Security Results for SIRRTL, A Hardware Description Language for Information Flow Security
Andrew Ferraiuolo*
Cornell University
Abstract
This document establishes security results for SIRRTL, a secure variant of the FIRRTL intermediate language. We developed ChiselFlow, a variant of the Chisel hardware design language [1] for information flow security. ChiselFlow extends Chisel, a hardware description language embedded in Scala. ChiselFlow allows the hardware designer to describe security policies about the hardware that are checked at design time. Much like Chisel, ChiselFlow gains much of the expressive power of its rich host language, Scala. However, security enforcement is done by a small intermediate language called SIRRTL, so the trusted component of ChiselFlow is small. ChiselFlow emits SIRRTL, a variant of the FIRRTL intermediate language augmented with an information flow type system. ChiselFlow supports security policies that depend on the run-time values of signals, though these policies are checked purely at design time by SIRRTL. In this document, we prove that well-typed SIRRTL modules enforce a timing-safe variant of noninterference. We constructed the HyperFlow processor using ChiselFlow, thereby establishing high assurance in the implementation of the processor.
1 Language
1.1 Syntax
Figure 1 shows the core syntax of SIRRTL that we use to establish security results. SIRRTL labels, $\ell$, are pairs of confidentiality and integrity components $(c, i)$. Label components include atomic security levels $n$, which form a lattice. The notation $p_1 \geq p_2$ means that $p_1$ has higher authority than $p_2$. For confidentiality, $c_1 \geq c_2$ means that $c_1$ is more secret than $c_2$. Dually, for integrity, $i_1 \geq i_2$ means that $i_1$ is more trusted than $i_2$. For either confidentiality or integrity components, $p_1 \wedge p_2$ denotes the join of $p_1$ and $p_2$, and $p_1 \vee p_2$ denotes their meet. The greatest and least components are $\top$ and $\bot$ respectively. The syntax of label components also includes functions $f$ that are fully applied to some number of free variables in the hardware module, $\vec{x}$. Components of this form can be used to express dependent labels that change at run time based on the values of signals. Dependent labels are important for the description of efficient hardware designs that allow the hardware to be shared by different security domains at run time. Dependent labels of this form are similar to those in SecVerilog [4]. The lattice over label components is lifted to a lattice over security labels, which is defined in Figure 2.

*The author is now at Google.
$$
\begin{array}{ll}
n \in \mathcal{N} & \text{atomic principals} \\
x \in \mathcal{V} & \text{variable names} \\
\bar{x} \in \bar{\mathcal{V}} & \text{next-cycle symbols} \\
v \in \mathbb{N} & \text{integers} \\[4pt]
i, c, p ::= n \mid \top \mid \bot \mid p \wedge p \mid p \vee p \mid f(\vec{x}) & \\
\ell ::= (p, p) & \\
e ::= v \mid x \mid \bar{x} \mid e \oplus e \mid \mathit{decl}(e, \ell) \mid \mathit{endo}(e, \ell) & \\
\mathit{Prog}, s ::= \mathit{skip} \mid s; s \mid \mathit{when}(e)\ s\ \mathit{else}\ s \mid x \Leftarrow e &
\end{array}
$$
Figure 1: SIRRTL core syntax.

$$
\begin{array}{rcl}
(c_1, i_1) \sqcup (c_2, i_2) & \triangleq & (c_1 \wedge c_2,\ i_1 \vee i_2) \\
(c_1, i_1) \sqcap (c_2, i_2) & \triangleq & (c_1 \vee c_2,\ i_1 \wedge i_2) \\
(c_1, i_1) \sqsubseteq (c_2, i_2) & \iff & c_2 \geq c_1 \text{ and } i_1 \geq i_2
\end{array}
$$
Figure 2: Lattice over labels.
The syntax of expressions is mostly standard. Values $v$ are finite bit-vectors. Variables, denoted $x$, represent sequential variables that define registers. For simplicity, the formal syntax of SIRRTL omits combinational variables, though in doing so it loses no expressive power: combinational variables can simply be replaced with the expressions that assign their values. The implementation of SIRRTL includes combinational variables. The syntax $\bar{x}$ represents a special symbol reserved for storing the next-cycle valuation of $x$. The symbol $\bar{x}$ cannot be written by the programmer; it is an auxiliary symbol used in the semantics and typing judgments to capture delayed updates to the sequential variables. Binary operators are denoted $e_1 \oplus e_2$. The syntax $\mathit{decl}(e, \ell)$ and $\mathit{endo}(e, \ell)$ respectively express declassification and endorsement of the expression $e$ to the security level $\ell$. Declassification and endorsement respectively relax the confidentiality and integrity level of the expression. Downgrades are controlled by the type system so that they enforce non-malleable information flow control [2]. The syntax of statements $s$ is entirely standard except that $\mathit{when}$ denotes a conditional statement. Programs, written $\mathit{Prog}$, are single commands.
Our full implementation of SIRRTL (and ChiselFlow) also securely supports record types (bundles), arrays, synchronous and asynchronous memories, module declarations and instantiations, and purely combinational wires. The typing rules for these features do not fundamentally change the design of the type system, so we omit them to simplify the proofs.
1.2 Semantics
The big-step semantics of expressions, shown in Figure 3, is entirely standard aside from the rule for $\bar{x}$, which is similar to the evaluation of a conventional variable. The small-step semantics of statements, shown in Figure 4, is mostly standard. Hardware states, $\sigma$, are mappings from variables and next-cycle symbols to bit-vectors. Formally, states range over $(\mathcal{V} + \bar{\mathcal{V}}) \to \mathbb{N}$, or isomorphically, $(\mathcal{V} \to \mathbb{N}) \times (\bar{\mathcal{V}} \to \mathbb{N})$; they are pairs consisting of a function from variables to values and a function from next-cycle symbols to values. For simplicity, we use $\sigma(x)$ and $\sigma(\bar{x})$ to denote the valuation of either a variable or a next-cycle symbol in $\sigma$. Assignments to a variable $x$ cause updates to $\bar{x}$ rather than $x$, to model the fact that updates to registers are delayed until the start of the next clock cycle.
Variables are updated by the program semantics. As the program is evaluated, the program semantics constructs traces with the syntax
$$
t ::= \varepsilon \mid (T, \sigma) \mid t_1; t_2
$$
where $T$ is a clock cycle counter represented by a positive integer and $\varepsilon$ is the empty trace. The program semantics, shown in Figure 5, operates on configurations of the form $\langle T, \sigma, s, t\rangle$. Transitions between configurations are denoted by $\to_S$, in which $S$ represents the statement that is the initial syntactic description of the program.
The rule S-TICK applies when the program has been fully evaluated to $\mathit{skip}$. This rule updates the contents of the registers on the new clock cycle. All variables $x_1, \ldots, x_n$ in the program $S$ are updated to their corresponding next-cycle valuations stored in $\sigma(\bar{x}_1), \ldots, \sigma(\bar{x}_n)$. The cycle counter is incremented, and a trace event that includes the clock cycle number and the state at the start of the cycle is emitted. The program restarts evaluation from $S$ to compute the values for the next cycle. The rule S-EVAL applies when $s$ is not $\mathit{skip}$, and it simply updates the statement and state according to the semantics of statements. This semantics is similar to that of the variant of SecVerilog with dependent types that are checked purely at compile time [3].
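The delayed-update semantics just described, as an added Python example that is not part of the paper: an interpreter for the core of Figures 3 to 5 in which assignments write next-cycle symbols and S-TICK commits them and emits a trace event. The AST encoding, the spelling of next-cycle symbols and the register-swap program are this example's own.

```python
# Added example (not from the paper): an interpreter for the SIRRTL core of
# Figures 3-5. A state maps registers and next-cycle symbols to integers; the
# next-cycle symbol of register "x" is spelled "x'" here (the paper's x-bar).
from typing import Dict, Tuple

State = Dict[str, int]

def nxt(x: str) -> str:
    return x + "'"

# Expressions: int | str (register or next-cycle symbol) | ("op", f, e1, e2)
# | ("decl", e, label) | ("endo", e, label).  Downgrades evaluate like e.
def eval_expr(sigma: State, e) -> int:
    if isinstance(e, int):                  # S-CONST
        return e
    if isinstance(e, str):                  # S-VAR / S-VARNEXT
        return sigma[e]
    if e[0] == "op":                        # S-OP
        return e[1](eval_expr(sigma, e[2]), eval_expr(sigma, e[3]))
    return eval_expr(sigma, e[1])           # S-DECL / S-ENDO: value unchanged

# Statements: ("skip",) | ("seq", s1, s2) | ("when", e, s1, s2) | ("assign", x, e)
def run_stmt(sigma: State, s: tuple) -> State:
    """Figure 4, iterated until the statement has reduced to skip."""
    if s[0] == "skip":
        return sigma
    if s[0] == "seq":
        return run_stmt(run_stmt(sigma, s[1]), s[2])
    if s[0] == "when":                      # take s1 iff e evaluates to non-zero
        return run_stmt(sigma, s[2] if eval_expr(sigma, s[1]) != 0 else s[3])
    new = dict(sigma)                       # assign: write x', never x itself
    new[nxt(s[1])] = eval_expr(sigma, s[2])
    return new

def regs(s: tuple) -> set:
    """vars(S): the registers assigned anywhere in S."""
    if s[0] == "assign":
        return {s[1]}
    if s[0] in ("seq", "when"):
        return regs(s[-2]) | regs(s[-1])
    return set()

def run_program(S: tuple, sigma: State, cycles: int):
    """Figure 5: S-EVAL steps until skip, then S-TICK copies every x' into x,
    increments T and appends (T, state) to the trace, restarting S."""
    T, trace = 0, []
    for _ in range(cycles):
        sigma = run_stmt(sigma, S)
        new = dict(sigma)
        for x in regs(S):
            new[x] = sigma[nxt(x)]
        T, sigma = T + 1, new
        trace.append((T, dict(sigma)))
    return sigma, trace

# Constructed program: x <= y; y <= x.  Both reads see the cycle's starting
# values because writes land in x' and y', so the registers swap each cycle.
SWAP = ("seq", ("assign", "x", "y"), ("assign", "y", "x"))
INIT: State = {"x": 1, "y": 2, "x'": 1, "y'": 2}

def swap_after(cycles: int) -> Tuple[int, int]:
    sigma, _ = run_program(SWAP, INIT, cycles)
    return sigma["x"], sigma["y"]
```

With a conventional immediate-update semantics the second assignment would read the already-overwritten `x`; here it reads the old value, which is exactly the register behaviour the next-cycle symbols model.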
1.3 Type Rules
Type environments $\Gamma$ map variables and next-cycle symbols to labels. Because label components in SIRRTL include functions of program variables, the valuations of components and labels both depend on the state, $\sigma$. We use the meta-syntax $C(p, \sigma)$ and $T(\ell, \sigma)$ to denote the valuations of components $p$ and labels $\ell$ respectively. As in SecVerilog [4], the type rules apply only for type environments that are well-formed. In a well-formed type environment, 1) no label depends on variables with more restrictive labels, and 2) variables that appear in labels cannot themselves have labels that depend on variables. The second condition is more restrictive than the one in SecVerilog, which allows variables to have labels that depend on themselves. Let $\mathit{fv}(\ell)$ denote the free variables in $\ell$. Formally, a type environment is well-formed, written $\vdash \Gamma$, when:

Definition 1 (Well-Formedness of Environments)
$$
\forall x \in \mathcal{V}.\ \forall \sigma.\ \forall x' \in \mathit{fv}(\Gamma(x)).\ 
T(\Gamma(x'), \sigma) \sqsubseteq T(\Gamma(x), \sigma) \wedge \mathit{fv}(\Gamma(x')) = \emptyset
$$

Type judgements for expressions have the form $\Gamma; pc \vdash e : \ell$, which means that $e$ is well-typed with label $\ell$ in typing environment $\Gamma$ under program counter label $pc$. The type rules for expressions, shown in Figure 6, are mostly standard aside from the rules for next-cycle valuations of variables and for downgrades. The rule T-NEXTVAR computes the label of $x$ on the following clock cycle by substituting each occurrence of a free variable in the label with its next-cycle symbol.

$$
\begin{array}{c}
\dfrac{}{\langle \sigma, n\rangle \Downarrow n}\ \text{S-CONST} \qquad
\dfrac{\sigma(x) = n}{\langle \sigma, x\rangle \Downarrow n}\ \text{S-VAR} \qquad
\dfrac{\sigma(\bar{x}) = n}{\langle \sigma, \bar{x}\rangle \Downarrow n}\ \text{S-VARNEXT} \\[12pt]
\dfrac{\langle \sigma, e_1\rangle \Downarrow n_1 \quad \langle \sigma, e_2\rangle \Downarrow n_2 \quad n = n_1 \oplus n_2}{\langle \sigma, e_1 \oplus e_2\rangle \Downarrow n}\ \text{S-OP} \\[12pt]
\dfrac{\langle \sigma, e\rangle \Downarrow n}{\langle \sigma, \mathit{decl}(e, \ell)\rangle \Downarrow n}\ \text{S-DECL} \qquad
\dfrac{\langle \sigma, e\rangle \Downarrow n}{\langle \sigma, \mathit{endo}(e, \ell)\rangle \Downarrow n}\ \text{S-ENDO}
\end{array}
$$
Figure 3: Expression semantics.

$$
\begin{array}{ll}
\langle \sigma, x \Leftarrow e\rangle \longrightarrow \langle \sigma[\bar{x} \mapsto n], \mathit{skip}\rangle & (\text{if } \langle \sigma, e\rangle \Downarrow n) \\
\langle \sigma, \mathit{skip}; s\rangle \longrightarrow \langle \sigma, s\rangle & \\
\langle \sigma, s_1; s_2\rangle \longrightarrow \langle \sigma', s_1'; s_2\rangle & (\text{if } \langle \sigma, s_1\rangle \longrightarrow \langle \sigma', s_1'\rangle) \\
\langle \sigma, \mathit{when}(e)\ s_1\ \mathit{else}\ s_2\rangle \longrightarrow \langle \sigma, s_1\rangle & (\text{if } \neg(\langle \sigma, e\rangle \Downarrow 0)) \\
\langle \sigma, \mathit{when}(e)\ s_1\ \mathit{else}\ s_2\rangle \longrightarrow \langle \sigma, s_2\rangle & (\text{if } \langle \sigma, e\rangle \Downarrow 0)
\end{array}
$$
Figure 4: Command semantics.
$$
\begin{array}{c}
\dfrac{\{x_1, \ldots, x_n\} = \mathit{vars}(S) \quad \sigma' = \sigma[x_1 \mapsto \sigma(\bar{x}_1)]\ldots[x_n \mapsto \sigma(\bar{x}_n)]}{\langle T, \sigma, \mathit{skip}, t\rangle \to_S \langle T + 1, \sigma', S, t; (T + 1, \sigma')\rangle}\ \text{S-TICK} \\[12pt]
\dfrac{s \neq \mathit{skip} \quad \langle \sigma, s\rangle \longrightarrow \langle \sigma', s'\rangle}{\langle T, \sigma, s, t\rangle \to_S \langle T, \sigma', s', t\rangle}\ \text{S-EVAL}
\end{array}
$$
Figure 5: Program semantics.
Because labels in SIRRTL can depend on the run-time values of signals, SIRRTL relies on a static program analysis that models the run-time behavior of the hardware. The notation $P(\eta) \Rightarrow Q$ means that the program analysis has derived that the proposition $Q$ holds before executing control-flow graph node $\eta$.
The rules for downgrades enforce non-malleable information flow control and are similar to those used to enforce the same security condition in a recent functional programming language [2]. These rules require auxiliary definitions on labels. In particular, the confidentiality projection of $\ell$, written $\ell^{\to}$ as in [2], is defined by $(c, i)^{\to} \triangleq (c, \top)$; it computes a label that has the confidentiality of $\ell$ but is fully trusted. Similarly, the integrity projection $\ell^{\leftarrow}$ is defined by $(c, i)^{\leftarrow} \triangleq (\bot, i)$; it computes a label that has the integrity of $\ell$ but is fully public. The view of a label, $\Delta(\ell)$, converts the integrity of a label to a confidentiality component and is defined by $\Delta(c, i) \triangleq (i, \top)$. Dually, the voice of a label, $\nabla(\ell)$, converts a confidentiality component to an integrity component and is defined by $\nabla(c, i) \triangleq (\bot, c)$.
The typing rules for statements, shown in Figure 7, are standard except that the rule for assignments ensures that the expression can flow to the label of the next-cycle valuation of the variable that is assigned.
2 Security Results
We now prove security results about SIRRTL, namely that well-typed hardware modules that do not contain downgrades enforce a timing-safe variant of observational determinism. The typing rules for downgrades in SIRRTL also resemble those from a recent software type system that enforces a security condition in the presence of downgrades called non-malleable information flow control [2]. We first define low-equivalence of hardware states before stating the main theorems. We define a fully-evaluated security label as one which does not contain sub-components of the form $f(\vec{x})$. When two states $\sigma_1$ and $\sigma_2$ are low-equivalent to an attacker at fully-evaluated security label $L$, we write $\sigma_1 \approx_L \sigma_2$. Low-equivalence at level $L$ is defined as follows:
$$
\sigma_1 \approx_L \sigma_2 \triangleq \forall x \in \mathcal{V}.\ \big(T(\Gamma(x), \sigma_1) \sqsubseteq L \iff T(\Gamma(x), \sigma_2) \sqsubseteq L\big) \wedge \big(T(\Gamma(x), \sigma_1) \sqsubseteq L \implies \sigma_1(x) = \sigma_2(x)\big)
$$
Traces are low-equivalent, written $t_1 \approx_L t_2$, when for each element of the trace the corresponding clock cycle counters are equal and the states are low-equivalent.
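The lattice of Figure 2 and the low-equivalence relation just defined, as an added Python example that is not part of the paper; the diamond principal lattice, the policy for `mode` and `data`, and the observer label are constructed here for illustration, and Definition 1 is checked over a list of sample states rather than over all $\sigma$.

```python
# Added example (not from the paper): the label lattice of Figure 2, dependent
# components f(x), Definition 1 and low-equivalence, over a constructed diamond
# principal lattice (TOP above ALICE and BOB, which are both above BOT).
def geq(p: str, q: str) -> bool:         # the paper's p >= q (authority order)
    return p == q or p == "TOP" or q == "BOT"

def pjoin(p: str, q: str) -> str:        # p ∧ q: least principal above both
    if p == q or q == "BOT": return p
    if p == "BOT": return q
    return "TOP"

def pmeet(p: str, q: str) -> str:        # p ∨ q: greatest principal below both
    if p == q or q == "TOP": return p
    if p == "TOP": return q
    return "BOT"

# A component is a principal name, ("and", p, p), ("or", p, p), or
# ("fn", f, [x1, ...]): a function applied to program variables.
def C(p, sigma: dict) -> str:
    """C(p, sigma): the value of component p in state sigma."""
    if isinstance(p, str): return p
    if p[0] == "and": return pjoin(C(p[1], sigma), C(p[2], sigma))
    if p[0] == "or": return pmeet(C(p[1], sigma), C(p[2], sigma))
    return p[1](*(sigma[x] for x in p[2]))

def fv(p) -> set:
    """Free program variables of a component."""
    if isinstance(p, str): return set()
    return set(p[2]) if p[0] == "fn" else fv(p[1]) | fv(p[2])

def T(label: tuple, sigma: dict) -> tuple:   # T(l, sigma) for l = (c, i)
    return (C(label[0], sigma), C(label[1], sigma))

def label_leq(l1: tuple, l2: tuple) -> bool:
    """Figure 2: (c1, i1) ⊑ (c2, i2) iff c2 >= c1 and i1 >= i2."""
    return geq(l2[0], l1[0]) and geq(l1[1], l2[1])

def low_equiv(Gamma: dict, s1: dict, s2: dict, L: tuple) -> bool:
    """sigma1 ≈_L sigma2: low in both states or in neither, equal where low."""
    for x, ell in Gamma.items():
        low1, low2 = label_leq(T(ell, s1), L), label_leq(T(ell, s2), L)
        if low1 != low2 or (low1 and s1[x] != s2[x]):
            return False
    return True

def well_formed(Gamma: dict, states: list) -> bool:
    """Definition 1, checked over the given sample states rather than all sigma."""
    for x, ell in Gamma.items():
        for y in fv(ell[0]) | fv(ell[1]):
            if fv(Gamma[y][0]) | fv(Gamma[y][1]):   # variables in labels are static
                return False
            if not all(label_leq(T(Gamma[y], s), T(ell, s)) for s in states):
                return False
    return True

# Constructed policy: "mode" is public and trusted; "data" is ALICE's while
# mode == 0 and BOB's otherwise, so one register is shared by two domains.
GAMMA = {
    "mode": ("BOT", "TOP"),
    "data": (("fn", lambda m: "ALICE" if m == 0 else "BOB", ["mode"]), "TOP"),
}
L_ALICE = ("ALICE", "BOT")   # everything an observer at ALICE may see
```

Two states that differ only in `data` are low-equivalent to ALICE when `mode` is 1 (the register then belongs to BOB) but not when `mode` is 0, which is exactly the run-time sharing that dependent labels express.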
$$
\begin{array}{c}
\dfrac{}{\Gamma; pc \vdash n : \bot}\ \text{T-CONST} \qquad
\dfrac{\Gamma(x) = \ell}{\Gamma; pc \vdash x : \ell}\ \text{T-VAR} \qquad
\dfrac{\Gamma(x) = \ell \quad \{x_1, \ldots, x_n\} = \mathit{fv}(\Gamma(x))}{\Gamma; pc \vdash \bar{x} : \ell[x_1 \mapsto \bar{x}_1]\ldots[x_n \mapsto \bar{x}_n]}\ \text{T-NEXTVAR} \\[12pt]
\dfrac{\Gamma; pc \vdash e_1 : \ell_1 \quad \Gamma; pc \vdash e_2 : \ell_2}{\Gamma; pc \vdash e_1 \oplus e_2 : \ell_1 \sqcup \ell_2}\ \text{T-OP} \\[12pt]
\dfrac{\Gamma; pc \vdash e : \ell' \quad P(\eta) \Rightarrow \ell^{\leftarrow} = \ell'^{\leftarrow} \wedge pc \sqsubseteq \ell \quad P(\eta) \Rightarrow \ell' \sqsubseteq \ell \sqcup \Delta(\ell' \sqcup pc)}{\Gamma; pc \vdash \mathit{decl}(e, \ell) : \ell}\ \text{T-DECL} \\[12pt]
\dfrac{\Gamma; pc \vdash e : \ell' \quad P(\eta) \Rightarrow \ell^{\to} = \ell'^{\to} \wedge pc \sqsubseteq \ell \quad P(\eta) \Rightarrow \ell'^{\leftarrow} \sqsubseteq \ell^{\leftarrow} \sqcup \nabla(\ell' \sqcup pc)}{\Gamma; pc \vdash \mathit{endo}(e, \ell) : \ell}\ \text{T-ENDO}
\end{array}
$$
Figure 6: Type Rules: Expressions.
We now state the observational determinism theorem.
Theorem 1 (Observational Determinism) If $\Gamma$ is a type environment, $s$ is a statement that does not contain downgrades, $pc$ is a label, $L$ is a fully-evaluated security label, and $\sigma_1$ and $\sigma_2$ are states, then
$$
\begin{array}{l}
\vdash \Gamma \wedge \Gamma; pc \vdash s \wedge \sigma_1 \approx_L \sigma_2 \wedge {} \\
\langle 0, \sigma_1, s, \varepsilon\rangle \longrightarrow_S \langle n_1, \sigma_1', s, t_1\rangle \wedge {} \\
\langle 0, \sigma_2, s, \varepsilon\rangle \longrightarrow_S \langle n_2, \sigma_2', s, t_2\rangle \\
\implies \sigma_1' \approx_L \sigma_2' \wedge t_1 \approx_L t_2
\end{array}
$$
Before proving the observational determinism result, we first prove some useful lemmas. The first lemma states that low expressions other than downgrades do not contain high variables.
Lemma 1 For all type environments $\Gamma$, labels $pc$, fully-evaluated security labels $L$, states $\sigma$, and expressions $e$ that do not contain downgrades,
$$
\vdash \Gamma \wedge \Gamma; pc \vdash e : \ell \wedge T(\ell, \sigma) \sqsubseteq L \implies \forall x \in \mathit{vars}(e).\ T(\Gamma(x), \sigma) \sqsubseteq L
$$
Proof. By induction on the structure of expressions. □
The next lemma states that low labels evaluate to the same concrete label in low-equivalent states.
$$
\begin{array}{c}
\dfrac{}{\Gamma; pc \vdash \mathit{skip}}\ \text{T-SKIP} \qquad
\dfrac{\Gamma; pc \vdash s_1 \quad \Gamma; pc \vdash s_2}{\Gamma; pc \vdash s_1; s_2}\ \text{T-SEQ} \\[12pt]
\dfrac{\Gamma; pc \vdash e : \ell \quad \Gamma; pc \sqcup \ell \vdash s_t \quad \Gamma; pc \sqcup \ell \vdash s_f}{\Gamma; pc \vdash \mathit{when}(e)\ s_t\ \mathit{else}\ s_f}\ \text{T-WHEN} \\[12pt]
\dfrac{\Gamma; pc \vdash e : \ell \quad \{x_1, \ldots, x_n\} = \mathit{fv}(\Gamma(x)) \quad \ell' = \Gamma(x)[x_1 \mapsto \bar{x}_1]\ldots[x_n \mapsto \bar{x}_n] \quad P(\eta) \Rightarrow \ell \sqcup pc \sqsubseteq \ell'}{\Gamma; pc \vdash x \Leftarrow e}\ \text{T-ASSIGN}
\end{array}
$$
Figure 7: Type Rules: Statements.
Lemma 2 If $\Gamma$ is a type environment, $\ell$ is a label, $L$ is a fully-evaluated label, and $\sigma_1$ and $\sigma_2$ are states, then
$$
\sigma_1 \approx_L \sigma_2 \wedge {\vdash \Gamma} \wedge T(\ell, \sigma_1) \sqsubseteq L \implies T(\ell, \sigma_1) = T(\ell, \sigma_2)
$$
Proof. Let $\ell = (c, i)$ and $L = (c', i')$. By the definition of $\sqsubseteq$, $c' \geq C(c, \sigma_1)$ and $C(i, \sigma_1) \geq i'$. We show that $C(c, \sigma_1) = C(c, \sigma_2)$ by induction on the structure of $c$. The argument that $C(i, \sigma_1) = C(i, \sigma_2)$ is exactly dual, and the result that $T(\ell, \sigma_1) = T(\ell, \sigma_2)$ follows directly.
Case $c = n$, $c = \top$, $c = \bot$: trivial.
Case $c = f(\vec{x})$: Let $x_i$ be some variable in $\vec{x}$. By assumption, $\sigma_1 \approx_{(c', i')} \sigma_2$. By $\vdash \Gamma$, $T(\Gamma(x_i), \sigma_1) \sqsubseteq T(\ell, \sigma_1)$, so by transitivity of $\sqsubseteq$, $T(\Gamma(x_i), \sigma_1) \sqsubseteq L$; since $\vdash \Gamma$ also gives $\mathit{fv}(\Gamma(x_i)) = \emptyset$, $T(\Gamma(x_i), \sigma_2) = T(\Gamma(x_i), \sigma_1) \sqsubseteq L$. By the definition of $\approx_L$, $\sigma_1(x_i) = \sigma_2(x_i)$. The same is true for all other variables in $\vec{x}$, and so $C(f(\vec{x}), \sigma_1) = C(f(\vec{x}), \sigma_2)$.
Case $c = p_1 \wedge p_2$: $C(p_1 \wedge p_2, \sigma_1) = C(p_1, \sigma_1) \wedge C(p_2, \sigma_1)$. By assumption $c' \geq C(p_1 \wedge p_2, \sigma_1)$, hence $c' \geq C(p_1, \sigma_1)$ and $c' \geq C(p_2, \sigma_1)$. By the induction hypothesis, $C(p_1, \sigma_1) = C(p_1, \sigma_2)$ and $C(p_2, \sigma_1) = C(p_2, \sigma_2)$. Hence, $C(p_1 \wedge p_2, \sigma_1) = C(p_1 \wedge p_2, \sigma_2)$.
Case $c = p_1 \vee p_2$: Similar to the case $f(\vec{x})$, by inspection of the free variables in $p_1 \vee p_2$. □
The next lemma states that low expressions evaluate to the same value in low-equivalent states.
Lemma 3 If $\Gamma$ is a type environment, $e$ is an expression that does not contain downgrades, $pc$ is a label, $L$ is a fully-evaluated security label, and $\sigma_1$ and $\sigma_2$ are states, then
$$
\sigma_1 \approx_L \sigma_2 \wedge {\vdash \Gamma} \wedge \Gamma; pc \vdash e : \ell \wedge T(\ell, \sigma_1) \sqsubseteq L \wedge \langle \sigma_1, e\rangle \Downarrow n_1 \wedge \langle \sigma_2, e\rangle \Downarrow n_2 \implies n_1 = n_2
$$
Proof. By Lemma 2, $T(\ell, \sigma_2) = T(\ell, \sigma_1) \sqsubseteq L$. By Lemma 1, for all $x$ in $e$, $T(\Gamma(x), \sigma_1) \sqsubseteq L$ and $T(\Gamma(x), \sigma_2) \sqsubseteq L$. Since $\sigma_1 \approx_L \sigma_2$, $\sigma_1(x) = \sigma_2(x)$. Since this is true for all $x$ in $e$, $n_1 = n_2$. □
We now prove that SIRRTL enforces observational determinism for individual statements.
Theorem 2 (Single-Statement Observational Determinism) If $\Gamma$ is a type environment, $s$ is a statement that does not contain downgrades, $pc$ is a label, $L$ is a fully-evaluated security label, and $\sigma_1$ and $\sigma_2$ are states, then
$$
\begin{array}{l}
\vdash \Gamma \wedge \Gamma; pc \vdash s \wedge \sigma_1 \approx_L \sigma_2 \wedge \langle \sigma_1, s\rangle \longrightarrow^* \langle \sigma_1', \mathit{skip}\rangle \wedge \langle \sigma_2, s\rangle \longrightarrow^* \langle \sigma_2', \mathit{skip}\rangle \\
\implies \sigma_1' \approx_L \sigma_2'
\end{array}
$$
Proof. By cases on the form of $s$.
Case $s_1; s_2$: If $s_1 = \mathit{skip}$, then $\langle \sigma_1, s_1; s_2\rangle \to \langle \sigma_1', s_2\rangle$ and $\langle \sigma_2, s_1; s_2\rangle \to \langle \sigma_2', s_2\rangle$, so $\sigma_1 = \sigma_1'$ and $\sigma_2 = \sigma_2'$. By assumption, $\sigma_1 \approx_L \sigma_2$, and so $\sigma_1' \approx_L \sigma_2'$. By the induction hypothesis, execution of $s_2$ from $\sigma_1'$ and $\sigma_2'$ results in low-equivalent states.
If $s_1 \neq \mathit{skip}$, then $\langle \sigma_1, s_1; s_2\rangle \to \langle \sigma_1'', s_1'; s_2\rangle$ and $\langle \sigma_2, s_1; s_2\rangle \to \langle \sigma_2'', s_1''; s_2\rangle$, where $\langle \sigma_1, s_1\rangle \to \langle \sigma_1'', s_1'\rangle$ and $\langle \sigma_2, s_1\rangle \to \langle \sigma_2'', s_1''\rangle$. By the induction hypothesis, $\sigma_1'' \approx_L \sigma_2''$. But SIRRTL statements clearly do not diverge, so for some $\sigma_1'''$ and $\sigma_2'''$, $\langle \sigma_1'', s_1'\rangle \to^* \langle \sigma_1''', \mathit{skip}\rangle$ and $\langle \sigma_2'', s_1''\rangle \to^* \langle \sigma_2''', \mathit{skip}\rangle$. By the induction hypothesis, $\sigma_1''' \approx_L \sigma_2'''$. And since $s_2$ is eventually evaluated from $\sigma_1'''$ and $\sigma_2'''$ in the two executions, by the induction hypothesis, $\sigma_1' \approx_L \sigma_2'$.
Case $x \Leftarrow e$: We have $\langle \sigma_1, x \Leftarrow e\rangle \to \langle \sigma_1[\bar{x} \mapsto n_1], \mathit{skip}\rangle$ and $\langle \sigma_2, x \Leftarrow e\rangle \to \langle \sigma_2[\bar{x} \mapsto n_2], \mathit{skip}\rangle$. Let $\ell' = \Gamma(x)[x_1 \mapsto \bar{x}_1]\ldots[x_n \mapsto \bar{x}_n]$. We first consider the case in which $T(\ell', \sigma_1) \sqsubseteq L$. By assumption, $\sigma_1 \approx_L \sigma_2$, and by Lemma 2, $T(\ell', \sigma_2) = T(\ell', \sigma_1) \sqsubseteq L$. By T-ASSIGN, $\Gamma; pc \vdash e : \ell$ and $\ell \sqcup pc \sqsubseteq \ell'$. By lattice properties, $\ell \sqsubseteq \ell'$ and $T(\ell, \sigma_1) \sqsubseteq L$. By Lemma 3, $n_1 = n_2$. Because $\sigma_1[\bar{x} \mapsto n_1] = \sigma_1'$ and $\sigma_1$ agree on the values of all variables other than $\bar{x}$, $\sigma_1 \approx_L \sigma_1'$. Similarly, $\sigma_2 \approx_L \sigma_2'$, and by transitivity, $\sigma_1' \approx_L \sigma_2'$.
We now consider the case in which $T(\ell', \sigma_1) \not\sqsubseteq L$. We first show that $T(\ell', \sigma_2) \not\sqsubseteq L$: if $T(\ell', \sigma_2) \sqsubseteq L$, then by Lemma 2, $T(\ell', \sigma_1) \sqsubseteq L$, which violates our assumption. By $\vdash \Gamma$, $\bar{x} \notin \mathit{fv}(\Gamma(\bar{x}))$. Because $\sigma_1$ and $\sigma_1[\bar{x} \mapsto n_1] = \sigma_1'$ agree on the valuations of all variables other than $\bar{x}$, $T(\ell', \sigma_1') \not\sqsubseteq L$. Similarly, $T(\ell', \sigma_2') \not\sqsubseteq L$. Hence, $\sigma_1 \approx_L \sigma_1'$ and $\sigma_2 \approx_L \sigma_2'$, and by transitivity, $\sigma_1' \approx_L \sigma_2'$.
Case $\mathit{when}(e)\ s_1\ \mathit{else}\ s_2$: By T-WHEN, $\Gamma; pc \vdash e : \ell$. We first consider the case in which $T(\ell, \sigma_1) \sqsubseteq L$. By Lemma 2, $T(\ell, \sigma_2) = T(\ell, \sigma_1) \sqsubseteq L$. By Lemma 3, $\langle \sigma_1, e\rangle \Downarrow n$ and $\langle \sigma_2, e\rangle \Downarrow n$ for some $n$. By the semantics, either $\langle \sigma_1, s\rangle \to \langle \sigma_1, s_1\rangle$ and $\langle \sigma_2, s\rangle \to \langle \sigma_2, s_1\rangle$, or $\langle \sigma_1, s\rangle \to \langle \sigma_1, s_2\rangle$ and $\langle \sigma_2, s\rangle \to \langle \sigma_2, s_2\rangle$; in either case both executions take the same path. If the branch is taken, then by the induction hypothesis, $\langle \sigma_1, s\rangle \to^* \langle \sigma_1', \mathit{skip}\rangle$ and $\langle \sigma_2, s\rangle \to^* \langle \sigma_2', \mathit{skip}\rangle$ for some $\sigma_1', \sigma_2'$ such that $\sigma_1' \approx_L \sigma_2'$. The case in which the branch is not taken is similar.
We now consider the case in which $T(\ell, \sigma_1) \not\sqsubseteq L$. By Lemma 2, $T(\ell, \sigma_2) \not\sqsubseteq L$. Let $pc' = pc \sqcup \ell$. By T-WHEN, $\Gamma; pc' \vdash s_1$, and $pc' \not\sqsubseteq L$ by lattice properties. Let $x$ be some variable assigned in $s_1$. By T-ASSIGN, $pc' \sqsubseteq \ell'$, where $\ell' \triangleq \Gamma(x)[x_1 \mapsto \bar{x}_1]\ldots[x_n \mapsto \bar{x}_n]$. By T-NEXTVAR, $\Gamma(\bar{x}) = \ell'$, and so $pc' \sqsubseteq \Gamma(\bar{x})$ and $\Gamma(\bar{x}) \not\sqsubseteq L$. The same is true for all other variables assigned in $s_1$ and for all variables assigned in $s_2$. Let $\langle \sigma_1, s_1\rangle \to^* \langle \sigma_1'', \mathit{skip}\rangle$. Because only high variables are assigned in $s_1$, $\sigma_1$ and $\sigma_1''$ may only disagree on high variables, and so $\sigma_1'' \approx_L \sigma_1$. Similarly, $\sigma_2'' \approx_L \sigma_2$. Because $\sigma_1 \approx_L \sigma_2$, by transitivity twice, $\sigma_1'' \approx_L \sigma_2''$. □
We now prove that well-typed SIRRTL modules enforce a timing-safe variant of observational determinism.
Theorem 1 (Observational Determinism) If $\Gamma$ is a type environment, $s$ is a statement that does not contain downgrades, $pc$ is a label, $L$ is a fully-evaluated security label, and $\sigma_1$ and $\sigma_2$ are states, then
$$
\begin{array}{l}
\vdash \Gamma \wedge \Gamma; pc \vdash s \wedge \sigma_1 \approx_L \sigma_2 \wedge {} \\
\langle 0, \sigma_1, s, \varepsilon\rangle \longrightarrow_S \langle n_1, \sigma_1', s, t_1\rangle \wedge {} \\
\langle 0, \sigma_2, s, \varepsilon\rangle \longrightarrow_S \langle n_2, \sigma_2', s, t_2\rangle \\
\implies \sigma_1' \approx_L \sigma_2' \wedge t_1 \approx_L t_2
\end{array}
$$
Proof. By cases on the semantic rules for programs.
Case S-TICK: By induction on the value of $T$. The base case is $T = 0$, and we have
$$
\langle 0, \sigma_1, s, \varepsilon\rangle \longrightarrow_S \langle 1, \sigma_1', s, (1, \sigma_1')\rangle \wedge
\langle 0, \sigma_2, s, \varepsilon\rangle \longrightarrow_S \langle 1, \sigma_2', s, (1, \sigma_2')\rangle
$$
where
$$
\sigma_1' = \sigma_1[x_1 \mapsto \sigma_1(\bar{x}_1)]\ldots[x_n \mapsto \sigma_1(\bar{x}_n)]
\quad\text{and}\quad
\sigma_2' = \sigma_2[x_1 \mapsto \sigma_2(\bar{x}_1)]\ldots[x_n \mapsto \sigma_2(\bar{x}_n)].
$$
Let $\bar{x}_i$ be some next-cycle symbol in $\{\bar{x}_1, \ldots, \bar{x}_n\}$. If $T(\Gamma(\bar{x}_i), \sigma_1) \sqsubseteq L$ then $T(\Gamma(\bar{x}_i), \sigma_2) \sqsubseteq L$ by Lemma 2. By Lemma 3, $\sigma_1(\bar{x}_i) = \sigma_2(\bar{x}_i)$. The same is true for all other next-cycle symbols in $\{\bar{x}_1, \ldots, \bar{x}_n\}$. Since $\sigma_1 \approx_L \sigma_2$, and $\sigma_1'$ and $\sigma_2'$ agree on the low symbols $\bar{x}_i$, $\sigma_1' \approx_L \sigma_2'$.
We now consider the general case. We have
$$
\langle n, \sigma_1, s, t_1\rangle \longrightarrow_S \langle n + 1, \sigma_1', s, t_1; (n + 1, \sigma_1')\rangle \wedge
\langle n, \sigma_2, s, t_2\rangle \longrightarrow_S \langle n + 1, \sigma_2', s, t_2; (n + 1, \sigma_2')\rangle
$$
By the induction hypothesis, $\sigma_1' \approx_L \sigma_2'$ and $t_1 \approx_L t_2$. So $t_1; (n + 1, \sigma_1') \approx_L t_2; (n + 1, \sigma_2')$.
Case S-EVAL: Follows directly from Theorem 2. □
References
[1] J. Bachrach, H. Vo, B. Richards, Y. Lee, A. Waterman, R. Avižienis, J. Wawrzynek, and K. Asanović. Chisel: Constructing hardware in a Scala embedded language. In DAC Design Automation Conference 2012, 2012.
[2] Ethan Cecchetti, Andrew C. Myers, and Owen Arden. Nonmalleable Information Flow Control. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17.
[3] Andrew Ferraiuolo, Weizhe Hua, Andrew C. Myers, and G. Edward Suh. Secure information flow verification with mutable dependent types. In Proceedings of the 54th Annual Design Automation Conference 2017, page 6. ACM, 2017.
[4] Danfeng Zhang, Yao Wang, G. Edward Suh, and Andrew C. Myers. A Hardware Design Language for Timing-Sensitive Information-Flow Security. In ASPLOS, 2015.