Abstract. In this paper, we formally verify security properties of the ARMv7 Instruction Set Architecture (ISA) for user mode executions. To obtain guarantees that arbitrary (and unknown) user processes are able to run isolated from privileged software and other user processes, instruction level noninterference and integrity properties are provided, along with proofs that transitions to privileged modes can only occur in a controlled manner. This work establishes a main requirement for operating system and hypervisor verification, as demonstrated for the PROSPER separation kernel. The proof is performed in the HOL4 theorem prover, taking the Cambridge model of ARM as basis. To this end, a proof tool has been developed, which assists the verification of relational state predicates semi-automatically.
Introduction
The ability to execute application software in a manner which is isolated from other application software running on a shared processing platform is an essential prerequisite for security. This allows user applications or virtual machines to coexist without violating confidentiality or integrity of critical data; it allows critical system resources to be protected from user manipulation; it can help to prevent fault propagation; and it can be used to save costly hardware that might otherwise be needed to provide physical separation.
Isolation is typically provided by a mix of hardware and software. A memory management unit (MMU) may be used to provide basic memory protection, and the processor may be equipped with multiple privilege levels, running application programs as userland processes and kernel routines at privileged levels, with additional abilities to access and configure critical parts of the processor, the MMU, and various storage/display/peripheral devices attached to the processor.
In such a setting, isolation is a result of the correct interplay between hardware and kernel. It is the responsibility of the kernel to correctly manipulate the processor state to achieve the desired effects, whatever they may be (context switching, logging, fault management, device management, etc.). It is the responsibility of the processing hardware to correctly implement the partitioning safeguards and mode transition conventions assumed by the kernel. For security, the kernel and the processor must both be correct and agree on their mode of interaction. Most formal kernel analyses in the literature [7, 12, 13, 15, 18] address the kernel software itself, in source or binary form, and leave the properties of the instruction set architecture (ISA) to be handled by fiat. Our contribution is to suggest a possible approach, including tool support, for performing the ISA-specific security analysis, specifically for user mode execution.
We have identified two main concerns.
First, an implicit contract must exist which stipulates the region of influence/dependency of userland processes. That is, in a given user mode processor/MMU configuration it must be determined which memory locations and (control) registers can be read or written, or, in a more fine-grained analysis, how information is able to flow to or from specific parts of the processor and the memory. User processes must be constrained in accessing or otherwise being influenced by critical resources of the kernel or of other user processes. This is not trivial. For instance, as shown by Duflot et al. [9], on some x86 processors it is possible for low-privilege code to overwrite higher privilege code by writing to an address that usually refers to the video card. To enable this attack, it suffices to first flip a configuration bit usually accessible from the low privilege level.
Second, kernel code relies on a set of mode switching conventions, for instance on ARM that program status registers and relevant user registers (including the program counter) are properly banked, the program counter is updated to point at the correct location in the vector table, and so on. If these conventions are not established by the processor and adhered to by the kernel, it may be possible for userland processes to induce various sorts of malicious behavior, for instance by letting a handler's link register point to a foreign address.
Performing this analysis is not trivial, particularly not if information flow is to be taken into account, as is done in this paper. All instructions, error conditions, and user to privileged mode transitions must be considered. The number of instructions is high, and in modern processors a single instruction can involve a large number (order of 20-30) of atomic register or memory accesses.
In this paper, we identify and prove several partitioning-related properties of the ARMv7 ISA specification [2, 3] addressing user mode execution and mode switching. The first is an instruction level noninterference property, related to the non-infiltration property in [12], stating that the behavior of an ARMv7 processor in user mode only depends on its accessible resources, mostly user registers, MMU configurations and the memory allocated to that process. The second, corresponding to the non-exfiltration property of [12], is an integrity property stating that, again while in user mode, the processor is unable to modify protected resources. A third set of properties concerns mode switching conventions.
These properties have been applied in the PROSPER project [5] to verify isolation for the PROSPER separation kernel [8] . The PROSPER project aims at producing and verifying a fully functional secure hypervisor for embedded systems, providing services such as guest isolation, so that only explicitly allowed communication occurs.
Our proof uses the HOL4 [4] model of ARM, developed at Cambridge by Fox et al. [10]. We extend this model by simple memory protection. The ARMv7 ISA properties outlined above are formalized and proved. To make the quite sizable proof task feasible, we have developed a helper tool based on relational Hoare logic that is able to automate significant parts of the proof.
To the best of our knowledge, our work represents the first formalized analysis of the ARMv7 ISA. Others, specifically the Cambridge HOL4 group, have developed various helper tools for assembling, disassembling, executing, and managing ARM machine code and the HOL4 ARM ISA model [10, 16]. Also, the HOL4 ARM model has been used in several verification exercises in the literature, on software fault isolation (SFI) [22] and on the extension of the seL4 verification work [13] from C to binary level [20]. However, we have not yet seen general correctness properties formalized and verified for ARM at the ISA level.
In fact, we believe the type of analysis presented here can be useful beyond kernel verification. For instance, formalized security properties can be useful both to improve the usefulness and precision of ISA specifications, and to enable developers to obtain a concise description of secure configurations, without manual consideration of extensive architecture specifications.

That is, if e holds in the final state of f1, the return value of f1 is passed to f2 as the input parameter; otherwise f2 is not executed.
errorT a = Error a
condT e f = if e then f else constT ()
if e then f1 else f2 = λs. if e s then f1 s else f2 s
f1 |||_e f2 = f1 >>=_e (λx. f2 >>=_e (λy. constT (x, y)))
4 Security Properties
We next turn to formalizing the instruction level partitioning properties. For user mode execution we formulate the requirements in terms of non-infiltration and non-exfiltration properties (cf. [12]), adapted to our setting. The relation bisim is the low equivalence relation. User mode processes are allowed to be influenced by the user mode registers, the memory assigned to them, the CPSR, the coprocessors, pending access violations and the misc state component. Exclusive monitors (a field of misc) can inherently influence and be influenced by user mode software and thus need to be cleared by kernels on context switches.

bisim i s1 s2 =
  mmu_setup i s1 ∧ mmu_setup i s2 ∧
  equal_user_regs s1 s2 ∧
  (∀a. accessible i a ⇒ s1.memory a = s2.memory a) ∧
  s1.psrs(CPSR) = s2.psrs(CPSR) ∧
  s1.coproc.state = s2.coproc.state ∧
  nav s1 = nav s2 ∧
  s1.misc = s2.misc ∧
  s1.psrs(spsr_(mode s1)) = s2.psrs(spsr_(mode s2)) ∧
  s1.regs(lr_(mode s1)) = s2.regs(lr_(mode s2))
The last two items have been included to ensure that the SPSR and link register (of a possibly privileged poststate) also only depend on resources allowed to influence user mode execution, so that they can actually be restored later on.
Non-exfiltration
Non-exfiltration guarantees the integrity of resources foreign to the active user process. It expresses that, given an MMU setup with user process i active, the execution of a single instruction in user mode will not modify any resources other than those considered to be modifiable by i.

unmodified i s t =
  s.coproc = t.coproc ∧
  s.psrs(CPSR).F = t.psrs(CPSR).F ∧
  (∀a. ¬(accessible i a) ⇒ s.memory a = t.memory a) ∧
  ((mode s ∈ {usr, mode t} ∧ mode t ∈ {usr, fiq, irq, svc, abt, und}) ⇒
     (∀reg. reg ∉ accessible_regs(mode t) ⇒ s.regs(reg) = t.regs(reg)) ∧
     (∀psr. psr ∉ {CPSR, spsr_(mode t)} ⇒ s.psrs(psr) = t.psrs(psr)) ∧
     (mode t = usr ⇒ s.psrs(CPSR).I = t.psrs(CPSR).I))
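As an added illustration that is not part of the paper, the following Python model encodes a toy ARMv7-like state together with the two relational predicates of this section, bisim (low equivalence) and unmodified (integrity), and checks them on a constructed user-mode store that either succeeds or takes a data abort into abt mode. The state layout, the toy MMU setup (process i owning 256 words from 0x1000*i, recorded as a CP15 "asid" field), the abort vector address and the return-address offset are assumptions of the example, not definitions from the HOL4 model.

```python
from dataclasses import dataclass, replace
USER_REGS = tuple(f"r{i}" for i in range(13)) + ("sp_usr", "lr_usr", "pc")

@dataclass(frozen=True)
class State:      # toy counterpart of the HOL4 arm_state record (assumed layout)
    regs: dict    # r0..r12, pc and banked sp_<m>/lr_<m>
    psrs: dict    # "CPSR" and "spsr_<m>", each a dict of fields mode/I/F
    memory: dict  # address -> value
    coproc: dict  # toy CP15 (assumption): {"state": ..., "asid": process id}
    misc: tuple   # e.g. exclusive monitor state
    nav: bool     # True when no access violation is pending

def mode(s):
    return s.psrs["CPSR"]["mode"]
def mmu_setup(i, s):  # toy MMU setup: process i owns 256 words from 0x1000*i
    return s.coproc["asid"] == i
def accessible(i, a):
    return 0x1000 * i <= a < 0x1000 * i + 0x100
def accessible_regs(m):  # registers a step ending in mode m may have written
    return set(USER_REGS) | {f"sp_{m}", f"lr_{m}"}

def bisim(i, s1, s2):  # low equivalence: what user process i may depend on
    m1, m2 = mode(s1), mode(s2)
    return (mmu_setup(i, s1) and mmu_setup(i, s2)
            and all(s1.regs[r] == s2.regs[r] for r in USER_REGS)
            and all(s1.memory.get(a) == s2.memory.get(a)
                    for a in set(s1.memory) | set(s2.memory) if accessible(i, a))
            and s1.psrs["CPSR"] == s2.psrs["CPSR"]
            and s1.coproc["state"] == s2.coproc["state"]
            and s1.nav == s2.nav and s1.misc == s2.misc
            and s1.psrs.get(f"spsr_{m1}") == s2.psrs.get(f"spsr_{m2}")
            and s1.regs.get(f"lr_{m1}") == s2.regs.get(f"lr_{m2}"))

def unmodified(i, s, t):  # integrity: what a step of process i may not change
    ms, mt = mode(s), mode(t)
    ok = (s.coproc == t.coproc and s.psrs["CPSR"]["F"] == t.psrs["CPSR"]["F"]
          and all(s.memory.get(a) == t.memory.get(a)
                  for a in set(s.memory) | set(t.memory) if not accessible(i, a)))
    if ms in ("usr", mt) and mt in ("usr", "fiq", "irq", "svc", "abt", "und"):
        ok = ok and all(s.regs[r] == t.regs[r]
                        for r in s.regs if r not in accessible_regs(mt))
        ok = ok and all(s.psrs[p] == t.psrs[p]
                        for p in s.psrs if p not in ("CPSR", f"spsr_{mt}"))
        ok = ok and (mt != "usr" or s.psrs["CPSR"]["I"] == t.psrs["CPSR"]["I"])
    return ok

# Constructed user-mode store: write if permitted, else take a data abort into abt
# (CPSR banked into spsr_abt, return address into lr_abt, pc set to the vector).
def str_user(i, s, addr, value):
    if accessible(i, addr):
        return replace(s, memory={**s.memory, addr: value},
                       regs={**s.regs, "pc": s.regs["pc"] + 4})
    cpsr = s.psrs["CPSR"]
    return replace(s, regs={**s.regs, "lr_abt": s.regs["pc"] + 8, "pc": 0x10},
                   psrs={**s.psrs, "CPSR": {**cpsr, "mode": "abt", "I": 1},
                         "spsr_abt": cpsr})

def make_state(kernel_word):  # constructed user-mode state of process 0
    regs = {**{r: 0 for r in USER_REGS}, "sp_abt": 0, "lr_abt": 0, "pc": 0x20}
    return State(regs, {"CPSR": {"mode": "usr", "I": 0, "F": 0}, "spsr_abt": {}},
                 {0x10: 0, 0x5000: kernel_word}, {"state": "on", "asid": 0}, (), True)
```

Two states that differ only in the foreign word at 0x5000 stay bisim-related across both the successful store and the aborting one, and both steps leave the foreign word unmodified.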
Switching to Privileged Modes
Secure user mode execution is not by itself sufficient. It is also necessary to consider transitions to privileged modes to prevent user processes from obtaining privileged execution rights. No user process should be able to effect a mode change with the PC set to a memory location of its choice. Instead, all entry points into privileged modes should be in the exception vector table. Similarly, even though user processes are allowed to choose a different endianness for their own execution, that should not influence the interpretation of the system handlers when switching back to privileged mode. Theorem 3 covers those additional constraints.
Safe User Mode Execution
The final aim is to guarantee that as long as the machine is executing in user mode, it causes no noninterference or integrity violations. Let s1 ⇝ sn denote a sequence of next computations s1 → s2 → ... → sn in user mode, i.e. mode si = usr for 1 ≤ i < n, and mode sn = usr. The following theorem assures the safe execution and safe mode switching of a user process.
Theorem 5. Let s1 ⇝ sn and mmu_setup i s1. Then (i) if s1' ⇝ sn' and bisim i s1 s1' then bisim i sn sn', (ii) unmodified i s1 sn, and (iii) priv_const sn−1 sn.
The proof of (i) and (ii) is an easy induction on n using theorems 1 and 2.

Non-infiltration

The proof uses a relational Hoare logic based on assertions {f : R → R'} defined as follows:
The judgment asserts that, if started in prestates s1, s2 related by the prerelation R, either the executions of the monadic computation f return identical values a with poststates t1, t2 related by the postrelation R', or else they both return the same error e.
For the analysis it suffices to consider a fixed set of relations

R_m = λs1. λs2. bisim i s1 s2 ∧ mode s1 = m ∧ mode s2 = m   or   R_(n,m) = R_n ∪ R_m.

Figure 4 shows the relational logic inference rules. The inference system is incomplete, but sufficient for our purpose. A relation R_m is preserved by errorT and constT (rules constTR and errorTR), and if a computation preserves one of the R_m relations then that computation can be used in a conditional or a for loop as well (condTR, conR and forTR). The rules widenR and absR are used to weaken the postrelation and to reason about lambda computations, respectively.
The rule seqTR states that the postrelation of f >>=_nav f' is the union of the

using an example.

In the ARM model, all computations which lead to a privileged mode m end with a computation called take_m_exception. Figure 6 shows the function take_svc_exception for switching to supervisor mode. Let this computation start in state s1 and end in state sn. Consider the primitive constraint P_psr stating that SPSR_svc of the final state sn must be equal to CPSR of the initial state s1. Let t and t' be, respectively, the initial and final state of write_spsr cr, and let m be the mode of t'. The computation write_spsr cr writes the value of the free variable cr into SPSR_m and establishes the property P_psr ≝ t'.psrs(SPSR_m) = cr. We call write_spsr cr a P_psr-establisher. A computation g is a P-establisher if, independently of its input state, P holds in its output state, i.e.

P-establ(g) = ∀s, a, t. g s = ValueState a t ∧ nav t ⇒ P t

We can prove that the block starting from write_spsr cr establishes P_psr as well, because the remaining computations of this block do not modify this property. Then we can prove that the free variable cr takes the value s1.psrs(CPSR), and that m is bound to svc. Thus, sn.psrs(SPSR_svc) = s1.psrs(CPSR) holds for the computation block from write_spsr cr. As this block is a P_psr-establisher, we conclude that the computations before write_spsr do not influence the established property, and P_psr is satisfied by take_svc_exception. Figure 7 shows the P-establisher inference rules. These rules, along with the inference rules of Figure 5, are used to prove the privileged constraints. The rule seqTS1 states that if the monadic computation f is a P-establisher and P is an invariant of f', then the sequential composition f >>=_nav f' is a P-establisher. The rule seqTS2 states that if the monadic computation f' is a P-establisher, then f >>=_nav f' is also a P-establisher. Similar rules are defined for the |||_nav operator.
Theorem 8. All assertions P-establ(f) derivable according to the inference rules in Figure 7 are valid.
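The P-establisher argument above, as an added Python example rather than the paper's HOL4 proof: P-establ is checked over a finite set of sample prestates, the block starting at write_spsr cr is shown to establish SPSR_svc = cr whatever computation precedes it (rule seqTS2), and the whole constructed take_svc_exception yields sn.psrs(SPSR_svc) = s1.psrs(CPSR). The monad shape, the behaviour of >>=_nav when nav is false, the state fields and the vector address 0x08 are assumptions of the example, not the Cambridge model's definitions.

```python
# Toy state: {"CPSR": {"mode", "I"}, "SPSR_svc": ..., "pc": int, "nav": bool}
# (assumed layout). A computation maps a state to ("ValueState", value, state)
# or ("Error", e), mirroring the shape of the HOL4 ARM model's monad.

def seqT_nav(f, g):
    """f >>=_nav g: run f, then g on f's value only if no access violation
    is pending (nav); otherwise f's result is returned as is (assumption)."""
    def run(s):
        r = f(s)
        if r[0] == "Error" or not r[2]["nav"]:
            return r
        return g(r[1])(r[2])
    return run

def read_cpsr():
    return lambda s: ("ValueState", s["CPSR"], s)

def write_cpsr(cpsr):
    return lambda s: ("ValueState", None, {**s, "CPSR": cpsr})

def write_spsr(cr):  # writes the free value cr into the SPSR of the current mode
    return lambda s: ("ValueState", None, {**s, f"SPSR_{s['CPSR']['mode']}": cr})

def branch_to(addr):
    return lambda s: ("ValueState", None, {**s, "pc": addr})

# The block of the constructed take_svc_exception that starts at write_spsr cr:
# nothing after write_spsr touches SPSR_svc, so the block is a P_psr-establisher.
def block_from_write_spsr(cr):
    return seqT_nav(write_spsr(cr), lambda _:
           seqT_nav(write_cpsr({**cr, "mode": "svc", "I": 1}), lambda _:
           branch_to(0x08)))

# Constructed take_svc_exception: read CPSR, enter svc mode, then the block above
# with cr bound to the CPSR that was read.
def take_svc_exception():
    return seqT_nav(read_cpsr(), lambda cpsr:
           seqT_nav(write_cpsr({**cpsr, "mode": "svc"}), lambda _:
           block_from_write_spsr(cpsr)))

def p_establ(g, P, samples):
    """P-establ(g) over a finite set of prestates (a stand-in for the paper's
    ∀s): every ValueState output with nav set satisfies P."""
    return all(P(r[2]) for r in map(g, samples)
               if r[0] == "ValueState" and r[2]["nav"])

def spsr_matches_initial_cpsr(samples):
    """sn.psrs(SPSR_svc) = s1.psrs(CPSR) for every sample prestate s1 with nav."""
    return all(take_svc_exception()(s1)[2]["SPSR_svc"] == s1["CPSR"]
               for s1 in samples if s1["nav"])

# Constructed sample prestates: user mode, varying IRQ mask and pc.
SAMPLES = [{"CPSR": {"mode": "usr", "I": i}, "SPSR_svc": None, "pc": pc, "nav": True}
           for i in (0, 1) for pc in (0x100, 0x2000)]
```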
∀y. P-establ(f y)
-----------------
P-establ(λy. f)

Fig. 7. Privileged constraints inference rules

6 Implementation and Evaluation

Implementation

We use the HOL4 theorem prover to verify our properties. The central assets of our work are available from [5]. We have developed a tool, ARM-prover, to automate the verification process based on the proof systems in Fig. 4 and 5. To avoid having to explore the instruction set more than once, the prover actually combines theorems 1, 2 and 3 into one.
The proof systems do not provide rules for case and let statements. These are easily handled using standard HOL4 simplification. Other monadic expressions are refined using the inference rules in Fig. 4 and 5 in a top-down fashion.
The proofs for write primitives as well as register and memory accesses in user mode are done manually, but the tool can handle some of the read computations directly, which allows a large share of the workload to be proved automatically.
A particular difficulty concerns binding. When a binding expression f1 >>=_nav f2 is decomposed, the return value of f1 becomes unbound in f2. To handle this we simplify computations by embedding more information before calling the prover, using some auxiliary lemmas. For example, the following formula states that cpsr in the computation H following read_cpsr can be substituted by the CPSR in prestate s with mode m.

Xeon(R) X3470 core. We invested about one person year of effort into this work.
Related Work
Several recent works address kernel verification. Some target information flow properties [7, 12, 15, 18], based on variants of noninterference [11]. Other work establishes a refinement relation between kernel code, in some representation, and an abstract specification. For the seL4 microkernel this was first performed for its C implementation [13] and is now extended to binary level [20]. As is the case with most refinement/simulation-based approaches, this work does not address information flow. In recent work on seL4 verification, Murray et al. [14, 15] present an unwinding-style characterization of intransitive noninterference. They introduce a proof calculus on nondeterministic state monads that is similar to that of this work. Their assertions are more general; however, our proof rules cover several monadic operators and statements. In addition, we introduce rules to prove properties about executions that relate the final state of a computation to its initial state.
Alkassar et al. [6] describe the emulation of a simplified MIPS machine in C.
The emulator allows the use of VCC to automatically check that every reachable state of a guest on a hypervisor is also reachable when the guest is running on a completely isolated machine. The C emulator has been adopted to verify parts of the hypervisor that mix C and assembly [17], and allows unknown user processes to be considered. Information flow properties are not considered, however.
Wilding et al. [21] formally proved exfiltration, infiltration and mediation theorems for the partitioning system of the AAMP7G microprocessor in ACL2. Neither confidentiality nor protection of privileged registers is addressed.
Most works on kernel verification address handler code only and do not consider user mode execution. In a few cases [6, 19] user mode execution is considered, but without justification in terms of concrete processor access modalities.
The main contribution of our work, over and beyond the above works, is that we attempt to justify the critical assumptions on processor level information flow in user mode execution through analysis at the level of a formalized ISA model.
Heitmeyer et al. [12] introduce non-exfiltration, non-infiltration, kernel integrity and data/control separation properties to verify a separation kernel. Since we focus on user-mode execution, those properties apply only partially here. Our non-infiltration property is the same as in [12], but the non-exfiltration property in our work covers both their kernel integrity and non-exfiltration.
Conclusion
We introduced and proved several security properties, including a non-exfiltration, a non-infiltration and a safe switching property, for user mode executions on the ARM architecture, using the Cambridge HOL4 ISA model. A logical framework based on (relational) Hoare logic has been developed for the analysis, supported by a tool, ARM-prover, which helps automate the proof. The ARM-prover can be used to prove general invariants about the ARM model (i.e., statements that need to hold at each execution point). We are planning to continue the development of the ARM-prover to improve automation further and cater for more general proof tasks.
Our results concerning register contents are generally valid and, with small adaptations, applicable to isolation verification of other hypervisors, separation kernels, and operating systems. Statements on memory safety depend on our specific setup. A reformulation that is independent of concrete MMU configurations should require only a minor effort and is planned for future work.
The HOL4 model of ARM supports a partial coprocessor model. We made the assumption that access to coprocessors via dedicated instructions is always denied in user mode. To have a more precise analysis and cover all possible side channels, a more comprehensive model of the available coprocessors, involving all registers, the coprocessors' behavior and an acceptance/rejection mechanism for register reads and writes that follows the specification, is required. During context switches, kernels need to mediate coprocessor registers that are user-accessible via dedicated coprocessor instructions. All other coprocessor registers are guaranteed to be non-modifiable in user mode. However, kernels must not introduce information flow from non-active processes to the coprocessor registers that are part of the present ARM model, since those might influence user mode execution.
Instructions that are underspecified (unpredictable) in the ARM Architecture Reference Manual (ARMARM) are problematic. The ARM specification states that unpredictable behavior must not perform any function that cannot be performed at the current or lower level of privilege using instructions that are not unpredictable [3]. Under one interpretation of this statement, theorems 2, 3 and 4 are valid on unpredictable instructions as well. In general, this is not true for non-infiltration. Yet, ARMARM further requires that unpredictable behavior must not represent security holes [2]. This formulation is very vague. However, we make the assumption that non-infiltration is preserved. In fact, we argue that the security properties we have presented provide manufacturers of ARM processors with a precise description of secure behavior for unpredictable cases.
