Standard Verilog Hardware Description Language,
IEEE Std 1364-1995, 1995.
[IEE01] IEEE inc. IEEE Standard VHDL Language Reference Manual,
IEEE Std 1076-2001, 2001. Revision of IEEE Std 1076-1993
[IEE93b].
[IEE05] IEEE inc. IEEE Standard SystemC Language Reference Manual,
IEEE Std 1666-2005, 2005.
[ITS91] Commission of the European Communities. Information Tech-
nology Security Evaluation Criteria (ITSEC): Preliminary Har-
monised Criteria, document COM(90) 314, Version 1.2 edition,
June 1991.
[KB06] Boris Ko¨pf and David Basin. Timing-sensitive information ﬂow
analysis for synchronous systems. In Proc. European Symposium
on Research in Computer Security, volume 4189 of Lecture Notes
in Computer Science, pages 243–262. Springer-Verlag, 2006.
[Kem82] Richard A. Kemmerer. A practical approach to identifying storage
and timing channels. In Proc. IEEE Symposium on Security and
Privacy, pages 66–73. IEEE Computer Society Press, 1982.
[Kem02] Richard A. Kemmerer. A practical approach to identifying storage
and timing channels: Twenty years later. In Proc. IEEE Annual
Computer Security Applications Conference, pages 109–118. IEEE
Computer Society Press, 2002.
[KJJ99] Paul C. Kocher, Joshua Jaﬀe, and Benjamin Jun. Diﬀerential power
analysis. In Proc. CRYPTO’99, volume 1666 of Lecture Notes in
Computer Science, pages 388–397. Springer-Verlag, 1999.
140 BIBLIOGRAPHY
[KM05] Boris Ko¨pf and Heiko Mantel. Eliminating implicit information
leaks by transformational typing and uniﬁcation. In Proc. Work-
shop on Formal Aspects in Security and Trust, volume 3866 of Lec-
ture Notes in Computer Science, pages 47–62. Springer-Verlag, July
2005.
[Koc96] Paul C. Kocher. Timing attacks on implementations of Diﬃe-
Hellman, RSA, DSS, and other systems. In Proc. CRYPTO’96,
volume 1109 of Lecture Notes in Computer Science, pages 104–113.
Springer-Verlag, 1996.
[KT96] Richard A. Kemmerer and Tad Taylor. A modular covert chan-
nel analysis methodology for trusted dg/ux/sup tm/. In Proc.
IEEE Annual Computer Security Applications Conference, pages
224–235. IEEE Computer Society Press, 1996.
[KWMK01] Ramesh Karri, Kaijie Wu, Piyush Mishra, and Yongkook Kim.
Fault-based side-channel cryptanalysis tolerant rijndael symmet-
ric block cipher architecture. In Proc. Defect and Fault-Tolerance
in VLSI Systems, pages 427–435. IEEE Computer Society Press,
2001.
[Lam73] Butler W. Lampson. A note on the conﬁnement problem. Comm.
of the ACM, 16(10):613–615, 1973.
[Lau03] Peeter Laud. Handling encryption in an analysis for secure infor-
mation ﬂow. In Proc. European Symposium on Programming, vol-
ume 2618 of Lecture Notes in Computer Science, pages 159–173.
Springer-Verlag, 2003.
[Man01] Heiko Mantel. Information ﬂow control and applications - bridging
a gap. In FME, volume 2021 of Lecture Notes in Computer Science,
pages 153–172. Springer-Verlag, March 2001.
[Man02] Heiko Mantel. On the composition of secure systems. In Proc.
IEEE Symposium on Security and Privacy, pages 88–101. IEEE
Computer Society Press, May 2002.
[Mat04] Dan Matthews. Hardware Bus Security in Embedded Systems. The
Fifth HOPE. 2600, 2004.
[MB05] Ana Almeida Matos and Ge´rard Boudol. On declasiﬁcation and
the non-disclosure policy. In Proc. IEEE Computer Security Foun-
dations Workshop, pages 226–240. IEEE Computer Society Press,
June 2005.
[McH83] John McHugh. Towards Eﬃcient Code from Veriﬁed Programs.
PhD thesis, The University of Texas at Austin, 1983.
BIBLIOGRAPHY 141
[McH95] John McHugh. Covert Channel Analysis. Handbook for the Com-
puter Security Certiﬁcation of Trusted Systems, 1995.
[MED02] MEDEA+. Design Automation Solutions for Europe, 2002.
[MED04] MEDEA+. The Future of the European Microelectronics Industry,
2004.
[Men03] Mentor Graphics. ModelSim SE 5.7d VHDL simulator, 2003.
http://www.model.com/.
[ML97] Andrew C. Myers and Barbara Liskov. A decentralized model for
information ﬂow control. In Proc. ACM Symposium on Operating
System Principles, pages 129–142. ACM Press, 1997.
[MS04] Heiko Mantel and David Sands. Controlled declassiﬁcation based
on intransitive noninterference. In Proc. Asian Symposium on Pro-
gramming Languages and Systems, volume 2244 of Lecture Notes
in Computer Science, pages 129–145. Springer-Verlag, 2004.
[Mye99a] Andrew C. Myers. Jﬂow: Practical mostly-static information ﬂow
control. In Proc. ACM Symposium on Principles of Programming
Languages, pages 228–241. ACM Press, 1999.
[Mye99b] Andrew C. Myers. Mostly-Static Decentralized Information Flow
Control. PhD thesis, Laboratory for Computer Science, Massa-
chusetts Institute of Technology, 1999.
[NN92] Hanne Riis Nielson and Flemming Nielson. Semantics with Appli-
cations - A Formal Introduction. John Wiley & Sons, 1992.
[NNH99] Flemming Nielson, Hanne Riis Nielson, and Chris Hankin. Princi-
ples of Program Analysis. Springer-Verlag, 1999.
[NNS02] Flemming Nielson, Hanne Riis Nielson, and Helmut Seidl. A Suc-
cinct Solver for ALFP. Nordic Journal of Computing, 9(4):335–372,
2002.
[NNS+04] Flemming Nielson, Hanne Riis Nielson, Hongyan Sun, Michael
Buchholtz, Rene´ Rydhof Hansen, Henrik Pilegaard, and Helmut
Seidl. The Succinct Solver Suite. In Proc. Tools and Algorithms
for the Construction and Analysis of Systems, volume 2988 of Lec-
ture Notes in Computer Science, pages 251–265. Springer-Verlag,
2004.
[Plo04] Gordon D. Plotkin. A structural approach to operational semantics.
J. Log. Algebr. Program., 60–61:17–139, 2004.
142 BIBLIOGRAPHY
[QS01] Jean-Jacques Quisquater and David Samyde. ElectroMagnetic
Analysis (EMA): Measures and counter-measures for smart cards.
In Proc. of E-smart, volume 2140 of Lecture Notes in Computer
Science, pages 200–210. Springer-Verlag, 2001.
[RBG00] Vanderlei Moraes Rodrigues, Dominique Borrione, and Philippe
Georgelin. Using the acl2 theorem prover to reason about vhdl
components. RITA, 7(1):129–148, 2000.
[RG99] A. W. Roscoe and M. H. Goldsmith. What is intransitive noninter-
ference? In Proc. IEEE Computer Security Foundations Workshop,
pages 228–238. IEEE Computer Society Press, 1999.
[RMMG01] Peter Ryan, John D. McLean, Jonathan K. Millen, and Virgil D.
Gligor. Non-interference: Who needs it? In Proc. IEEE Computer
Security Foundations Workshop, pages 237–238. IEEE Computer
Society Press, 2001.
[Rus92] John M. Rushby. Noninterference, Transitivity, and Channel-
Control Security Policies. Technical Report CSL-92-02, SRI In-
ternational, December 1992.
[Rus95] David M. Russinoﬀ. A formalization of a subset of vhdl in the
boyer-moore logic. Formal Methods in System Design, 7(1/2):7–
25, 1995.
[Sab01] Andrei Sabelfeld. The impact of synchronisation on secure infor-
mation ﬂow in concurrent programs. In Proc. Andrei Ershov In-
ternational Conference on Perspectives of System Informatics, vol-
ume 2244 of Lecture Notes in Computer Science, pages 227–241.
Springer-Verlag, 2001.
[SEM03] International SEMATECH. International Technology Roadmap for
Semiconductors. 2003.
[SH89] A. Salz and Mark Horowitz. IRSIM: An Incremental MOS Switch-
Level Simulator. In Proc. 26th Design Automation Conference,
June 1989.
[SM03a] Andrei Sabelfeld and Andrew C. Myers. Language-based
information-ﬂow security. IEEE J. Selected Areas in Communi-
cations, 21(1):5–19, January 2003.
[SM03b] Andrei Sabelfeld and Andrew C. Myers. A model for delimited in-
formation release. In ISSS, volume 3233 of Lecture Notes in Com-
puter Science, pages 174–191. Springer-Verlag, 2003.
BIBLIOGRAPHY 143
[SS00] Andrei Sabelfeld and David Sands. Probabilistic noninterference
for multi-threaded programs. In Proc. IEEE Computer Security
Foundations Workshop, pages 200–214. IEEE Computer Society
Press, July 2000.
[SS01] Andrei Sabelfeld and David Sands. A per model of secure infor-
mation ﬂow in sequential programs. Higher Order and Symbolic
Computation, 14(1):59–91, 2001.
[SS05] Andrei Sabelfeld and David Sands. Dimensions and principles of
declassiﬁcation. In Proc. IEEE Computer Security Foundations
Workshop. IEEE Computer Society Press, 2005.
[Sut86] D. Sutherland. A model of information. In Proc. National Com-
puter Security Conference, pages 175–183, September 1986.
[SV98] Geoﬀrey Smith and Dennis M. Volpano. Secure information ﬂow in
a multi-threaded imperative language. In Proc. ACM Symposium
on Principles of Programming Languages, pages 355–364. ACM
Press, 1998.
[SV00] Daryl Stewart and Myra VanInwegen. Three notes on the interpre-
tation of verilog. Technical Report 485, University of Cambridge,
2000.
[TE01] Krishnaprasad Thirunarayan and Robert L. Ewing. Structural Op-
erational Semantics for a Portable Subset of Behavioral VHDL-93.
Formal Methods in System Design, 18(1):69–88, 2001.
[Thi03] Personal communication with Krishnaprasad Thirunarayan, Au-
gust 2003.
[TN06] Terkel K. Tolstrup and Flemming Nielson. Analyzing for absence
of timing leaks in VHDL. In Proc. Sixth International Workshop
on Issues in the Theory of Security, March 2006.
[TNH06] Terkel K. Tolstrup, Flemming Nielson, and Rene´ Rydhof Hansen.
Locality-based security policies. In Proc. Workshop on Formal As-
pects in Security and Trust, Lecture Notes in Computer Science.
Springer-Verlag, August 2006.
[TNN05] Terkel K. Tolstrup, Flemming Nielson, and Hanne Riis Nielson.
Information Flow Analysis for VHDL. In Proc. Eighth International
Conference on Parallel Computing Technologies, volume 3606 of
Lecture Notes in Computer Science. Springer-Verlag, August 2005.
[Tui92] Paul W. Tuinenga. SPICE: A Guide to Circuit Simulation and
Analysis Using PSpice. Prentice Hall, 1992.
144 BIBLIOGRAPHY
[Vol99] Dennis M. Volpano. Safety versus secrecy. In Proc. Symposium on
Static Analysis, volume 1694 of Lecture Notes in Computer Science,
pages 303–311. Springer-Verlag, 1999.
[VS99] Dennis M. Volpano and Geoﬀrey Smith. Probabilistic noninterfer-
ence in a concurrent language. J. Computer Security, 7(2–3):231–
253, November 1999.
[VSI93] The Keystone Research Group. VCOMP & VSIM, 1993.
[VSI96] Dennis M. Volpano, Geoﬀrey Smith, and Cynthia E. Irvine. A
sound type system for secure ﬂow analysis. J. Computer Security,
4(3):167–187, 1996.
[vT93] John P. van Tassel. FEMTO-VHDL: The semantics of a subset of
VHDL and its embedding in the hol proof assistant. PhD thesis,
University of Cambridge, 1993.
[WBRF00] Bryan Weeks, Mark Bean, Tom Rozylowicz, and Chris Ficke. Hard-
ware performance simulations of round 2 advanced encryption stan-
dard algorithms. Technical report, National Security Agency, 2000.
[WM95] Reinhard Wilhelm and Dieter Maurer. Compiler Design. Addison
Wesley Higher Education, 1995.
[ZM01] Steve Zdancewic and Andrew C. Myers. Robust declassiﬁcation.
In Proc. IEEE Computer Security Foundations Workshop, pages
15–23. IEEE Computer Society Press, 2001.
