On Using B in the Design of Secure Micro-controllers: An Experience Report  by Benveniste, Marc
On Using B in the Design of Secure
Micro-controllers: An Experience Report
Marc Benveniste
1,2,3
Secure Microcontrollers Division
STMicroelectronics
Rousset, France
Abstract
The stepwise formal development of safety critical software is now a well established engineering practice,
noticeably in railway systems. However, it has not been applied as successfully to hardware development,
where formal methods are mainly used for veriﬁcation and gate level transformations and optimizations.
In this paper, we report our recent experience in the stepwise formal development of a real macro-cell,
that opens the way to the design of synchronous digital circuits with zero functional bugs. We propose a
development ﬂow suited for obtaining proven correct-by-construction circuits that further possess additional
robustness properties desirable for secure chips. The reported work is prospective and is meant to show the
feasibility of such a technique for high conﬁdence trustful devices.
Keywords: formal development ﬂow, digital circuit, robustness, secure micro-controller, correct by
construction.
1 Introduction
The ﬁrst contribution of this work shows the feasibility of a stepwise transformation
of a formal security policy model into a synthesize-able hardware description of the
security functionality that implements it.
The second contribution of this work enhances the experimental formal devel-
opment ﬂow so that robustness properties can also be handled in a proven way.
The third contribution of this work is an experimental combination of abstract
interpretation and model checking to verify a given set of properties on an algorithm
before any attempt to implement it.
Finally, we report on unsolved issues that have been identiﬁed and that call for
further research and development work.
1 Partially supported by Provence-Alpes-Coˆte d’Azur (PACA) Regional Council STM-focused Forcoment
project, PS-17bis, in a close and fruitful collaboration with Clearsy System Engineering.
2 Partially supported by Medea+ 2A303 Biop@ss project.
3 Email: marc.benveniste@st.com
Available online at www.sciencedirect.com
Electronic Notes in Theoretical Computer Science 280 (2011) 3–22
1571-0661 © 2011 Elsevier B.V. 
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2011.11.014
Open access under CC BY-NC-ND license. 
2 Towards a formal development ﬂow
A traditional development ﬂow for digital circuits heavily relies on testing for
the veriﬁcation steps performed before launching the manufacturing process in a
foundry. Figure 1 below presents a schematic view of the main artefacts used dur-
ing the ﬁrst steps of a typical micro-controller function development.
Fig. 1. First steps of the development ﬂow of a digital function for a micro-controller circuit
Writing test programs, running and analysing simulations, represent a prepon-
derant part of this ﬁrst development eﬀort. The veriﬁcation plan is solely built
upon expertise and experience of specialized designers. Coverage of a veriﬁcation
campaign is measured by using some specialized tools, but functional speciﬁcation
coverage is at best mainly a matter of peer review: the only available reference is
the natural language description of the function to be designed.
A simple idea roots our work. Looking at a safety-critical software develop-
ment widely recognized as a success story, i.e. the Paris Me´tro Line 14 automated
system [25], it can be noticed that veriﬁcation was performed all along the devel-
opment through the use of the stepwise reﬁnement methodology underpinning the
B technology [2].
The simple idea was to adapt this B formal method to the development of our
digital circuits. Indeed, microelectronics development tools already resort to many
formal methods, but they are used mainly behind scenes, i.e. without designer
awareness of their presence, and more importantly, their application only starts after
the source code has been written. These methods are used for veriﬁcation purpose
and for various transformations in the long path leading from a Register Transfer
Level (RTL) representation to a ﬁnal placed and routed net list. Nevertheless, the
more expensive functional errors are often introduced before the ﬁrst line of code
is even written. Usually they stem from the functional, the high-level design, or
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–224
even the detailed design speciﬁcations. As already mentioned, no veriﬁcation tool is
available for these natural language representations. Only a thorough peer review
can possibly ﬁlter out these error seeds before they blossom into forests of erroneous
behaviours, once embedded into the circuit.
We deﬁned, and experienced on a use case [4], a new development ﬂow that
makes extensive use of formal proof and produces an exhaustively veriﬁed source
code both in its functional behaviour and in its interface deﬁnition (see ﬁgure 2).
This source code, actually VHDL, can directly be synthesized. It has therefore the
capability to enter the rest of the standard industrial ﬂow untouched.
This experimental development ﬂow relies on a formal model of the required
function expressed in Event-B [1], a recent evolution of the B Method targeting
system development. We believe that this new ﬂow can be used to build any digital
function in a proven correct-by-construction way. Analogue functions fall out of the
scope of these techniques, but their digital interfaces are used as a formal correctness
contract in order to include them in the otherwise proven digital circuit.
Fig. 2. The proposed development ﬂow, as deﬁned and experienced on a case study
3 Results
The proposed ﬂow begins with a huge abstraction step. The designer must write
an Event-B model of only a few lines that captures the essential property of the
function to be designed. Achieving this goal is no easy task. Many trials are required
even for a highly trained engineer. Just be reminded that simplicity is almost always
very hard to achieve.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 5
The case study we experienced with was no exception. We had to struggle a
while before stating the following:
Deﬁnition 3.1 [Essential Property] The essential property of a memory protection
unit is to monitor all accesses a microprocessor performs.
This function is central to the access control security policy to be implemented
on the secure micro-controller as illustrated in ﬁgure 3.
Fig. 3. Case study: The memory protection unit of a secure micro-controller
The initial property level model is presented in a simpliﬁed way in ﬁgure 4.
Implementation details of the designed function are introduced gradually as it
is embedded into the host micro-controller. The main strategy of the reﬁnement
plan is to gradually deﬁne and transform the variable denoting the access rights
matrix, r0. The twofold transformation is guided on one hand, by the introduction
of diﬀerent type of accesses and their associated details, and on the other, by the
implementation representations for the rights matrix. It should be noted that our
reﬁnement path was constrained by the existence of a legacy module already im-
plementing the required functionality. That is why an Interface Speciﬁcation and a
chapter of the Data Sheet are identiﬁed as inputs to the development ﬂow in ﬁgure 2:
the former provides the wire-level interface for the module and the bus protocol to
comply to; the latter deﬁnes the register addresses, names, functions, bit meanings
and programmer’s guidance. An example of a timer description embedded in a
general purpose micro-controller public data sheet [23] is provided in ﬁgure 5.
Various reﬁnement paths and strategies were tried, often leading to a dead-
end or to complex situations were proof work would become overwhelming. The
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–226
SYSTEM
MPU
SETS
ADs ; CLs ; BYs ; TYs
ABSTRACT CONSTANTS
C 0, R 0
PROPERTIES
C 0 ∈ CLs
∧ R 0 ⊆ ADs × CLs × BYs × TYs
VARIABLES
c0, r0, v0
INVARIANT
c0 ∈ CLs
∧ r0 ⊆ ADs × CLs × BYs × TYs
∧ v0 ∈ BOOL
INITIALISATION
c0, r0, v0 := C 0, R 0, FALSE
EVENTS
allow = ANY a0,d0,t0
WHERE
a0 ∈ ADs ∧ d0 ∈ BYs ∧ t0 ∈ TYs
∧ (a0 → c0 → d0 → t0) ∈ r0
THEN
v0 := FALSE
|| c0 :∈ CLs
|| r0 :∈ ADs × CLs × BYs ↔ TYs
END ;
deny = ANY a0,d0,t0
WHERE
a0 ∈ ADs ∧ d0 ∈ BYs ∧ t0 ∈ TYs
∧ (a0 → c0 → d0 → t0) ∈ r0
THEN
v0 := TRUE
END
END
Fig. 4. Case study: Initial property level model
reﬁnement plan we ﬁnally established has two important “no” properties: no loss
of coverage and no non determinism. Indeed, as this clocked circuit must have a
well-deﬁned behaviour for any combination of inputs at every cycle, the Event-B
model must implement a total and deterministic function:
• The disjunction of its event’s guards must be vacuously true. Furthermore, we
imposed that no “holes” could be introduced when reﬁning an event. Whenever
an (abstract) event ea is reﬁned (split) by (concrete) events eci, if the disjunction
of the concrete event’s guards is implied by the guard of the abstract event, we
can be sure that no “case” has been left uncovered. In a dual way, whenever
(abstract) events eai are reﬁned (grouped) by a (concrete) event ec, we have to
prove that the concrete event’s guard is implied by the disjunction of the abstract
event’s guards. We call this property the coverage property;
• Non deterministic behaviours are proscribed for secure micro-controllers. We
had to ensure that events were pairwise exclusive. We call this property the
exclusiveness property.
Enforcing these properties was implemented through the generation of additional
proof obligations in the Event-B system engineering tool Atelier B [3]. Note that
proving these properties at each reﬁnement stage reduces the total number of proof
obligations, noticeably for the exclusiveness property, combinatorial in nature.
In order to provide a ﬂavour of the strategy we propose for developing digital
circuits, the main reﬁnement stages are sketched in the following paragraphs.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 7
Fig. 5. Case study: Example of a data sheet level description, here a timer register
3.1 First levels
The ﬁrst reﬁnement introduced the diﬀerent types of accesses, like read (TyR)
and write (TyW ) for data, fetch (TyX ) for code, begin interrupt (TyB) and end
interrupt (TyE ), and no access (TyN ). The latter was initially forgotten but was
highlighted by the coverage proof obligations. These events are all reﬁnements of
the root “positive” event allow. The access matrix r0 is more precisely deﬁned as
a collection of matrices, one for each access type. Each of these matrices is left
undeﬁned at this stage. Only their relationship to r0 is fully deﬁned as illustrated
in ﬁgure 6.
Next reﬁnement introduces the automaton that drives some exceptions in case
of interrupts and on reset conditions of the host micro-controller. Only the state of
the automaton and the transitions performed by the concerned events are kept in
the next reﬁnement. This is a quite elegant way to constraint the system behaviour
for the rest of the development.
Next reﬁnement splits the root “negative” event deny according to the access
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–228
r0 = (rr1 × BYs × {TyR}) ∪
(rw1 × {TyW}) ∪
(rx1 × BYs × {TyX}) ∪
(rb1 × BYs × {TyB}) ∪
(re1 × BYs × {TyE}) ∪
(ADs × CLs × BYs × {TyN})
Fig. 6. Case study: Invariant anchoring the deﬁnition of r0
type. It could have been done together with the ﬁrst reﬁnement, but it would have
added useless complexity to the automaton deﬁnition. This reﬁnement introduces
also a local stack to manage clearance levels in case of nested interrupts. Matrices
rb1 and re1 get totally deﬁned at this stage using the top of stack (empty or full)
and the state of the automaton introduced in the previous reﬁnement.
3.2 Architecture levels
Architecture level details are then introduced. For instance, the memory map of the
host micro-controller is used to partition the set of addresses and the security policy
is specialized on the one hand for register addresses, and on the other, for memory
addresses. Correspondingly, matrices rr1, rw1 and rx1 are deﬁned by expressions
involving the adequate addresses, even though some of these expressions are not
yet fully deﬁned. They will get deﬁned at a later stage. This is the essence of this
reﬁnement technique.
The next two reﬁnements deal separately with the access policy for data and
that for code. Matrices rr4 (part of rr1 ) and rw4 (part of rw1 ) get more precisely
deﬁned for the data access policy, introducing (new) matrices rr5 and rw5 that will
get deﬁned in later stages. Just as for r0, the relation between rr4 (resp. rw4 ) and
rr5 (resp. rw5 ) is fully deﬁned. The same holds for matrix rx4 (part of rx1 ) and
the relations and sets introduced to deﬁne it in the 7th reﬁnement.
3.3 Implementation levels
Implementation details make their appearance in the following reﬁnements. One
of the key points of our successful reﬁnement plan is the way we managed to keep
out of arithmetic although we were dealing with addresses. We deferred the use
of arithmetic until the deﬁnition of the concrete constants parametrizing the whole
development. That is why in ﬁgure 2, the ﬁle that provides the valuation of all
constants is an input to the B4SYN, a speciﬁc translator of B for synthesis into
VHDL [4]. The “trick” here is to rely on VHDL’s type checking and proper use
of arithmetic while preferring set theory for Event-B. Indeed, the basic data type
in VHDL for synthesis is the std_logic_vector that represents both numbers in
binary base and sets of powers of 2.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 9
We introduced the main concept of the case study, the segment, i.e. an accessible
address window, through the sole use of sets (given set SEs). Firstly introduced
as a set of addresses (sa7 ), see example 3.2, they became sets of address ranges
speciﬁed with a start and an end address. They were ﬁnally reﬁned to be deﬁned
by start and end address registers.
Example 3.2 [Case study: Segments as sets of addresses]
sa7 ∈ SEs ↔ ADs
Let us mention our use of constructive set expressions to pave the way towards
a VHDL translation that can be synthesized. For instance, letting ms7 be the set
of mapped segments, we can build the set ea7 of segments associated to a given
address a0 with the expression shown in example 3.3.
Example 3.3 [Case study: Constructive set expressions]
ea7 = { xa | xa ∈ SEs ∧ xa ∈ ms7 ∧ (xa → a0) ∈ sa7 }
These expressions are logically equivalent to let-expressions in B and in func-
tional languages like ML [14]. They smoothly translate into combinatorial logic
when simple enough predicates are used.
Two more reﬁnement stages allowed us to identify precisely the conditions under
which each violation alarm bit was required to be set. Again, the alarm register is
simply modelled by a set-valued variable in Event-B. Setting and clearing an alarm
bit provides code for set union and set diﬀerence operations as easily as testing a
bit value provides code for predicates of alarm membership. This is illustrated in
ﬁgure 7 where the unmapped alarm is risen in alm8 because the read access, not
part of an exception, is made to an address that does not belong to any mapped
segment.
...
alm8 ⊆ ALMs
alm8 := ∅
...
deny read memory Unmap
ref deny read memory
=
SELECT
m0 = 2
∧ t0 = TyR
∧ a0 ∈ MAs
∧ (a0 ∈ IVs ⇒ i2 = 1)
∧ ea7 = ∅
THEN
m0 := 0
|| v0 := TRUE
|| alm8 := alm8 ∪ {Unmap}
END
Fig. 7. Case study: Alarm register modelled as a set
We were also careful not to deﬁne modiﬁcations of the variables bound to become
registers and/or outputs too early to avoid complex proof work during reﬁnement.
Modiﬁcations are only indicated with the “becomes such that” substitution for as
long as possible. They become concrete modiﬁcations in the three last reﬁnements.
To keep proof work manageable, read (producing outputs) and write (modifying
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–2210
registers) operations get concrete in separate reﬁnement stages. The eﬀective read
and write operations are introduced with constant functions that clearly deﬁne the
functional interface between the host and the circuit under development, see status1b
and lock in ﬁgure 8. In fact, the natural use of constants in Event-B developments
promotes a total separation of concerns between functionality and host interface
through “accessors” constants. This separation is not widely practised in traditional
VHDL writing.
...
status1b ∈ P (ALMs) BYs
lock ∈ BYs  BOOL
.
.
.
read status1
=
SELECT
m0 = 2 ∧ t0 = TyR ∧ c0 ∈ p4 ∧ a0 ∈ A3Ds ∧ b13 = BdS1
THEN
m0, v0, out13 := 0, FALSE, status1b(alm8)
END ;
write lock
=
SELECT
m0 = 2 ∧ t0 = TyW ∧ c0 = ClSy ∧ a0 ∈ A3Ds ∧ b13 = BdL
THEN
m0, v0, l4 := 0, FALSE, lock(d0)
END
Fig. 8. Case study: Separation of concerns using accessors to interface to the host
3.4 Real interface
A last reﬁnement introduces the physical interface of the circuit as it is embedded
into the chosen host micro-controller. This reﬁnement strikingly illustrates the “As-
signing Programs to Meanings” essence of the B technology [2]. Each combination
of values of the incoming wires “codes” one of the semantic events as illustrated
in ﬁgure 9. We advocate to write this correspondence in the invariant so that the
concrete substitutions of the event reﬁnements get cross checked by the proof obli-
gations of invariance. When interfaces get trickier, this redundancy proves very
useful. Besides, one can imagine using this invariant as an assertion to monitor
the host system as reported in [6]. Be reminded that the coverage property will
ensure that all possible combinations of inputs have an associated event, and that
the exclusiveness property will ensure that each associated event is unique.
To summarize these subsections, the chosen reﬁnement strategy clearly shows
that predicate logic, set operations, relations and functions are concepts much closer
to the binary logics of a circuit than it may appear at ﬁrst sight.
3.5 Generating VHDL
The reﬁned model has become close enough to an explicit implementation. The
last level of reﬁnement is translated into a VHDL module by the use of B4SYN [4],
the constant valuation ﬁle, and a translator conﬁguration ﬁle that indicates, among
others, the list of inputs, outputs, clocks and synchronous events. The produced
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 11
..
.
(m0 = 0 ⇒
(t1 = TyR ⇔
( (PSEL → PENABLE → PWRITE) = (TRUE → TRUE → FALSE) ) ) )
∧ (m0 = 0 ⇒
(t1 = TyW ⇔
( (PSEL → PENABLE → PWRITE) = (TRUE → TRUE → TRUE) ) ) )
.
..
phi read ref phi =
SELECT
m0 = 0
∧ RESET = FALSE
∧ CLK = TRUE
∧ PSEL = TRUE
∧ PENABLE = TRUE
∧ PWRITE = FALSE
THEN
m0, a1, t1 := 1, PADDR, TyR
END;
phi write ref phi =
SELECT
m0 = 0
∧ RESET = FALSE
∧ CLK = TRUE
∧ PSEL = TRUE
∧ PENABLE = TRUE
∧ PWRITE = TRUE
THEN
m0, a1, d1, t1 := 1, PADDR, PWDATA, TyW
END
Fig. 9. Case study: Assigning wires to events
VHDL can directly be synthesized, and as B4SYN preserves the Event-B seman-
tics 4 , this VHDL source code is a proven correct-by-construction implementation
of the original abstract function essential property 3.1.
The produced VHDL source code can now safely be integrated into the clas-
sical ﬂow for the rest of the circuit development. All the proof work performed
by the designer, and recorded by Atelier B [3], remains as deliverable evidence to
any third party inquiry on the correctness of that function of the circuit. Indeed,
these discharged proof obligations formalize the correctness rationale of all the de-
sign decisions that found their way into the function development. Our case study
required about 18 development stages generating around 1 600 proof obligations
for a ﬁnal net list in the order of 5 000 elementary gates. The obtained VHDL
module was submitted to the veriﬁcation campaign available from the legacy de-
velopment of this function and all tests reached a pass verdict both at RTL level
and at gate level, thereby conﬁrming an indistinguishable host-level behaviour over
the campaign coverage. All this work has been assessed by a security evaluation
facility and contributed to the world’s ﬁrst EAL6+ Common Criteria 3.1 certiﬁcate,
awarded by the French certiﬁcation body, ANSSI [13,9].
4 From correctness to robustness
It is well known that a correct design is not necessarily a secure design, the con-
verse being true however. Our experimental ﬂow uses a correctness reﬁnement
4 Work not yet done.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–2212
relation that fails, in general, to preserve security properties such as conﬁdentiality
or integrity. This is by no means a serious drawback to the proposed ﬂow. We
strongly believe that alternative speciﬁc formal methods, and their associated tool-
sets, should be used to tackle those properties at each development step. Although
the following publications are not very recent, we can refer the reader to [5] for
a practical approach to the veriﬁcation of cryptographic protocols, to [10,8] for an
original organization based access control model and its application to network secu-
rity policies, to [22] for a survey on enforcing information-ﬂow policies like integrity
or conﬁdentiality through static program analysis techniques, or to [20] for a non-
interference formulation that can be preserved under process algebra reﬁnement,
amongst many other relevant work devoted to security properties.
However, some security properties, in practice, can indeed be handled by our
proposed ﬂow.
Take integrity for instance. The proposed development ﬂow makes the silent as-
sumption that the underlying execution model, i.e. the elementary gate, is a perfect
device. Note that this assumption is also present in all source code descriptions of
digital circuits, i.e. in all current development ﬂows. Real life teaches us otherwise:
laboratory experience shows that building block devices are not perfect and are sub-
ject to various disruptions, be them of accidental or malicious nature. For instance,
a ﬂip-ﬂop, the basic logic (i.e. volatile) memory element, could be forced to a given
value through controlled aggressions of the digital circuit environment [12]. The
standard semantics of Event-B excludes this kind of misbehaviour and therefore
our proposed ﬂow is not well equipped to mention this kind of integrity losses. We
call them robustness issues.
A model of a ﬂip-ﬂop bank, or register, written in Event-B is presented in
ﬁgure 10. It is parametrized by its reset value, Q 1, and its logical address A 1.
On a write reg event, the presented input d1 is stored into its state variable q1.
Just as we did in the previous case study, we defer the explicit introduction of an
output variable to a later reﬁnement stage, so on a read reg event, no observable
modiﬁcation occurs, but q1, the last stored value is available for output. The last
event, none, models an irrelevant access, i.e. either not to this address or not a read
or a write.
We could introduce these issues into our developments by explicitly modelling
disruption as follows: simply replace every assignment by an non-deterministic
choice between the correct assignment and a “becomes any value” command. This
path, although interesting to describe robustness properties, happens to be a dead-
end for the construction of any desired function since following it would allow us to
build a randomly failing device!
The second simple idea we followed stems from the observation that once a
failing mode causing the integrity loss is identiﬁed, a secure-circuit designer has no
other choice than to build a counter-measure. That counter-measure is designed-in
and, in the end, it happens to be just another function! For the ﬂip-ﬂop example at
hand, it could be some kind of redundant information management function such
that it is physically impractical to externally force a change both in the vulnerable
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 13
REFINEMENT ﬀ01a REFINES ﬀ00a
SETS
ADs ; BYs ;TYs = {TyR, TyW, TyN}
ABSTRACT CONSTANTS A 1, Q 1
PROPERTIES A 1 ∈ ADs ∧ Q 1 ∈ BYs
VARIABLES m0, a1, d1, t1, q1
INVARIANT
a1 ∈ ADs ∧ d1 ∈ BYs ∧ t1 ∈ TYs ∧ q1 ∈ BYs
INITIALISATION
m0 := 0 || a1 :∈ ADs || d1 :∈ BYs || t1 :∈ TYs || q1 :∈ BYs
EVENTS
read reg =
SELECT
m0 = 2 ∧ a1 = A 1 ∧ t1 = TyR
THEN
m0 := 0
END;
write reg =
SELECT
m0 = 2 ∧ a1 = A 1 ∧ t1 = TyW
THEN
m0, q1 := 0, d1
END;
none =
SELECT
m0 = 2 ∧ (a1 = A 1 ⇒ t1 = TyN)
THEN
m0 := 0
END
END
Fig. 10. Example of a ﬂip-ﬂop bank, or register, in Event-B
ﬂip-ﬂop and in the implementation of its redundant function. In this way, integrity
loss is not avoided but it becomes detected and hence, the security breach attempt
can be reported and dealt with through other functions either in hardware, ﬁrmware
or software.
4.1 Focusing on correctness
For our register example, we start with the introduction of the anticipated alarm,
err0, initially unset. Events write reg, read reg and none get their guards reinforced
by the condition that the alarm is not set. We introduce a redundancy constant
function, in fact a bijection, RED 2, left undeﬁned at this stage, and the redundant
state variable q2. The invariant ties everything together formalizing the counter-
measure intent as shown in ﬁgure 11.
.
..
INVARIANT
q2 ∈ BYs
.
.
.
∧ (q1 → q2) ∈ RED 2
∧ err0 = bool( (q1 → q2) ∈ RED 2 )
Fig. 11. Excerpt from the register example with anticipated integrity loss counter-measure
Now event write reg has to update q2 so that the invariant holds. This is
easily accomplished by assigning it the image of the presented input d1 through the
redundancy constant function, RED 2.
The counter-measure works if, and only if, the alarm is constantly updated, i.e.
it must be implemented in the combinatorial logic of the circuit. Therefore, the
corresponding event in our execution model, psi, is reﬁned to specify this alarm
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–2214
updating as shown in ﬁgure 12.
The critical reader must have noticed that the exhibited invariant is slightly too
strong as it only holds for undisrupted circuits. Indeed, as long as none of the state
variables, i.e. neither q1 nor q2, gets modiﬁed in an uncontrolled way, we can prove
that the alarm is never set. This reﬁnement stage allows to prove exactly that.
The next reﬁnement stage, in fact the implementation, weakens slightly the
invariant and introduces the real bus interface. Abstract constants A 1, Q 1, and
RED 2 get reﬁned by concrete constants identical but with a suﬃx i for valuation
in the ﬁnal implementation. Besides, the condition on the alarm is removed from
the event’s guards because the host ensures that under alarm a reset event is always
generated before the next clock rising edge. An excerpt of this last reﬁnement is
shown in ﬁgure 12. An auxiliary q3 variable is introduced to enable the translation
of the expression that sets the alarm; this technique was already illustrated in the
code presented in example 3.3. The output signal ERR FF is just the alarm.
..
.
INVARIANT
.
.
.
∧ ERR FF ∈ BOOL
∧ err0 = ERR FF
∧ ( (m0 = 1) ⇒
ERR FF = bool( (q1 → q2) ∈ RED 2 i ) )
...
EVENTS
psi =
SELECT
m0 = 1
THEN
m0 := 2
|| q3, ERR FF :( q3 = RED 2 i(q1) ∧ ERR FF = (bool( ¬ ( q3 = q2 ))) )
END;
read reg=
SELECT
m0 = 2 ∧ a1 = A 1 i ∧ t1 = TyR
THEN
m0, PRDATA := 0, q1
END;
write reg=
SELECT
m0 = 2 ∧ a1 = A 1 i ∧ t1 = TyW
THEN
m0, q1, q2 := 0, d1, RED 2 i(d1)
END
.
.
.
Fig. 12. Excerpt of the robust register implementation example
As just stated, this model is not equipped to notice a disruption. Hence, the
implemented function can indeed be proved correct. The main reason for weakening
the invariant is to make it as similar as possible to the invariant of the companion
model whose writing is explained in the following paragraphs.
4.2 Proving eﬀectiveness
We write a not-to-be-implemented reﬁnement of the model partially exhibited in
ﬁgure 11. We enrich it with a fault model and its associated disruption event in
order to prove the eﬃciency of the counter-measure in those precise circumstances.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 15
For this endeavour we resort to a change of variables for the state q1, its redun-
dancy q2, and the alarm err0. We also introduce an abstract witness to denote the
occurrence of a disruption, df3. The fault model we envision is one were only one of
the state variables is modiﬁed. We further impose that disruption happens before
combinatorial logic gets stable. Any number of bits can be modiﬁed as long as they
all belong to the same variable representation. This fault model is quite general
because we do not get into the details of how the fault is injected, concentrating
only on its memorized eﬀects, i.e. situations where state or output are observed
modiﬁed. We do not cover combinatorial disruptions, but we do not foresee any
technical limitation to build a fault model covering them also.
The resulting reﬁnement is partially shown in ﬁgure 13. The invariant tells us
that the “sibling” implemented case, partially shown in ﬁgure 12, coincides with
the state space of this faulty version if, and only if, no disruption occurs. This is
precisely our intent. Do notice the designed similarity of the predicates formalizing
the meaning of the alarm in ﬁgures 12 and 13.
..
.
INVARIANT
.
.
.
df3 = bool( (q3 → p3) ∈ RED 2 )
∧ ( (df3 = FALSE) ⇔
(q1 = q3 ∧ q2 = p3 ∧ err0 = err3 ) )
∧ ( (m0 = 1) ⇒
err3 = bool( (q3 → p3) ∈ RED 2 ) )
ASSERTIONS
( (m0 = 1) ⇒ df3 = err3 )
EVENTS
disrupt =
SELECT
m0 = 1 ∧ df3 = FALSE
THEN
q3, df3 :( q3 ∈ BYs ∧ df3 = bool(q3 → p3 ∈ RED 2) )
END;
psi =
SELECT
m0 = 1
THEN
m0, err3 := 2, bool(q3 → p3 ∈ RED 2)
END;
read ok ref read reg =
SELECT
m0 = 2 ∧ err3 = FALSE ∧ a1 = A 1 ∧ t1 = TyR
THEN
m0 := 0
END;
write ok ref write reg =
SELECT
m0 = 2 ∧ a1 = A 1 ∧ t1 = TyW ∧ err3 = FALSE
THEN
m0, q3, p3 := 0, d1, RED 2(d1)
END
.
.
.
Fig. 13. Excerpt of the robust register example with disruption
Although they are not shown in ﬁgure 13, we introduce events read ko, write ko,
and none ko in the faulty model in order to satisfy the coverage property because
now the alarm can indeed ﬁre. The associated substitutions just start a new cycle
(m0 gets 0) and in a next reﬁnement, these three events are merge into a single faulty
event, a “miracle” when disruption cannot happen, i.e. in the sibling implementable
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–2216
model partially shown in ﬁgure 12.
This simple example clearly shows our point: a security property can very well
be, at least partially, translated into a functional requirement, overcoming thereby
the reﬁnement limitation regarding security preservation.
We successfully applied this technique to enrich the MPU case study develop-
ment with the integrity property that makes inviolable the updated implementation
of this control access policy, considering current state-of-the-art vulnerabilities of
the underlying semiconductor technology. We added a functional redundancy in
the early implementation stages, planting there for the rest of the development a
new alarm to be triggered whenever redundant information looses consistency. For
proof work only, a dead-end branch of the reﬁnement introduced a “disrupt” event
that can always be triggered and whose action is precisely the “becomes any value”
command. Several fault models were tried in turn. Each considered fault model
(single bit fault, double fault, etc.) was introduced by properly choosing the vari-
ables impacted by this “disrupt” event. We also reinforced the invariant predicates
so that the proof obligations formalized the fact that no loss of consistency could
fail to trigger the new alarm event. Discharging these proof obligations meant that
whatever the fault on those variables impacted in the tried fault models, a correct
implementation would never fail to trigger an alarm as speciﬁed. This side-way
proof work established, once for all, the eﬀectiveness of the counter-measure func-
tion; the regular proof work in the main development branch only dealt with the
correctness of its implementation [7,11].
To sum up this section, we have been able to circumvent an apparent short-
coming of the proposed ﬂow by decomposing a robustness issue into two essentially
distinct parts:
(i) one model to state and prove the eﬀectiveness of the functional description of
a proposed counter-measure to thwart the eﬀects of inﬂicted faults;
(ii) one model to build the proposed function in a correct-by-construction proven
way, both models being reﬁnements of the original vulnerable function.
5 A diverted use to verify an algorithm
Besides robustness, secure micro-controllers are required to be very discreet, no-
ticeably when cryptographic operations are executed. Indeed, power analysis [26]
provides very powerful techniques to extract secrets, usually cryptographic keys,
from physical characteristics, usually power consumption, of the circuit’s opera-
tion. Therefore, the design of cryptographic accelerators of secure micro-controllers
must integrate counter-measures to mitigate the exploitation of these inescapable
observations.
The design starts with the description of an algorithm, usually a standard
one [16,15,21]. For some of these algorithms, desirable security properties are known
to signiﬁcantly thwart power analysis success. For instance, in the case of a sym-
metric key algorithm [16,15], property 5.1 has to be satisﬁed in the ﬁnal layout of
the circuit.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 17
Deﬁnition 5.1 [Security property] Any value depending on both the input message
and the key must be masked with a random.
Although correctness preservation does not entail conﬁdentiality preservation in
a development, if the detailed description of the algorithm violates the property,
the ﬁnal layout will violate it also with a probability close to certainty.
A third simple idea allowed us to contribute to the analysis of the detailed
algorithm proposed by the designers. Observing that the required property 5.1
involves dependencies among values more than actual data values, we manually
transcoded 5 the detailed algorithm using abstract interpretation [24], changing its
domain from data to dependencies. The used abstraction focuses on masking and
unmasking operations on sensitive data.
The transformation is illustrated in ﬁgure 14, where an operation Op is per-
formed on the content D1 and D2 of two registers, masked 6 respectively by ran-
dom numbers m1 and m2. An interface output register, labelled reg o, either gets
its value from the left-hand data path, labelled lmux, unmasked with m1, i.e. value
D1 = (D1⊕m1)⊕m1, or it gets the constant value 0, according to the multiplexer
setting, i.e. left or right position.
Fig. 14. From “data” to “dependencies” domains, excerpt of a detailed algorithm data path
As reported in [19], we wrote an Event-B (ﬂat) system to represent the set of
dependencies on each wire and in each register, observed after each clocked step of
the detailed algorithm under analysis. We equipped this model with an invariant
for each required property.
Just to provide a ﬂavour of the resulting Event-B system, the excerpt of a de-
tailed algorithm data path shown in ﬁgure 14 is used to write a small corresponding
Event-B system. It is provided in ﬁgure 15.
Getting back to the example in ﬁgure 14, a sensitive data is a data that depends
both on the input message and the key. In a ﬁrst approximation, the input message
and the key are abstracted by two distinct constant dependency labels, I and K 7 .
5 The rigour of this step can be improved through automation.
6 The masking operation is a bitwise exclusive disjunction, xor, ⊕.
7 In the Event-B system of ﬁgure 15, D1 and D2 are considered sensitive data on their own.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–2218
SYSTEM edp dep
DEFINITIONS
MASKS == {M1, M2}
; XOR(A , B ) == ( ((A ) ∪ (B )) - ((A ) ∩ (B ) ∩ MASKS) )
; SECRET == P1 ( {D1,D2} )
; REGDEPs == {drego, dreg1, dregr, dreg3}
; SENSITIVE ALWAYS MASKED == ( SECRET ∩ REGDEPs = ∅ )
SETS
DEPs = {D1, D2, M1, M2}; MUXPOS = {LP, RP}
VARIABLES clk, step, drego, dreg1, dregr, dreg3, dlmux, muxpos
INVARIANT
clk ∈ BOOL ∧ step ∈ Z ∧ drego ⊆ DEPs ∧ dreg1 ⊆ DEPs ∧ dregr ⊆ DEPs
∧ dreg3 ⊆ DEPs ∧ dlmux ⊆ DEPs ∧ muxpos ∈ MUXPOS
∧ step ∈ 1 . . 17
∧ SENSITIVE ALWAYS MASKED
INITIALISATION
clk, step := TRUE, 1
|| muxpos :∈ MUXPOS
|| drego, dreg1, dregr, dreg3, dlmux := ∅ , ∅ , ∅ , ∅ , ∅
EVENTS
switch left = SELECT muxpos = RP ∧ clk = TRUE
THEN muxpos, dlmux, clk := LP, dreg1, FALSE END;
switch right = SELECT muxpos = LP ∧ clk = TRUE
THEN muxpos, dlmux, clk := RP, ∅ , FALSE END;
load reg1 = SELECT step = 1 ∧ clk = TRUE
THEN dreg1, step, clk := {D1,M1}, step + 1, FALSE END;
load reg2 = SELECT step = 2 ∧ clk = TRUE
THEN dregr, step, clk := {D2,M2}, step + 1, FALSE END ;
do op and feed =
SELECT
step = 3 ∧ clk = TRUE
THEN
dreg3, drego, step, clk := dreg1 ∪ dregr, XOR( dlmux, {M1} ), step + 1, FALSE
END;
update wire left = SELECT clk = FALSE ∧ muxpos = LP
THEN dlmux, clk := dreg1, TRUE END ;
update wire right = SELECT clk = FALSE ∧ muxpos = RP
THEN dlmux, clk := ∅ , TRUE END ;
other steps = SELECT step > 3 ∧ step ≤ 16 ∧ clk = TRUE
THEN clk, step := FALSE, 17 END ;
do cycle = SELECT step > 16 ∧ clk = TRUE THEN clk, step := FALSE, 1 END
END
Fig. 15. Event-B system code based on the algorithm shown in ﬁgure 14
A sensitive data is abstracted by the set:
secret = {I,K}(1)
Masks are abstracted into a unique constant dependency label, i.e. Z.
Each data operation of the algorithm is abstracted into its eﬀect on the depen-
dencies of the operated data. Still referring to ﬁgure 14, empirical experience shows
that Op is such that a dependency on both its inputs can be observed in its output.
It is therefore abstracted into the set union. The xor operation used to unmask
data is abstracted into the set diﬀerence.
Each wire and each register is represented by a variable that holds its current
dependencies. In ﬁgure 14, these variables are labelled with the name of the wire
(resp. register) preﬁxed by d (for dependencies).
Each step is modelled by a sequence of two events as we need to observe registers
and wires. One event represents the update of registers, and the other one represents
the stable update of all the outgoing wires of the registers.
The security property 5.1 becomes the following invariant (for w wires and r
registers) :
secret 	∈ {d wire1, . . . , d wirew, d reg1, . . . , d regr}(2)
We used the model checker ProB [17] to verify whether all the properties were
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 19
satisﬁed by the detailed algorithm. We found the model checker very eﬃcient for
this analysis because counter-examples are provided whenever a property is violated.
Each step leading to the violation is clearly identiﬁed by the tool.
Referring to ﬁgure 14, ProB 8 immediately shows that when d reg r gets a de-
pendency to a masked sensitive data and the multiplexer is set to the left, property 2
is violated because the wire input of d reg o gets the secret dependency.
This may seem trivial to most of us, but performing the veriﬁcation on the real
detailed algorithm unveiled quite tricky situations that only a very thorough analysis
could have discovered. Furthermore, we were able to suggest an improvement to the
detailed algorithm. We convinced the designers to implement it by showing that
with the proposed modiﬁcation, ProB could complete the exhaustive veriﬁcation of
all the properties.
Although our ﬁndings had an immediate impact on the development of the
studied algorithm, this approach is not to be considered as a practical solution yet,
but rather as an invitation to the research community to look at these new diverted
ways of combining abstract interpretation and proof and/or model checking to tackle
diﬀerent facets of a complex system.
6 Concluding remarks and ways forward
Although feasibility of a correct-by-construction proven development ﬂow for digital
circuits has clearly been established through a sizeable case study, we have to temper
our enthusiasm in view of the huge amount of further work required by the following
issues:
• Robustness issues have been shown, through the same sizeable case study, to
be amenable to a convenient functional-like treatment, but neither a systematic
process nor a sound underlying theory have been deﬁned to consider the matter
settled;
• A whole part of the security of secure micro-controllers has not even been con-
sidered in the proposed ﬂow: indeed conﬁdentiality issues, as explained, do not
behave in a conservative manner with reﬁnement relations as the one we used.
We have hinted at the use of other specialized formal methods to deal with these
issues, a more precise articulation of various specialized formal methods to achieve
a realistic development ﬂow for secure elements still needs to be investigated;
• Lastly, feasibility is only a ﬁrst step towards deploying a new technique. A lot
of engineering, technical, economical and human problems rest ahead in order to
scale up to an industrial use of the secure-by-construction development ﬂow for
digital circuits.
8 ProB is completely integrated both in the Atelier B and in Rodin [18].
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–2220
Acknowledgement
This experiment could not have succeeded without the brilliant work of Louis
Mussat who developed the original Event-B models and associated proofs for the
case studies. Thierry Lecomte and Antoine Requet designed and implemented the
B4SYN translator and its integration into Atelier B [3]. May they read in these few
lines a thankful recognition of their sizeable contribution to the project. I also wish
to acknowledge the constructive remarks provided by Marie-Laure Potet on the ﬁrst
draft of this paper, and thank the program committee members of the workshop
for their interest in this work.
References
[1] Abrial, J.-R., “Modeling in Event-B”, Cambridge University Press, 2010.
[2] Abrial, J.-R., “The B Book : Assigning Programs to Meanings”, Cambridge University Press, 1996.
[3] “Atelier B”, http://www.atelierb.eu/index en.html.
[4] Benveniste, M., A Correct by Construction Realistic Digital Circuit, RIAB Workshop, FMWeek 2009,
Eindhoven, handout.pdf.
[5] Bolignano, D., Towards a Mechanization of Cryptographic Protocol Veriﬁcation, in CAV’97, Lecture
Notes in Computer Science 1254 (1997), 131–142, SpringerLink.
[6] Borrione, D., M. Liu, P. Ostier, L. Fesquet, PSL-based online monitoring of digital systems, in A.
Vachoux (ed.) “Applications of speciﬁcation and design languages for SoCs: Selected papers from FDL
2005” Chap. 2 (2006), 5–22, SpringerLink.
[7] Commission of the European Communities Directorate XIII/F SOG-IS, “Information Technology
Evaluation Criteria”, June 1991, ITSEC.
[8] Cuppens, F., N. Cuppens-Boulahia, T. Sans, and A. Mie`ge, A Formal Approach to Specify and Deploy
a Network Security Policy, in Second IFIP Workshop on Formal Aspects in Security and Trust (FAST),
203–218, 2004, [pdf].
[9] EE Herald, New products, 5 November 2010, [Web page].
[10] El Kamal, A.A., R. El Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Mie`ge, C. Sorel,
and G. Trouessin, Organization Based Access Control, in 4th IEEE International Workshop on Policies
for Distributed Systems and Networks (Policy’03), 120–134, 2003, [pdf].
[11] Jansen, W., “Directions in Security Metrics Research”, National Institute of Standards and Technology
Interagency Report, NISTIR 7569, Computer Security Division, Information Technology Laboratory,
April 2009.
[12] Leveugle, R., A. Ammari, V. Maingot, E. Teyssou, P. Moitrel, C. Mourtel, N. Feyt, J.-B. Rigaud, and
A. Tria, Experimental Evaluation of Protections Against Laser-induced Faults and Consequences on
Fault Modeling, in DATE 07, 1587–1592, 2007, [pdf].
[13] Microcontroˆleurs se´curise´s SAYR48/80B et SBYR48/80B, incluant la bibliothe`que cryptographique
NesLib v2.0 ou v3.0 en conﬁguration SA ou SB, ANSSI-CC-2010/02, February 2010.
[14] Milner, R., M. Tofte, R. Harper, and D. MacQueen, “The Deﬁnition of Standard ML: Revised 1997”,
The MIT Press, 1997, Online ML Tutorial.
[15] National Institute of Standards and Technology, U.S. Department of Commerce, “Advanced Encryption
Standard (AES)”, FIPS PUB 197, November 2001.
[16] National Institute of Standards and Technology, U.S. Department of Commerce, “Data Encryption
Standard (DES)”, FIPS PUB 46-3, October 1999.
[17] “Pro B”, http://www.stups.uni-duesseldorf.de/ProB/index.php5/Main Page.
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–22 21
[18] “RODIN, Rigorous Open Development Environment for Complex Systems”,
http://rodin.cs.ncl.ac.uk/.
[19] Romain, F., M. Benveniste, J. Mercier, Designing a secure accelerator for symmetric cryptography,
e-Smart 2010, Day 2, Cryptographic Implementations Breakthroughs, Sophia-Antipolis, September
2010.
[20] Roscoe, A. W., J. C. P. Woodcock, and L. Wulf, Non-interference through determinism, in ESORICS’94,
Lecture Notes in Computer Science 875 (1994), 33–53, , [pdf] of extended paper.
[21] RSA Laboratories, “PKCS #1 v2.1: RSA Cryptography Standard”, PKCS #1 v2.1, June 2002.
[22] Sabelfeld, A., and A. C. Myers, Language-Based Information-Flow Security, in IEEE Journal on
Selected Areas in Communications 21(1) (2003), 5–19, [pdf].
[23] STMicroelectronics, “ST62T40B/E40B: 8-bit OTP/EPROM MCU with LCD driver, EEPROM and
A/D converter”, Data Sheet, 1999, [Web page].
[24] Wikipedia, Abstract interpretation, [Wiki].
[25] Wikipedia, Me´te´or, Paris Me´tro Line 14, [Wiki].
[26] Wikipedia, Power analysis, [Wiki].
M. Benveniste / Electronic Notes in Theoretical Computer Science 280 (2011) 3–2222
